Previous Top News: 2018


  • Congress has passed the Foundations for Evidence-Based Policymaking Act of 2018. The legislation, championed by House Speaker Paul Ryan (R-WI) and Senator Patty Murray (D-WA), includes new requirements for federal agencies to establish senior leaders for program evaluation and data coordination to help agencies produce and use evidence, strengthens privacy protections for confidential data, and directs government to make secure access to data more available to generate evidence. In a statement to Congress last year, EPIC expressed support for the findings of the Commission on Evidence-Based Policymaking — Congress established the Commission to study how data across the federal government could be combined to improve public policy while protecting privacy. EPIC filed comments with the Commission urging adoption of Privacy Enhancing Techniques, such as anonymization, that minimize or eliminate the collection of personal data. The National Academies of Sciences released a report last year that examined how disparate federal data sources can be used for policy research while protecting privacy. (Dec. 26, 2018)

  • The D.C. Attorney General filed a complaint against Facebook under the D.C. Consumer Protection Procedures Act, making D.C. the first U.S. jurisdiction to take action against the company for the mishandling of user data that led to Cambridge Analytica. The AG's complaint alleges that Facebook failed to monitor third-party use of personal data and failed to ensure users’ data was deleted. The D.C. lawsuit seeks financial penalties, and an injunction to ensure Facebook puts in place protocols and safeguards to protect users’ data and makes it easier for users to control their privacy settings. AG Karl Racine said: “Facebook put users at risk of manipulation by allowing companies like Cambridge Analytica and other third-party applications to collect personal data without users’ permission. Today’s lawsuit is about making Facebook live up to its promise to protect its users’ privacy.” EPIC filed a D.C. Consumer Protection Procedures Act lawsuit challenging the unlawful collection, use, and disclosure of personal location data by AccuWeather through its mobile iOS app. (Dec. 20, 2018)

  • A New York Times investigation revealed that Facebook had deals with companies giving them access to personal data without meaningful user consent. These companies include Amazon, Sony, Microsoft, Yahoo, Spotify, and Netflix, as well as two companies considered security threats to the U.S.: Chinese smartphone manufacturer Huawei and Russian search engine Yandex. The deals Facebook made gave companies broad access to user data, including the ability to read users’ private messages and access friend lists. EPIC and several consumer privacy organizations helped establish the 2011 consent order against Facebook, following a public campaign, and extensive complaints in 2009 and 2010. In March 2018, the FTC said it would reopen the Facebook investigation, but there is still no report, no findings and no fine. In response to EPIC's Freedom of Information Act lawsuit, the FTC has released agency emails about the 2011 Facebook Consent Order. Several related EPIC complaints regarding Facebook are also pending at the FTC, including facial recognition. (Dec. 20, 2018)

  • EPIC has asked Congress to obtain the public release of President Trump's tax returns. As EPIC explained, "By custom and tradition, candidates for the Presidency have routinely made available to the public their personal tax returns to ensure that there are no conflicts of interest that might jeopardize the public trust." EPIC's request to Congress follows the decision in EPIC v. IRS, a Freedom of Information Act case for the release of the tax returns. EPIC filed the case after President Trump falsely tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING." EPIC continues to seek the President's business tax records in EPIC v. IRS II. (Dec. 19, 2018)

  • The European Commission has renewed the EU-U.S. Privacy Shield, a framework permitting the flow of European consumers' personal data to the U.S. Oddly, the Commission cited the FTC investigation into the Cambridge Analytica scandal (which has produced no outcome) and the appointment of three members to the PCLOB as support for renewal. The report also overlooked the failure of the FTC to enforce the 2011 Consent Order against Facebook, which ultimately compromised the personal data of several hundred million Europeans. And the Commission had little concern about the passage of the CLOUD Act, renewal of Section 702 of FISA (permitting bulk surveillance of Europeans), and other shortcomings cited by EPIC comments and the European Parliament. The Commission did recommend an Ombudsperson for Privacy Shield (which was required in the original agreement), and encouraged the U.S. to ratify the International Privacy Convention. (Dec. 19, 2018)

  • EPIC has urged members of Congress responsible for a new National Commission on AI to nominate experts and public interest representatives who have endorsed the Universal Guidelines for Artificial Intelligence. EPIC told Congress "it is vitally important that the National Security Commission include members who can represent the interests of the American public on AI." Leading computer scientists and scientific societies, including the American Association for the Advancement of Science, have endorsed the Universal Guidelines. According to the 2019 National Defense Authorization Act, the National Security Commission on AI will be composed of 15 members, conduct an extensive review of AI, and prepare an initial public report in 2019. (Dec. 19, 2018)

  • In a pair of reports released this week, the Senate Intelligence Committee provided fresh details on the extent of Russian interference in the 2016 election. Committee Chairman Richard Burr explained: "This newly released data demonstrates how aggressively Russia sought to divide Americans by race, religion and ideology, and how the IRA actively worked to erode trust in our democratic institutions. Most troublingly, it shows that these activities have not stopped." Shortly after the 2016 presidential election, EPIC filed a series of Freedom of Information Act lawsuits to determine the extent of Russian interference: EPIC v. FBI, EPIC v. ODNI, EPIC v. IRS I, and EPIC v. DHS. As EPIC President Marc Rotenberg explained in an op-ed in March 2017: "The public has a right to know the details when a foreign government attempts to influence the outcome of a U.S. presidential election. And the public has a right to know what steps have been taken to prevent future attacks." (Dec. 18, 2018)

  • The D.C. Circuit ruled today that the IRS "misunderstands its FOIA disclosure obligations" in EPIC v. IRS, EPIC's Freedom of Information Act case to obtain public release of President Trump's tax returns. EPIC argued that the IRS has the authority, under a legal provision known as "(k)(3)," to disclose the President's returns to correct numerous misstatements of fact concerning his financial ties to Russia. For example, President Trump falsely tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING." Although the D.C. Circuit ruled that EPIC could not compel the IRS to use "(k)(3)," the Court rebuked the IRS for "disregard[ing] the plain statutory text" of FOIA and held that EPIC's request was wrongly "met with a closed door." The Court also emphasized that the law at issue in EPIC v. IRS II—EPIC's separate FOIA suit for President Trump's business tax records—"does allow the public to inspect certain return information." EPIC will continue to pursue the release of the President's tax records, which will reveal whether and how the President's private financial interests conflict with the national interests of the United States. (Dec. 18, 2018)

