Previous Top News: 2018


  • The D.C. Circuit has announced the three-judge panel that will decide EPIC v. IRS, EPIC's Freedom of Information Act case to obtain public release of President Trump's tax returns. Arguments will be held in the case on Thursday, September 13, 2018 before Judge Karen LeCraft Henderson, Judge Patricia A. Millett, and Judge Harry T. Edwards. EPIC has argued that the IRS has the authority to disclose the President's returns to correct numerous misstatements of fact concerning his financial ties to Russia. For example, President Trump tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim "plainly contradicted by his own attorneys, family members, and business partners." As EPIC told the Court, "there has never been a more compelling FOIA request presented to the IRS." A broad majority of the American public favor the release of the President's tax returns. EPIC v. IRS is one of several FOIA cases EPIC has pursued concerning Russian interference in the 2016 Presidential election, including EPIC v. FBI (response to Russian cyber attack) and EPIC v. DHS (election cybersecurity). (Aug. 14, 2018)

  • EPIC provided comments to the European Commission to inform the second annual review of the EU-U.S. Privacy Shield, a framework that permits the processing of the personal data of Europeans in the United States. EPIC detailed the latest privacy developments in the U.S., including the extension of Fourth Amendment protection to cell phone location data in Carpenter v. United States, passage of the CLOUD Act, the FTC's failure to enforce its legal judgment against Facebook, the vacancies at the PCLOB, the absence of a Privacy Shield Ombudsman at the Commerce Department, and the nomination of Judge Brett Kavanaugh to the Supreme Court. The Commission approved Privacy Shield last year, but sought additional steps by the United States. The European Parliament has called for suspension of the pact if the U.S. does not fully comply by September 1st. The European Commission will make a final determination this fall. (Aug. 14, 2018)

  • The FTC has unanimously voted to approve EPIC’s recommendations to strengthen safeguards for children's data in the gaming industry. In a 5-0 vote, the FTC adopted EPIC's proposals to revise the Entertainment Software Rating Board's industry rules to (1) extend children's privacy protections in COPPA to all users worldwide; and (2) to implement privacy safeguards for the collection of data "rendered anonymous." The FTC wrote, "the Commission agrees with EPIC's comment. As COPPA's protections are not limited only to U.S. residents, the definition of 'child' in the ESRB program has been revised to remove the limitation." The Commission also strengthened protections for de-identified children's data: "companies must provide notice and obtain verifiable parental consent if personal information is collected, even if it is later anonymized." EPIC has testified several times before Congress on protecting children's data and supported the 2013 updates to COPPA. (Aug. 14, 2018)

  • The International Working Group on Data Protection in Telecommunications has adopted new recommendations to protect individual rights during criminal cross-border law enforcement. The Berlin-based Working Group includes Data Protection Authorities and experts who assess emerging privacy challenges. The Working Group on Data Protection calls on governments and international organisations to ensure law enforcement requests accord with international human rights norms. The Working Group recommends specific safeguards for data protection and privacy, including accountability, procedural fairness, notice and an opportunity to challenge. EPIC addressed similar issues in an amicus brief for the US Supreme Court in the Microsoft case. EPIC and a coalition of civil society organizations recently urged the Council of Europe to protect human rights in the proposed revision to the Convention on Cybercrime. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the Goethe-Institut, Germany's cultural institute. (Aug. 14, 2018)

  • The White House announced the nomination of two board members to the Privacy and Civil Liberties Oversight Board (PCLOB). Travis LeBlanc is a partner at Boies Schiller, and former Federal Communications Commission Enforcement Bureau Chief. Aditya Bamzai is a law professor at the University of Virginia and former Department of Justice attorney. The intelligence oversight body has been unable to act due to long-term vacancies. The European Parliament has called for suspension of the Privacy Shield if the U.S. does not to improve data protection and restore the PCLOB. Three other members have been nominated but have yet to be confirmed. EPIC opposed the nomination of Adam Klein to serve as Chairman of the Board. EPIC previously testified before PCLOB, made recommendations for PCLOB's handling of FOIA requests, and set out a broad agenda for the work of the independent agency. EPIC previously sought public release of the PCLOB report on Executive order 12333. (Aug. 13, 2018)

  • On Thursday, the Senate Judiciary Committee released the first production of records for Supreme Court nominee Brett M. Kavanaugh from his time as associate counsel for George W. Bush. Roughly 5,700 pages of documents were made available to the public. The documents show that Kavanaugh assisted in the effort to pass the Patriot Act and drafted a statement that President Bush incorporated in the bill signing. Kavanaugh wrote that the PATRIOT Act will “update laws authorizing government surveillance,” which he claimed, and President Bush then restated, were from an era of “rotary phones.” In fact, the PATRIOT Act weakened numerous U.S. privacy laws, including the subscriber privacy provisions in the Cable Act and the email safeguards in the Electronic Communications Privacy Act. Both laws were enacted after the era of rotary phones. Congress amended the Foreign Intelligence Surveillance Act after it was revealed that the White House had authorized warrantless wiretapping of Americans beginning in 2002. In an email exchange, Kavanaugh wrote that the PATRIOT Act was a "measured, careful, responsible, and constitutional approach . . . .” EPIC recently submitted two urgent Freedom of Information Act requests for Judge Kavanaugh’s records during his time serving as Staff Secretary for President Bush. (Aug. 11, 2018)

  • Senator Feinstein has sent an urgent letter to Archivist David S. Ferriero demanding reconsideration of the National Archives' decision to withhold documents related to Supreme Court nominee Brett Kavanaugh. In the letter, Senator Feinstein stated that the "records are crucially important to the Senate's understanding of Mr. Kavanaugh's full record, and withholding them prevents the minority from satisfying its constitutional obligation to provide advice and consent on his nomination." Under the National Archives' unprecedented interpretation of the Presidential Records Act, Feinstein explained that "minority members of the Senate Judiciary Committee now have no greater right to Mr. Kavanaugh's records than members of the press and the public." EPIC recently submitted two urgent Freedom of Information Act requests for Judge Kavanaugh's records during the time he served in the White House when many of the post-September 11 mass surveillance systems were implemented. (Aug. 8, 2018)

  • A coalition of nonpartisan open government groups has called for the disclosure of Supreme Court nominee Brett Kavanaugh's White House records. In a letter to the Senate Judiciary Committee, the coalition asserted that "curtailed document requests will hinder the Senate's ability to fully assess Judge Kavanaugh's background and qualifications..." To uphold the constitution, the coalition emphasized that "senators from both parties must have equal access to all documents relevant to a nominee, in as timely and complete a manner as possible." EPIC recently submitted two urgent Freedom of Information Act requests for Judge Kavanaugh's White House records during the time when many of the post-September 11 mass surveillance systems were implemented. (Aug. 8, 2018)

  • In comments to the U.S. Census Bureau, EPIC opposed the agency's decision to add a citizenship question to the 2020 census. The administration's stated purpose for the question is to assist the DOJ, but EPIC argued that census data should never be used for enforcement purposes because collecting data to enforce laws will interfere with the census's constitutional purpose and will undermine the integrity of the census. The Bureau earlier conducted a Privacy Impact Assessment for the census, but it did not acknowledge the privacy risks raised by the recently added citizenship question. EPIC said the assessment does not meet the Commerce Department's standards and that it is required to conduct a revised assessment, analyzing the privacy risks created by the citizenship question. Through a Freedom of Information Act request, EPIC obtained documents (part 1, part 2, part 3, part 4) concerning Commerce Secretary Wilbur Ross and the citizenship question. The census raises significant privacy risks and was used to target Japanese-Americans for internment in World War II. EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to DHS after 9-11. As a consequence of EPIC's lawsuit, the Census Bureau revised its policy on disclosing statistical information about "sensitive populations" to law enforcement and intelligence agencies. (Aug. 8, 2018)

  • EPIC has sent a letter to the Federal Communications Commission urging the FCC to act immediately on a Petition submitted by EPIC and a coalition of civil rights organizations, technical experts and legal scholars exactly three years ago. The Petition called for an end to the FCC rule requiring the mass retention of phone records, known as the “data retention mandate.” EPIC explained in the Petition that the rule was “unduly burdensome and ineffectual and posed an ongoing threat to the privacy and security of American consumers. The U.S. Supreme Court recently declared that cell phone location records are protected under the Fourth Amendment in Carpenter v. United States. EPIC wrote in the letter that “as we anticipated in the original Petition, the retention of cell phone data implicates constitutional interests.” All of the comments received by the FCC on this topic favored an end to the mandate.
    (Aug. 2, 2018)

  • EPIC has filed a Freedom of Information Act lawsuit against the Department of Justice for the release of reports on the collection and use of cell site location information. Modern cell phones generate precise location records, known as “cell site location information,” that was often accessible to law enforcement agencies. However, the Department of Justice has never produced any comprehensive reports concerning the use of cell site data. In Carpenter v. United States, the Supreme Court held that the Fourth Amendment protects location records generated and that the “police must get a warrant when collecting” cell site location information. In the complaint, EPIC stated that it “seeks to determine the use, effectiveness, cost, and necessity in the collection and use of cell site location information so that the public, lawmakers, and the courts may have a better understanding of the use of this investigative technique.” The case is EPIC v. DOJ, No. 18-1814 (D.D.C. filed August 1, 2018). (Aug. 2, 2018)

  • EPIC has submitted two urgent Freedom of Information Act requests to the George W. Bush Library for records about Supreme Court nominee Brett M. Kavanaugh and various proposals for surveillance of the American public. Judge Kavanaugh served as Staff Secretary for President Bush between 2003 and 2006. During that time, many of the post-September 11 mass surveillance systems were implemented such as the warrantless wiretapping of Americans, which were later deemed unconstitutional, as well as Total Information Awareness, airport body scanners, and Real ID. The first EPIC FOIA request concerns staff files during his tenure at the White House and the second EPIC FOIA request concerns his e-mails. Judge Kavanaugh has stated that his time serving as Staff Secretary was “the most interesting, and in many ways, among the most instructive” to his work as a judge. Judge Kavanaugh also wrote an opinion on the D.C. Circuit Court of Appeals, defending mass surveillance, that surprised even conservative legal scholars.

    (Aug. 2, 2018)

  • EPIC submitted comments in response to the the National Telecommunications and Information Administration's request for recommendations on its international internet policy priorities. NTIA is the Executive Branch agency that is principally responsible by law for advising the President on telecommunications and information policy issues. EPIC recommended that the administration (1) enact comprehensive privacy law, based on the OECD Privacy Guidelines); (2) encourage US firms to comply with GDPR; and (3) ratify the Council of Europe Privacy Convention. EPIC has urged Congress to update U.S. privacy laws and recently wrote in the Financial Times that “Instead of criticizing the EU effort, the Commerce Department should help develop a comprehensive strategy to update US data protection laws.” EPIC comments to the NTIA also addressed Algorithmic Transparency, security standards for the Internet of Things, and data minimization. (Aug. 1, 2018)

  • In detailed comments, EPIC advised the FTC to strengthen a proposed settlement with ReadyTech concerning Privacy Shield, a framework that permits the flow of data on Europeans to the U.S. The FTC settlement prohibited the company from making future misrepresentations regarding compliance with Privacy Shield, but provided no relief for Europeans whose data was unlawfully collected. EPIC urged the FTC to require ReadyTech to undergo and release independent privacy assessments, disgorge all data collected from E.U. citizens, and implement Fair Information Practices. EPIC told the FTC that enforcement of Privacy Shield comes at a critical moment, as the European Parliament recently called for suspension by September 1st if the U.S. does not fully comply. EPIC stressed the urgency of the FTC’s Facebook-Cambridge Analytica investigation, which the European Parliament highlighted as a particular concern. EPIC previously told the FTC that the Cambridge Analytic breach could have been prevented had the FTC enforced the 2011 Consent Order against Facebook, which EPIC and other organizations helped obtain. (Aug. 1, 2018)

  • EPIC submitted a Freedom of Information Act request to the Transportation Security Authority after renews reports that the agency secretly surveills airport travelers. The program, known as "Quiet Skies," uses teams of federal marshals to track and observe unsuspecting travelers while they are in the airport and on flights. A Government Accountability Office report on a similar program that used behavioral analysis found the program to be ineffective. The GAO report stated that the "Screening of Passengers by Observation Techniques" program also raised significant concerns over racial and ethnic profiling. EPIC has urged TSA to undertake a comprehensive audit of the civil rights impact of airport screening policies on racial and religious minorities. (Jul. 31, 2018)

  • EPIC is planning to submit a Freedom of Information Act request to the Bush Library and the National Archives and Records Administration for records concerning programs of mass surveillance and Supreme Court nominee Brett M. Kavanaugh. Kavanaugh served as Assistant to the President and Staff Secretary for President George W. Bush between July 2003 and May 2006. During that time, the Bush administration undertook a wide range of mass surveillance programs, including the warrantless wiretapping of Americans, which was later deemed unlawful. On the federal appellate court, Judge Kavanaugh wrote that a suspicionless surveillance program "is entirely consistent with the Fourth Amendment." "Critical national security need outweighs the impact on privacy occasioned by the program," wrote Kavanaugh. Other programs backed by the White House when Judge Kavanaugh served as White House Staff Secretary include Total Information Awareness, airport body scanners, and Real ID. (Jul. 30, 2018)

  • In advance of a hearing on "The Internet and Digital Communications: Examining the Impact of Global Internet Governance," EPIC urged the Senate Commerce Committee to prioritize updating U.S. privacy law to respond to changes in technology. "The failure of the United States to address the growing concerns about online privacy is threatening both the digital economy and democratic institutions," EPIC stated. EPIC explained that privacy protection is necessary to ensure the free flow of information online. EPIC again warned Congress that Europe may suspend the Privacy Shield, a framework that permits the flow of European consumers' personal data to the U.S, if the United States does not modernize privacy law and establish a federal data protection agency. (Jul. 30, 2018)

  • A federal judge ruled that lawsuits challenging the Trump administration's decision to add a question on citizenship status to the 2020 census could move forward. The court rejected the administration's claim that the plaintiffs lacked standing and ruled that it was "plausible" that the decision was motivated by racial animus and would result in a discriminatory effect on immigrant communities. Through a Freedom of Information Act request, EPIC obtained documents (part 1, part 2, part 3, part 4) considered by Commerce Secretary Wilbur Ross to add the citizenship question. The census raises significant privacy risks and has been used to discriminate. EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to DHS after 9-11. (Jul. 27, 2018)

  • The NSA's Office of Inspector General issued the first unclassified semi-annual report to Congress on the National Security Agency. The report describes the internal watchdog's audits, studies, and investigations of the NSA's activities. Among other findings, the OIG uncovered improper searches through U.S. persons' data collected under the Foreign Intelligence Surveillance Act, as well as "many instances of noncompliance" with rules to secure NSA networks, systems, and data. In 2012, EPIC testified before Congress on the need for better reporting on the use of FISA authorities. EPIC also routinely highlights reporting on federal surveillance under the Wiretap Act. In EPIC v. NSA, EPIC obtained the Presidential Decision Directive, outlining the agency's authority for domestic surveillance. (Jul. 25, 2018)

  • In comments to Customs and Border Protection, EPIC urged the agency to suspend the Biometric Entry/Exit Program. EPIC argued that less privacy-invasive alternatives should be considered and that the program should not move forward until Congress has passed regulations implementing safeguards for the use of biometrics. CBP solicited comments about the collection of biometrics, based on facial recognition, from people in vehicles crossing the border. EPIC said that such an expansion could quickly lead to a program of mass surveillance. In EPIC v. CBP, EPIC has sued the agency for details about the program. A report EPIC obtained in the lawsuit showed that facial recognition at a pedestrian border failed to perform at a "satisfactory" level. (Jul. 25, 2018)

  • EPIC has sent a statement to the House Commerce Committee for a hearing on the Federal Communications Commission. EPIC urged the Committee to push the FCC to develop a comprehensive plan for online privacy. EPIC also asked the Committee to press the nominees to repeal a FCC regulation that requires the retention of telephone customer records for 18 months. EPIC filed a petition urging the repeal of this mandate more than two years ago and the FCC recently docketed the petition for public comment. Every comment received by the FCC favored the EPIC petition to end the data retention mandate. EPIC has submitted multiple comments to the FCC for strong online privacy protections. (Jul. 24, 2018)

  • Through a Freedom of Information Act lawsuit, EPIC obtained Customs and Border Protection's directive on Unmanned Aircraft System Operations and Privacy. The directive allows the agency to disseminate information collected through drone operations with federal, state, local, tribal, and foreign law enforcement agencies. EPIC's FOIA request stems from 2015 Presidential Memorandum that requires all federal agencies to develop and publish policies and procedures that address the privacy, civil liberties, and civil right issues posed by the use of drones. EPIC recently sent a statement to the Senate Committee on Homeland Security and Government Affairs, urging the Committee to not consider a S. 2836, Preventing Emerging Threats Act of 2018: Countering Malicious Drones, until all federal agencies establish drone privacy procedures. (Jul. 20, 2018)

  • Sen. Dianne Feinstein (D-Calif.) has introduced S. 3127, the Bot Disclosure and Accountability Act of 2018. The bill directs the FTC to create a rule to require social media companies to disclose any social media bots on their platform. The bill also prohibits candidates and political parties from using bots. "This bill is designed to help respond to Russia's efforts to interfere in U.S. elections through the use of social media bots, which spread divisive propaganda," Feinstein said. Earlier this week, EPIC sent a statement to the House Judiciary Committee arguing that "algorithmic transparency" could help establish fairness, transparency, and accountability for much of what users see online. EPIC has also recommended identification requirements for drones. (Jul. 19, 2018)

  • Today the Department of Justice released a summary and assessment of federal agencies' Chief FOIA Officer Reports. The annual FOIA Report provides a detailed assessment of FOIA processing across the federal government. The summary tracks the Department's FOIA Guidelines: Applying the Presumption of Openness, Having Effective Systems for Responding to Requests, Making Information Available Proactively, Utilizing Technology, and Reducing Backlogs and Improving Timeliness. The guidance offers methods to manage these backlogs, guidance on closing oldest consultations, and recommending that agencies post raw data from the annual FOIA reports. EPIC pursues an extensive FOIA docket. (Jul. 19, 2018)

  • EPIC and a coalition of groups gave the White House the final go-ahead today to destroy the state voter data unlawfully collected by the Presidential Election Commission. In a notice to the federal court overseeing EPIC v. Commission, EPIC and the other groups that sued the Commission said that the White House should delete the data as it stated earlier it would. The deletion of the voter data is the outcome EPIC sought in EPIC v. Commission, which challenged the Commission for failing to conduct a required Privacy Impact Assessment before collecting personal data. As a result of EPIC's case, the Commission previously suspended its data collection, discontinued the use of an unsafe computer server, and deleted a prior batch of voter information that was illegally obtained. The Commission was disbanded in January. (Jul. 19, 2018)

  • In testimony this morning before the House Energy and Commerce Committee, new Federal Trade Commission Chairman Joseph Simons said the FTC needs greater authority to protect consumers. Simons asserted that privacy and data security are now the top priority for the FTC, and signaled his support for data protection legislation that would accomplish three things: (1) provide civil penalties for companies that violated the law, (2) give the FTC jurisdiction over nonprofits and common carriers, and (3) provide the FTC with rulemaking authority for privacy and data security. EPIC submitted a statement prior to today's hearing emphasizing that the FTC must conclude its investigation of Facebook and issue a fine for its violations of the 2011 Consent Order and unwind the Facebook-WhatsApp deal. (Jul. 18, 2018)

  • EPIC has sent a statement to the House Energy and Commerce Committee in advance of a hearing on “Oversight of the Federal Trade Commission.” EPIC told the Committee to urge the new FTC leadership to enforce the Facebook Consent Order and unwind the Facebook-WhatsApp merger As EPIC previously told Congress, the Cambridge Analytica breach could have been avoided if the FTC had enforced its 2011 Consent Order against Facebook. That Order was the result of detailed complaints filed by EPIC and consumer privacy organizations in 2009 and 2010. In 2014, EPIC and the Center for Digital Democracy urged the FTC to block Facebook’s acquisition of WhatsApp unless appropriate privacy safeguards were put in place. In 2016, EPIC and CDD filed a second complaint after Facebook broke its privacy promises and began collecting WhatsApp users' data. (Jul. 17, 2018)

  • EPIC wrote to FAA Acting Administrator Daniel K. Elwell today to request that the agency livestream the FAA Drone Advisory Committee meeting that takes place tomorrow in Santa Clara. Earlier this year, EPIC filed suit against the Drone Committee, alleging that it had conducted much of its work in secret and ignored the privacy risks posed by the deployment of drones. As EPIC explained in the request for public streaming, “the FAA’s Drone Advisory Committee plays a key role in setting public policy on drone deployment for the United States, yet the public is largely excluded from this process. This secrecy is of particular concern given ongoing public concerns about the deployment of drones in the United States.” (Jul. 16, 2018)

  • In advance of a hearing on Filtering Practices of Social Media Companies, EPIC has sent a statement to the House Judiciary Committee. EPIC said that "algorithmic transparency" could help establish fairness, transparency, and accountability for much of what users see online. In 2011, EPIC sent a letter to the FTC stating that Google's acquisition of YouTube led to a skewing of search results after Google substituted its secret "relevance" ranking for the original objective ranking, based on hits and ratings. The FTC took no action on EPIC's complaint. But last year, after a seven year investigation, the European Commission found that Google rigged search results to give preference to its own shopping service. The Commission required Google to change its algorithm to rank its own shopping comparison the same way it ranks its competitors. (Jul. 16, 2018)

  • EPIC has filed an amicus brief in Frank v. Gaos, concerning a class action settlement that provided no benefit to Internet users and no change in the business practices of defendant Google. EPIC said the settlement was not "fair, reasonable, and adequate." The case involves Google's disclosure of Internet user search histories to third parties without user consent, a business practice that could violate federal and state privacy law. EPIC stated, "The proposed settlement is bad for consumers and does nothing to change Google's business practices." A federal appeals court narrowly approved that settlement, 2-1, with the dissenting judge warning that courts must be on the lookout "not only for explicit collusion, but also for more subtle signs that class counsel have allowed pursuit of their own self-interests." EPIC said that, "cy pres requires vigilant judicial oversight to guard against the risks of collusion and ensure that judges are not rubber-stamping settlements that pay attorneys while failing to benefit class members." EPIC and several consumer privacy organization objected to the original settlement on three separate occasions. EPIC routinely opposes class action settlements that fail to provided a benefit to Internet users. (Jul. 16, 2018)

  • Russian intelligence officers hacked the website of a political organization in 2016 and stole personal data on more than 500,000 voters, according to a new indictment from the Special Counsel's Office. The stolen data included "names, addresses, partial social security numbers, dates of birth and driver's license numbers." In January 2017, EPIC sued the FBI for information about the agency's failure to respond to foreign cyber attacks on the DNC and the RNC. EPIC eventually obtained the victim notification procedures that would have applied during the 2016 Presidential election, but which the FBI failed to follow. Almost 18 months have passed since the filing of EPIC v. FBI and the first criminal indictments. (Jul. 13, 2018)