  • EPIC has filed an amicus brief in a case concerning Facebook's collection of facial images in violation of the Illinois Biometric Information Privacy Act. In Patel v. Facebook, EPIC argued that the violation of the privacy law was sufficient for Facebook users to sue the company. EPIC said that the legal doctrine of standing "simply requires plaintiffs to demonstrate that a defendant has invaded a concrete interest protected by the law—nothing more." Earlier in 2018, EPIC filed an amicus brief in Rosenbach v. Six Flags, another case about the Illinois biometric privacy law. EPIC routinely submits briefs in support of standing in privacy cases. EPIC has also long advocated for limits on the use of biometric data and has opposed Facebook's use of facial recognition software. (Dec. 18, 2018)

  • EPIC has filed a reply brief in EPIC v. Commission, urging the Supreme Court to review a decision that wrongly denied EPIC access to a required privacy impact assessment for state voter data. EPIC filed suit against the Presidential Election Commission last year to halt the collection of state voter data pending the completion of the assessment. As a result of EPIC's case, the Commission suspended data collection, discontinued the use of an unsafe computer server, and deleted the state voter data it wrongly acquired. The Commission was terminated in January of this year. EPIC told the Supreme Court that "there is, quite literally, no organization other than the 'Electronic Privacy Information Center' that suffers a greater concrete harm when a federal agency fails to comply with a publication requirement for privacy impact assessments." EPIC's case in the Supreme Court is EPIC v. Commission, No. 18-267. (Dec. 12, 2018)

  • In an urgent FOIA request, EPIC is seeking documents from CBP about the procedures for travelers to opt out of the biometric entry/exit program. EPIC found that CBP frequently changes the program without any formal procedures. One consequence is that it is now more difficult for travelers to opt out of the screening procedure. EPIC wrote that "CBP is modifying rules as it is implementing the program," contrary to federal law. Earlier this week, EPIC urged Congress to suspend the program until privacy safeguards and meaningful opt-out procedures are established. In comments to the DHS Data Privacy and Integrity Advisory Committee, EPIC explained the substantial privacy risks of CBP's use of facial recognition technology. (Dec. 12, 2018)

  • In a statement to the House Judiciary Committee, EPIC urged lawmakers to press the FTC and the Department of Justice at a hearing on "Oversight of the Antitrust Enforcement Agencies." EPIC emphasized the risks of mergers to American consumers, stating that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC earlier opposed DoubleClick's acquisition of Abacus, explaining that the deal would lead to increased profiling of American consumers. Consumer organizations in the US and the European Union recently urged antitrust authorities on both sides of the Atlantic to subject mergers to greater scrutiny. (Dec. 12, 2018)

  • EPIC has sent a statement to the Senate Judiciary Committee for an oversight hearing of Customs and Border Protection. EPIC cited frequent changes CBP has made to the opt-out procedures for the biometric entry/exit program. "Without legal authority or the opportunity for public comment, CBP is making up the rules as it rolls out the program," EPIC said. EPIC urged the Committee to suspend the screening program until privacy safeguards and meaningful opt-out procedures are established. Last week, EPIC warned Customs and Border Protection about facial recognition technology and urged the DHS Privacy committee to end the program. (Dec. 11, 2018)

  • In comments to the European Commission, EPIC highlighted the safety and security risks of IoT toys and wrote "There should be 'smart' regulations for 'smart' toys." The European Commission sought public comment on the EU Toy Directive, which establishes toy safety guidelines to protect children's health and safety but ignores connected toys. EPIC has repeatedly demonstrated the risks of IoT and smart toys before Congress, the Federal Trade Commission, and the Consumer Product Safety Commission in testimony, agency comments, petitions, and investigative complaints. (Dec. 11, 2018)

  • In a statement on AI policy to the House Armed Services Committee, EPIC urged the panel to ensure public input on AI policy. The statement from EPIC follows a petition to the White House, backed by EPIC and leading scientific organizations, to solicit public comments on US AI policy. EPIC also proposed the Universal Guidelines for Artificial Intelligence as the basis for AI legislation. The Universal Guidelines are intended to "maximize the benefits of AI, minimize the risk, and ensure the protection of human rights." More than 230 experts and 60 organizations, including the American Association for the Advancement of Science, have endorsed the Universal Guidelines. (Dec. 11, 2018)

  • The Irish High Court has ruled that Ireland's retention of telephone data violates European Law and the European Convention on Human Rights. The Communications Act, which requires all service providers to retain data for two years, is "general and indiscriminate." The Court also found insufficient safeguards for access to data, noting that the law did not require prior judicial and had few guarantees against abuse. The Court will now issue a final order to determine how the case will proceed. EPIC is participating in DPC v. Facebook, an Irish High Court case recently referred to the top European Court of Justice to determine whether Facebook's transfer of data from Ireland to the United States violates EU data protection law. EPIC has also petitioned the FCC to end a similar data retention mandate, arguing that it is inconsistent with international law. (Dec. 11, 2018)

  • As part of EPIC's Freedom of Information Act lawsuit against the Department of Homeland Security, the DHS Office of Intelligence and Analysis released to EPIC documents related to the Russian interference in the 2016 presidential election. One notable document is "Cyber Threats and Vulnerabilities to US Election Infrastructure." The report, issued before the presidential election, stated that the "DHS ha[d] no indication that adversaries or criminals are planning cyber operations against US election infrastructure that would change the outcome of the coming US election." The DHS report also stated that a successful widespread cyber operation against US voting machines would require "a multiyear effort with significant...resources available only to a nation state" but this level of effort "would make it nearly impossible to avoid detection." According to election experts, this assertion ignores the possibility that an adversary can change an election outcome without widespread attacks. Launching targeted attacks on swing districts could compromise an election, especially given that few states engage in post-election audits and that a recount is impossible in states with paperless voting machines. EPIC is pursuing several other related FOIA cases about Russian interference with the 2016 election: EPIC v. FBI (response to Russian cyberattacks), EPIC v. ODNI (Russian hacking), EPIC v. IRS I (release of Trump's tax returns), and EPIC v. IRS II (release of Trump's offers-in-compromise). (Dec. 10, 2018)

  • In detailed comments to the Department of Transportation, EPIC urged the agency to establish national privacy and safety standards for connected cars. The agency requested comment on its revised framework that establishes "voluntary guidance" for the development of autonomous vehicles. "A connected car is the ultimate Internet of Things device," EPIC explained, highlighting the risks of autonomous vehicles. EPIC has diligently advocated for stronger regulation of IoT. EPIC has called attention to the privacy and security risks of connected cars in comments to NHTSA, complaints to the CFPB, congressional testimony, FTC workshops, petitions to NHTSA and an amicus brief to the Ninth Circuit. (Dec. 10, 2018)

  • EPIC has sent a statement to the House Judiciary Committee in advance of a hearing on Google's business practices. EPIC said that "algorithmic transparency" should be required for Internet firms. EPIC explained that Google's acquisition of YouTube led to a skewing of search results after Google substituted its secret "relevance" ranking for the original objective ranking, based on hits and ratings. EPIC pointed out that Google's algorithm preferences YouTube's web pages over EPIC's in searches for videos concerning "privacy." Last year the European Commission found that Google rigged search results to preference its own online service. The Commission required Google to change its algorithm to rank its own shopping comparison the same way it ranks its competitors. The US Federal Trade Commission has failed to take similar action, even after receiving substantial complaints. EPIC also urged Congress to consider the Universal Guidelines for AI as a basis for federal legislation. (Dec. 10, 2018)

  • In a report released today, the House Committee on Oversight declared that the Equifax breach, which affected 148 million U.S. consumers, was "entirely preventable." The breach, one of the largest in U.S. history, compromised the authenticating details, including dates of birth and social security numbers, of more than half of American consumers. The House report concluded that Equifax "failed to fully appreciate and mitigate" the cybersecurity risks and placed corporate growth over data security. Despite several agencies, such as the CFPB and the FTC, pledging to take action against Equifax, none have done so. The House Committee recommended that Equifax "provide more transparency to consumers" about data use and security practices and reduce the use of social security numbers as identifiers, longstanding priorities of EPIC. Following the Equifax data breach in 2017, EPIC President Marc Rotenberg testified before the Senate Banking Committee and recommended free credit freezes and other consumer safeguards to mitigate the risk of identity theft. (Dec. 10, 2018)

  • In a surprisingly brief opinion, the Ninth Circuit has upheld a decision to dismiss a privacy suit against Facebook concerning the collection of sensitive medical data. In Smith v. Facebook, users alleged that the company tracked their visits to healthcare websites, in violation of the websites' explicit privacy policies. In a little less than five pages, the Ninth Circuit decided that Facebook was not bound by the promises made not to disclose users' data to Facebook because Facebook has a provision, buried deep in its own policy, that allows Facebook to secretly collect such data. The court actually wrote that searches for medical information are not sensitive because the "data show only that Plaintiffs searched and viewed publicly available health information..." EPIC filed an amicus brief in the case, arguing that "consent is not an acid rinse that dissolves common sense." In 2011 Facebook settled charges with the FTC that it routinely changed the privacy settings of users to obtain sensitive personal data. The consent order resulted from detailed complaints brought by EPIC and several other consumer organizations. (Dec. 7, 2018)

  • In response to a public notice by the Data Privacy and Integrity Advisory Committee, EPIC submitted comments urging the CBP to halt implementation of the biometric border program. EPIC stressed the need for federal regulation to safeguard privacy and prevent the misuse of facial recognition technology. EPIC called for a public rulemaking for the federal entry/exit program. EPIC also criticized the Committee's draft recommendations for facial recognition. EPIC said that the transfer of personal data from the State Department to the CBP was unlawful and that the opt-out procedures were ignored in practice. Documents EPIC previously obtained in a FOIA lawsuit against CBP revealed that facial scanning did not perform operational matching at a "satisfactory" level. (Dec. 6, 2018)

  • On December 10th, EPIC celebrates Human Rights Day, which commemorates the United Nations adoption of the Universal Declaration on Human Rights, the most widely translated text in the world. This year marks the 70th Anniversary of the UDHR, which was adopted on December 10, 1948. EPIC has called for the fundamental right to privacy (Article 12 of the UDHR) to be reaffirmed in the digital age. Article 12 states "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks." NGOs and Privacy experts have also expressed support for the Madrid Declaration, a substantial document that promotes international instruments for privacy protection, identifies new challenges, and calls for concrete actions. The complete text of the UDHR can be found in the 2018 EPIC Privacy Law Sourcebook, available at the EPIC Bookstore. (Dec. 6, 2018)

  • This week a British parliamentary committee released internal Facebook emails and documents. The documents revealed that Facebook concealed its decision to collect records of calls and texts on Android devices, in violation of privacy policies. An employee said of this decision: "This is a pretty high risk thing to do from a PR perspective but it appears that the growth team will charge ahead and do it." The documents also show that Facebook examined user data to determine which companies posed a threat, deciding to either target or acquire those firms. Last month, UK regulators released a report on the misuse of personal data by Cambridge Analytica for the Brexit vote. In 2011, EPIC and other consumer privacy organizations obtained a far-reaching consent order against Facebook, but the FTC has failed to enforce the legal judgment. In March, the FTC said it would reopen the Facebook investigation, but there is still no report, no findings and no fine. In response to EPIC's Freedom of Information Act lawsuit, the FTC has released agency emails about the 2011 Facebook Consent Order. (Dec. 6, 2018)

  • In a statement this week, Senator Markey said he would not permit legislation on self-driving cars to proceed until the bill created meaningful "safety, cybersecurity, and privacy protections" for consumers. In January, EPIC wrote to the Senate that industry self-regulation has not been effective and that "national minimum standards for safety and privacy are needed to ensure the safe deployment of connected vehicles." EPIC has long supported baseline protections in self-driving vehicles. EPIC has appeared before Congress, written to federal agencies, and provided amicus briefs about the privacy and security risk of autonomous vehicles. In comments to the European Commission this week, EPIC identified several key concerns related to connected cars. (Dec. 6, 2018)