  • EPIC has sent a letter to the Federal Trade Commission and the European Data Protection Board urging the suspension of a proposed study that will disclose user data to third parties without their consent. EPIC warned that the Social Science One project transfer likely violates the GDPR, as well as the FTC's 2011 Consent Order with Facebook, which bars Facebook from disclosing data to third parties without users' affirmative consent. The FTC announced in April that Facebook is under investigation over the transfer of personal data to Cambridge Analytica, a research organization affiliated with a prestigious university. In 2012, Facebook conducted a psychological experiment on its users by secretly manipulating their news feeds to examine the effects of social media on user emotions. The study was suspended after objections from EPIC, professional societies, and others. The Guardian reported that the "lack of 'informed consent' means that Facebook experiment on nearly 700,000 news feeds broke rules on tests on human subjects." (Jul. 13, 2018)

  • In a companion case to EPIC v. FAA, the D.C. Circuit ruled in Taylor v. FAA that the regulations for drones operated by hobbyists are within the agency's statutory authority. The D.C. Circuit previously ruled that EPIC lacked standing to compel the FAA to establish privacy rules for commercial drones. The D.C. Circuit declined to reach the merits of EPIC's challenge. The FAA is expected to issue rules later this year that will require drones to identify themselves with radio beacons, as EPIC had previously urged. (Jul. 13, 2018)

  • EPIC and a coalition of organizations sent a letter to Congress urging an investigation of the Department of Homeland Security's records management practices. The concern follows the administration's "zero-tolerance" immigration enforcement policy and family unification efforts. Recent reports indicate that border agents are improperly destroying records of the separated families, making it difficult to reestablish family connections. "The purposeful deletion of records by border agents would be a clear violation of the [Federal Records Act], with dire humanitarian consequences," the group stated. The letter also encouraged Congress to ensure DHS is fulfilling its transparency obligations by making its policy guidances available to the public. EPIC has previously warned the Senate about the misuse of immigrant data by the DHS. (Jul. 12, 2018)

  • In the first public consultation held by the European Data Protection Board, EPIC proposed a rights-based certification criteria for the General Data Protection Regulation. The Data Protection Board is now the lead privacy agency in Europe. EPIC explained the risks of self-regulatory certification mechanisms, pointing to TRUSTe and the Facebook audits obtained by EPIC that wrongly certified Facebook's compliance with the 2011 FTC Consent Order. EPIC said, certification mechanisms "must be developed by national DPAs and implemented in conformity with the fundamental principles and rights of the GDPR." EPIC has also advised the UK Information Commissioner's Office and the Irish Data Protection Commissioner on GDPR enforcement. (Jul. 12, 2018)

  • In advance of a joint Committee hearing on "Oversight of FBI and DOJ Actions Surrounding the 2016 Election," EPIC has sent a statement to the House Judiciary and House Oversight Committees urging the release of the complete declassified Intelligence Community report on Russian interference in the 2016 U.S. Presidential Election. EPIC pursued a FOIA lawsuit, EPIC v. ODNI, to obtain public release of the complete Intelligence report, and a federal court ruled that ODNI could withhold the document from public release. However, a recent report from the Senate Select Committee on Intelligence confirmed the 2017 assessment from the Intelligence Community. The Intelligence report stated "Russia's goals were to undermine public faith in the U.S. democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump." EPIC argued that, in light of this report, the public has a right to know the Intelligence Community's findings. In 2017, EPIC launched a new project on Democracy and Cybersecurity to focus attention on new threats to democratic institutions. (Jul. 11, 2018)

  • The Information Commissioner's Office, the lead agency for data protection in England, has issued the maximum £500,000 fine on Facebook for failing to secure user data from Cambridge Analytica. ICO investigations found that Cambridge Analytica harvested 87 million Facebook users' personal data to target ads for political purposes, and that Facebook did not compel the deletion of this data to prevent further misuses. Facebook was charged with two violations of the UK Data Protection Act 1998: "failing to safeguard people's information [and] failing to be transparent about how people's data was harvested by others and why they might be targeted by a political party or campaign." ICO also told other companies that served online political ads during the EU Brexit Referendum to stop processing UK citizens' data. In March and April, EPIC told the FTC and Congress that the Cambridge Analytica breach could have been prevented if the FTC had enforced the 2011 Consent Order with Facebook. The FTC is currently investigating Facebook but has never imposed any fines against the company. (Jul. 11, 2018)

  • In advance of the hearing "Protecting Customer Proprietary Network Information in the Internet Age," EPIC urged Congress to protect the privacy of users of third-party apps, such as WhatsApp and Google Voice. The Telecommunications Act of 1996 protects the privacy of "CPNI" — phone numbers dialed, date and time of calls — but this safeguard does not cover internet-based calls. EPIC told Congress that CPNI privacy rules should apply to both telecommunications companies and Internet firms. In 2005, EPIC filed the original FCC petition to extend CPNI privacy protections. EPIC also proposed uniform privacy standards for telecommunications firms and information service providers in the 2016 FCC Privacy Order. (Jul. 10, 2018)

  • In advance of a hearing on "Examining Warrantless Smartphone Searches at the Border," EPIC has sent a statement to the Senate urging a warrant requirement for searches of electronic devices at the border. EPIC recently filed a Freedom of Information Act lawsuit against Immigration and Customs Enforcement for details of the agency's warrantless searches of mobile devices. ICE has contracts with Cellebrite to extract data from mobile devices, including personal data stored in cloud-based accounts, without judicial authority. Privacy complaints regarding the search of mobile devices at the border continue to increase. Senator Patrick Leahy (D-VT) and Senator Steve Daines (R-MT) have introduced S. 2386, legislation to restrict border searches of cellphones. EPIC Advisory Board member Professor Laura Donohue will testify at the hearing. (Jul. 10, 2018)

  • President Trump's nomination of Judge Brett M. Kavanaugh to the Supreme Court has raised concerns about the future of privacy and Constitutional protections against government surveillance. As a judge on the D.C. Circuit Court of Appeals, Kavanaugh upheld the warrantless, widespread, and suspicionless collection of call records of Americans. Kavanaugh, authoring an opinion where none was expected, wrote that the mass surveillance program "is entirely consistent with the Fourth Amendment." Kavanaugh further stated that even if the search triggered constitutional concerns, it "fit comfortably" in the special needs exception to the Fourth Amendment. "Critical national security need outweighs the impact on privacy occasioned by the program," wrote Kavanaugh. Congress subsequently determined that the data collection activity was overly broad and terminated the program. EPIC will ask the Senate Judiciary Committee to question Kavanaugh on a wide range of privacy, First Amendment, open government, and consumer protection issues. EPIC has submitted similar statements to the Judiciary Committee for the hearings on Justice Gorsuch, Justice Kagan, Justice Sotomayor, Justice Alito, and Chief Justice Roberts. (Jul. 10, 2018)

  • Members of the House Energy and Commerce Committee have sent letters to Apple CEO Tim Cook and Alphabet CEO Larry Page seeking information about the data collection capabilities of smartphones. Prompted by recent privacy scandals, the representatives asked Google and Apple whether their devices track users' location even when location services are disabled or record users' private conversations without a "trigger" word. The issue of smartphones and privacy has generated widespread attention following the Supreme Court's landmark ruling in Carpenter v. U.S. that the Fourth Amendment protects location records generated by mobile phones. EPIC recently advised Congress to strengthen privacy protections for mobile location data in response to the Supreme Court's ruling. (Jul. 10, 2018)

  • EPIC has filed an amicus brief with the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp, about the collection of a child's biometric data in violation of the Illinois Biometric Information Privacy Act. EPIC explained that the Illinois biometric law "imposes clear responsibilities on companies that collect biometric identifiers" and said the company had failed to comply with the state law. EPIC made clear that "collection is the threshold safeguard in privacy law" and if corresponding provisions are "not enforced, the statute’s subsequent provisions are of little consequence." EPIC first identified the risk of collecting biometric data from children entering amusement parks in a 2005 report "Theme Parks and Your Privacy." The state of Illinois adopted the nation's first biometric privacy law in 2008. EPIC has long advocated for strict limits on use of biometric data. EPIC also routinely submits amicus briefs, including in the recent OPM data breach case that concerned the breach of 5.1 million fingerprints, precisely the same biometric data at issue in this case. (Jul. 5, 2018)

  • EPIC and a coalition of civil society organizations urged the Council of Europe to include robust human rights protections in the proposed revision to the Convention on Cybercrime. Otherwise, the updates could enable "a race to the bottom for protection," the coalition warned. The groups opposed the CLOUD Act model for law enforcement access to data in foreign jurisdictions, calling instead for robust transparency and accountability requirements. The human rights groups also urged widespread ratification of the International Privacy Convention 108. EPIC and US consumer rights groups have long campaigned for United States ratification of Convention 108. (Jul. 5, 2018)

  • In comments to the Irish Data Protection Commission, EPIC proposed guidance for Data Protection Impact Assessments. The EU General Data Protection Regulation requires organizations to carefully assess the collection and use of personal data. EPIC explained that Data Protection Impact Assessments require the disclosure of the reason for the processing of personal data. EPIC also urged the Irish Privacy Commission to protect individuals against profiling and tracking by minimizing the collection of sensitive data. EPIC supports "Algorithmic Transparency" and brought FTC consumer complaints to promote accountability over secret algorithms. EPIC has also advised the UK Information Commissioner's Office on Data Protection Impact Assessments and GDPR implementation. (Jul. 5, 2018)

  • The European Parliament has called for the suspension of the "Privacy Shield" if the U.S. does not comply in full by September 1, 2018. The resolution states that the pact, which permits US companies to obtain the personal data of European, does not protect privacy. The Parliament cited numerous problems, including the Cambridge Analytica breach of 87 million Facebook users data, the reauthorization of FISA Section 702, the failure to appoint members to the PCLOB, and passage of the CLOUD Act, which permits US law enforcement agencies to access personal data stored in Europe. The vote of the full Parliament follows an earlier statement from the civil liberties "LIBE" committee. EPIC highlighted many of the same concerns in recent comments. EPIC also told the FTC that the Cambridge Analytica breach could have been prevented if the FTC had enforced its 2011 Consent Order with Facebook. The European Commission, the EU body in charge of the Shield, must now decide how to respond. (Jul. 5, 2018)

  • A report from the Senate Select Committee on Intelligence has confirmed the 2017 assessment from the Intelligence Community on Russian interference with the 2016 election. The Intelligence report stated "Russia's goals were to undermine public faith in the U.S. democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump." Senate Committee Chair Richard Burr (R-NC) said "the Committee has spent the last 16 months reviewing the sources, tradecraft and analytic work underpinning the Intelligence Community Assessment and sees no reason to dispute the conclusions," The Senate Report also stated, "the Committee's investigation has exposed a far more extensive Russian effort to manipulate social media outlets to sow discord and to interfere in the 2016 election and American society" than the Intelligence Community assessment reported. EPIC pursued a FOIA lawsuit, EPIC v. ODNI, to obtain public release of the complete Intelligence report. In 2017, EPIC launched a new project on Democracy and Cybersecurity to focus attention on new threats to democratic institutions. (Jul. 5, 2018)

  • In a petition to the Office of Science and Technology Policy, EPIC, leading scientific organizations, including AAAS, ACM and IEEE, and nearly 100 experts urged the White House to solicit public comments on artificial intelligence policy. The Open AI Policy petition follows a White House summit on "AI and American Industry" that was closed to the public and ignored issues such as privacy, accountability, and fairness. EPIC has filed a Freedom of Information Act request seeking records about the establishment of the Select Committee. In advance of a recent hearing on Artificial Intelligence, EPIC also told the House Science Committee that Congress must implement oversight mechanisms for the use of AI by federal agencies. In 2014, EPIC led a similar petition drive for a White House initiative on Big Data. (Jul. 3, 2018)

  • The FTC announced today that it settled charges with ReadyTech, a California company, for misrepresenting compliance with Privacy Shield, a self-certification arrangement that allows US companies to obtain the personal data of Europeans. The FTC settlement prohibits the company from making future misrepresentations about Privacy Shield compliance, but imposes no penalties and provides no remedy to European consumers whose personal data was wrongfully obtained. Last year, the FTC settled charges with three companies that misrepresented their participation in Privacy Shield, but similarly failed to impose penalties. The European Parliament's Civil Liberties Committee ("LIBE") recently passed a resolution stating that Privacy Shield does not protect European consumers, and called for its suspension if the U.S. does not comply by September 1, 2018. LIBE specifically called attention to the Cambridge Analytica breach of 87 million Facebook users. In March, EPIC told the FTC that the Cambridge Analytica breach could have been prevented if the FTC had enforced its 2011 Consent Order with Facebook. (Jul. 2, 2018)

  • Late Friday afternoon, Facebook submitted over 700 pages of responses to questions from members of Congress following Mark Zuckerberg's testimony in April. Facebook has now admitted that it provided developers and device makers access to personal data despite publicly stating that it had discontinued the practice. In April EPIC submitted a detailed letter to Congress, explaining that the Cambridge Analytica breach could have been avoided if the FTC had enforced the 2011 Consent Order. That Consent Order was the result of extensive complaints EPIC and consumer organizations filed with the FTC in 2009 and 2010. In March, the Acting Director of the FTC stated "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook." In a recent memo, FTC Commissioner Rohit Chopra stated that "FTC orders are not suggestions." (Jul. 2, 2018)

  • In comments to the National Institute of Standards and Technology, EPIC backed NIST's efforts to coordinate "lightweight" crypto standards. EPIC took no position on the specific proposal, but expressed support for the NIST standard-setting process. EPIC said, "NIST's expertise in cryptography, its authority to accept public comment, and its ability to bring together leading experts to evaluate proposals is critical to the adoption of trustworthy computer standards in the United States and around the world." EPIC helped establish the freedom to use encryption in the United States with the "Clipper Chip" petition and has pursued many efforts to safeguard this right. Last week, EPIC advised NIST to revise the Risk Management Framework to make clear that federal agencies are required to conduct privacy impact assessments. (Jun. 29, 2018)

  • EPIC advised the FCC on how to interpret the Telephone Communications Protection Act to best protect consumers in light of the recent decision in ACA Int'l v. FCC. EPIC filed a friend of the court brief in that case arguing that consumers could revoke consent by any "reasonable means." The court agreed but vacated other aspects of the rule. Many industry groups urged the Commission to make a rule that if "any" human intervention is involved in the dialing or sorting of the list of numbers a calling system would not be considered an "automatic telephone dialing system." EPIC opposed that recommendation, explaining that such a definition would allow autodialers to use deceptive tactics to evade regulation. EPIC contributed to the development of the Telephone Communications Protection Act and regularly submits comments to the FCC. (Jun. 29, 2018)

  • EPIC has submitted comments to the UK Data Protection Authority on implementation of the General Data Protection Regulation. EPIC urged the UK privacy agency to (1) promote transparency of enforcement proceedings, (2) increase scrutiny of mergers concerning personal data, and (3) encourage cooperation with the US FTC. EPIC said that international cooperation is necessary to hold companies accountable. Yesterday, EPIC and several consumer groups urged the FTC to investigate Facebook and Google's deceptive consent practices that violate both US and UK law. Last year, EPIC made similar recommendations on the FTC 2018-2022 Strategic Plan. (Jun. 28, 2018)

  • The State of California has enacted the California Consumer Privacy Act of 2018, the most comprehensive consumer privacy state law ever enacted in the United States. The Act will establish the right of residents of California to know what personal information about them is being collected; to know whether their information is sold or disclosed and to whom; to limit the sale of personal information to others; to access their information held by others; and to obtain equal service and price, even if they exercise their privacy rights. The Act will allow individuals to delete their data and it will establish opt-in consent for those under 16. The Consumer Privacy Act provides for enforcement by the Attorney General, a private right of action, and will establish a Consumer Privacy Fund to support the purposes of Act. The California Consumer Privacy Act of 2018 follows a California ballot initiative that gathered over 600,000 signatures. After the Equifax data breach, EPIC testified in the U.S. Senate that comprehensive privacy legislation was long overdue. The EPIC State Policy Project also provides expertise to the states to help shape strong privacy laws. (Jun. 28, 2018)

  • The White House's Select Committee on Artificial Intelligence held its first meeting this week but the public was not invited. The Select Committee was announced last month at the White House Summit on Artificial Intelligence for American Industry which was also closed to public participation. According to the Summit report, many of the critical issues in the AI field, including "fairness," "transparency," and "accountability," were never mentioned. EPIC has filed a Freedom of Information Act request seeking records about the establishment of the Select Committee. In advance of a hearing this week on Artificial Intelligence, EPIC told the House Science Committee that Congress must implement oversight mechanisms for the use of AI by federal agencies and ensure that the White House Select Committee is open to public participation. (Jun. 28, 2018)

  • A federal court in Washington, DC has ruled that the Presidential Election Commission must release a large volume of records detailing its activities from last year. The ruling, in a case brought by Maine Secretary of State and EPIC Champion of Freedom Matthew Dunlap, requires the Commission to disclose all "relevant documents that any of the former commissioners generated or received." After the court ordered the Commission to release the same records in December, the President abruptly disbanded the Commission. EPIC brought the lead case against the Commission, forcing it to suspend the collection of voter data, discontinue the use of an unsafe computer server, and delete the voter information that was unlawfully obtained. EPIC is continuing to pursue its case on appeal and will ask the Supreme Court to grant review. (Jun. 28, 2018)

  • EPIC has filed an amicus brief with the Ninth Circuit Court of Appeals in In re: Facebook, Inc. Internet Tracking Litigation. At issue is whether Facebook violated the privacy rights of users by tracking their web browsing even after they logged out of the platform. EPIC explained that cookies "no longer serve the interests of users" and instead "tag, track, and monitor users across the Internet." EPIC said a lower court wrongly concluded that users should develop countermeasures to assert their privacy rights. EPIC responded that it would be absurd to expect users to compete in a "technical arms race" when "Facebook's tracking techniques are designed to escape detection and the company routinely ignores users' privacy protections." EPIC first identified the privacy risks of cookie tracking in a 1997 report "Surfer Beware: Personal Privacy and the Internet." EPIC frequently participates as amicus curiae in consumer privacy cases, including hiQ Labs v. LinkedIn and Eichenberger v. ESPN. (Jun. 27, 2018)

  • The Federal Election Commission is holding a two day hearing to hear expert testimony on the agency's proposed rule governing disclosures for political ads on the Internet. Christine Bannan, EPIC Administrative Law and Policy Fellow, will testify on the second day of the hearing. EPIC submitted multiple comments to the FEC urging the agency to promulgate rules that would require online political ads to disclose funders as is required for traditional media ads. EPIC proposed the FEC adopt "algorithmic transparency" procedures that would require advertisers to disclose the demographic factors behind targeted political ads, as well as the source and payment, and maintain a public directory of advertiser data. EPIC's Project on Democracy and Cybersecurity, established after the 2016 presidential election, seeks to safeguard democratic institutions from various forms of cyber attack. (Jun. 27, 2018)

  • EPIC and a coalition of consumer organizations sent a letter to the FTC about recent tactics by Facebook and Google to trick users into disclosing personal data. "We urge you to investigate the misleading and manipulative tactics of the dominant digital platforms in the United States, which steer users to 'consent' to privacy-invasive default settings," the letter states. The letter highlights a report by the Norwegian Consumer Council entitled "Deceived by Design," which details how companies employ numerous tricks and tactics to nudge users into selecting the least privacy-friendly options. EPIC and consumer privacy organizations previously filed complaints with the FTC when Facebook undermined users' privacy settings and Google automatically opted users into Google Buzz. In both cases, the FTC determined that the companies had engaged in "unfair and deceptive trade practices." Both Facebook and Google settled with the FTC and were then subject to 20 year consent orders that were intended to prevent the companies from engaging in similar practices in the future. (Jun. 27, 2018)

  • In advance of a hearing on “Bolstering Data Privacy and Mobile Security” EPIC has told the House Science Committee that Congress should apply a heightened “super warrant” standard to "StingRays,” a technique for tracking cell phones users. After an EPIC FOIA lawsuit revealed that the FBI was using stingrays without a warrant, the Bureau changed its practices. EPIC filed amicus briefs in U.S. v. Jones and Carpenter v. U.S., two recent Supreme Court cases, arguing that a warrant is required to obtain location information. In a landmark ruling last week, the Supreme Court held that the Fourth Amendment protects location records generated by mobile phones. As a consequence, EPIC said, Congress should update federal privacy law. (Jun. 27, 2018)

  • In response to an EPIC Freedom of Information Act lawsuit, the Federal Trade Commission today released materials, previously withheld, from the biennial Facebook audits. The audits were required by the FTC's 2011 Consent Order with Facebook. Heavily redacted versions of those audits were previously available on the FTC's website. But in March, following the Cambridge Analytica breach, EPIC filed an urgent FOIA request for the complete 2013, 2015, 2017 Facebook audits. (The 2017 audit covers the period the Cambridge Analytica breach.) In a detailed letter to Congress in April, EPIC explained that the FTC failed to review the reports and failed to enforce the 2011 consent order against Facebook. The documents released today to EPIC contain information that was not previously available to the public. EPIC is currently reviewing the documents obtained from the FTC. (Jun. 26, 2018)

  • EPIC has submitted a Freedom of Information Act request to the General Service Administration about the White House's Select Committee on Artificial Intelligence. The Select Committee will advise the President and coordinate AI policies among executive branch agencies. The Select Committee charter states that it may receive advice from private sector groups, but it does not state whether the public will participate in the committee's activities. EPIC is seeking records from the GSA to determine whether the Committee intends to comply with federal open meeting obligations. EPIC has previously told Congress that the Select Committee should be open to public comment. (Jun. 26, 2018)

  • In advance of a hearing on "Artificial Intelligence - With Great Power Comes Great Responsibility," EPIC told the House Science Committee that Congress must implement oversight mechanisms for the use of AI. EPIC said that Congress should require algorithmic transparency, particularly for government systems that involve the processing of personal data. EPIC said that Congress should amend the E-Government Act to require disclosure of the "logic" of algorithms that profile individuals. EPIC also said that the White House Select Committee on Artificial Intelligence should be open to public comment. EPIC has pursued several criminal justice FOIA cases, and FTC consumer complaints to promote transparency and accountability. In 2015, EPIC launched an international campaign for Algorithmic Transparency. (Jun. 25, 2018)

  • In a landmark ruling, the U.S. Supreme Court held that the Fourth Amendment protects location records generated by mobile phones. The government in Carpenter v. United States had obtained more than 6 months of location records without a warrant. EPIC filed a "friend-of-the-court" brief in Carpenter, signed by thirty-six technical experts and legal scholars, urging the Court to recognize that the "world has changed since Smith v. Maryland" was decided. EPIC argued that "Cell phones are now as necessary to the life of Americans as they are ubiquitous" and that users expect their location data will remain private. The Court agreed, in a decision by the Chief Justice, emphasizing the importance of protecting privacy as technology advances: "As technology has enhanced the Government's capacity to encroach upon areas normally guarded from inquisitive eyes, this Court has sought to 'assure[ ] preservation of that degree of privacy against government that existed when the Fourth Amendment was adopted.'" The Court held that "an individual maintains a legitimate expectation of privacy in the record of his physical movements as captured through" a cell phone. Dissenting opinions were filed by Justices Kennedy, Thomas, Alito, and Gorsuch. (Jun. 22, 2018)