  • In comments to the European Commission, EPIC identified several key privacy and security concerns related to the development of connected cars. EPIC emphasized the need for comprehensive regulation to ensure the safety of connected vehicles and encouraged the Commission to require developers to build in safety measures, and not place new burdens on drivers. "Safety features should be under the hood, not on the dash board," EPIC wrote. EPIC has diligently advocated for stronger regulation of the Internet of Things, including connected vehicles. EPIC has highlighted the risks of connected cars in testimony before Congress, at the Federal Trade Commission, in comments to federal agencies, and in amicus briefs. (Dec. 5, 2018)

  • EPIC submitted comments in support of the FTC's proposed extension of the information collection requirements for the Children's Online Privacy Protection Act. EPIC explained the importance of the law that protects the personal data of children who use Internet services, but added that the law "would be more effective if the FTC established new limits on how firms can collect and use children's data." EPIC testified before Congress in support of the original children's privacy law and backed the 2013 regulations that updated the law. Earlier this year, the FTC unanimously voted to approve EPIC's recommendations to create new safeguards for children's data in the gaming industry. (Dec. 3, 2018)

  • New revelations in the Mueller probe implicate EPIC’s Freedom of Information Act cases for President Trump’s tax returns. In EPIC v. IRS, currently before the D.C. Circuit, EPIC argued that the IRS has the authority to disclose the returns to correct misstatements of fact concerning financial ties to Russia. Trump had tweeted that “Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING.” This claim is now disproven by the Special Counsel’s investigation, which recently determined that Mr. Trump pursued a major real estate deal with the Russian government in 2016. In a second case, EPIC v. IRS II, EPIC is seeking the release of tax records related to President Trump's businesses. EPIC has also filed a FOIA request for records concerning the Special Counsel investigation. (Nov. 30, 2018)

  • In a statement to a Senate committee focused on technology and privacy, EPIC urged Senators to implement the Universal Guidelines for Artificial Intelligence in US law. The Guidelines maximize the benefits of AI, minimize the risk, and ensure the protection of human rights. More than 200 experts and 50 organizations, including the American Association for the Advancement of Science, have endorsed the Universal Guidelines. EPIC also expressed concern about the secrecy surrounding the Senate workshops on AI. In a petition earlier this year, EPIC and leading scientific organizations, including AAAS, ACM and IEEE, and nearly 100 experts urged the White House to solicit public comments on AI policy. EPIC told the Senate committee that the Senate must also ensure a public process for developing AI policy. EPIC has pursued several criminal justice FOIA cases, and FTC consumer complaints to promote transparency and accountability for AI decisionmaking. In 2015, EPIC launched an international campaign for Algorithmic Transparency. (Nov. 30, 2018)

  • The Department of Homeland Security released the 2017 Annual Data Mining Report. According to the report, Customs and Border Protection expanded the use of Automated Targeting System's risk assessments to TSA's Secure Flight passenger data. TSA uses the Secure Flight data to compare airline passenger records against various watch lists and to score air travellers. The report describes the use of biometric data to match and screen individuals applying for immigration benefits against other databases. In EPIC v. CBP, EPIC is currently pursuing documents related to the biometric entry/exit program, which uses facial recognition at border crossings to identify and screen travelers. (Nov. 29, 2018)

  • EPIC has provided a comprehensive report explaining the latest developments in U.S. privacy law and policy for the 64th meeting of the International Working Group on Data Protection, held this year in Queenstown, New Zealand. The Working Group includes Data Protection Authorities and experts from around the world who review emerging privacy challenges. The EPIC 2018 report details the NTIA's proposed U.S. consumer privacy framework, the confirmation of three members of the Privacy and Civil Liberties Oversight Board, the passage of the California Consumer Privacy Act of 2018, the announcement of the Universal Guidelines on Artificial Intelligence, and more. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the Goethe-Institut, Germany's cultural institute. (Nov. 29, 2018)

  • EPIC wrote to a Senate committee about the nominee to head the Immigration and Customs Enforcement agency. EPIC urged the Committee to examine the agency's practices, including the use of secretive algorithms and databases, warrantless searches of mobile devices, social media profiling, and the use of DACA application data for investigative purposes. EPIC has filed multiple FOIA lawsuits against ICE regarding these surveillance programs. A previous FOIA lawsuit, EPIC v. CBP, uncovered Planter's role in Analytical Framework for Intelligence, a program that assigns "risk assessment" scores to travelers. (Nov. 28, 2018)

  • Speaking at the European Parliament, EPIC International Counsel Eleni Kyriakides called for safeguards for law enforcement access to personal data across national borders. During the LIBE Committee hearing on electronic evidence, Kyriakides stressed the need for prior judicial review, data minimization, transparency, public reporting, and individual remedies. Kyriakides said such "well-established protections should be required for cross-border orders." EPIC submitted an amicus brief in the related Supreme Court case United States v. Microsoft, pointing to fundamental rights obligations in international law and explaining that cross border access to data abroad should require international consensus. EPIC has joined an NGO coalition to establish human rights protections in the Convention on Cybercrime. Kyriakides published "Digital Free for All Part Deux: European Commission Proposal on E-Evidence" in Just Security. (Nov. 27, 2018)

  • In advance of a hearing for commissioners to the Election Assistance Commission, EPIC submitted a statement to the Senate Rules Committee stressing the importance of strong election security standards. EPIC noted growing threats to election security and voting integrity. EPIC said the Commission should finalize the Voluntary Voting Systems Guidelines, the technical guidelines for voting systems' security. EPIC also cited the recent report of the National Academies of Science "Securing the Vote: Protecting American Democracy (2018)," which concluded that "all U.S. elections should use paper ballots by the 2020 presidential election." The National Academies also advised against Internet voting. (Nov. 27, 2018)

  • EPIC has sent a statement to the Senate Commerce Committee in advance of a hearing on "Oversight of the Federal Trade Commission." EPIC told the Committee that the FTC should enforce the Facebook Consent Order and unwind the Facebook-WhatsApp deal. As EPIC previously told Congress, the Cambridge Analytica scandal could have been avoided if the FTC had enforced the Consent Order. That Order followed complaints by EPIC and consumer privacy organizations in 2009 and 2010. In 2014, EPIC urged the FTC to block Facebook's acquisition of WhatsApp. In 2016, EPIC filed a second complaint after Facebook broke commitments to the FTC and began collecting WhatsApp users' data. EPIC also highlighted the FTC's inaction in major privacy cases such as those against Uber, Facebook, and Google. (Nov. 26, 2018)

  • EPIC has submitted a Freedom of Information Act appeal challenging the Federal Trade Commission's withholdings of 42 pages of records about the Irish Data Protection Commissioner's inquiries regarding Facebook's compliance with the FTC Consent Order. In response to EPIC's FOIA request, the FTC released 413 pages of publicly available documents but withheld 42 pages in full under several exemptions, including an exemption protecting records compiled for law enforcement purposes. In 2011 the Irish Data Protection Commissioner initiated an audit of Facebook Ireland, a subsidiary of Facebook that is responsible for data protection for all Facebook users outside of the U.S. and Canada, to assess its compliance with both Irish Data Protection law and EU law. The 2011 audit found that the safeguards for third party applications did not ensure security for user data. The 2012 re-audit found a "satisfactory response" from Facebook regarding preventing third party applications from accessing unauthorized user information. Following the 2012 re-audit, the FTC and Irish Data Protection Commissioner signed a Memorandum of Understanding to mutually assist and exchange information to protect consumer privacy. Two years after the Irish Data Protection Commissioner determined a "satisfactory response," Cambridge Analytica improperly harvested the personal data of millions of users to use for political purposes. The FTC announced that it was reopening the Facebook investigation after the Cambridge Analytica scandal, but to date there has been no announcement, no report, and no fine. EPIC is holding the FTC accountable to its 2011 consent order enforcement obligations in EPIC v. FTC, seeking the full release of the Facebook Assessments and related records. (Nov. 21, 2018)

  • EPIC has filed a lawsuit to block the addition of a citizenship question to the 2020 Census. EPIC charged that the Census Bureau failed to complete multiple Privacy Impact Assessments, as required by law. The Bureau abruptly added the citizenship question earlier this year but did not assess the privacy impact on census respondents, who are legally obligated to answer all questions. As EPIC's lawsuit reveals, the Bureau recently indicated—for the first time—that personal data provided to the Census Bureau could be used "for criminal law enforcement activities." The Bureau's admission raises new questions about whether citizenship information will be transmitted to the Department of Justice. EPIC has filed numerous successful lawsuits seeking to enforce federal agencies' obligation to publish Privacy Impact Assessments. Earlier this year, the Presidential Advisory Commission on Election Integrity was shut down after EPIC filed a lawsuit to block the collection of state voter data and challenging the Commission's failure to complete a Privacy Impact Assessment. (Nov. 20, 2018)

  • Speaking to the OECD Global Strategy Group in Paris, EPIC President Marc Rotenberg urged OECD member countries to endorse the Universal Guidelines for AI. "Civil society recognizes that AI may help solve the world's greatest challenges - from climate change and resource scarcity to medical breakthroughs and sustainable development. But we also believe that the public must be given the opportunity to participate in the development of AI policy. And there should be guidelines at the outset that safeguard democratic values and human rights," said Mr. Rotenberg. More than 200 experts and 50 NGOs, from across 40 countries, have endorsed the Universal Guidelines for AI, the first human rights framework for artificial intelligence. The OECD Global Strategy Group brings together senior officials from member countries to discuss the challenges shaping today's world. (Nov. 19, 2018)

  • In comments to the Department of Defense, EPIC has proposed privacy safeguards for the agency's Personnel Vetting system of records. The records system would authorize limitless collection of sensitive information on current, former, and prospective public and private sector employees, their friends and relatives, Red Cross volunteers, and foreign nationals. EPIC opposes the records system's disclosure standards that authorize sharing of individuals' personal information with any requesting source as part of an investigation, including U.S. Citizenship and Immigration Services and foreign law enforcement entities. EPIC consistently warns against overbroad government databases and urges agencies to withdraw unnecessary Privacy Act exemptions. (Nov. 16, 2018)

  • A new survey from the Pew Research Center, "Public Attitudes Toward Computer Algorithms," found widespread concern about the fairness of automated decision making. According to the Pew report, "Americans express broad concerns over the fairness and effectiveness of computer programs making important decisions in people's lives." Americans oppose the use of algorithms for criminal risk assessments (56%), automated resume screening for job applicants (57%), and personal finance scores (68%). Many of the concerns in the Pew Report are addressed in the Universal Guidelines for AI, the first human rights framework for AI. More than 200 experts and 50 NGOs have endorsed the Universal Guidelines. Public opinion polls consistently find strong support among Americans for new privacy laws. (Nov. 16, 2018)

  • The FAA's Drone Advisory Committee, facing an open government lawsuit from EPIC, has scrapped the secretive committees that developed drone policy. EPIC filed a lawsuit challenging the closed-door meetings with agency officials and industry reps. EPIC also charged that the FAA ignored the privacy risks posed by the deployment of drones—even after identifying privacy as a top public concern. The FAA acknowledged that the committees provided policy advice, but the FAA failed to comply with open government laws. EPIC has a long history of promoting government transparency and advocating for privacy protections against drones. (Nov. 15, 2018)

  • EPIC has filed a "friend of the court" brief in a case concerning the constitutionality of the Telephone Consumer Protection Act, the law that prohibits unwanted "robocalls." In Gallion v. Charter Communications, EPIC argued that "the TCPA prohibitions are needed now more than ever," citing the intrusiveness of marketing calls directed toward cell phones. EPIC also said the TCPA "protects important consumer privacy interests." EPIC testified in support of the TCPA and has submitted extensive comments and amicus briefs on the consumer privacy law. (Nov. 13, 2018)