  • The FTC Chairman Joe Simmons announced today that the FTC will hold a series of public hearings this fall on how to safeguard consumer protection and competition in light of economic and technologic developments. "The hearings may identify areas for enforcement and policy guidance, including improvements to the agency's investigation and law enforcement processes, as well as areas that warrant additional study," said the FTC. The hearings will focus on several topics, including "the intersection between privacy, big data, and competition" and "the use of algorithmic decision tools, artificial intelligence, and predictive analytics." The FTC is requesting public comment in advance of the hearings. This will be the first time the FTC has reexamined its approach to consumer protection and competition since the FTC's 1995 hearings on "Global Competition and Innovation." EPIC participated in those hearings and helped the FTC develop authority to address emerging privacy issues. More recently, EPIC has put forward "10 Recommendations" for how the FTC can protect consumers, promote competition, and encourage innovation. (Jun. 20, 2018)

  • In a Senate Commerce Committee hearing today on Facebook and data privacy, former FTC CTO Ashkan Soltani stated that Facebook violated the 2011 FTC Consent Order by transferring personal data to Cambridge Analytica and device makers contrary to user privacy expectations. Soltani said that Facebook continued to misrepresent the extent to which users could control their privacy settings and allowed device makers to override users' privacy settings. Senator Blumenthal and other members of Congress had previously said the company violated the Consent Order, which was the result of complaints filed by EPIC in 2009 and 2010. In a statement to the Committee in advance of the hearing, EPIC urged the Senate to focus on the FTC's failure to enforce the Consent Order with Facebook. (Jun. 19, 2018)

  • The D.C. Circuit has scheduled oral argument in EPIC v. IRS, EPIC's Freedom of Information Act case to obtain public release of President Trump's tax returns. The Court will hear the case on Thursday, September 13, 2018. EPIC has argued that the IRS has the authority to disclose the President's returns to correct numerous misstatements of fact concerning his financial ties to Russia. For example, President Trump tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim "plainly contradicted by his own attorneys, family members, and business partners." As EPIC told the Court, "there has never been a more compelling FOIA request presented to the IRS." A broad majority of the American public favor the release of the President's tax returns. EPIC v. IRS is one of several FOIA cases EPIC is pursuing concerning Russian interference in the 2016 Presidential election, including EPIC v. FBI (response to Russian cyber attack) and EPIC v. DHS (election cybersecurity). (Jun. 19, 2018)

  • The D.C. Circuit ruled today in EPIC v. FAA that EPIC lacked standing to compel the FAA to establish privacy rules for commercial drones. In 2012 EPIC, backed by more than one hundred organizations and privacy experts, petitioned the agency to establish privacy safeguards for drones. EPIC also cited a 2012 law requiring the FAA to develop a "comprehensive plan" for drone deployment. EPIC subsequently filed suit against the FAA, challenging the 2016 rule authorizing commercial drone operations without any privacy safeguards. Today the D.C. Circuit declined to reach the merits of EPIC's challenge, finding that neither EPIC nor its members had established an "injury" caused by the FAA rule. EPIC will continue to push for the establishment of drone privacy safeguards at the FAA. The drone privacy case is EPIC v. FAA, No. 16-1297 (D.C. Cir.). (Jun. 19, 2018)

  • EPIC has sent a statement to the Senate Commerce Committee outlining the FTC's failure to enforce the 2011 Consent Order with Facebook. The statement from EPIC is for a hearing on "Cambridge Analytica and Other Facebook Partners: Examining Data Privacy Risks." In 2009, EPIC and several consumer groups pursued a complaint, containing detailed evidence, legal theories, and proposed remedies to address growing concerns about Facebook's data practices. The FTC established a Consent Order in 2011, but failed to enforce the Order even after EPIC sued the agency in a related matter. In the statement to the Senate this week, EPIC contends that the FTC could have prevented the Cambridge Analytica debacle and Facebook's secret arrangements with device makers if the agency enforced the 2011 Order. (Jun. 19, 2018)

  • EPIC has submitted an urgent Freedom of Information Act request to the Department of Homeland Security seeking the Privacy Impact Assessment for the "Homeland Advanced Recognition Technology," a proposed system that will integrate biometric identifiers across the federal government. HART would replace IDENT, which now contains biometric records on over 220 million unique individuals. In 2015 a breach at the Office of Personnel Management compromised 22 m records, including 5 m digitized fingerprints. It appears that Homeland Security failed to complete the Privacy Assessment prior to launching HART. By law, a federal agency is required to conduct a Privacy Impact Assessment before procuring information technology that stores personally identifiable information. In EPIC v. Presidential Election Commission, EPIC challenged the failure of the Commission to undertake a Privacy Impact Assessment prior to the collection of state voter data. The Commission was shuttered earlier this year. (Jun. 18, 2018)

  • EPIC has sent a statement to the Senate Judiciary Committee ahead of Monday's hearing "Examining the Inspector General’s First Report on Justice Department and FBI Actions in Advance of the 2016 Presidential Election." EPIC urged the Committee to explore the FBI's ability to respond to future cyberattacks. According to documents obtained by EPIC, the FBI is to notify victims of cyberattacks "even when it may interfere with another investigation or (intelligence) operation." But an AP investigation found that the FBI failed to notify hundreds of officials whose email was hacked during the 2016 election. EPIC obtained the FBI's Victim Notification Procedures through a Freedom of Information Act lawsuit, EPIC v. FBI. Last month, a federal court ruled that the agency may withhold records still sought by EPIC but said that lawmakers should pursue threats to democratic institutions described in the EPIC lawsuit. (Jun. 15, 2018)

  • EPIC submitted comments to the Consumer Product Safety Commission, urging the agency to regulate the privacy and security of Internet of Things devices. EPIC advised the Commission to require IoT manufacturers to (1) minimize data collection, (2) conduct privacy impact assessments, and (3) implement Privacy Enhancing Techniques (“PETs”). EPIC recently told Congress that “CPSC should establish mandatory privacy and security standards, and require certification to these standards before IoT devices are allowed into the market stream.” EPIC has also called out the CPSC for its reluctance to address the privacy and security challenges of IoT. In the statement to Congress, EPIC described the increasing risks to American consumers. (Jun. 15, 2018)

  • EPIC has submitted a statement to the House Energy & Commerce Committee regarding today's hearing on "Understanding the Digital Advertising Ecosystem." EPIC told the Committee "The 'Digital Advertising Ecosystem' today is not healthy. Two companies dominate the market. The privacy of Internet users is under assault. The revenue model that sustained journalism is broken. The ad platforms are manipulated by foreign adversaries. Secrecy and complexity are increasing as accountability is diminished. It would be foolish to imagine that the current model is sustainable." In 2000, EPIC opposed Doubleclick's acquisition of Abacus. In 2007, EPIC told the FTC that Google's proposed acquisition of DoubleClick would lead to consumers being tracked and profiled by advertisers across the web. (Jun. 14, 2018)

  • Apple announced two measures to strengthen the privacy and security of its devices: it will close a loophole that allowed law enforcement to access devices and it will prevent apps from secretly selling contact lists. In 2016, Apple refused a demand by the FBI to build backdoor access to iPhones to allow the FBI to unlock the phone of a criminal suspect. The FBI sued Apple, and EPIC filed an amicus brief in support of Apple, arguing that the FBI's demand "places at risk millions of cell phone users across the United States." The FBI eventually dropped the case. In a privacy complaint to the FTC, EPIC also opposed Google's plan to launch "Buzz," a social networking service, with private address book information. Google later backed off the plan and shuttered Buzz. In 2015, EPIC gave the Champion of Freedom Award to Apple CEO, Tim Cook, for his work protecting privacy and promoting encryption. (Jun. 14, 2018)

  • EPIC advised the FCC on how to interpret the Telephone Communications Protection Act to best protect consumers in light of a recent decision in ACA Int'l v. FCC. EPIC filed a friend of the court brief in that case arguing that consumers could revoke consent by any "reasonable means." The court agreed but vacated other aspects of the rule. EPIC's comments argue that the FCC should require callers to meet three conditions to simplify the revocation of consent: (1) inform consumers of their right to revoke, (2) provide a simple means of revocation, and (3) comply in a timely manner. EPIC contributed to the development of the Telephone Communications Protection Act and regularly submits comments to the FCC. (Jun. 13, 2018)

  • As the Senate Commitee on Homeland Security and Government Affairs considers S. 2836, the Preventing Emerging Threats Act of 2018: Countering Malicious Drones, EPIC has sent a statement to the Committee urging that action on the bill be suspended until DHS and other federal agencies establish and publish drone privacy procedures as required by a 2015 Presidential Memorandum. EPIC has brought a series of open government cases against the DHS and the Department of Defense to determine the use of drones by the federal government in the United States. EPIC's cases have determined that drones operated by the DHS intercept private communications, conduct human identification at a distance, and may include military payloads. (Jun. 13, 2018)

  • EPIC sent a statement to the Senate Commerce Committee in advance of a hearing on the NTIA, a key technology policy agency. EPIC warned that "American consumers face unprecedented privacy and security threats," citing both data breaches and "always on" devices that record users' private conversations. EPIC said that Congress and the NTIA should establish protections that minimize the collection of personal data and promote security for Internet-connected devices. EPIC urged Congress and the NTIA to work together to update U.S. privacy laws and establish a data protection agency. EPIC has testified before Congress, litigated cases, and filed complaints with the FTC regarding connected cars, "smart homes," consumer products, and "always on" devices. (Jun. 12, 2018)

  • Members of European Parliament are calling for the suspension of the EU-U.S. Privacy Shield if the U.S. does not comply in full by September 1, 2018. The Civil Liberties Committee ("LIBE") passed a resolution stating that the pact, which permits the flow of European consumers' personal data to the U.S, does not adequately protect privacy. LIBE urged US authorities to respond without delay to the Cambridge Analytica breach of 87 million Facebook users. The groups also expressed "strong concerns" about the CLOUD Act which permits US law enforcement to unilaterally access personal data stored in Europe. EPIC recently told the FTC that the Cambridge Analytica breach could have been avoided had the agency enforced a 2011 Consent Order that EPIC and a coalition of consumer privacy groups obtained. (Jun. 12, 2018)

  • Through a Freedom of Information Act request, EPIC has obtained documents (part 1, part 2, part 3, part 4) considered by Commerce Secretary Wilbur Ross to add a citizenship question to the 2020 Census. Following a request from the Department of Justice, the Census Bureau announced that it would ask about citizenship status for the first time in over 50 years. The documents obtained by EPIC, and others who made similar requests, reflect the varying opinions from lawmakers, scientists, and immigration groups about the proposal. The documents also reveal that Kris Kobach, former Vice Chair of the now-defunct Presidential Advisory Commission on Election Integrity, urged Secretary Ross "on the direction of Steve Bannon" to add the citizenship question. According to an analysis conducted by the Census Bureau, the impact of asking about citizenship would be "very costly, harms the quality of the census count, and would use substantially less accurate citizenship data than are available" from other government resources. In a FOIA case against DHS, EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to the Department of Homeland Security after 9-11. As a consequence, the Census Bureau revised its policy on sharing statistical information about "sensitive populations" with law enforcement or intelligence agencies. (Jun. 11, 2018)

  • In advance of a hearing on the 2020 Census, EPIC told Congress to consider the privacy issues arising from potential misuse of Census data. After the Department of Commerce announced that the 2020 Census will include a question on citizenship status, many have expressed concerns about the confidentiality of the data collected. EPIC told Representatives: "your committee should ensure that the data collected by the federal government is not misused." The census raises significant privacy risks and has been used to discriminate. EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to the Department of Homeland Security after 9-11. As a consequence, the Census Bureau revised its policy on disclosing statistical information about "sensitive populations" to law enforcement or intelligence agencies. Customs and Border Protection also changed its policy on requesting "information of a sensitive nature from the Census Bureau." (Jun. 8, 2018)

  • The Court of Appeals for the Eleventh Circuit has vacated an administrative order by the Federal Trade Commission, which required the medical testing company LabMD to implement "reasonable" data security measures, finding that the order was not specific enough to be enforceable. The court explained that the FTC can require companies to implement data security measures as long as it provides specific guidance. EPIC has repeatedly urged the FTC to mandate specific data security requirements in consumer privacy settlements, including in comments on recent settlements with Uber and PayPal. EPIC also submitted an amicus brief in FTC v. Wyndham, a case in which the Third Circuit Court of Appeals upheld the FTC's authority to enforce data security standards. (Jun. 7, 2018)

  • At the National Press Club in Washington, DC, EPIC presented the 2018 Champions of Freedom Awards to Maine Secretary of State Matthew Dunlap and California Secretary of State Alex Padilla for their defense of the privacy of state voter records. Secretary Dunlap and Secretary Padilla successfully opposed the efforts of the Presidential Advisory Commission on Election Integrity to obtain voter data on state residents. The inscription on the award read "Guardian of privacy and democratic institutions." Dr. Peter Neumann received the 2018 EPIC Lifetime Achievement Award for his work on computer-related risk. Dr. Stephanie Perrin received the 2018 EPIC Privacy Champion Award for her work on WHOIS privacy. The EPIC Champion of Freedom Awards are presented annually to individuals who defend democratic values with courage and integrity. Previous recipients include Senator Patrick Leahy, Judge Pat Wald, Tim Cook, and Garry Kasparov. The EPIC awards event was preceded by a policy panel on the GDPR with FTC Commissioner Rohit Chopra and leading experts in data protection and privacy law. (Jun. 7, 2018)

  • Facebook had secret arrangements with at least 60 device makers granting them access to users' personal data, according to a report by the New York Times. Facebook overrode users privacy settings to allow companies to access sensitive information that users' had explicitly set to private. These arrangements directly contradict Facebook's previous statements that it cut off third party access to user data in 2015. Facebook is already under FTC investigation for violating a 2011 Consent Order that EPIC and consumer privacy organizations obtained. The Order bars Facebook from disclosing data to third parties without explicit consent. EPIC recently urged the FTC to enforce the Consent Order following revelations that Facebook allowed Cambridge Analytica to access the data of 87 million users. In a recent memo, FTC Commissioner Rohit Chopra stated that "FTC orders are not suggestions." (Jun. 5, 2018)

  • EPIC and a coalition of twenty organizations called for the Department of Justice Inspector General to investigate the FBI's "grossly inflated" statistic of encrypted devices inaccessible to law enforcement in 2017. The Washington Post reported that the FBI repeatedly stated it was locked out of 7,800 devices, but subsequent review suggested the actual number is about 1,200. The coalition wrote to the IG asking him to investigate the error, why DOJ officials used the data point after it was discovered to be incorrect, and what measures were taken to inform Congress and the public of the FBI's miscalculation. EPIC President Marc Rotenberg previously told POLITICO that the revelation was "a very serious matter" that "calls into question" the FBI's other statements about "the scope of electronic surveillance in the United States." (Jun. 5, 2018)

  • EPIC has filed an amicus brief in a case about whether a dating app should be liable for failing to remove false profiles, including name and likeness, that posed a danger to personal safety. In Herrick v. Grindr, LLC, EPIC told the Second Circuit Court of Appeals that Section 230, a provision in the Communication Decency Act, was intended to "encourage internet service providers to police their platforms," not to "give platforms carte blanche to ignore harassment and abuse." EPIC emphasized that a lower court opinion "would not advance the speech-promoting policy of the statute." EPIC explained that victims may be subjected to ongoing "psychological, social, and financial harm" if Internet services are not accountable for harassment and abuse. EPIC frequently participates as amicus curiae in cases concerning emerging privacy and civil liberties issues, including hiQ Labs v. LinkedIn and Eichenberger v. ESPN. (Jun. 1, 2018)

  • In 2011, EPIC uncovered the first government program to monitor social media. EPIC v. DHS revealed that a government agency was tracking posts on social media to identify critics of government. Today EPIC released a new report on the recent developments in government media monitoring. The report follows a case filed by EPIC this week concerning a new DHS program for "Media Monitoring Services." The report explores different media monitoring systems and points to the absence of effective controls. EPIC's Spotlight on Surveillance also highlights the privacy and civil liberties risks, including chilling free speech, discrimination, unreliability, and misattribution. EPIC's Spotlight on Surveillance project explores the privacy and civil liberties implications of surveillance programs in the United States. EPIC has previously released reports on drones, the FBI's Next Generation Identification program, and "enhanced" driver's licenses. (Jun. 1, 2018)

  • EPIC and a coalition of privacy and civil liberties groups urged the Office of the Director of National Intelligence to abide by the transparency requirements of the USA FREEDOM Act. The Act ended the NSA's bulk collection of domestic call detail information. The Act also requires the public reporting of the number of unique identifiers gathered under the Foreign Intelligence Surveillance Act. A related letter to the House Judiciary Committee urged the Committee to oversee the reporting requirement. In 2012, EPIC testified before Congress on the need for better reporting on the use of FISA authorities. Several of EPIC's recommendations were incorporated in the USA FREEDOM Act. (May. 31, 2018)

  • EPIC has filed a Freedom of Information Act lawsuit to obtain a Privacy Impact Assessment for "Media Monitoring Services," a controversial new database proposed by the Department of Homeland Security. In April, the DHS announced a system to track journalists and "media influencers" and to monitor hundreds of thousands of news outlets and social media accounts. Although the system is designed to monitor journalists, the federal agency failed to conduct a Privacy Impact Assessment as required by law. EPIC submitted a request for Assessment but the agency did not respond. EPIC has successfully obtained several Privacy Impact Assessments, including a related media tracking system (EPIC v. DHS) and for facial recognition technology (EPIC v. FBI). In EPIC v. Presidential Election Commission, EPIC challenged the Commission's failure to publish a Privacy Impact Assessment prior to collection of state voter data. (May. 31, 2018)

  • EPIC has obtained records under the Freedom of Information Act showing that the Department of Homeland Security communicated frequently with the Presidential Election Commission after EPIC filed a lawsuit to block the Commission's efforts to obtain state voter data. The documents show that DHS officials had numerous communications with Commission staff beginning in June 2017. The records obtained by EPIC also reveal that Kirstjen Nielsen, now the DHS Secretary, worried that the Commission's voter data grab would "disrupt critical efforts DHS is leading to work with state and local officials" on election cybersecurity. After EPIC brought suit in July, the Commission suspended the data collection program, discontinued the use of an unsafe computer server, and deleted voter information that was illegally obtained. The Commission was ultimately shut down in January 2018. (May. 31, 2018)

  • EPIC, the Brennan Center and 55 privacy, civil liberties, and civil rights organizations submitted comments opposing the State Department's plan to collect social media identifiers from individuals applying for visas. The coalition warned that the proposal would "undermine First Amendment rights of speech, expression, and association." Social media monitoring raises serious privacy and civil liberties issues. EPIC previously opposed the State Department's expansion of social media collection as well as a similar proposal by the Department of Homeland Security. In EPIC v. DHS, a 2011 Freedom of Information Act case, EPIC uncovered the first agency plan to monitor social media. (May. 30, 2018)

  • "Alexa" secretly recorded the private conversation of a Portland woman and sent it to one of her contacts, according to a news report. The Federal Wiretap Act makes it a crime to intentionally intercept a private communication. In 2015, EPIC urged the Federal Trade Commission and the Department of Justice to investigate whether "always on" smart home devices violated federal wiretap law. EPIC recently warned the Consumer Product Safety Commission that the Google Home Mini continuously record users' private conversations because of a product defect. And EPIC recently testified before the CPSC on the need to regulate privacy and security hazards posed by Internet of Things devices. (May. 24, 2018)

  • EPIC submitted comments on the Federal Election Commission's (FEC) proposed rules for political ads on the internet. The FEC proposed two alternative rules, one which would hold internet companies to the same standard as traditional media companies and one which would make exceptions for online ads. EPIC stated: "FEC rules should be technology-neutral and consistent across media platforms." EPIC also recommended that the FEC adopt algorithmic transparency rules, which would require advertisers to disclose the demographic factors behind targeted political ads, as well as the source and payment, and maintain a public directory of advertiser data. EPIC's Project on Democracy and Cybersecurity, established after the 2016 presidential election, seeks to safeguard democratic institutions from various forms of cyber attack. (May. 24, 2018)

  • Transatlantic Consumer Dialogue (TACD), a coalition of US and European consumer groups, has written to ninety-five major internet companies, including Amazon and Google, seeking compliance with the EU General Data Protection Regulation (GDPR) as a baseline standard for all users worldwide. TACD wrote, "Strong privacy standards should apply to everyone who uses online platforms and services no matter where they live." The letter states that "European regulation provides a solid foundation for data protection, establishing clear responsibilities for companies that collect personal data and clear rights for people whose data is gathered." Following an earlier TACD letter and questions from Congress, Marc Zuckerberg said Facebook would apply GDPR protections in all jurisdictions. The TransAtlantic Consumer Dialogue was established in 1998 and works to promote the consumer interest in EU and US policy making. (May. 24, 2018)

  • According to the Washington Post, the FBI "provided grossly inflated statistics to Congress and the public" about the number of encrypted cellphones inaccessible to law enforcement. The FBI stated it was locked out of 7,800 devices, but a subsequent review suggested the actual number is about 1,200. EPIC President Marc Rotenberg told POLITICO that the revelation was "a very serious matter" that "calls into question" the FBI's other statements about "the scope of electronic surveillance in the United States." According to the federal wiretap reports, in 2016 a total of 68 federal wiretaps were reported as being encrypted, of which 53 could not be decrypted. In a 2016 debate before the American Bar Association, former FBI Director James Comey said the FBI was locked out of about 650 phones. Rotenberg countered that 3.1 million phones were stolen or lost in a year and subject to misuse without strong encryption. (May. 23, 2018)

  • Senator Edward Markey (D-MA) and Congressman Joe Barton (TX-06), along with Senator Richard Blumenthal (D-CT) and Congressman Bobby L. Rush (IL-01), have reintroduced the Do Not Track Kids Act, a bill that would strengthen the Children's Online Privacy Protection Act (COPPA) by extending its protections to children under 15 and creating an "Eraser Button" that would allow parents and children to delete publicly available personal information. The bill would also prohibit targeted advertising to children, mandate data security standards for internet-connected devices sold to children, and establish a "Digital Marketing Bill of Rights for Minors" that would limit the collection of children's personal information, including geolocation information. EPIC recently warned the Federal Trade Commission not to weaken existing rules under COPPA that safeguard children's privacy. EPIC and a coalition of consumer groups have also urged the FTC to stop companies from selling dangerous, internet-connected "toys that spy". (May. 23, 2018)

  • The 12th international conference on Computers, Privacy and Data Protection will take place in Brussels, January 30 to February 1, 2019. The theme of the conference is "Data Protection and Democracy." CPDP is seeking panel proposals from academic consortia, research projects, think tanks and other research organizations. The deadline is June 21, 2018. CPDP2018 offered 85 panel sessions with 420 international speakers from academia, public and private sectors and civil society. More than 1,000 people from from 55 countries attended CPDP2018. EPIC is an event sponsor of CPDP and will present the 2019 International Champion of Freedom Award on January 30, 2019. (May. 23, 2018)

  • EPIC has urged the Federal Trade Commission to act on a Complaint EPIC previously filed with the FTC about the secret scoring of young tennis players. The EPIC complaint concerns the "Universal Tennis Rating," a proprietary algorithm used to assign numeric scores to tennis players, many of whom are children under 13. According to EPIC, "the UTR score defines the status of young athletes in all tennis-related activity; impacts opportunities for scholarship, education and employment; and may in the future provide the basis for 'social scoring' and government rating of citizens." EPIC pointed to objective, provable, and transparent rating systems such as ELO as far preferable. EPIC has championed "Algorithmic Transparency" as a fundamental human right. Earlier this month, the Council of Europe adopted the modernized Privacy Convention that establishes a legal right for individuals to obtain "knowledge of the reasoning" for the processing of personal data. (May. 23, 2018)

  • After EPIC obtained the FBI cyberattack victim notification procedures in Freedom of Information Act lawsuit EPIC v. FBI, a D.C. federal court has ruled that the agency may withhold remaining records explaining FBI's response to the Russian interference in the 2016 election. EPIC had argued that the FBI had failed to demonstrate that releasing records of the agency's response to cyberattacks would interfere with its investigation of the Russian interference. The "Victim Notification Procedures" obtained by EPIC led to Associated Press investigation which found that the FBI did not follow the Procedures and failed to notify U.S. officials that their email accounts were compromised. EPIC is currently pursuing related FOIA cases about Russian interference in the 2016 election, including EPIC v. IRS (Release of Trump Tax Returns) and EPIC v. DHS (election cybersecurity). (May. 23, 2018)

  • In advance of a hearing on the Internet of Things (IoT), EPIC wrote to Congress on the need for privacy and security regulations for IoT consumer products. EPIC explained that regulation is necessary "because neither the manufacturers nor the owners of those devices have incentive to fix weak security." EPIC has called upon the Consumer Product Safety Commission to regulate IoT products, saying that the privacy and security of IoT devices, such as Internet-connected door locks and thermostats, are critical concerns for American consumers. Last week, EPIC testified before the Safety Commission on IoT hazards and promoted baseline standards to protect consumer safety. EPIC previously testified before Congress on the "Internet of Cars." (May. 22, 2018)

  • EPIC has filed a "friend of the court" brief, joined by forty-four technical experts and legal scholars (members of the EPIC Advisory Board), in the OPM Data Breach case. The case concerns the data breach at the US Office of Personnel and Management in 2015 that affected 22 million federal employees, their friends, and family members. In the brief to the federal appeals court, EPIC said that "when personal data is collected by a government agency, that agency has a constitutional obligation to protect the personal data it has obtained." In a 2011 case NASA v. Nelson, EPIC urged the Supreme Court to limit data collection by federal agencies, citing the growing risk of data breach in the federal government. (May. 18, 2018)

  • The Council of Europe has updated Convention 108, the first international treaty for privacy and data protection. Among other changes, the amending protocol requires prompt data breach notification, establishes national supervisory authorities to ensure compliance, permits transfers abroad only when personal data is sufficiently protected, and provides new user rights including algorithmic transparency. EPIC and consumer coalitions have urged the United States to ratify the International Privacy Convention. The complete text of the Privacy Convention is contained in the Privacy Law Sourcebook, available at the EPIC Bookstore. (May. 18, 2018)

  • EPIC has urged the Federal Trade Commission to act on a Complaint EPIC previously filed with the Commission concerning Samsung's "always on" SmartTV, which surreptitiously records consumers' private conversations and transmits their unencrypted voice recordings to third parties. EPIC also warned the FTC that "Samsung is now collecting viewing data from consumers," a practice the FTC found unlawful in a recent settlement with VIZIO. EPIC originally filed this complaint with the FTC on February 24, 2015, but the Commission took no action. EPIC routinely files complaints with the FTC. EPIC's complaints against Uber, Facebook and Google all led to FTC settlements with the companies. Last week, EPIC renewed its complaint against Google for tracking consumers' in-store purchases. (May. 18, 2018)

  • Immigration and Customs Enforcement has dropped a plan to use machine learning software to determine if a visa applicant might commit a crime or terrorist act. Last year, EPIC joined over 50 privacy, civil liberties, and civil rights groups to oppose the plan, stating that the "initiative was tailor-made for discrimination." EPIC has pursued several FOIA cases to uncover the use of secret algorithms by government agencies to score people, including EPIC v. CBP about the "Analytical Framework for Intelligence" that generated secret "risk assessments" on US travelers. In testimony for the 9-11 Commission, EPIC warned that "the use of information technology to identify individuals that may pose a specific threat to the United States" is a "complex problem [that] necessarily involves subjective judgments." (May. 18, 2018)

  • EPIC testified before the Consumer Product Safety Commission at the hearing on "The Internet of Things and Consumer Product Hazards." EPIC International Law Counsel Sunny Kang urged the Commission to focus on privacy and security. EPIC's Kang told the Commission that "IoT is the weakest link to privacy and security vulnerabilities in consumer products." EPIC recommended baseline rules for IoT device manufacturers adopted by the UK government in a recent report on privacy and security for IoT devices. EPIC and a coalition of consumer groups previously urged the Commission to recall the Google Home Mini device which was designed to always record conversations. (May. 17, 2018)

  • EPIC Consumer Privacy Counsel Sam Lester testified before the House Ways and Means Committee at a hearing on "Securing Americans' Identities: The Future of the Social Security Number." EPIC's Lester emphasized that "the SSN was never meant to be an all-purpose identifier," and its widespread use has contributed to the epidemic of data breaches, identity theft and financial fraud. Lester called on Congress to prohibit the use of the SSN in the private sector without explicit legal authorization. Lester also warned Congress against creating a national biometric identifier that would raise serious privacy and civil liberties risks. EPIC frequently testifies before Congress. EPIC President Marc Rotenberg recently testified before the Senate Banking Committee and the House Financial Services Committee on the need to update U.S. privacy law. EPIC also maintains an archive of information about the SSN online. (May. 17, 2018)

  • In advance of a hearing on Cambridge Analytica and the Future of Data Privacy, EPIC has sent a statement to the Seante Judiciary Committee. EPIC said that "It has become increasingly clear that even as we are asked to give up our privacy, companies have become ever more secretive about how they profile and target voters." In 2014, EPIC challenged Facebook's manipulation of users' News Feeds for psychological research. "If Facebook used data manipulation to shape users' emotions, it can use data manipulation to shape voters' practices," EPIC told the Committee. (May. 15, 2018)

  • In detailed comments to the Federal Trade Commission, EPIC urged the FTC to strengthen a revised settlement with Uber. The FTC reached a settlement with Uber back in August of 2017 for its numerous privacy abuses, including secretly tracking riders and using software to evade authorities. But shortly after announcing the settlement, the FTC discovered that Uber had hid a massive data breach and used its bug bounty program to pay off the hackers. As a result, the FTC required Uber to submit all of its privacy assessments to the Commission. While EPIC supported the FTC’s action, EPC said that "the FTC should make Uber's privacy assessments public so that consumers can evaluate whether the company is meeting its obligations under the Consent Order." The FTC's initial investigation and subsequent settlement with Uber were prompted by EPIC's complaint against Uber's in 2015. (May. 15, 2018)

  • Through a Freedom of Information Act request, EPIC obtained declassified memorandums from former FBI Director James Comey detailing his conversations with President Trump from January to April 2017. The conversations include President Trump asking about the possibility of imprisoning journalists, dropping the investigation of former advisor Michael Flynn, and the need to "lift the cloud" of the Russia investigation. In early 2017, EPIC launched the Project on Democracy and Cybersecurity. EPIC is currently pursuing several FOIA cases concerning Russian interference with the 2016 election including: EPIC v. ODNI (Russian hacking), EPIC v. IRS (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity). (May. 15, 2018)

  • Incoming Federal Trade Commissioner Rohit Chopra issued a memo today warning that the FTC will enforce its consent orders against companies that violate the law. "FTC orders are not suggestions," said Chopra. Chopra said the FTC should seek structural remedies as well as monetary fines. EPIC has repeatedly told the FTC to enforce its orders, and even sued the agency, EPIC v. FTC, for failing to enforce the order against Google following the Buzz fiasco. More recently, EPIC and a coalition of consumer groups told the FTC that the Cambridge Analytica breach could have been avoided had FTC enforced the 2011 Consent Order against Facebook. The FTC has since confirmed that it is investigating Facebook for the breach. According to the former Acting Director of the FTC's Bureau of Consumer Protection, "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook." (May. 14, 2018)

  • The U.S. Supreme Court ruled today that a driver in lawful possession of a rental car has a reasonable expectation of privacy regardless of a rental car agreement. The Court held in Byrd v. United States that, "the mere fact that a driver in lawful possession or control of a rental car is not listed on the rental agreement will not defeat his or her otherwise reasonable expectation of privacy." EPIC filed an amicus brief in the case, joined by 23 technical experts and legal scholars members of the EPIC Advisory Board, which stated that "relying on rental contracts to negate Fourth Amendment standing would undermine legitimate expectations of privacy." EPIC also urged the Court to recognize that a modern car collects vast troves of personal data and "make little distinction between driver and occupant, those on a rental agreement and those who are not." EPIC routinely participates as amicus curiae in cases before the Supreme Court, such as in United States v. Microsoft Corp., Dahda v. United States, and United States v. Jones. (May. 14, 2018)

  • The Supreme Court has ruled in Dahda v. United States, a case about the federal Wiretap Act and the suppression of evidence obtained under an overly broad wiretap order. A lower court permitted the evidence, relying on a novel interpretation of the Act. EPIC filed an amicus brief in the case, arguing that "it is not for the courts to create textual exceptions" to federal privacy laws. The Supreme Court agreed with EPIC that it "makes little sense" for the court to rewrite the statute. However, the Court declined to suppress the evidence, finding that it was a lawful search under a narrow interpretation of the Wiretap Act. EPIC routinely participates as amicus curiae in privacy cases before the Supreme Court, including Byrd v. United States (a case in which the Court rejected suspicionless searches of rental cars) and Carpenter v. United States (a case about warrantless searches of cellphone location records). (May. 14, 2018)

  • In a letter to DHS Secretary Kirstjen Nielson, Senators Edward Markey (D-MA) and Mike Lee (R-UT) urged the agency to promptly conduct a public rulemaking on the agency's biometric exit program prior to any expansion of the program. The program, currently implemented in nine U.S. airports, requires travelers on departing international flights to submit to facial recognition identification. The Senators requested that DHS determine the accuracy of the technique and the procedures for collecting passenger data. EPIC is currently pursuing documents about the biometric exit program, but documents EPIC obtained about a related program that tested iris and facial recognition scanning at the border revealed that the technology did not perform operational matching at a "satisfactory" level. An earlier EPIC lawsuit against the DHS led to the removal of backscatter x-ray devices — "body scanners" — at US airports. (May. 11, 2018)

  • EPIC has submitted a Freedom of Information Act request seeking records about the Irish Data Protection Commissioner's inquiries regarding Facebook’s compliance with the FTC's Consent Order. In 2011, the Austrian privacy group Europe-v-Facebook and other parties filed formal complaints to the Irish Data Protection Commissioner about third party access to Facebook user data. The Irish Data Protection Commissioner then initiated an audit of Facebook to assess its compliance with both Irish Data Protection Law and EU law. The 2011 Irish audit found that the safeguards for third party applications did not ensure security for user data. In a 2012 re-audit, the Irish on Commissioner found a "satisfactory response" from Facebook regarding preventing third party applications. Following the 2012 re-audit, the FTC and the Data Protection Commissioner signed a Memorandum of Understanding to exchange information to enforce compliance with privacy laws in each respective country. Two years after the Data Protection Commissioner found a "satisfactory response" from Facebook regarding third party applications, a third party application harvested the data of over 87 million users and transferred the data to Cambridge Analytica. (May. 11, 2018)

  • The White House has established the "Select Committee on Artificial Intelligence" to advise the President and coordinate AI policies among executive branch agencies. The Office of Science and Technology Policy, NSF, and DARPA will lead the interagency committee. According to the White House, the goals of the Committee are (1) prioritize funding for AI research and development; (2) remove barriers to AI innovation; (3) train the future American workforce; (4) achieve strategic military advantage; (5) leverage AI for government services; and (6) lead international AI negotiations. The Committee will also coordinate efforts across federal agencies to research and adopt technologies such as autonomous systems, biometric identification, computerized image and video analysis, machine learning and robotics. It is unclear whether the Committee will include public perspectives in its work. In 2014, EPIC, joined by 24 consumer privacy, public interest, scientific, and educational organizations petitioned the OSTP to accept public comments on a White House project concerning Big Data. The petition stated, "The public should be given the opportunity to contribute to the OSTP's review of 'Big Data and the Future of Privacy' since it is their information that is being collected and their privacy and their future that is at stake." In 2015 EPIC launched an international campaign for Algorithmic Transparency and recently urged Congress to establish oversight mechanisms for the use of AI by federal agencies. (May. 10, 2018)

  • A federal appeals court has ruled that U.S. border officials may not conduct a forensic search of a mobile device without a "reasonable suspicion" that the device contains evidence of a crime. The court's decision followed Riley v. California, a 2014 Supreme Court case holding that the Fourth Amendment requires police to obtain a warrant to search a cell phone. EPIC filed an amicus brief in the Riley case, cited by the Supreme Court, about the detailed personal data stored in cell phones. EPIC's Alan Butler predicted that the Riley decision would lead courts to require "reasonable suspicion" for border searches. EPIC recently filed a FOIA suit against against a federal agency for information about the warrantless searches of cell phones. Senator Patrick Leahy (D-VT) and Senator Steve Daines (R-MT) have introduced legislation to place restrictions on searches and seizures of electronic devices at the border. (May. 10, 2018)

  • In response to an industry proposal to diminish safeguards for children's privacy, EPIC reminded the FTC that industry guidelines must comply with the Children's Online Privacy Protection Act. EPIC also highlighted recent updates in the COPPA regulations that minimize data collection concerning children. EPIC wrote, "COPPA has evolved to address changes in technology and business practices." EPIC has testified several times before Congress on protecting children's data and supported the 2013 updates to COPPA. (May. 9, 2018)

  • In advance of a hearing on "Program Integrity for the Supplemental Nutrition Assistance Program," EPIC has sent a statement to the House Oversight Committee. A provision of the Agriculture and Nutrition Act of 2018 would establish a federal database of Supplemental Nutrition Assistance Program recipients for the purpose of denying food assistance. The SNAP program provides assistance to low-income households and is administered by the states. However, Section 4001 would create a federal database with personal data, such as social security numbers, employment status, and income amounts, with the aim of denying food assistance. EPIC warned that if Congress decides to create this federal database, then the Department of Agriculture will be subject to Privacy Act obligations, including potential liability for the data breaches that may result. Last year, EPIC successfully challenged the efforts of a federal commission to establish a national voter database, noting that voting is a state function. (May. 8, 2018)

  • The Transatlantic Consumer Dialogue, a coalition of more than 70 consumer organizations in Europe and North America, has made available "10 Things to Know About the GDPR." The analysis details key elements of the new European privacy law. TACD wrote, "People's data should be treated with the highest privacy protections no matter where they are based. Privacy is a fundamental human right and data protection is intrinsically linked to it." Last month, TACD sent a letter to Mark Zuckerberg urging Facebook to comply with the GDPR as a baseline standard for all Facebook users worldwide. TACD will host a press conference on GDPR with EPIC in Washington DC on May 16. EPIC makes available the complete text of the GDPR and related materials in the Privacy Law Sourcebook. (May. 8, 2018)

  • In advance of a hearing on the 2020 Census, EPIC told Congress to consider the privacy issues arising from potential misuse of Census data. After the Department of Commerce announced that the 2020 Census will include a question on citizenship status, many have expressed concerns about the confidentiality of the data collected. EPIC told Representatives: "your committee should ensure that the data collected by the federal government is not misused." The census raises significant privacy risks and has been used to discriminate. EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to the Department of Homeland Security after 9-11. As a consequence, the Census Bureau revised its policy on sharing statistical information about "sensitive populations" with law enforcement or intelligence agencies. Customs and Border Protection also changed its policy on requesting "information of a sensitive nature from the Census Bureau." (May. 8, 2018)

  • According to the Office of Director National Intelligence 2017 report, the number of Foreign Intelligence Surveillance Act orders to collect call records more than tripled last year, from 151 million records in 2016 to 534 million in 2017. In 2012, EPIC testified before Congress on the need for more public reporting concerning the use of FISA authorities. Several of EPIC's recommendations, including better reporting on government surveillance activities, were incorporated in the USA FREEDOM Act. (May. 7, 2018)

  • EPIC has urged the Federal Trade Commission to act on a Complaint EPIC previously filed with the Commission concerning Google's tracking of consumer purchases. EPIC told the FTC that "this tracking of consumer purchases is without precedent and also raises questions as to what else Google does with the consumer data it obtains." EPIC originally filed the Complaint with the FTC on July 31, 2017. The Complaint alleges that Google collects billions of credit and debit card transactions and links that data to the activities of Internet users. Google claims to protect privacy but refuses to provide any details about a secret algorithm it uses, making it impossible for consumers to verify that their privacy is protected. EPIC has filed numerous complaints with the FTC, including the complaints that led to the FTC's 2011 Google Buzz Order and the 2011 Facebook Order. The FTC recently welcomed a new Chairman and three new Commissioners. (May. 7, 2018)

  • In advance of a Senate hearing "Keeping Pace with Innovation - Update on the Safe Integration of Unmanned Aircraft Systems into the Airspace," EPIC submitted a statement to inform the committee of EPIC's ongoing work to establish transparency and oversight for the use of unmanned aircraft in the United States. EPIC believes that strong drone privacy rules are vital for the safe integration of commercial drones in the National Air Space. EPIC is now proceeding in the U.S. Court of Appeals of the D.C. Circuit against the FAA for the agency's failure to establish drone privacy safeguards. EPIC has also filed suit to enforce the transparency obligations of the Drone Advisory Committee, a body created by the FAA to study and make recommendations on U.S. drone policy. EPIC has also pursued several open government matters regarding the FAA's decision making process, which appears intended to purposefully avoid the development of meaningful privacy safeguards. (May. 7, 2018)

  • A coalition of consumer safety groups wrote to senators asking them to delay passing the AV START Act (S. 1885) until the National Transportation Safety Board finished its investigation of two recent crashes involving autonomous vehicles. The groups said: "we are very concerned that provisions in the bill put others sharing the road with AVs at unnecessary and unacceptable risk." EPIC has called for national safety standards for connected cars in comments to NHTSA. In a recent amicus brief to the Supreme Court, EPIC also underscored the privacy risks of rental cars, which collect vast troves of personal data. (May. 6, 2018)

  • The Irish High Court has denied Facebook's request to halt review of Data Protection Commissioner v. Facebookby Europe's top court. The case, which was recently referred to the European Court of Justice, concerns whether Facebook's transfers of personal data from Ireland to the United States violate the European Charter of Fundamental Rights. The case follows the landmark 2015 decision that the US had insufficient privacy protections to allow transfer of Europeans' personal data. Ruling against Facebook's request to delay the case further pending appeal, the Irish court said EU data subjects could be harmed if the case were delayed, and that there were “considerable concerns” about Facebook's conduct in the case. EPIC was designated the US NGO amicus curiae in this case, and provided a detailed assessment of US privacy law. (May. 3, 2018)

  • EPIC and a coalition of consumer organizations have sent a letter to Mick Mulvaney urging the Acting Director not to ban public access to the CFPB consumer complaint database. "The public complaint database is a tool that empowers individuals to inform and protect themselves in the marketplace," the groups stated. In recent remarks at a banking industry conference, Mulvaney said that he is considering closing off access to the database. The database has helped expose wrongdoing by numerous financial institutions-including failures by Equifax following its data breach, as detailed in a report just released by three Senators. EPIC has called on the CFPB to more vigorously pursue its investigation of Equifax, and has filed a Freedom of Information Act request to obtain communications about that investigation. (May. 3, 2018)

  • EPIC submitted comments to the Consumer Product Safety Commission for an upcoming hearing on "The Internet of Things and Consumer Product Hazards." EPIC urged the Commission to focus on privacy and security issues, which the Commission claims are outside its scope. EPIC told the Consumer Product Safety Commission that "Holding a hearing in the year 2018 to discuss IoT without addressing privacy and security is akin to holding a hearing in the last century about kitchen appliances without addressing the risk that a toaster might catch fire because of bad wiring." EPIC recommended that the Commission implement thirteen rules for manufacturers of IoT devices that were laid out by the UK government in a recent report on privacy and security for IoT devices. EPIC and a coalition of consumer groups preciously urged the Commission to order the recall of the Google Home Mini "smart speaker" and received a response saying that it does not pursue privacy or data security issues. (May. 2, 2018)

  • A controversial provision of the Agriculture and Nutrition Act of 2018 would establish a federal database of Supplemental Nutrition Assistance Program recipients for the purpose of denying food assistance. The SNAP program provides assistance to low-income households and is administered by the states. However, Section 4001 would create a federal database with personal data, such as social security numbers, employment status, and income amounts, with the aim of denying food assistance. Privacy scholars have explained that government agencies often subject individuals living in poverty to excessive surveillance. Last year, EPIC successfully challenged the efforts of a federal commission to establish a national voter database, noting that voting is a state function. (May. 2, 2018)

  • Senators Warren (D-MA), Schatz (D-HI) and Menendez (D-NJ) have published a report examining thousands of consumer complaints filed with the Consumer Financial Protection Bureau after Equifax's massive data breach last fall. The report, entitled "Breach of Trust," reveals the extent of Equifax's failure to address significant harms consumers faced as a result of the breach. The Senators sent their report along with a letter to the CFPB demanding the agency hold Equifax accountable. Despite the massive number of complaints, the CFPB has yet to announce any action against Equifax eight months after the breach. The Senators also admonished Director Mulvaney for his recent suggestion that he would end public access to the CFPB's complaint database. In testimony before the House Financial Services Committee in February, EPIC called on Congress to ensure that the CFPB takes action against Equifax. A February Reuters story indicated that the CFPB had halted its investigation into Equifax, but Mulvaney since confirmed that an investigation is still ongoing. EPIC submitted a Freedom of Information Act request to obtain information about the CFPB's Equifax investigation. (May. 1, 2018)

  • The House Permanent Select Committee on Intelligence has published a redacted version of its report on Russian interference with the 2016 Presidential Election. The report concludes that Russia did conduct cyberattacks on U.S. political institutions in 2015 and 2016. It also found that the FBI's "notification to numerous Russian hacking victims was largely inadequate." The report recommends that the FBI improve cyberattack victim notification. In a Freedom of Information Act lawsuit EPIC v. FBI, EPIC obtained the FBI notification procedures that would have applied during the 2016 Presidential election. The documents state that "[b]ecause timely victim notification has the potential to completely mitigate ongoing and future intrusions and can mitigate the damage of past attacks while increasing the potential for the collection of actionable intelligence, CyD's policy regarding victim notification is designed to strongly favor victim notification." However, the FBI did not follow this procedure following cyber attacks on the DNC and RNC during the 2016 Presidential Election. The Committee also recommended measures to strengthen U.S. election systems, such as paper ballots, protection of voter registration systems, and funding for risk assessment of state election agency computer systems. In early 2017, EPIC launched the Project on Democracy and Cybersecurity. (Apr. 30, 2018)