  • EPIC submitted comments to the National Telecommunications and Information Administration—the agency that advises the White House on Internet policy—on the proposed framework for consumer privacy. EPIC backed the "Desired Outcomes": (1) transparency, (2) control, (3) minimization, (4) security, (5) access and correction, (6) risk management, and (7) accountability. But EPIC urged the agency to support federal baseline legislation, the creation of a data protection agency, and the ratification of the International Privacy Convention. EPIC explained, "These are not policy preferences or partisan perspectives. These are the steps that modern societies must take to safeguard the personal data of their citizens." NTIA Secretary David Redl met with the Privacy Coalition last month. (Nov. 9, 2018)

  • New Hampshire voters overwhelmingly approved a ballot measure that guarantees a constitutional right to information privacy in the state. The measure, which received 80% of the vote, amends Article 2 in the New Hampshire Bill of Rights providing that "an individual's right to live free from governmental intrusion in private or personal information is natural, essential, and inherent." New Hampshire joins a growing number of states with constitutional privacy protections. EPIC Advisory Board member David Flaherty has written about the development of constitutional privacy protections. EPIC regularly files amicus briefs supporting state privacy rights. In a recent amicus brief concerning the OPM data breach, EPIC argued that the right to information privacy exists in the federal Constitution. (Nov. 8, 2018)

  • In comments to the Department of Health and Human Services, EPIC urged the agency to abandon a policy of transferring background check data from potential sponsors of unaccompanied children to the DHS. According to reports, children are kept in detention centers for extended periods due to a policy which places sponsors and household members at risk of deportation. The proposed rule also conflicts with a Privacy Impact Assessment, which fails to assess this risk. EPIC had previously warned Congress about the misuse of immigrant data by the DHS. (Nov. 8, 2018)

  • With the change of control in Congress and the ongoing interest in President Trump's tax returns, two EPIC Freedom of Information Act cases will receive renewed attention. In EPIC v. IRS, currently before the D.C. Circuit, EPIC argued that the IRS has the authority to disclose the returns to correct numerous misstatements of fact concerning his financial ties to Russia. President Trump tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim contradicted by his own attorneys, family members, and business partners. EPIC has repeatedly urged Congress to exercise oversight of the IRS and to support the disclosure of the President's returns in EPIC's case. In a second case, EPIC v. IRS II, EPIC is seeking the release of additional tax records related to President Trump and over 300 of his businesses. Two-thirds of voters favor the release of Trump's tax returns. (Nov. 7, 2018)

  • The UK Information Commissioner released a report on the misuse of personal data in the Brexit vote. The investigation "uncovered a disturbing disregard for voters' personal privacy" and found that the Leave.EU campaign and Cambridge Analytica both improperly harvested personal data. The Commissioner's office will fine the Leave.EU campaign and would fine Cambridge Analytica if the firm were not already in bankruptcy proceedings. The UK report proposes a code of practice for the use of personal data in political campaigns. Earlier this year, EPIC and a coalition of consumer groups urged the FTC to investigate the Facebook-Cambridge Analytica matter. In March, the FTC said it would investigate the matter, but there is still no report, no findings and no fine. In response to EPIC's Freedom of Information Act lawsuit, the FTC has released agency emails about the 2011 Facebook Consent Order. (Nov. 7, 2018)

  • In comments to the Department of Health and Human Services, EPIC urged the agency to abandon a policy of transferring background check information from potential sponsors of unaccompanied children to the DHS. According to reports, children are kept in detention centers for extended periods due to this policy which places sponsors and household members at risk of deportation. The proposed rule also conflicts with HHS's Privacy Impact Assessment, which fails to assess this risk. EPIC had previously warned Congress about the misuse of immigrant data by the DHS. (Nov. 6, 2018)

  • The U.S. Supreme Court has ordered additional briefing in Frank v. Gaos, a case about a controversial class action settlement. Plaintiffs alleged that Google disclosed search histories to third parties in violation of various privacy laws, but settled the case with no change in business practice and no benefit to class members. Now the Supreme Court has ordered supplemental briefs to determine whether any named plaintiff has standing to pursue the dispute. EPIC filed an amicus brief about the settlement, arguing that the "proposed settlement is bad for consumers and does nothing to change Google's business practices." EPIC and several consumer privacy organizations objected to the original settlement on three separate occasions. EPIC has filed many briefs on standing in consumer privacy cases. (Nov. 6, 2018)

  • EPIC has submitted an urgent Freedom of Information Act request to the Department of Justice for records about Special Counsel Robert Mueller's investigation into the Russian interference in the 2016 U.S. presidential election. In May 2017, the Acting Attorney General authorized an investigation into Russian interference, including "any links and/or coordination between the Russian government and individuals associated with the campaign of President Donald Trump." Special Counsel Mueller has since brought criminal charges against 33 individuals and three organizations. According to news reports and President Trump's attorneys, Special Counsel Mueller intends to transmit one or more reports detailing his findings. EPIC launched a project on Democracy and Cybersecurity in response to Russian interference in the 2016 presidential election. EPIC is currently pursuing several related FOIA cases concerning Russian interference with the 2016 election: EPIC v. FBI (response to Russian cyberattacks), EPIC v. ODNI (Russian hacking), EPIC v. IRS I (release of Trump's tax returns), EPIC v. IRS II (release of Trump’s offers-in-compromise), and EPIC v. DHS (election cybersecurity). (Nov. 5, 2018)

  • In comments to the Department of Transportation, EPIC has proposed privacy safeguards for the agency's "Insider Threat" database. The database would permit boundless collection of personal data on many people unaffiliated with the agency. The Department also plans to exempt the database from Privacy Act obligations that require data minimization and individual access to records. EPIC wrote, "It is as if the agency has placed itself beyond the reach of the American legal system on the issue of greatest concerns to the American public - the protection of personal privacy." EPIC also urged the agency to limit data collection, citing numerous government data breaches that have put individuals at risk. EPIC has consistently warned against overbroad and insecure government databases. (Nov. 2, 2018)