  • The Supreme Court today granted certiorari to address for the first time whether a class action settlement that awards cy pres but provides no direct relief to class members is "fair, reasonable, and adequate." The case, Frank v. Gaos, involves a settlement arising from Google's tracking of Internet users by circumventing their browsers' privacy settings. The settlement awarded cy pres funds to several organizations but resulted in no change in Google's business practices nor payments to class members. EPIC objected to the proposed settlement on three separate occasions, arguing that, "The proposed settlement is bad for consumers and does nothing to change Google's business practices. The company will simply revise its notice so that it may continue to engage in the privacy-invading practice that class counsel claimed at one time provided the basis for class action certification and monetary relief." EPIC has routinely opposed class action settlements that fail to compensate class members or change business practices. In 2013, Chief Justice John Roberts wrote that the Court would soon need to address "fundamental concerns" surrounding the use of cy pres in class action settlements. EPIC has proposed an objective basis to evaluate cy pres awards. (Apr. 30, 2018)

  • EPIC joined dozens of human rights organizations condemning Russia's attempt to block encrypted messaging app Telegram. In an open letter, the coalition states Russia's attempts to block the app have "resulted in extensive violations of freedom of expression and access to information, including mass collateral website blocking." The groups call on international organizations and governments to challenge Russia's actions, and on tech companies to resist government attempts to compromise fundamental rights. EPIC has historically campaigned in support of strong encryption. In April 1994, EPIC initiated the campaign to stop the Clipper Chip, a key escrow encryption scheme developed by the NSA. (Apr. 30, 2018)

  • In a letter to Axon's Artificial Intelligence Ethics Board, EPIC and a coalition of civil rights and civil liberties groups called upon the Board to prevent Axon, the largest provider of police body cameras, from implementing real-time facial recognition. The letter states that "real-time facial recognition would chill the constitutional freedoms of speech and association." In 2015, EPIC forewarned that body cameras implemented for police accountability "could easily become a system of mass surveillance." EPIC also highlighted at the time that "the benefits of body cameras as a tool of police accountability have not been established." Last year, the largest study to date of police body cameras concluded that the cameras had no impact on police use of force and civilian complaints. (Apr. 26, 2018)

  • In advance of a hearing on Filtering Practices of Social Media Companies, EPIC has sent a statement to the House Judiciary Committee. EPIC said that "algorithmic transparency" could help establish fairness, transparency, and accountability for much of what users see online. In 2011, EPIC sent a letter to the FTC stating that Google's acquisition of YouTube led to a skewing of search results after Google substituted its secret "relevance" ranking for the original objective ranking, based on hits and ratings. The FTC took no action on EPIC's complaint. But last year, after a seven year investigation, the European Commission found that Google rigged search results to give preference to its own shopping service. The Commission required Google to change its algorithm to rank its own shopping comparison the same way it ranks its competitors. (Apr. 25, 2018)

  • The Administrative Office of the U.S. Courts has issued the 2017 report on activities of the Foreign Intelligence Surveillance Court. Scrutiny of FISA applications increased substantially in 2017. The 2017 FISA report reveals that there were 1,614 FISA applications in 2017, of which 1,147 were granted, 391 were modified, 50 were denied in part, and 26 were denied in full. As compared to 2016, the FISA court denied nearly two times as many applications in part, and denied nearly three times as many applications in full. EPIC testified before Congress in 2012 on the need to improve review of FISA applications. In recent comments on US surveillance authority, EPIC noted the reauthorization of 702 spying authorities without sufficient safeguards. (Apr. 25, 2018)

  • EPIC has sent a statement to the House Homeland Security Committee in advance of a hearing with the Commissioner of Customs and Border Protection. EPIC urged the Committee to ask the CBP Commissioner about the collection of biometric data at US airports. EPIC described the growing use of facial recognition that capture the images of US travelers. EPIC also pointed to a recent study that found racial disparities with the technique. EPIC is currently seeking records from the federal agency concerning the accuracy of facial recognition. EPIC also recommended the Committee examine how CBP will comply with state laws prohibiting warrantless aerial surveillance when deploying drones at the border. As a result of an earlier FOIA lawsuit, EPIC found that the CBP is deploying drones with facial recognition technology without warrant authority. (Apr. 24, 2018)

  • EPIC submitted a statement to the Senate Homeland Security Committee in advance of a hearing on "Cyber Threats Facing America." Last year, the White House National Security Strategy report set out the administration's goals for global policy. EPIC supports several of the goals in the National Strategy report, including enhanced cybersecurity, support for democratic institutions, and protection of human rights. EPIC wrote to the Senate Committee to seek assurances that those goals will remain priorities for this administration. Quoting former world chess champion Garry Kasparov, EPIC also said "perhaps it is a firewall and not a border wall that the United States needs to safeguard our national interests at this moment in time." (Apr. 24, 2018)

  • EPIC has filed a Freedom of Information Act lawsuit to obtain the release of the unredacted Facebook Assessments from the FTC. The FTC Consent Order. required Facebook to provide to the FTC biennial assessments conducted by an independent auditor. In March, EPIC filed a Freedom of Information Act request for the 2013, 2015, 2017 Facebook Assessments and related records. EPIC's FOIA request drew attention to a version of the 2017 report available at the FTC website. But that version is heavily redacted. EPIC is suing now for the release of unredacted report. EPIC has an extensive open government practice and has previously obtained records from many federal agencies. The case is EPIC v. FTC, No. 18-942 (D.D.C. filed April 20, 2018). (Apr. 20, 2018)

  • EPIC has obtained a redacted version of the 2017 Facebook Assessment required by the 2012 Federal Trade Commission Consent Order. The Order required Facebook to conduct biennial assessments from a third-party auditor of Facebook's privacy and security practices. In March, EPIC filed a Freedom of Information Act request for the 2013, 2015, and 2017 Facebook Assessments as well as related records. The 2017 Facebook Assessment, prepared by PwC, stated that "Facebook's privacy controls were operating with sufficient effectiveness" to protect the privacy of users. This assessment was prepared after Cambridge Analytica harvested the personal data of 87 million Facebook users. In a statement to Congress for the Facebook hearings last week, EPIC noted that FTC Commissioners represented that the Consent Order protected the privacy of hundreds of millions of Facebook users in the United States and Europe. (Apr. 20, 2018)

  • Senator Richard Blumenthal (D-CT) has called for "monetary penalties that provide redress for consumers and stricter oversight" in a letter to the Federal Trade Commission. Senator Blumenthal focused on the FTC's 2011 Consent Order that EPIC, and a coalition of consumer groups obtained, after preparing a detailed complaint in 2009. Referring to the Cambridge Analytica scandal, Senator Blumenthal wrote that "three of the FTC's claims concerned the misrepresentation of verification and privacy preferences of third-party apps." Senator Blumenthal also raised questions about the FTC's monitoring of the consent order, noting that "even the most rudimentary oversight would have uncovered these problematic terms of service." And the Senator stated, "The Cambridge Analytica matter also calls into question Facebook's compliance with the consent decree's requirements to respect privacy settings and protect private information." EPIC and other consumer groups recently urged the FTC to reopen the investigation. The FTC has confirmed that an investigation of Facebook is now underway. (Apr. 20, 2018)

  • A coalition of 14 consumer groups in Latin America has sent a letter to Facebook CEO Mark Zuckerberg, urging him to comply with the EU General Data Protection Regulation (GDPR) at a global level. The groups wrote, "The GDPR provides a solid foundation for the protection of personal data: it establishes clear responsibilities for companies that collect and process personal data and provides data subjects, Facebook users whose data your company collects and processes, with clear rights. These are protections that all users should be entitled to, regardless of where they are located." Earlier this month, the Transatlantic Consumer Dialogue (TACD), a coalition of consumer groups in North America and Europe, also sent a letter to Facebook advocating for the GDPR to be implemented as a baseline standard of data protection for all users. (Apr. 19, 2018)

  • In advance of a hearing on "Game Changers: Artificial Intelligence Part III, Artificial Intelligence and Public Policy," EPIC told the House Oversight Committee that Congress must implement oversight mechanisms for the use of AI by federal agencies. EPIC said that Congress should require algorithmic transparency, particularly for government systems that involve the processing of personal data. EPIC also said that Congress should amend the E-Government Act to require disclosure of the logic of algorithms that profile individuals. EPIC made similar comments to the UK Privacy Commissioner on issues facing the EU under the GDPR. A recent GAO report explored challenges with AI, including the risk that machine-learning algorithms may not comply with legal requirements or ethical norms. EPIC has pursued several criminal justice FOIA cases, and FTC consumer complaints to promote transparency and accountability. In 2015, EPIC launched an international campaign for Algorithmic Transparency. (Apr. 19, 2018)

  • In advance of a hearing on "Abusive Robocalls and How We Can Stop Them" EPIC recommended reforms that would combat fraud while protecting privacy. EPIC supports regulations that would (1) allow phone providers to proactively block numbers that are unassigned, unallocated, or invalid; (2) block invalid numbers without requiring consumer consent; (3) provide strong security measures for any database of blocked numbers; and (4) prohibit spoofing with the intent to defraud or cause harm. EPIC played a leading role in the creation of the Telephone Consumer Protection Act and continues to defend the Act. (Apr. 17, 2018)

  • In advance of a hearing on the Census Bureau, EPIC told Congress to consider the privacy issues arising from potential misuse of Census data. After the Department of Commerce announced that the 2020 Census will include a question on citizenship status, many have expressed concerns about the confidentiality of the data collected. EPIC told Representatives: "your committee should ensure that the data collected by the federal government is not misused." The census raises significant privacy risks and has been used to discriminate. EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to the Department of Homeland Security after 9-11. As a consequence, the Census Bureau revised its policy on sharing statistical information about "sensitive populations" with law enforcement or intelligence agencies. Customs and Border Protection also changed its policy on requesting "information of a sensitive nature from the Census Bureau." (Apr. 17, 2018)

  • EPIC has filed a second Freedom of Information Act lawsuit to obtain President Trump's tax records. EPIC is seeking information about IRS settlements involving the President and his businesses—information which the agency is required to disclose to the public upon request. The IRS agreed to process EPIC's request in February but has failed to release any records to date. EPIC previously sued the IRS for the release of the President's personal tax returns to correct misstatements of fact about his financial ties to Russia. President Trump tweeted "I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim contradicted by the President's own lawyers. That case, EPIC v. IRS, is now before the D.C. Circuit Court of Appeals. EPIC is litigating several other FOIA cases about Russian interference in the 2016 Presidential election, including EPIC v. FBI (response to Russian cyber attack) and EPIC v. DHS (election cybersecurity). (Apr. 17, 2018)

  • The Supreme Court has vacated United States v. Microsoft, a case concerning whether a U.S. communications law can be used by a U.S. law enforcement agency to obtain personal data stored outside of the U.S. While the case was pending, the Congress quickly passed the CLOUD Act, which requires internet companies to hand over personal data to U.S. law enforcement agencies, no matter where that data is stored. The Court then determined that there was no longer a matter to adjudicate and ended the proceeding. EPIC's amicus brief to the Supreme Court argued that human rights law and privacy standard should govern law enforcement access to personal data stored abroad. In recent comments to the UN, EPIC explained that the CLOUD Act "undermines communications privacy protections." (Apr. 17, 2018)

  • In advance of a hearing regarding IRS oversight, EPIC sent a statement to a House committee urging the release of President Trump's tax returns. As EPIC explained, "candidates for the Presidency have routinely released tax record information to the American public. Mr. Trump broke with that tradition even though he pledged to make this information publicly available." As a consequence, EPIC brought a FOIA suit for the release of the President's tax returns. EPIC recently filed the opening brief in EPIC v. IRS, now before the D.C. Circuit Court of Appeals. EPIC told the court that the IRS has the authority to disclose the President's returns to correct numerous misstatements of fact concerning financial ties to Russia. For example, President Trump tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"--a claim "plainly contradicted by his own attorneys, family members, and business partners." As EPIC explained to the Court and to Congress, "there has never been a more compelling FOIA request presented to the IRS." (Apr. 17, 2018)

  • EPIC submitted a statement following the Senate nomination hearing on Mike Pompeo for Secretary of State. EPIC said that the US Secretary of State should uphold privacy as a fundamental human right around the world. The United States Department of State publishes an annual human rights report that covers "internationally recognized individual, civil, political, and worker rights, as set forth in the Universal Declaration of Human Rights and other international agreements." EPIC also said that "international agreements provide the best opportunity to establish data protection standards" and urged the Secretary of State to ratify the International Privacy Convention. Privacy experts and advocates have also called for adoption of the Madrid Privacy Declaration, a comprehensive framework for data protection. (Apr. 16, 2018)

  • The Article 29 Working Party has released a statement on encryption policy. The Working Party stated "strong and efficient encryption is a necessity in order to guarantee the protection of individuals with regard to the confidentiality and integrity of their data which are the elementary underpinning of the digital economy." The Working Party found that "backdoors and master keys deprive encryption of its utility and cannot be used in a secure manner. Any obligation aiming at reducing the effectiveness of those techniques in order to allow law enforcement access to encrypted data could seriously harm the privacy of European citizens." The Working Party is a group of leading privacy officials in the European that often issues reports and opinions on emerging privacy issues. Under the GDPR, the Working Party will become the European Data Protection Board with new legal authorities. Communications services with escrow encryption, and other similar techniques, could be prohibited under the GDPR. EPIC began in April 1994 with the first internet petition, the campaign to stop the Clipper Chip, a key escrow encryption scheme developed by the NSA. (Apr. 16, 2018)

  • EPIC has submitted extensive comments on proposed guidance for Data Protection Impact Assessments. The new European Union privacy law - the "GDPR" — requires organizations to carefully assess the collection and use of personal data. In comments to UK privacy commissioner, EPIC said that disclosure of the technique for decision making is a core requirement for Data Protection Impact Assessments. EPIC supports "Algorithmic Transparency". EPIC has pursued criminal justice FOIA cases, and FTC consumer consumer complaints to promote transparency and accountability. EPIC has warned Congress of the risks of "citizen scoring." (Apr. 13, 2018)

  • EPIC has submitted a Freedom of Information Act request to the Department of Homeland Security seeking Privacy Impact Assessments and other records related to the solicitation for "media monitoring services." The DHS posted a solicitation to compile a database of journalists and "media influencers," including bloggers and social media influencers. The DHS is seeking to identify journalists based on their beat, publication, contact information, and articles published. Agency officials plan to search lists and analyze news coverage. By law, a federal agency is required to conduct a Privacy Impact Assessment before procuring information technology that contains personally identifiable information. In a prior FOIA lawsuit, EPIC obtained Privacy Impact Assessments from the FBI that were not publicly available. And in EPIC v. Presidential Election Commission, EPIC challenged the failure of the Commission to undertake a Privacy Impact Assessment prior to the collection of state voter data. The Commission was shuttered earlier this year. (Apr. 13, 2018)

  • The Federal Trade Commission has strengthened its 2017 settlement with Uber because the company hid a massive data breach and bug bounty program in 2016. Under the revised settlement, Uber must submit all of its privacy audits to the FTC, and will face civil penalties if it fails to disclose another breach. In February 2018, EPIC advised Congress that "bug bounty programs do not excuse non-compliance with data breach notification laws." The FTC's 2017 settlement with Uber was the result of EPIC's 2015 complaint to the Commission detailing Uber's numerous privacy abuses. In public comments, EPIC advised the FTC to strengthen the settlement by making all of Uber's privacy audits available to the public. (Apr. 12, 2018)

  • The Irish High Court has sent eleven questions to the European Court of Justice for review in Data Protection Commissioner v. Facebook. The case considers whether Facebook's transfers of data from Ireland to the United States violate the European Charter of Fundamental Rights. The case follows the 2015 landmark decision Schrems v. DPC, which found that the US had insufficient privacy law to protect the personal data of Europeans. The new case examines "standard contractual clauses" and whether the US provides sufficient remedies for privacy violations, whether future data transfers should be suspended, and whether the EU-US "Privacy Shield" matters. EPIC was designated the US NGO amicus curiae in this case, and provided a detailed assessment of US privacy law. (Apr. 12, 2018)

  • EPIC has filed suit to enforce the open government obligations of the Drone Advisory Committee, an industry-dominated committee that advises the Federal Aviation Administration on U.S. drone policy. For over a year, the Committee has conducted much of its work in secret and ignored the privacy risks posed by the deployment of drones, even after the Committee identified privacy as a top public concern. EPIC's lawsuit would force the Committee to disclose its work to the public. EPIC has a long history of promoting government transparency. EPIC's case to establish drone privacy regulations, EPIC v. FAA, No. 16-1297, is pending before the D.C. Circuit Court of Appeals. (Apr. 12, 2018)

  • In advance of a hearing regarding challenges facing the IRS, EPIC sent a statement to the Senate Finance Committee urging the release of President Trump's tax returns. EPIC v. IRS is one of several FOIA cases EPIC is pursuing concerning Russian interference in the 2016 Presidential election. EPIC recently filed the opening brief in the case before the D.C. Circuit Court of Appeals. EPIC told the court that the IRS has the authority to disclose the President's returns to correct numerous misstatements of fact concerning financial ties to Russia. For example, President Trump tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"--a claim "plainly contradicted by his own attorneys, family members, and business partners." As EPIC told the Court, "there has never been a more compelling FOIA request presented to the IRS." (Apr. 12, 2018)

  • In response to a series of questions from Rep. Gene Green, (D-TX), Facebook CEO Mark Zuckerberg confirmed that Facebook will comply with the new European Union privacy law - "the GDPR" - in all jurisdictions. Earlier this week, the Transatlantic Consumer Dialogue (TACD), a coalition of more than 70 consumer organization in North America and Europe, sent a letter to Mr. Zuckerberg urging him to comply with the GDPR as a baseline standard for all Facebook users worldwide. TACD wrote, "The GDPR helps ensure that companies such as yours operate in an accountable and transparent manner, subject to the rule of law and democratic process." (Apr. 11, 2018)

  • The Transatlantic Consumer Dialogue (TACD), a coalition of more than 70 consumer organization in North America and Europe, has sent a letter to Facebook CEO Mark Zuckerberg urging him to comply with the EU General Data Protection Regulation (GDPR) as a baseline standard, not just for EU consumers as it is required, but for all Facebook services. TACD wrote, "The GDPR helps ensure that companies such as yours operate in an accountable and transparent manner, subject to the rule of law and the democratic process. The GDPR provides a solid foundation for data protection, establishing clear responsibilities for companies that collect personal data and clear rights for users whose data is gathered. These are protections that all users should be entitled to no matter where they are located." Zuckerberg will testify before the Senate and House this week on Facebook's failure to protect user data. The TransAtlantic Consumer Dialogue was established in 1998 and works to promote the consumer interest in EU and US policy making. (Apr. 9, 2018)

  • EPIC has filed a Freedom of Information Act lawsuit against Immigration and Customs Enforcement for details of the agency's use of mobile forensic technology to conduct warrantless searches of mobile devices. ICE has contracts with a company called Cellebrite for techniques to unlock, decrypt, and extract data from mobile devices, including personal data stored in cloud-based accounts. Privacy complaints regarding the search of mobile devices at the border continue to increase. In a statement to Congress last year, EPIC warned that enhanced surveillance at the border will impact the rights of U.S. citizens. Senator Patrick Leahy (D-VT) and Senator Steve Daines (R-MT) have introduced legislation to place restrictions on searches and seizures of electronic devices at the border. (Apr. 9, 2018)

  • EPIC has provided a comprehensive report explaining the latest developments in U.S. privacy law and policy for the 63rd meeting of the International Working Group on Data Protection. The Working Group includes Data Protection Authorities and experts from around the world who work together to address emerging privacy challenges. The EPIC 2018 report details the CLOUD Act, the FTC's failure to enforce its legal judgment against Facebook, the ongoing investigation of the Russian interference in the 2016 election, federal nominees to the FTC and PCLOB, recent legislative proposals on Artificial Intelligence, and more. The 64th meeting of the IWG will take place in Queenstown, New Zealand on November 29-30. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the Goethe-Institut, Germany's cultural institute. (Apr. 9, 2018)

  • In advance of a joint hearing about Facebook's failure to protect the personal data of users, EPIC has sent a comprehensive statement to the Senate Committee on the Judiciary and the Senate Committee on Commerce. EPIC is urging the Senators to focus on the 2011 Consent Order between Facebook and the Federal Trade Commission. In 2009, EPIC and a coalition of consumer groups presented the FTC with a complaint, containing detailed evidence, legal theories, and proposed remedies to address growing concerns about Facebook. The FTC adopted a Consent Order in 2011, based on EPIC's Complaint, but failed to enforce the Order even after EPIC sued the agency in a related matter. In numerous comments to the FTC, EPIC and others urged the FTC to enforce its consent order. In the statement to the Senate this week, EPIC contends that the Cambridge Analytica debacle could have been prevented if the FTC enforced the Order. (Apr. 9, 2018)

  • EPIC has submitted input to the UN Office of the High Commissioner for Human Rights for an upcoming report on the right to privacy in the digital age. The OHCHR is soliciting information for a report to Human Rights Council on the right to privacy around the world. EPIC's comments detail shortcomings in US privacy law, including the CLOUD Act, the reauthorization of FISA Section 702, and FTC's failure to enforce consumer privacy guarantees. EPIC also highlighted the need for the Special Rapporteur on Privacy to promote fundamental privacy rights, particularly Article 12 of the Universal Declaration of Human Rights. (Apr. 6, 2018)

  • EPIC and a coalition of consumer groups have filed a complaint with the FTC, charging that Facebook's use of facial recognition techniques threaten user privacy and "in multiple ways" violate the 2011 Consent Order with the Commission. "The scanning of facial images without express, affirmative consent is unlawful and must be enjoined," the groups wrote. Last week the organizations urged the Federal Trade Commission to reopen the 2009 investigation of Facebook, arguing that the disclosure of user data to Cambridge Analytica violated the consent order, and noting that the order also prohibited Facebook from "making misrepresentations about the privacy or security of consumers' personal information." In 2011 EPIC and consumer groups urged the FTC to investigate Facebook’s facial recognition practices. In 2012 EPIC advised the FTC "Commercial actors should not deploy facial techniques until adequate safeguards are established. As such safeguards have not yet been established, EPIC would recommend a moratorium on the commercial deployment of these techniques." EPIC President Marc Rotenberg said today, "Facebook should suspend further deployment of facial recognition pending the outcome of the FTC investigation." (Apr. 6, 2018)

  • EPIC and a coalition of consumer groups will file a complaint with the FTC on Friday charging that Facebook's use of facial recognition techniques threaten user privacy and violate the 2011 Consent Order with the Commission. "The scanning of facial images without express, affirmative consent is unlawful and must be enjoined," the groups wrote. Last week the organizations urged the Federal Trade Commission to reopen the 2009 investigation of Facebook, arguing that the disclosure of user data to Cambridge Analytica violated the consent order, and noting that the order also prohibited Facebook from "making misrepresentations about the privacy or security of consumers' personal information." The FTC has confirmed that an investigation is now underway. The FTC said, "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements." Facebook CEO Mark Zuckerberg will testify next week before the Senate Judiciary Committee and the House Commerce Committee. In 2011 EPIC urged the FTC to investigate Facebook's facial recognition practices. In 2012 EPIC advised the FTC "Commercial actors should not deploy facial techniques until adequate safeguards are established. As such safeguards have not yet been established, EPIC would recommend a moratorium on the commercial deployment of these techniques." (Apr. 5, 2018)