  • The D.C. Circuit Court of Appeals will hear arguments Friday in a case about the 2015 data breach at the U.S. Office of Personnel and Management, which affected 22 million federal employees, their friends, and their family members. EPIC filed an amicus brief in the case, joined by forty-four technical experts and legal scholars (members of the EPIC Advisory Board). In the brief, EPIC said that "when personal data is collected by a government agency, that agency has a constitutional obligation to protect the personal data it has obtained." In the 2011 case NASA v. Nelson, EPIC urged the Supreme Court to limit data collection by federal agencies, citing the growing risk of data breach in the federal government. Arguments are scheduled to begin at 9:30 AM ET and will be streamed live. (Nov. 1, 2018)

  • EDRi, a powerful association of European NGOs, launched a campaign to implement the EU General Data Protection Regulation. GDPR Today is an online hub reporting the latest developments in data protection. "The initiative will prioritise building knowledge around legal guidelines and decisions, data breaches, new codes of conduct, tools facilitating individuals’ exercise of rights, important business developments and governmental support for data protection authorities," EDRi explained. EPIC recently encouraged US firms to comply with the GDPR, and advised the UK Information Commissioner's Office on Data Protection Impact Assessments and GDPR implementation. The 2018 Privacy Law Sourcebook also includes the full text of the GDPR. (Oct. 31, 2018)

  • In comments to the Department of Homeland Security, EPIC opposed changes to the agency's Correspondence Tracking System. The agency's proposal would allow the DHS to collect personal information about individuals named in agency correspondence, even if they had no direct contact with the agency. EPIC urged DHS to withdraw the proposal, along with revisions that would conflict with federal law. EPIC said DHS should undertake an updated Privacy Impact Assessment. EPIC has routinely urged strict compliance with the Privacy Act and warned that overbroad government databases threaten individual privacy. (Oct. 31, 2018)

  • The U.S. Supreme Court will hear arguments this week in Frank v. Gaos, a class action settlement that provided no benefit to Internet users. Google disclosed user search histories to third parties without consent, a practice that could violate federal and state privacy laws. But under the terms of the settlement, Google "will not be required or requested to make any changes" to its business practices. Also, no funds were provided to the Internet users on whose behalf the case was brought. EPIC filed an amicus brief arguing that the settlement was not "fair, reasonable, and adequate." EPIC stated, "The proposed settlement is bad for consumers and does nothing to change Google's business practices." A federal appeals court narrowly approved the settlement, 2-1, with the dissenting judge warning that courts must be on the lookout "not only for explicit collusion, but also for more subtle signs that class counsel have allowed pursuit of their own self-interests." EPIC and several consumer privacy organizations objected to the original settlement on three separate occasions. EPIC routinely opposes class action settlements that fail to benefit consumers and Internet users. (Oct. 30, 2018)

  • EPIC has filed an amicus brief in a case challenging the addition of a citizenship question to the 2020 census. EPIC expressed support for the decennial tally of those in the US, but warned that, "history has shown that personal data, collected by the government through the census, can threaten individual rights." EPIC said that the Bureau failed to complete an updated Privacy Impact Assessment about the risk that personal data could be used for purposes unrelated to the census. In comments to the Census Bureau, EPIC opposed the citizenship question this year. EPIC also obtained Census Bureau documents in a FOIA case, including an email from Kris Kobach to Secretary Ross requesting the addition "on the direction of Steve Bannon." A 2004 EPIC FOIA lawsuit revealed that the Census Bureau had provided DHS with data on Arab Americans after 9-11, leading the Census Bureau to revise its "sensitive data" policy for transfers to law enforcement and intelligence agencies. Former Directors of the Census Bureau also filed an amicus brief in New York et al. v. Department of Commerce, opposing the citizenship question. (Oct. 30, 2018)

  • The Federal Trade Commission finalized a settlement with Uber after the company failed to implement reasonable security measures and allowed employees to access customers' personal information. Because of Uber's lax security practice, the company was breached twice, exposing vast amounts of sensitive information. The settlement follows on the heels of Uber's settlement with the attorneys general of all fifty states and the District of Columbia for failing to notify users of Uber's second breach in 2016. EPIC wrote to the FTC in May, urging the Commission to strengthen its existing settlement with Uber. The Commission responded directly to several of EPIC's suggestions, which included mandating cybersecurity and privacy requirements. Commissioner Chopra also agreed with EPIC that "the Commission should make required audits and assessments public." EPIC's 2015 complaint with the FTC regarding Uber's abuse of personal data led to a previous FTC settlement with Uber. EPIC has also proposed a privacy law for Uber and other similar transportation companies. (Oct. 29, 2018)

  • Following a petition from EPIC and leading scientific societies requesting the opportunity for public comment on national policies for Artificial Intelligence, EPIC submitted comments urging the National Science Foundation to adopt the Universal Guidelines for Artificial Intelligence, and to promote and enforce the UGAI across funding, research, and deployment of US AI systems. Over 200 experts and 50 organizations, including the American Association for the Advancement of Science, have endorsed the Universal Guidelines for Artificial Intelligence. The Guidelines outline rights to transparency and human determination, obligations for identification, fairness, accountability, validity, data quality, public safety, cybersecurity, termination, and prohibitions on secret profiling and unitary scoring. EPIC said that UGAI should shape the National AI Strategic Plan for the United States. (Oct. 29, 2018)

  • Speaking at the closing session of the 40th annual meeting of the Data Protection Commissioners, EPIC President Marc Rotenberg emphasized the importance of civil society participation in the annual privacy conference. "This cannot be a conversation between governments and industry. Democratic legitimacy requires public participation," said Mr. Rotenberg. He thanked European Data Protection Supervisor Giovanni Buttarelli and the Data Protection Commissioners for their support for the Public Voice and the work of civil society. Speaking to the conference theme, Mr. Rotenberg emphasized the importance of ethics to emerging challenges in the data protection field, such as AI. He described the development of the Universal Guidelines for AI, which acknowledged current legal rights but also incorporated ethical guidelines from computer science and human rights. "Ethics tells us not only what the law is, but also what the law should be," said Mr. Rotenberg. (Oct. 25, 2018)