  • Congressional leaders have announced the establishment of the Congressional Artificial Intelligence Caucus. The Caucus will bring together experts from academics, government, and the private sector to inform policymakers of the technological, economic and social impacts of advances in AI. The Congressional AI Caucus is bipartisan and co-chaired by Congressmen John Delaney (D-MD) and Pete Olson (R-TX). This is one of several initiatives in Congress to pursue AI policy objectives. Rep. Delaney introduced the FUTURE of Artificial Intelligence Act (H.R. 4625) and Rep. Elise Stefanik (R-NY) introduced a bill (H.R. 5356) that would create the National Security Commission on AI. In 2015, EPIC launched an international campaign for Algorithmic Transparency. EPIC has also warned Congress about the growing of opaque and unaccountable techniques in automated decision-making. (Apr. 3, 2018)

  • The D.C. Circuit Court of Appeals has refused to void an earlier ruling in EPIC's case to halt the collection of state voter data by the Presidential Election Commission. Although the Commission was disbanded in January, last year's decision by a three-judge panel of the D.C. Circuit remains on the books. The panel wrongly held that EPIC, a privacy and open government organization, did not have standing to challenge the Commission's failure to conduct and publish a privacy impact assessment required by law. EPIC asked the full D.C. Circuit to take the rare step of revisiting the panel's decision, but the court declined. EPIC's lawsuit previously led the Commission to suspend the collection of voter data, discontinue the use of an unsafe computer server, delete the voter information that was unlawfully obtained. Many states and over 150 members of Congress opposed the Commission's efforts to collect state voter data. EPIC will continue to pursue the case, which is eligible for appeal to the U.S. Supreme Court. The case is EPIC v. Commission, No. 17-1320 (D.D.C.) & 17-5171 (D.C. Cir.). (Apr. 2, 2018)

  • EPIC has filed a consumer protection lawsuit against AccuWeather for deceptively tracking the location of subscribers who downloaded the company’s app. In papers filed in the District of Columbia, EPIC charged that AccuWeather tracked consumers even when they expressly opted out of location tracking. EPIC also charged that AccuWeather failed to disclose that it transferred location data to third-party advertisers. EPIC alleges that these practices violate the District of Columbia Consumer Protection Procedures Act. EPIC has long advocated for the privacy of location data. EPIC filed a “friend of the court” brief with the US Supreme Court in a case concerning police surveillance and a complaint with the Federal Trade Commission concerning Uber’s tracking of subscribers. EPIC also opposed Apple’s tracking of iPhone users. EPIC also maintains detailed webpages on location privacy. (Apr. 2, 2018)

  • French President Emmanuel Macron has expressed support for "Algorithmic transparency" as a core democratic principle. In an interview with Wired magazine, President Macron said that algorithms deployed by the French government and companies that receive public funding will be open and transparent. President Macron emphasized, "I have to be confident for my people that there is no bias, at least no unfair bias, in this algorithm." President Macron's statement echoed similar comments in 2016 by German Chancellor Angela Merkel, "These algorithms, when they are not transparent, can lead to a distortion of our perception, they narrow our breadth of information." EPIC has a longstanding campaign to promote transparency and to end secret profiling. At UNESCO headquarters in 2015, EPIC said that algorithmic transparency should be a fundamental human right. In recent comments to UNESCO, EPIC highlighted the risk of secret profiling, content filtering, the skewing of search results, and adverse decision-making, based on opaque algorithms. (Apr. 2, 2018)

  • The Consumer Product Safety Commission responded to a complaint from EPIC and a coalition of consumer groups, urging the Commission to order the recall of the Google Home Mini "smart speaker." The touchpad on the device was permanently set to "on" so that Google recorded all conversations without a consumer's knowledge or consent. The groups wrote "this is a classic manufacturing defect that places consumers at risk. The defect in Google Home Mini is well within the purview of the Consumer Product Safety Commission." In the response, the Commission claimed that it monitors the hazards of IoT but said that it does not pursue privacy or data security issues. IoT devices are frequently the target of botnet attacks. According to Hacker News, "the DDoS threat landscape is skyrocketing" and the UK National Cyber Security Centre's report has called for comprehensive safeguards for IoT devices. EPIC Senior Counsel Alan Butler has written about products liability for IoT manufacturers. (Apr. 2, 2018)

  • In a Federal Register notice released today, the State Department is proposing that all visa applicants submit social media identifiers to the federal government. EPIC previously opposed the agency’s plan, warning that "this proposal leaves the door open for abuse, mission creep, and the disproportionate targeting of Muslim and Arab Americans." Earlier this year, EPIC and a broad coalition of civil rights organizations submitted a Freedom of Information Act request seeking details of the Trump Administration’s “extreme vetting” initiative, including the collection and use of social media information. (Mar. 30, 2018)

  • In detailed comments, EPIC advised the FTC to strengthen a proposed settlement with PayPal concerning Venmo, a mobile app for peer-to-peer payments. The FTC complaint found that Venmo made misrepresentations about privacy and security practices. EPIC recommended that the FTC require PayPal to (1) change the default setting to private, (2) require affirmative consent for subsequent changes, (3) make the privacy assessments public, (4) require multi-factor authentication, and (5) comply with Fair Information Practices. The FTC is obligated to consider public comments before finalizing a proposed settlement and must provide a “reasoned response” if it fails to modify an order. EPIC has previously pursued FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. (Mar. 29, 2018)

  • An internal investigation has revealed the FBI was not transparent about its technical capabilities before suing Apple to unlock an encrypted iPhone. Department of Justice Inspector General reports that FBI personnel failed to communicate to agency leadership that the FBI was very close to opening the phone. Investigating the 2015 mass shooting San Bernardino, the FBI filed suit to force Apple to create custom technology to decrypt an iPhone. The Agency's case relied on the fact that it "cannot access" that phone's content. EPIC filed an amicus brief in Apple v. FBI arguing that the "security features in dispute in this case were adopted to protect consumers from crime." (Mar. 28, 2018)

  • EPIC joined Consumer Watchdog and a coalition of consumer organizations to urge Facebook to cease all campaign contributions and electioneering activity. The groups also recommended that Facebook retain Jimmy Carter and the Carter Center to audit Facebook's use of personal information for election advertisements. Last week, EPIC and a coalition of consumer groups called on the Federal Trade Commission to investigate Facebook. EPIC has also urged the Federal Election Commission to provide transparency for online political ads. EPIC is fully engaged in protecting the integrity of elections with its Project on Democracy and Cybersecurity. (Mar. 28, 2018)

  • The Department of Commerce announced that the 2020 census will include a question on citizenship status. The decennial census has not included a citizenship question since 1950. Critics argue that the question will result in unreliable data collection and skew census results. Senator Menendez (D-NJ) has introduced S. 2580, a bill that would prohibit the census from including a citizenship question. Last week EPIC submitted a Freedom of Information Act request seeking documents on the Department's consideration of the many complicated issues related to the question. The census raises significant privacy risks. EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to DHS after 9-11. (Mar. 27, 2018)

  • The D.C. Circuit has set the briefing schedule for the OPM Data Security Breach case, concerning a pair of data breaches in 2015 that affected 22 million federal employees, their friends, and family members. EPIC recently informed the Court that it will file an amicus brief, which will now be due on May 17, 2018. EPIC has long warned that federal agencies collect far too much personal data that they fail to protect. In the 2012 case NASA v. Nelson, concerning repeated data breaches at the space agency, EPIC urged the Supreme Court to recognize a right to "informational privacy" that would limit data collection by federal agencies. (Mar. 26, 2018)

  • A bipartisan group of 37 State Attorneys General is investigating Facebook's business practices and lack of privacy protections. "Businesses like Facebook must comply with the law when it comes to how they use their customers' personal data," Pennsylvania Attorney General Josh Shapiro said. "State Attorneys General have an important role to play in holding them accountable." The Federal Trade Commission also announced today that it is investigating Facebook. Senate Judiciary Chairman Grassley has also said there will be hearings on the Facebook matter when Congress returns. (Mar. 26, 2018)

  • President Trump has signed the CLOUD Act, requiring internet companies to hand over personal data to U.S. law enforcement agencies, no matter where that data is stored. The Act also allows the executive branch to create agreements with foreign countries to provide direct access to personal data stored in the United States. EPIC submitted an amicus brief in United States v. Microsoft arguing that law enforcement access to data abroad should be resolved by international consensus and comply with human rights norms. Many organizations and privacy experts have endorsed the Madrid Privacy Declaration, which would establish international protections for personal data. (Mar. 26, 2018)

  • Through a Freedom of Information Act request, EPIC obtained records of email communications between Consumer Financial Protection Bureau staff members regarding the Equifax data breach investigation. The emails reveal that the CFPB was contacted by a Reuters reporter days before the article alleging the CFPB halted the Equifax investigation was published to confirm certain facts about the story. At that time, the CFPB did not correct the allegations in the article but instead provided the reporter a brief official statement stating they will not comment to ongoing investigations but the CFPB has the "desire, expertise, and know-how, in-house, to vigorously hypothetically pursue matters such as these." In the aftermath of the Reuters Equifax article, the CFPB exchanged emails about how to respond to the story and one staffer stated, "no more specific reaction than 'reports are incorrect.'" Acting Director Mick Mulvaney has since publicly confirmed that the CFPB's Equifax investigation is still ongoing. (Mar. 26, 2018)

  • The Federal Trade Commission has confirmed an investigation into Facebook for the company's failure to protect the personal data obtained by Cambridge Analytica. Facebook likely violated the FTC's 2011 Consent Order with the company. Last week, EPIC and a coalition of consumer organizations urged the FTC to reopen the investigation. EPIC and other consumer organizations brought the complaint that led to the FTC's 2011 Order. Thomas Pahl, the Acting Director of the FTC's Bureau of Consumer Protection stated today, "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook." In a recent article for Techonomy, EPIC President Marc Rotenberg emphasized that "the transfer of 50 million user records to the controversial data mining and political consulting firm could have been avoided if the Federal Trade Commission had done its job." (Mar. 26, 2018)

  • EPIC has submitted an urgent Freedom of Information Act request to the Department of Commerce seeking information about a proposed citizenship question on the 2020 census. Secretary Wilbur Ross stated today that the Department of Commerce will make a decision as to whether to include the controversial question in the 2020 census by March 31. Secretary Ross also said, “there are probably 15 or 20 different very complicated issues involved in the request.” EPIC specifically requested information about these issues. The census raises significant privacy risks. EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to DHS after 9-11. (Mar. 22, 2018)

  • Congresswoman Elise Stefanik (R-NY) has introduced a bill (H.R. 5356) that would create the National Security Commission on Artificial Intelligence (AI).Congresswoman Stefanik said, “It is critical to our national security but also to the development of our broader economy that the United States becomes the global leader in further developing this cutting edge technology.” The Commission would conduct a comprehensive review of AI technologies, assess the risks to national security, identity actionable items, and provide recommendations to the President and Congress. The Commission’s recommendations would also address: data and privacy, international law and ethics, competitiveness, technological advantages, cooperation and competition, investments and research, and workforce and education. In 2015, EPIC launched an international campaign for Algorithmic Transparency. EPIC has also warned Congress about the use of opaque technique in automated decision-making. (Mar. 22, 2018)

  • Through a Freedom of Information Act request, EPIC has obtained the FBI’s “Policy for Biometric Information Sharing with Domestic and International Agencies.” The documents EPIC obtained also contain details of the United States’ agreement with Iraq to exchange biometric data, including to not subject the information to any dissemination restrictions of the US or Iraq. The FBI maintains one of the world's largest biometric databases, known as the "Next Generation Identification” system, which includes facial IDs gathered from international conflicts. In 2007, EPIC, Privacy International, and Human Rights Watch warned the Secretary of Defense that the “system of biometric identification contravene international privacy standards and could lead to further reprisals and killings.” EPIC noted in 2010 "President Obama’s address on the end of the combat mission in Iraq has left open the question of what will happen to the massive biometric databases on Iraqis, assembled by the United States, during the course of the conflict." (Mar. 22, 2018)

  • At a Senate Intelligence Committee hearing on Election Security this week. Senator Diane Feinstein said “America is the victim and America has to know what’s wrong. And if there are states that have been attacked, America should know that.” In a Freedom of Information Act lawsuit EPIC v. FBI, EPIC obtained the FBI notification procedures that would have applied during the 2016 Presidential election. The documents state that “[b]ecause timely victim notification has the potential to completely mitigate ongoing and future intrusions and can mitigate the damage of past attacks while increasing the potential for the collection of actionable intelligence, CyD’s policy regarding victim notification is designed to strongly favor victim notification.” However, the FBI did not follow this procedure following cyber attacks on the DNC and RNC during the 2016 Presidential Election. In early 2017, EPIC launched the Project on Democracy and Cybersecurity. EPIC is currently pursuing several additional FOIA cases concerning Russian interference with the 2016 election, EPIC v. ODNI (Russian hacking), EPIC v. IRS (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity).
    (Mar. 22, 2018)

  • EPIC has submitted an urgent Freedom of Information Act request to the Federal Trade Commission, seeking the privacy assessments required by the FTC's 2012 Consent Order. Facebook is required to produce independent privacy assessments every two years for the next 20 years. Each assessment should "identify Facebook's privacy controls maintained during the reporting period, explain the appropriateness of these controlsin relation to Facebook's activities and sensitivity of information, as well as explain how these controls meet or exceed the protections" required in the 2012 Consent Order. Facebook is also required to identify an independent privacy auditor, approved by the FTC. EPIC previously obtained the 2012 Initial Compliance Report as well as the 2013 Initial Assessment through an earlier FOIA request. EPIC is now seeking the 2015 and 2017 reports which cover the period for the data transfers to Cambridge Analytica. (Mar. 20, 2018)

  • In a statement issued today, EPIC and a coalition of consumer groups have called on the Federal Trade Commission to determine whether Facebook violated a 2011 Consent Order when it facilitated the transfer of personal data of 50 million Facebook users to the data mining firm Cambridge Analytica. The groups had repeatedly urged the FTC to enforce its own legal judgements. EPIC even sued the agency in 2012 for its failure to enforce a consent order against Google. "The FTC's failure to act imperils not only privacy but democracy as well," the groups warned. Between 2009 and 2011 EPIC and other consumer groups undertook extensive work to document Facebook's privacy abuses that led to the consent order in 2011. (Mar. 20, 2018)

  • EPIC has sent a statement to the House Appropriations Committee outlining the key privacy issues facing the Secretary of Commerce. The Committee held a hearing today to discuss the FY19 budget for the Department of Commerce. EPIC stated that data protection may be "the most important issue that the Secretary of Commerce will confront over the next several years." EPIC said the FTC is simply not doing enough to safeguard the personal data of American consumers, as evidenced by this week's report on Facebook and Cambridge Analytica. EPIC also warned that Europe may suspend the Privacy Shield, a framework that permits the flow of European consumers' personal data to the U.S, if the United States does not modernize privacy law and establish a federal data protection agency. (Mar. 20, 2018)

  • In 2009, EPIC and a coalition of US consumer privacy organizations petitioned the Federal Trade Commission to establish comprehensive privacy safeguards after Facebook changed user privacy settings and secretly transferred user data to third parties. In 2011, the FTC agreed with the privacy groups and established a far-reaching settlement with the company, that prevented such disclosures, prohibited deceptive statements, and required annual reporting. But the FTC failed to enforce its consent order, even after EPIC sued the agency and consumer groups repeatedly urged the Commission to act. This weekend the Washington Post and the New York Times reported that Facebook disclosed the personal data of 50 million users without their consent to Cambridge Analytica, the controversial British data mining firm that sought to influence the 2016 presidential election. (Mar. 19, 2018)

  • A federal appeals court ruled today in a closely watched case concerning robocalls. The rule under review in ACA International v. FCC concerned the FCC's regulations for the Telephone Consumer Protection Act. EPIC filed a friend of the court brief in the case in support of the FCC regulations. EPIC said that companies "seeking to engage in privacy-invading business practices" bear "the burden of proving consent." The court agreed that consumers could withdraw consent by all "reasonable means." However, the court vacated other aspects of the rule, including the definition of automated telephone dialing system and proposed procedures for calls to reassigned numbers. (Mar. 16, 2018)

  • EPIC has provided comments to UNESCO on a proposed framework for Internet Universality Indicators. The UNESCO framework emphasizes Rights, Openness, Accessibility, and Multistakeholder participation. UNESCO said that the framework will help guide protections for fundamental rights. EPIC also proposed "Algorithmic Transparency" as a key indicator of Internet Universality. EPIC highlighted the risk of secret profiling, content filtering, the skewing of search results, and adverse decisionmaking, based on opaque algorithms. EPIC has worked closely with UNESCO for over 20 years on Internet policy issues. At UNESCO headquarters in 2015, EPIC said that algorithmic transparency should be a fundamental human right. (Mar. 16, 2018)

  • EPIC has informed the D.C. Circuit Court of Appeals that it will file an amicus brief in the OPM Data Security Breach case. The case concerns a pair of data breaches in 2015 that affected 22 million federal employees, their friends, and family members. EPIC has long warned that federal agencies collect far too much personal data that they fail to protect. In the 2012 case NASA v. Nelson, concerning repeated data breaches at the space agency, EPIC urged the Supreme Court to recognize a right to "informational privacy" that would limit data collection by federal agencies. (Mar. 15, 2018)

  • Today the Federal Election Commission voted unanimously, at a public meeting, to publish a proposed rule concerning transparency requirements for online political ads. The FEC noted EPIC's comments—arguing that internet companies should be held to the same standard as broadcast companies—in its proposal. The FEC will publish the proposal in the Federal Register, accept comments from the public, and then hold a public hearing on June 27, 2018. After Russian interference in the 2016 election, EPIC launched the Democracy and Cybersecurity Project to preserve the integrity of elections and democratic institutions. In comments to the FEC in November 2017, EPIC explained the "need to protect democratic institutions from foreign adversaries has never been greater...To help ensure the integrity of U.S. elections, the Federal Election Commission should not exempt technology companies from notification requirements for Internet communications." (Mar. 14, 2018)

  • In advance of the hearing on the nomination of Lieutenant General Paul M. Nakasone to be the Director of the National Security Agency, EPIC has sent a statement to the Senate Intelligence Committee. EPIC urged the Committee to ask the nominee whether he agrees with the January 2017 assessment of the Intelligence Community that the Russians interfered with the 2016 Presidential election and whether he believes that the United States has taken sufficient steps to prevent Russian meddling in the mid-term elections. In the latest FOIA gallery, EPIC highlighted four new EPIC FOIA lawsuits to uncover details of the Russian interference in the 2016 Presidential election. One EPIC's FOIA cases, EPIC v. FBI, revealed that the Bureau failed to warn the DNC and the RNC that they were targeted by a Russian cyber attack. (Mar. 14, 2018)

  • U.K. privacy officials have blocked WhatApp from transferring personal data to Facebook until the company complies with the GDPR, the new European privacy law. The Information Commissioner's Office found that WhatsApp's proposed data transfer would have violated the U.K. Data Protection Act. "People have a right to have their personal data kept safe," explained Commissioner Elizabeth Denham in a blog post. EPIC has twice urged the FTC to block WhatsApp's transfer of personal data to Facebook, but the FTC has failed to act. The FTC approved Facebook's acquisition of WhatsApp in 2014 after both companies assured the Commission and the public that they would protect users' privacy, but in 2016 WhatsApp announced that it would begin transferring the names and phone numbers of its users to Facebook. France blocked the data transfer and the EU fined Facebook $122 million for misleading European authorities about the data transfer. (Mar. 14, 2018)

  • EPIC has filed an amicus brief with the Eleventh Circuit Court of Appeals in Jackson v. McCurry, stating that teachers may not search a student's cell phone unless they have followed an explicit school policy that complies with Fourth Amendment requirements. Citing a recent Supreme Court opinion, EPIC explained, "after Riley, searches of students' cell phones require heightened privacy protections." Noting that "most teenagers today could not survive without a cellphone," EPIC wrote that searches of cell phones should be "limited to those circumstances when it is strictly necessary." EPIC previously participated as amicus curiae in Riley v. California, arguing that the search of a cellphone requires a warrant, and Commonwealth v. White, a case before the Massachusetts Supreme Judicial Court, arguing that a warrant is required before a school may turn over a student's cell phone to the police. Both cases produced favorable outcomes. (Mar. 13, 2018)

  • In advance of the Senate hearing on the Freedom of Information Act (FOIA), EPIC submitted a statement highlighting recent FOIA cases. EPIC told the committee about documents EPIC has obtained through FOIA requests and litigation, including documents obtained last week that show federal voting rights officials sought to "clean up" state voter rolls. EPIC also discussed its case against the IRS seeking the release of President Trump's tax returns. Since 2001, EPIC has produced an annual FOIA gallery in honor of Sunshine Week to feature EPIC's FOIA work over the past year. (Mar. 12, 2018)

  • In celebration of Sunshine Week, a national recognition of public access to information, EPIC has unveiled the 2018 FOIA Gallery. Since 2001, EPIC has released annual highlights of EPIC's most significant open government cases. In 2017, EPIC obtained the "victim notification procedures" that the FBI did not follow during the 2016 Presidential election, revealed that the FBI also failed to follow internal guidance for using intelligence data for criminal investigations, and uncovered problems with the border security biometric matching program. In the latest FOIA gallery, EPIC also highlighted four new EPIC FOIA lawsuits to uncover details of the Russian interference in the 2016 Presidential election and records, obtained by EPIC, revealing federal voting rights officials discussing ways to "clean" state voter rolls. (Mar. 12, 2018)

  • Officials from four different federal agencies discussed joint plans to "clean" state voter rolls last year, according to documents obtained by EPIC through a Freedom of Information Act request. The records show that the Election Assistance Commission, the Presidential Election Commission, the Department of Justice, and the Department of Homeland Security explored ways to cooperate on "cleaning" and "maintenance" of state voter registration databases. The documents also reveal that the Presidential Election Commission and the DOJ discussed "election integrity" issues just two weeks before both agencies issued sweeping requests for state election records on the same day. After EPIC brought suit against the Commission last yet to halt its unlawful gathering of personal voter data, the Commission temporarily suspended its data collection, discontinued the use of an unsafe computer server, deleted voter information that was illegally obtained, and ultimately disbanded. (Mar. 12, 2018)

  • A federal appeals court has ruled that consumers affected by a Zappos.com data breach have the right to sue the online retailer. The 2012 breach exposed the personal data of more than 24 million Zappos customers. A lower court previously held that the consumers lacked "standing" to bring a lawsuit against Zappos because their injuries were merely "conjectural." But the Ninth Circuit Court of Appeals reversed that decision and allowed the case to continue. "With each new hack comes a new hacker, each of whom independently could choose to use the data to commit identity theft," the court wrote. EPIC regularly files amicus briefs defending standing in consumer privacy cases, most recently in Eichenberger v. ESPN (where the Ninth Circuit also held for consumers), Gubala v. Time Warner Cable, and In re SuperValu Customer Data Security Breach Litigation. (Mar. 9, 2018)

  • The International Working Group on Data Protection has adopted new recommendations to enhance the privacy of website registration data. The Berlin-based Working Group includes Data Protection Authorities and experts who assess emerging privacy challenges. The "Working Paper on Privacy and Data Protection Issues with Regard to Registrant data and the WHOIS Directory" highlights privacy risks of the current registration system. When registering a new website with ICANN, the personal data of website owners is published in a widely accessible database. The Working Group recommends limitations on disclosure consistent with the purpose of registration - to provide limited contact information to resolve technical concerns. Registration data is also subject to the GDPR. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the Goethe-Institut, Germany's cultural institute. (Mar. 9, 2018)

  • EPIC has filed a Freedom of Information Act lawsuit against the Department of Homeland Security to obtain the public release of information about the use of drones for domestic surveillance. EPIC cited a Presidential Memorandum that required all federal agencies to prepare public reports on drone deployment. EPIC's lawsuit charges that the DHS has failed to make these reports public. In a previous lawsuit against the DHS, EPIC obtained records which revealed that DHS drones had the capability to intercept electronic communications and identity humans at a distance. EPIC has also brought a lawsuit against the FAA to establish drone privacy regulations in the United States. (Mar. 9, 2018)

  • EPIC has announced the newest members of the EPIC Advisory Board. They are Professor Woodrow Hartzog, Dr. Rush D. Holt, Len Kennedy, and Roger McNamee. The EPIC Advisory Board is a distinguished group of experts in law, technology, and public policy who contribute to EPIC’s work on privacy and civil liberties. The publication of the EPIC Advisory Board members are available at the EPIC Bookstore. Dr. Whitfield Diffie, Professor Harry Lewis, and Professor Jennifer Daskal recently joined the EPIC Board of Directors. The 2018 EPIC Champion of Freedom Awards will be presented on June 6, 2018 at the National Press Club. Press Release. (Mar. 6, 2018)

  • EPIC sent a statement to a House Committee on Energy and Commerce in advance of a hearing on the NTIA, a key technology policy agency. EPIC warned that "American consumers face unprecedented privacy and security threats," citing both data breaches and "always on" devices that record users' private conversations. EPIC said that Congress and the NTIA should establish protections that minimize the collection of personal data and promote security for Internet-connected devices. EPIC warned of growing risks to consumer safety and public safety. EPIC has testified before Congress, litigated cases, and filed complaints with the FTC regarding connected cars, "smart homes," consumer products, and "always on" devices. (Mar. 6, 2018)

  • Today the Senate Armed Services Committee held a hearing that addressed concerns about Russian interference in upcoming elections. In his opening statement, the Director of National Intelligence Daniel Coats stated that Russia views its influence on the 2016 election as successful and emphasized the threat that Russian cyberattacks pose to U.S. democracy. Coats testified that the U.S.'s response has not been sufficient to deter Russia from interfering in the 2018 midterm elections, agreeing with testimony of Admiral Michael Rogers, the Commander of U.S. Cyber Command, in a hearing last week. Coats called the U.S.'s strategy to combat Russian interference a "whole government approach," but it concerned some Senators that there was no lead agency in charge of this effort, including Senator Mazie Hirono (D-HI) who said that it caused her to conclude that it is "not a top priority" for the President. EPIC launched a project on Democracy and Cybersecurity in response to Russian interference in the 2016 presidential election. (Mar. 6, 2018)

  • Senators Patrick Leahy (D-VT) and Steve Daines (R-MT) have introduced a bill that would place restrictions on searches and seizures of electronic devices at the border. The bill sets out detailed procedures for seizing electronic devices, including a warrant requirement prior to inspection of the device, data minimization, and exclusion of evidence that is obtained in violation of the Act. The bill also establishes reporting requirements to determine the scope and frequency of device searches. Senator Leahy stated that "no American should have to relinquish all of their privacy rights to their cell phones, laptops and other electronic devices, simply because they are coming home from a trip abroad." The bill would also require a warrant to use software to analyze seized electronic devices. In a statement to Congress last year, EPIC warned that enhanced surveillance at the border will impact citizens' rights. (Mar. 5, 2018)

  • The Securities and Exchange Commission has released guidance for cybersecurity risks and incidents. The SEC stated that "in light of the increasing significance of cybersecurity incidents," it is "critical" for companies to routinely report cybersecurity threats. The Commission also emphasized that corporate officers must not trade on nonpublic information. Equifax waited six weeks to notify the public of its data breach, and its executives were accused of insider trading after it was revealed that they sold Equifax stock prior to informing the public of the breach. EPIC has long advocated for mandatory breach notification. EPIC President Marc Rotenberg recently testified on data security and breach notification before the House and Senate, explaining that companies' failure to protect data threatens not only consumers but also national security. (Mar. 5, 2018)

  • Today Rep. Lieu (D-CA) introduced two bills to safeguard consumer data: the "Protecting Consumer Information Act of 2018" and the "Ending Forced Arbitration for Victims of Data Breaches Act." The first bill will expand the Federal Trade Commission's enforcement authority over credit reporting agencies, while allowing state attorneys general to also bring enforcement actions. The second bill will prohibit entities from enforcing mandatory arbitrary clauses—which prohibit consumers from filing lawsuits—in data breach cases. In a press release announcing the legislation, Rep. Lieu said, "these bills forge a path forward that can both prevent future breaches and ensure victims can seek due process when they occur." Rep. Lieu's announcement came the same day that Equifax disclosed an addition 2.4 million people were impacted by last year's data breach, bringing the total to approximately 148 million people. EPIC President Marc Rotenberg recently testified before Congress to call for comprehensive privacy legislation and the creation of a federal data protection agency. (Mar. 1, 2018)

  • EPIC and a broad coalition of civil rights organizations submitted a Freedom of Information Act request today seeking details related to ICE's "Extreme Vetting" Initiative, including the collection and use of social media information. The federal is agency is making deportations and visa decisions based on vague and ambiguous criteria. The FOIA request seeks to make public the specific procedures and policies for Extreme Vetting. Last year, EPIC and a coalition of civil rights organizations sent a joint statement to the Acting Secretary of Homeland Security to oppose the Extreme Vetting Initiative. EPIC previously opposed a proposal to collect social media information for use in visa determinations. (Mar. 1, 2018)

  • Identity theft ranked second among all complaints submitted to the Federal Trade Commission in 2017. Although the total number of complaints dropped, consumers reported losing $63 million more to identity theft and fraud in 2017 than in 2016. EPIC has warned that "the FTC's failure to act against the growing threats to consumer privacy and security could be catastrophic." 2017 marked a record year for data breaches. EPIC urged the FTC to enforce data security standards as part of its 10 recommendations for the FTC's five-year strategic plan. EPIC President Marc Rotenberg also testified before the Senate and the House following the Equifax breach, calling for comprehensive data protection legislation. (Mar. 1, 2018)

  • This week, the Supreme Court heard arguments in United States v. Microsoft Corps., a case concerning law enforcement access to personal data stored in Ireland. The Court appeared divided during the argument, but both Justice Ginsburg and Justice Alito appeared to agree that Congress and not the Court was better positioned to find a solution. In an amicus brief, EPIC urged the Supreme Court to respect international privacy standards. EPIC wrote, the "Supreme Court should not authorize searches in foreign jurisdictions that violate international human rights norms." EPIC cited important cases from the European Court of Human Rights and the European Court of Justice. EPIC warned that "a ruling for the government would also invite other countries to disregard sovereign authority." EPIC has long supported international standards for privacy protection, and EPIC has urged U.S. ratification of the Council of Europe Privacy Convention. EPIC routinely participates as amicus curiae in privacy cases before the Supreme Court, most recently in Carpenter v. United States (privacy of cellphone data), Byrd v. United States (searches of rental cars), and Dahda v. United States (wiretapping). (Feb. 28, 2018)

  • A new Axios-SurveyMonkey poll found that 55% of Americans believe the government should do more to regulate tech companies such as Google and Facebook. The poll showed bipartisan support for increased regulation, with 45% of Republicans, 64% of Democrats, and 57% of Independents saying they are "more concerned" that the government will not go far enough to regulate tech. EPIC maintains an extensive page on Privacy and Public Opinion which shows consistent support among Americans for stronger laws to protect their privacy. EPIC has also opposed mergers that threaten consumer privacy, including Facebook's acquisition of WhatsApp, Google's acquisition of DoubleClick, and Google's acquisition of Nest Labs. (Feb. 28, 2018)

  • In a statement to Congress in advance of a hearing on the Department of Defense's cyber operations, EPIC urged lawmakers to consider the privacy impact of cyber policies. The Cybersecurity Information Sharing Act of 2015 allowed the federal government to obtain cyber threat information from the private sector—much of which concerns the activities of individual Internet users—without privacy safeguards. EPIC urged Congress to ask Michael Rogers, the Commander of U.S. Cyber Command, about the steps the Defense Department will take to reduce privacy risks. EPIC previously sued the federal government for information regarding a Department of Homeland Security program that allowed the NSA to monitor the Internet traffic of defense contractors. (Feb. 27, 2018)

  • The Northern District of California has ruled that Facebook users have standing to pursue a class action challenging Facebook's use of facial recognition software. The court said that the Illinois Biometric Information Privacy Act requires plaintiffs only to show that Facebook has unlawfully collected their biometric data without their consent. Facebook sought to dismiss the suit by arguing that the Supreme Court's decision in Spokeo v. Robins required the plaintiffs to show additional harm. EPIC submitted a friend-of-the-court brief in Spokeo, arguing that courts should not second-guess privacy laws. The Ninth Circuit Court of Appeals recently agreed with EPIC that internet users have standing when a company has disclosed their personal information in violation of the Video Privacy Protection Act. (Feb. 27, 2018)

  • EPIC has sent a statement to the House Homeland Security Committee in advance of a hearing on the Transportation Security Administration. EPIC urged the Committee to limit the collection of biometric data at US airports. EPIC described the growing use of facial recognition that capture the images of US travelers. EPIC also pointed to a recent study that found racial disparities with the technique. EPIC previously pursued a significant lawsuit against the TSA that led to the removal of x-ray body scanners from US airports. EPIC is currently seeking records from Customs and Border Protection concerning the accuracy of facial recognition. (Feb. 26, 2018)

  • The Ninth Circuit Court of Appeals has ruled in FTC v. AT&T that the Federal Trade Commission can regulate telephone and internet companies, reversing an earlier decision by a three-judge panel that stripped the FTC of its authority over "common carriers." The full Ninth Circuit held that the common carrier exemption to the FTC Act is activity-based, not status-based. This means that the FTC can regulate AT&T's data-throttling practices. The Ninth Circuit reached the result that EPIC and a coalition of consumer advocates had urged in a friend-of-the-court brief. EPIC also vigorously defended the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards" in an amicus brief in FTC v. Wyndham. (Feb. 26, 2018)

  • EPIC has filed the opening brief in its case to obtain President Trump's tax returns. EPIC told the D.C. Circuit Court of Appeals that the IRS has the authority to disclose the President's returns to correct numerous misstatements of fact concerning his financial ties to Russia. For example, President Trump tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim "plainly contradicted by his own attorneys, family members, and business partners." A Quinnipiac poll released today confirms that public overwhelmingly supports (67%) the release of the President's returns. As EPIC told the Court, "there has never been a more compelling FOIA request presented to the IRS." EPIC v. IRS is one of several FOIA cases EPIC is pursuing concerning Russian interference in the 2016 Presidential election, including EPIC v. ODNI (scope of Russian interference), EPIC v. FBI (response to Russian cyber attack), and EPIC v. DHS (election cybersecurity). Press Release. (Feb. 22, 2018)

  • The Secure and Succeed Act (S. Amdt. 1959 to H.R. 2579), sponsored by several Republican Senators, would link DACA with hi-tech border surveillance. Customs and Border Protection would use facial recognition and other biometric technologies to inspect travelers, both US citizens and non-citizens, at airports. The bill also establishes "Operation Phalanx" that instructs the Department of Defense—a military agency—to use drones for domestic surveillance. EPIC has pursued many FOIA cases on border surveillance involving biometrics, drones, and airport body scanners, In a statement to Congress, EPIC warned that "many of the techniques that are proposed to enhance border surveillance have direct implications for the privacy of American citizens." (Feb. 21, 2018)

  • The Supreme Court will hear arguments this week in Dahda v. United States, a case concerning the federal Wiretap Act and the suppression of evidence obtained following an invalid wiretap order. The Wiretap Act requires exclusion of evidence obtained as a result of an invalid order, but a lower court denied suppression in the case even though the order was unlawfully broad. In an amicus brief, EPIC wrote that "it is not for the courts to create textual exceptions" to federal privacy laws. EPIC explained that Congress enacted strict and unambiguous privacy provisions in the Wiretap Act. "If the government wishes a different outcome," EPIC wrote, "then it should go to Congress to revise the statute." EPIC routinely participates as amicus curiae in privacy cases before the Supreme Court, most recently in Byrd v. United States (suspicionless searches of rental cars) and Carpenter v. United States (warrantless searches of cellphone location records). (Feb. 20, 2018)

  • The Supreme Court has denied a petition for a writ of certiorari in Carefirst, Inc. v. Attias, a case concerning standing to sue in data breach cases. Consumers had sued health insurer Carefirst after faulty security practices allowed hackers to obtain 1.1 million customer records. EPIC filed an amicus brief backing the consumers, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches." The federal appeals court agreed with EPIC and held that consumers may sue companies that fail to safeguard their personal data. Carefirst appealed the decision, but the Supreme Court chose not to take the case. EPIC regularly files amicus briefs defending standing in consumer privacy cases, most recently in Eichenberger v. ESPN, where the Ninth Circuit also held for consumers, as well as Gubala v. Time Warner Cable and In re SuperValu Customer Data Security Breach Litigation. (Feb. 20, 2018)

  • Rep. Luetkemeyer (R-MO) and Rep. Maloney (D-NY) circulated a draft bill, the "Data Acquisition and Technology Accountability and Security Act," that would set federal requirements for companies collecting personal data and require prompt breach notification. The Federal Trade Commission, which has often failed to pursue important data breach cases, and state Attorneys General would both be responsible for enforcing the law. The law would only trigger liability if the personal data breached is "reasonably likely to result in identity theft, fraud, or economic loss" and would preempt stronger state data breach laws. Earlier this week, EPIC President Marc Rotenberg testified before the House, calling for comprehensive data privacy legislation that would preserve stronger state laws. Last fall, EPIC testified at a Senate hearing on the Equifax breach, calling it one of the worst in U.S. history. (Feb. 16, 2018)

  • Special Counsel Robert Mueller has indicted thirteen Russian nationals and three Russian entities for interfering in the 2016 U.S. presidential election. "Beginning as early as 2014" the defendants began operations "to interfere with the U.S. political system" and "sow discord," the indictment explains. They also posed as U.S. persons online, reaching "significant numbers of Americans" on social media. EPIC first sought details of the Russians' "multifaceted" influence campaign in January 2017, pursuing release of the complete Intelligence Community assessment on Russian meddling. EPIC President Marc Rotenberg recently highlighted the role of the Russian Internet Research Agency, named in the Mueller indictment, explaining, "Facebook sold advertising to Russian troll farms working to undermine the American political process." EPIC launched a new project on Democracy an Cybersecurity in early 2017 to help preserve democratic institutions. (Feb. 16, 2018)

  • The Congressional Task Force on Election Security today released its final report detailing vulnerabilities in U.S. election systems. The report includes many recommendations, purchasing voting systems with paper ballots, post-election audits, and funding for IT support. The report also proposes a national strategy to counter efforts to undermine democratic institutions. Election experts have said that Congress has not done enough to safeguard the mid-term elections. In early 2017, EPIC launched the Project on Democracy and Cybersecurity. EPIC is currently pursuing several FOIA cases concerning Russian interference with the 2016 election, including EPIC v. FBI (cyberattack victim notification), EPIC v. ODNI (Russian hacking), EPIC v. IRS (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity). (Feb. 14, 2018)

  • In advance of a Senate hearing on four nominees to the Federal Trade Commission, EPIC recommended 10 steps for the FTC to safeguard American consumers. EPIC explained that the FTC's failure to address the data protection crisis has contributed to unprecedented levels of data breach and identity theft in the United States. EPIC helped establish the FTC's authority for consumer privacy and has urged the FTC to safeguard American consumers in cases involving Microsoft, Google, Facebook, Uber, Samsung and others. EPIC also filed a lawsuit against the FTC when it failed to enforce a consent order against Google. (Feb. 13, 2018)

  • The Senate Intelligence Committee held a hearing today with top officials from all U.S. intelligence agencies: Office of the Director of National Intelligence, CIA, NSA, Defense Intelligence Agency, FBI, and the National Geospatial-Intelligence Agency. The officials unanimously agreed that Russia interfered in the 2016 election and will interfere in the 2018 election, noting that they have already observed attempts to influence upcoming elections. Director of National Intelligence Dan Coats said: "There should be no doubt that Russia perceived that its past efforts as successful and views the 2018 U.S. midterm elections as a potential target for Russian influence operations." EPIC launched the Project on Democracy and Cybersecurity, after the 2016 presidential election, to safeguard democratic institutions. EPIC is currently pursuing several FOIA cases concerning Russian interference, including EPIC v. FBI (cyberattack victim notification), EPIC v. ODNI (Russian hacking), EPIC v. IRS (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity). EPIC also provided comments to the Federal Election Commission to improve transparency of election advertising on social media. (Feb. 13, 2018)

  • EPIC President Marc Rotenberg will testify before the House Financial Services Committee this week. Rotenberg will say that "Data breaches pose enormous challenges to the security of American families, as well as our country's national security." EPIC will call for comprehensive data protection legislation and the creation of a federal data protection agency. EPIC also challenged the decision of the CFPB Director to drop the investigation into the Equifax data breach. EPIC has repeatedly urged Congress to address the data protection crisis in the United States, warning that it endangers national security and international trade. Last year EPIC testified before the Senate in the wake of the Equifax breach, emphasizing the growing risks to American consumers. (Feb. 12, 2018)

  • The IRS acknowledged that it will fulfill EPIC's FOIA request seeking certain tax records of President Trump and the President's businesses. It marks the first time, to EPIC's knowledge, that the IRS has agreed to process a third-party FOIA request for the President's tax information. EPIC is seeking tax records relating to settlements with the IRS, which the agency is required to disclose to the public upon request. EPIC previously sued the IRS for the release of the President's personal tax returns to correct misstatements of fact about his financial ties to Russia. President Trump tweeted "I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim contradicted by the President's own lawyers. That case, EPIC v. IRS, is now before the D.C. Circuit Court of Appeals. EPIC is litigating several other FOIA cases about Russian interference in the 2016 Presidential election, including EPIC v. ODNI (scope of Russian interference), EPIC v. FBI (response to Russian cyber attack), and EPIC v. DHS (election cybersecurity). (Feb. 12, 2018)

  • EPIC filed a Freedom of Information Act request to the Department of Homeland Security seeking records about DHS's investigation of state voter fraud. Since the termination of the Presidential Advisory Commission on Election Integrity, President Trump suggested that the DHS investigate voter fraud, which falls outside the agency's jurisdiction. The agency has stated that its top priority is securing election systems from cyberattacks. This week, the DHS admitted that Russian hackers successfully penetrated election systems in the 2016 Presidential Election. EPIC had earlier submitted a statement to Congress seeking assurances that DHS will not continue the work of the disbanded Commission. (Feb. 9, 2018)

  • EPIC and other leading open government organizations urged Congress to promote transparency and accountability of the Intelligence agencies. The groups called for the release of annual public reports, all significant opinions by the Foreign Intelligence Surveillance Court, and an accounting on the number of Americans subject tp foreign intelligence surveillance. EPIC previously called on lawmakers to require federal agencies to obtain a warrant before searching information about Americans in foreign intelligence databases. Through a Freedom of Information Act lawsuit, EPIC obtained a report detailing the FBI's failure to follow procedures regarding the use of foreign intelligence data for a domestic criminal investigation. EPIC has also testified in Congress on reforms to the Foreign Intelligence Surveillance Act. (Feb. 9, 2018)

  • A group of 31 Senators wrote to Acting Director Leandra English and Director Mick Mulvaney of the Consumer Financial Protection Bureau about the agency's failure to pursue the probe of the 2017 Equifax breach. The Senators wrote that "the CFPB has a clear duty to supervise consumer reporting agencies, investigate how this breach has or will harm consumers, and bring enforcement actions as necessary." Earlier this week, EPIC urged the Senate Banking Committee to investigate the CFPB. EPIC also filed a FOIA request seeking records about Mulvaney's decision to halt the CFPB's Equifax investigation. (Feb. 8, 2018)

  • EPIC has filed an urgent Freedom of Information Act request for records about Acting Director Mulvaney's decision to shut down the CFPB investigation of Equifax. The 2017 data breach, likely undertaken by a foreign adversary, compromised the personal data of 143 million Americans. Last year CFPB warned that US servicemembers were at particular risk as a result of the Equifax breach. EPIC is seeking communication between Mulvaney and Equifax officials, as well as records of meetings and any related memos regarding the decision to close the investigation. In a letter to the Senate Banking Committee yesterday, EPIC recommended that the Committee undertake a thorough investigation of the CFPB's recent decision regarding the investigation. (Feb. 7, 2018)

  • According to recent reports, the Consumer Financial Protection Bureau has shut down the investigation of the 2017 Equifax data breach that exposed the personal data of 145.5 million Americans. CFPB Acting Director Mulvaney failed to seek subpoenas or obtain sworn testimony from Equifax executives. Mr. Mulvaney also ended plans to test Equifax’s security systems, and rejected offers from regulators to assist with the investigation. EPIC urged the Senate Banking Committee to investigate, stating: “If the reports are accurate, Director Mulvaney’s failure to pursue a thorough investigation of the Equifax matter verges on malfeasance.” Last fall, EPIC President Marc Rotenberg testified at a Senate hearing on the Equifax breach. EPIC described the data breach as one of the worst in U.S. history. EPIC’s Christine Bannan also proposed steps to strengthen data protection safeguards for American consumers.

    (Feb. 6, 2018)

  • EPIC submitted a statement to the Senate in advance of a hearing to examine the October 2016 Uber breach and the value of bug bounty programs. Last fall, Uber admitted that hackers stole the data of 57 million Uber customers and drivers and that the company paid the hackers $100,000 to delete the data. This has raised legal questions about Uber's failure to notify those affected by the breach and about "bug bounty" programs, where companies pay hackers that bring vulnerabilities to their attention. EPIC explained to the Senate that, "bug bounty programs do not excuse non-compliance with data breach notification laws." EPIC's 2015 complaint with the FTC regarding Uber's abuse of personal data led to an FTC settlement in August, 2017. EPIC has also proposed a privacy law for Uber and other similar transportation companies. (Feb. 5, 2018)

  • EPIC has filed a new Freedom of Information Act request with the IRS, seeking tax-related records for President Trump's businesses. The new EPIC request follows EPIC's pending lawsuit for the release of Trump's personal tax returns. The request seeks the release of tax records concerning settlements with the IRS, which the agency is required to disclose to the public upon request. EPIC previously called on the IRS to release the President's tax returns to correct misstatements of fact about his financial ties to Russia. President Trump tweeted "I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim contradicted by the President's lawyers. EPIC v. IRS, which is now before the D.C. Circuit Court of Appeals, is one of several FOIA cases EPIC is pursuing concerning Russian interference in the 2016 Presidential election. EPIC is also litigating EPIC v. ODNI (scope of Russian interference), EPIC v. FBI (response to Russian cyber attack), and EPIC v. DHS (election cybersecurity). (Feb. 5, 2018)

  • EPIC has filed an amicus brief with a federal appeals court urging the court to reject a proposed class action settlement over Facebook's practice of scanning private messages. EPIC challenged the settlement because it did not require Facebook to stop scanning private messages. In fact, the company can continue scanning messages by simply burying a notice on its website. Also, there was no compensation to Internet users for the prior violation of federal and state laws. EPIC is dedicated to class action fairness in privacy cases and has objected to many similar settlements that failed to provide actual benefits to Internet users. EPIC recently opposed a settlement with Google that allows the company to continue tracking web users. EPIC also opposed a settlement with Facebook in 2014 that allowed the company to continue an unlawful practice. (Feb. 2, 2018)

  • Senators Jerry Moran (R-KS) and Richard Blumenthal (D-CT) wrote Federal Trade Commission Acting Chair Maureen Ohlhausen to urge the FTC to investigate companies that use fraudulent automated accounts to influence social media. The techniques, known as "amplification bots," follow, retweet, and like social media content to boost a client's visibility. The Senators' letter follows a recent New York Times report on Devumi, a company engaged in such practices. Devumi's bots often steal identities, using the photos and personal information of real people, some of whom are minors. The Senators called these practices a "unique kind of social identity theft" that "have the effect of distorting the online marketplace and creating a false sense of celebrity, credibility, or importance in people, companies, or institutions that may not deserve it." The practice also violates state privacy laws concerning "the right of publicity," which EPIC has defended. (Feb. 1, 2018)

  • In response to a white paper on data protection from the Indian government, EPIC provided detailed comments, backing comprehensive legislation. The white paper analyzes data protection laws from around the world, comparing the approaches of different countries. The Indian government proposes a data protection framework based on seven principles: (1) technology agnosticism, (2) holistic application, (3) informed consent, (4) data minimization, (5) controller accountability, (6) structured enforcement, and (7) deterrent penalties. In comments on the proposal, EPIC backed India's efforts to adopt data protection legislation, and recommended also a private right of action and breach notification. Last year, the Supreme Court of India ruled that privacy is a fundamental right. EPIC's report Privacy and Human Rights provides an overview of privacy frameworks around the world. (Jan. 31, 2018)

  • Professor Jennifer Daskal, Dr. Whitfield Diffie and former Dean Harry Lewis have joined the EPIC Board of Directors. Daskal is an Associate Professor at the Washington College of Law and a leading expert in criminal law, national security law, and constitutional law. Diffie is an American cryptographer, one of the pioneers of public-key cryptography, and a recipient of the Turing Award, the most prestigious award in the field of computer science. Lewis is a professor of computer science at Harvard University, former dean of Harvard College, and the author of several books on technology and education. The members of the EPIC Board of Directors are chosen from the EPIC Advisory Board, distinguished experts in law, technology, and public policy. (Jan. 31, 2018)

  • EPIC, the Center for Commercial Free Childhood, and others have urged Mark Zuckerberg to shutter Facebook's "Messenger Kids" app. The groups cited rising concern about social media among adolescents and wrote it is irresponsible to encourage preschoolers to use Facebook products. Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) have questioned Facebook about the Messenger Kids app. EPIC recently backed a campaign that led Mattel to cancel a device that spies on young children. EPIC also led efforts to require Facebook to respect the privacy rights of WhatsApp users. (Jan. 30, 2018)

  • In advance of a hearing on "Protecting Privacy, Promoting Policy: Evidence-Based Policymaking and the Future of Education," EPIC wrote a statement to the House committee, expressing support for both evidence-based policy and student privacy. EPIC explained that privacy enhancing technologies are necessary to protect student data, because even where data has been de-identified it may still possible to extract personal data. In 2014 EPIC urged Congress to adopt the Student Privacy Bill of Rights to safeguard student privacy. EPIC also testified before the Commission on Evidence-Based Policymaking, and recommended innovative privacy techniques to protect personal data that also enable informed public policy decisions. (Jan. 30, 2018)

  • The Court of Justice of the European Union, following an advisory opinion, has determined that Max Schrem's class action in Austria cannot proceed against Facebook, but individual privacy claims can. The Court granted Schrems standing, recognizing that "the activities of publishing books, giving lectures, operating websites," and similar activities does not entail the loss of "a user's status as a 'consumer.'" However, the Court found that "the consumer forum cannot be invoked" in "claims assigned by other consumers." The class action of 25,000 consumers brought by Austrian privacy activist and EPIC Advisory Board member Max Schrems alleges that Facebook violated Europeans' privacy rights, including for transferring data to the U.S. intelligence community. Max Schrems recently launched NYOB to pursue class actions under the General Data Protection Regulation. In 2013, Max Schrems received the EPIC International Champion of Freedom Award. (Jan. 30, 2018)

  • Rep. Ros-Lehtinen (R-FL) and Rep. Schneider (D-IL) introduced the Defending Elections from Threats by Establishing Redlines Act of 2018 to deter foreign interference in U.S. elections. The bipartisan legislation stipulates that if the Director of National Intelligence determines that the Russian government knowingly interfered in a U.S. election, the President is required to impose sanctions on Russia's aerospace, banking, defense, energy, intelligence and mining industries. The bill is a direct response to Russian interference in the 2016 Presidential election. EPIC is currently pursuing several related FOIA cases, including EPIC v. FBI (cyberattack victim notification), EPIC v. ODNI (Russian hacking), EPIC v. IRS (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity). (Jan. 29, 2018)

  • 2017 marked the "worst year ever" for data breaches, according to a pair of reports by Thales and the Online Trust Alliance. Data breaches nearly doubled from 2016 to 2017, and 73% of all U.S. companies have now been breached. Noteworthy were the data security failures of Equifax and Uber. In testimony before the Senate Banking Committee following the Equifax breach last year, EPIC called on Congress to enact meaningful reforms, including default credit freezes and prompt data breach notification. Two years ago, EPIC launched the DataProtection2016 campaign to promote stronger privacy safeguards in the U.S. (Jan. 25, 2018)

  • EPIC presented the 2018 International Privacy Champion Award to Gus Hosein, director of Privacy International, and Professor Artemi Rallo, the former chair of the Spanish Data Protection Agency. The award to Hosein recognized his work, "defending privacy in the UK and around the world." The award to Rallo described him as a "constitutional scholar, data protection advocate, friend of civil society." Announcement. Photo. The 2018 EPIC Champion of Freedom Awards will be held at the National Press Club in Washington, DC on June 6, 2018. (Jan. 25, 2018)

  • The U.S. Court of Appeals for the D.C. Circuit will hear arguments this week in EPIC v. FAA, a lawsuit concerning the FAA's failure to establish privacy rules for commercial drones. EPIC's case is based on an Act of Congress requiring a "comprehensive plan" for drone deployment in the United States and a petition, backed by more than one hundred organizations and privacy experts, calling for privacy safeguards. As EPIC argued in a brief to the Court, "It is not possible to address the hazards associated with drone operations without addressing privacy in the final rule for small commercial drones." Arguments will be held Thursday morning at the American University Washington College of Law. EPIC Senior Counsel Alan Butler will argue the case. EPIC's case is EPIC v. FAA, No. 16-1297 (D.C. Cir.). (Jan. 24, 2018)

  • EPIC submitted a statement to the Senate Armed Services Committee in advance of a hearing on "Global Challenges and U.S. National Security Strategy." Last year, the White House released a National Security Strategy report that laid out the administration's goals. EPIC supports many of the goals stated in the report, including enhanced cybersecurity, support for democratic institutions, and protection of human rights. EPIC wrote to the committee to seek assurances that those goals will remain priorities for this administration. EPIC also said "perhaps it is a firewall and not a border wall that the United States needs to safeguard our national interests at this moment in time." (Jan. 24, 2018)

  • In advance of a hearing on self-driving cars, EPIC submitted a statement to the Senate on the privacy and security risks of autonomous vehicles. Researchers have been able to hack connected cars, and the vehicles have caused several accidents. EPIC told the Senate that industry self-regulation has not been effective and that "national minimum standards for safety and privacy are needed to ensure the safe deployment of connected vehicles." EPIC has worked extensively on the privacy and data security implications of connected cars, having testified on "The Internet of Cars" and submitted numerous comments to the National Highway and Transportation Safety Agency. In a recent amicus brief to the Supreme Court, EPIC underscored the privacy risks of modern vehicles, which collect vast troves of personal data. (Jan. 24, 2018)

  • In advance of a hearing on the nomination of Adam Klein to the Privacy and Civil Liberties Oversiight Board, EPIC urged the Senate to oppose the nomination. EPIC explained that "PCLOB plays a vital role safeguarding the privacy rights of Americans and ensuring oversight and accountability of the Intelligence community." EPIC also said that the nominee "does not appreciate the full extent of the privacy interests at stake in many of the most significant debates about the scope of government surveillance authority." EPIC has a particular interest in the work of the PCLOB. In 2003 EPIC testified before the 9-11 Commission and urged the creation of an independent privacy agency to oversee the surveillance powers established after 9/11. EPIC also set out priorities for the PCLOB and spoke at the first meeting of the Oversight Board in 2013. (Jan. 24, 2018)

  • In a decision that could jeopardize relations with Europe, Congress has renewed "Section 702" of the Foreign Intelligence Surveillance Act, which permits broad surveillance of individuals outside of the United States. The FISA Amendment Reauthorization Act also permits government surveillance of Americans and restarts the controversial "about" collection program. Congress rejected updates, including limits on data collection, that would preserve a privacy agreement between Europe and the United States. The European Court of Justice will also soon decide whether to allow data transfers from Ireland to the United States. EPIC served as the US NGO amicus curiae in that case. (Jan. 18, 2018)

  • In advance of a hearing on Internet of Things, EPIC urged Congress to consider the privacy and safety risks of internet-connected devices. EPIC told Congress that the Internet of Things "poses risks to physical security and personal property" because data "flows over networks that are not always secure, leaving consumers vulnerable to malicious hackers." EPIC said that Congress should protect consumers. EPIC is a leader in the field of the Internet of Things and consumer protection. EPIC has advocated for strong standards to safeguard American consumers and testified before Congress on the "Internet of Cars." (Jan. 18, 2018)

  • EPIC has filed an amicus brief in United States v. Microsoft, a case before the US Supreme Court concerning law enforcement access to personal data stored in Ireland. EPIC urged the Supreme Court to respect international privacy standards and not to extend U.S. domestic law to foreign jurisdictions. EPIC wrote, the "Supreme Court should not authorize searches in foreign jurisdictions that violate international human rights norms." EPIC cited important cases from the European Court of Human Rights and the European Court of Justice. EPIC has long supported international standards for privacy protection, and EPIC has urged U.S. ratification of the Council of Europe Privacy Convention. EPIC routinely participates as amicus curiae in privacy cases before the Supreme Court, most recently in Carpenter v. United States (privacy of cellphone data), Byrd v. United States (searches of rental cars), and Dahda v. United States (wiretapping). (Jan. 18, 2018)

  • In response to request for comments from the Maryland legislature, EPIC submitted a statement in support of a bill to prohibit law enforcement from obtaining data recorded by a smart meter without a warrant. Smart meters collect personal data about the use of utility services that can reveal when a person is at home and what they are doing. EPIC stated that "the routine collection of this data, without adequate privacy safeguards, would enable ongoing surveillance of Maryland residents without regard to any criminal suspicion." EPIC said that HR 56 is a "model privacy law that enables innovation while safeguarding personal privacy." EPIC has testified in Congress and submitted comments to NIST and the state of California on smart grid privacy. EPIC has also submitted amicus briefs on Fourth Amendment cases before the Supreme Court, including Carpenter v. United States and Byrd v. United States. (Jan. 16, 2018)

  • At a Senate hearing today, DHS Secretary Kristjen Nielsen stated that DHS would not undertake a new investigation of voter fraud. EPIC submitted a statement in advance of the hearing, asking Senators to seek assurances that DHS would not pursue the work of the recently disbanded Presidential Advisory Commission on Election Integrity, as former Vice Chair Kris Kobach had suggested. In response to a question from Senator Kamala Harris, Nielsen answered that Kobach does not have any role at DHS. Although Nielsen stated that DHS would not pursue any new work, she indicated that the agency would continue to work with states pursuing voter fraud investigations. EPIC recently filed a FOIA lawsuit against DHS seeking communications with the Commission regarding the transfer of personal voter data. The Commission, facing a lawsuit by EPIC, was terminated earlier this month. EPIC's lawsuit led the Commission last year to suspend the collection of voter data. (Jan. 16, 2018)

  • EPIC sent a statement to the Senate Judiciary Committee in advance of a DHS Oversight Hearing, to seek assurances that "the DHS will not continue the activities of the Presidential Advisory Commission on Election Integrity." After the Commission was disbanded in the wake of EPIC’s lawsuit, the former Vice Chair told reporters that he intended to continue the work of the Commission at the DHS. But EPIC told the Senate committee that the Commission has no authority to transfer the voter data and warned that the DHS would be subject to federal lawsuits if it assembled a database of voter information. EPIC also urged the Senate to confirm that the personal data provided by DACA applicants will not be misused by DHS, and that DHS biometric programs will not be expanded until transparency obligations are fulfilled and privacy safeguards are established. The EPIC letter follows a statement last week from civil rights and government oversight organizations to the DHS Secretary, seeking assurance that there will be no transfer or collection of state voter data. (Jan. 15, 2018)

  • EPIC has asked the D.C. Circuit Court of Appeals to void last month's ruling in which the Court refused to order the Presidential Election Commission to conduct a Privacy Impact Assessment. The Commission, which unlawfully sought to collect state voter data on hundreds of millions of Americans, was disbanded last week by President Trump. The Commission's sudden demise unfairly prevents EPIC from appealing the Court's legal reasoning because there is no "live" dispute left for a higher court to consider. EPIC's lawsuit led the Commission to suspend the collection of voter data last year, discontinue the use of an unsafe computer server, and delete voter information that was unlawfully obtained. EPIC's case against the Commission is EPIC v. Commission, No. 17-1320 (D.D.C.) & 17-5171 (D.C. Cir.). EPIC filed a separate lawsuit on Monday for communications between the Department of Homeland Security and the Commission regarding the transfer of personal voter data. (Jan. 11, 2018)

  • Senators Elizabeth Warren (D-MA) and Mark Warner (D-VA) have introduced legislation to hold credit reporting agencies accountable for data breaches. The Data Breach Prevention and Compensation Act establishes an office of cybersecurity within the FTC to give it direct supervisory authority over the credit reporting industry and imposes mandatory penalties for breaches involving consumer data at credit reporting agencies. The bill is a direct response to the Equifax data breach last year that exposed the sensitive personal information of over 145 million Americans. "Senator Warner and Senator Warren have proposed a concrete response to a serious problem facing American consumers," said EPIC President, Marc Rotenberg. EPIC testified before Congress last year following the Equifax breach, urging legislation to give consumers more control over their credit reports. Senators Warren and Brian Schatz (D-HI) also introduced a bill last year that would allow consumers to freeze and unfreeze their credit reports for free. (Jan. 10, 2018)

  • As the result of a Freedom of Information Act lawsuit EPIC v. NSD, EPIC has obtained a report from the Department of Justice National Security Division detailing the FBI's use of foreign intelligence data for a domestic criminal investigation. Section 702 of the Foreign Intelligence Surveillance Act authorizes the surveillance of foreigners located abroad. However, the FBI can also use this data to investigate Americans. The report obtained by EPIC also shows that the FBI analyst failed to follow internal guidance to notify superiors of the search, raising questions about whether the FBI is accurately reporting these searches. The USA Rights Act, now pending in Congress, would require a federal agency to obtain a warrant to search foreign surveillance data for information on Americans. (Jan. 9, 2018)

  • The Federal Trade Commission released a brief report summarizing a June 2017 workshop, co-hosted with the National Highway Traffic Safety Administration, on connected vehicles. While the report acknowledges consumer privacy interests, the report offers no concrete proposals for how the FTC will address the privacy and safety risks of connected cars. EPIC submitted comments to the FTC and NHTSA and gave a presentation at the FTC workshop, calling for national safety standards for connected cars. In a recent amicus brief to the Supreme Court, EPIC also underscored the privacy risks of rental cars, which collect vast troves of personal data. The Senate is currently considering a bill on connected cars and the NHTSA recently released revised guidance for connected cars, but both lack mandatory safety standards and encourage industry self-regulation. (Jan. 9, 2018)

  • In response to a request for comments, EPIC has urged the FBI to expand its use of name-based — rather than fingerprint-based — background checks for noncriminal purposes, such as employment. The FBI currently uses fingerprints, stored in the Next Generation Identification (NGI) database, to conduct non-criminal background checks. "Names checks" were only conducted for individuals whose fingerprints failed the NGI matching requirements. EPIC told the FBI that the "name-based background check accomplishes the same purpose as the fingerprint-based background check without requiring the collection of sensitive biometric information." EPIC has opposed the expansion of the NGI system for non-law enforcement purposes. EPIC has also pursued a series of Freedom of Information Act requests to assess the reliability of the NGI system. (Jan. 9, 2018)

  • EPIC has filed a lawsuit against the Department of Homeland Security for communications between the agency and the Presidential Commission on Elections regarding the transfer of personal voter data. EPIC filed a Freedom of Information Act request with the DHS after the Commission tried to collect records from federal agencies to match against state voter records, but the agency failed to respond to EPIC's request. Last year, EPIC filed a lawsuit against the Commission that led to the suspension of the collection of voter data. EPIC v. Commission is still pending in federal court. EPIC filed the recent suit after President Trump said he asked DHS "to determine the next course of action" after he dissolved the Commission. (Jan. 9, 2018)

  • The Supreme Court will hear arguments in Byrd v. United States, concerning the warrantless search of a rental vehicle. EPIC filed an amicus brief in the case urging the Supreme Court to recognize that a modern car collects vast troves of personal data. EPIC explained cars today "make little distinction between driver and occupant, those on a rental agreement and those who are not." EPIC pointed to the routine collection of cell phone contents with a Bluetooth connection, data which is stored in the car even after "deletion." EPIC also emphasized that the status of the driver has no bearing on Fourth Amendment privacy interests. EPIC's Natasha Babazadeh prepared an explainer video of the case. (Jan. 8, 2018)

  • Through a Freedom of Information Act request, EPIC has obtained former Secretary of Homeland Security John Kelly's notes for an interview with NPR about border security. The notes include talking points about southwest border security and the construction of the southwest border wall. During the interview, Mr. Kelly also described DHS's plans to increase vetting of immigrants and coordination with the White House, despite the fact these issues were not included in the talking points. EPIC previously warned the House Oversight Committee that enhanced surveillance at the border will impact the rights of U.S. citizens. As a result of an earlier FOIA lawsuit, EPIC found that the Customs and Borders Protection is already deploying drones with facial recognition technology near the border. (Jan. 8, 2018)

  • EPIC and ten civil rights and government oversight organizations have sent a letter to DHS Secretary Nielsen, urging her not to accept any personal data from the now defunct Presidential Advisory Commission on Election Integrity. The groups explained that the Commission lacks legal authority to transfer personal data to the Commission. The groups also warned that the DHS would be subject to numerous federal laws if it were to acquire state voter data. EPIC and the organizations brought several lawsuits against the Commission. EPIC's lawsuit led the Commission to suspend the collection of voter data in July 2017. President trump disbanded the Commission on January 3, 2018. However, former Vice Chair Kris Kobach told reporters that he intends to resume the work of the Commission at the Department of Homeland Security. (Jan. 8, 2018)

  • The Center for Class Action Fairness has asked the U.S. Supreme Court to decide whether a settlement that awards funds to certain organizations and fails to compensate injured class members is fair. The settlement involved Google's tracking of Internet users in violation of users' privacy settings but resulted in no change in business practices or payment to class members. Some of the organizations that received class settlement funds are separately funded by Google. EPIC recently filed an amicus brief opposing a similar settlement in a related class action against Google. EPIC has also opposed settlements against Facebook and Google that failed to compensate class members or change business practices. EPIC President Marc Rotenberg has proposed an objective basis to evaluate settlement proposals. The Supreme Court has yet to address cy pres fairness, but Chief Justice John Roberts, in Marek v. Lane concerning Facebook's Beacon program, echoed the concerns of EPIC when he wrote that the "vast majority of Beacon's victims" got nothing. (Jan. 8, 2018)

  • The Federal Trade Commission announced a settlement with VTech Electronics over charges that the company collected personal information from children without parental consent and failed to provide data security. In 2015, Senators Edward Markey (D-MA) and Joe Barton (R-TX) inquired about VTech's privacy practices after the toy company was hacked, exposing the personal information of millions of children. EPIC and a coalition of consumer organizations recently renewed their call to the FTC to take action on toys that spy, one year after the groups filed a complaint with the FTC regarding dangerous internet-connected toys. The Children's Online Privacy Act (COPPA) sets forth strict requirements for the collection of information from children. In a recent interview with NBC Nightly News, EPIC's Sam Lester highlighted the dangers these toys pose from hackers. EPIC has supported numerous efforts to oppose toys that spy, including a successful effort in 2017 to recall Mattel's Aristotle. (Jan. 8, 2018)

  • The Presidential Election Commission, which unlawfully sought to collect state voter data on hundreds of millions of Americans, was disbanded Wednesday by President Trump. The Commission had faced an ongoing lawsuit by EPIC over its failure to conduct and publish a Privacy Impact Assessment before collecting personal data, as required by law. EPIC’s lawsuit led the Commission to suspend the collection of voter data last year, discontinue the use of an unsafe computer server, and delete voter information that was unlawfully obtained. Many states and over 150 members of Congress opposed the Commission’s efforts to collect state voter data. In a statement, the President said that he had asked the Department of Homeland Security “to determine next courses of action.” EPIC has a pending Freedom of Information Act request to the DHS for records concerning the federal government’s collection of personal data on voters. EPIC’s case against the Commission, which remains open, is EPIC v. Commission, No. 17-1320 (D.D.C.) & 17-5171 (D.C. Cir.). (Jan. 3, 2018)

  • The Federal Trade Commission has given final approval to a settlement with Lenovo over its practice of pre-installing adware onto consumers' laptops. The complaint alleged that the adware transmitted consumers' personal information to third parties and made consumer' laptops vulnerable to cyberattacks. The settlement prohibits Lenovo from misrepresenting any pre-installed software, but imposes no fines and allows Lenovo to continue pre-installing adware onto consumers' laptops. EPIC has routinely urged the FTC to strengthen its privacy settlements, and recently emphasized the need for the FTC to step up its data protection in comments on the FTC's five-year strategic plan. (Jan. 3, 2018)

Share this page:

Support EPIC

EPIC relies on support from individual donors to pursue our work.

Defend Privacy. Support EPIC.