  • The National Archives has found hundreds of e-mails about Justice Kavanaugh's role in controversial White House surveillance programs, including warrantless wiretapping and passenger profiling. Following EPIC's Freedom of Information Act lawsuit, the agency found hundreds of Kavanaugh email messages about the wiretapping program from 2003. Kavanaugh also exchanged 95 e-mail messages about the controversial renewal in 2004, which the Attorney General and FBI Director opposed. There are also 573 Kavanaugh email messages about "Lichtblau" and "Risen" prior to the New York Times expose on the warrantless wiretapping program. The National Archives also found more than 8,000 e-mails that Kavanaugh sent or received about passenger profiling programs. Prior to the nomination hearing, EPIC warned that Kavanaugh, both as a White House legal advisor and then as a federal appellate judge, showed little regard for the constitutional privacy rights of Americans. (Oct. 24, 2018)

  • Professor Anita Allen expressed support for the Universal Guidelines for AI at a press conference in Brussels. Allen called attention to the fairness, transparency, and accountability guidelines as foundational ethical principles. More than 220 experts and NGOs have endorsed the UGAI. Allen also called for a comprehensive privacy law in the US, noting that US law is "outdated." Allen spoke on a panel with Tristan Harris, Elizabeth Denham, Tim Berners Lee, and Pascale Fung, organized by the European Data Protection Supervisor. (Oct. 24, 2018)

  • Professor Anita Allen delivered a moving keynote address today at the Privacy Commissioners Conference. Allen spoke about ethics as the "basis of character and moral life." And she described the coexistence of law and ethics. "Ethics are respected as the ideal foundation of law and professional standards." Allen published an essay this week in New Europe "Why Ethics Now?" Allen is a member of the EPIC board of directors and a recipient of an EPIC Lifetime Achievement award. She is the author of several books, including Privacy Law and Society. (Oct. 24, 2018)

  • Apple CEO Tim Cook (@tim_cook) delivered an impassioned speech at the Commissioners Conference in Brussels. Cook said, "Platforms and algorithms that promised to improve our lives can actually magnify our worst human tendencies." Cook warned, "Rogue actors and even governments have taken advantage of user trust to deepen divisions, incite violence, and even undermine our shared sense of what is true and what is false. This crisis is real. It is not imagined, or exaggerated, or crazy." Cook endorsed the GDPR and called for comprehensive privacy legislation in the US. Tim Cook received the EPIC Champion of Freedom Award in 2015. (Oct. 24, 2018)

  • Giovanni Buttarelli, the European Data Protection Supervisor, delivered the opening speech of the Privacy Commissioners Conference, "Choose Humanity: Putting Dignity back into Digital." Buttarelli said "we need to establish a sustainable ethics for a digital society." The privacy commissioners have adopted new resolutions on Artificial Intelligence, E-Learning, Collaboration with Consumer Protection Authorities, and Building Effective Privacy Networks. (Oct. 24, 2018)

  • The Universal Guidelines for Artificial Intelligence, the first human rights framework for AI, will be announced in Brussels on October 23 at the Public Voice symposium "AI, Ethics, and Fundamental Rights." The Universal Guidelines set out 12 principles to "inform and improve the design and use of AI. The Guidelines are intended to maximize the benefits of AI, to minimize the risk, and to ensure the protection of human rights." More than 150 experts and 40 organizations, including the American Association for the Advancement of Science, have endorsed the Universal Guidelines. Representatives from more than 30 countries supported the statement. The release of the Universal Guidelines precedes the annual meeting of the Data Protection and Privacy Commissioners, the leading privacy event in the world. (Oct. 22, 2018)

  • A federal appeals court has ruled that Georgia cannot copyright any part of the state’s code of laws. Georgia had previously charged citizens as much as $400 to access official "annotations" to the code, which establish the meaning of the state's laws. But the appeals court ruled that "the People are the owners of these works, meaning that the works are intrinsically public domain material and, therefore, uncopyrightable." EPIC has long advocated for public access to court documents and other sources of law. In 2015, EPIC called on federal agencies to make statutes, regulations, adjudications, and relevant court documents freely available on agency websites. (Oct. 22, 2018)

  • In response to EPIC's Freedom of Information Act lawsuit, the FTC has released agency emails about the 2011 Facebook Consent Order. Following a detailed complaint by EPIC and other consumer privacy organizations, the FTC issued an order in 2011 that required biennial audits of Facebook's privacy practices. EPIC pursued public release of these reports and related emails to understand why the FTC failed to bring an enforcement action against the company. Today the FTC released to EPIC 89 emails between the FTC and Facebook from the years 2011, 2012, 2013, 2014, 2015, 2016, 2017, and 2018. In March 2018, following the Cambridge Analytica data breach, the FTC announced it was reopening the Facebook investigation. To date, there is still no announcement, no report, and no fine. (Oct. 19, 2018)

  • EPIC has filed an amicus brief with the U.S. Court of Appeals for the Sixth Circuit in United States v. Miller, arguing that the Government must prove the reliability of Google's email screening technique. The lower court held that law enforcement could search any images that Google's algorithm had flagged as apparent child pornography. EPIC explained that a search is unreasonable when the government cannot establish the reliability of the technique. EPIC also warned that the government could use this technique "to determine if files contain religious viewpoints, political opinions, or banned books." EPIC has promoted algorithmic transparency for many years. EPIC routinely submits amicus briefs on the application of the Fourth Amendment to investigative techniques. EPIC previously urged the government to prove the reliability of investigative techniques in Florida v. Harris. (Oct. 18, 2018)

  • EPIC has obtained records concerning "Media Monitoring Services," a controversial DHS project to track journalists, news outlets, and social media accounts. The records, released in EPIC's FOIA lawsuit against the federal agency, reveal that the DHS bypassed the agency's own privacy officials and ignored the privacy and First Amendment implications of monitoring the coverage by particular journalists of a federal agency. As a result of EPIC's lawsuit, the agency previously admitted that it did not conduct a Privacy Impact Assessment for the program, as required by law. EPIC has successfully obtained several Privacy Impact Assessments, including for a related media tracking system (EPIC v. DHS) and for facial recognition technology (EPIC v. FBI). In EPIC v. Presidential Election Commission, EPIC challenged the Commission's failure to publish a Privacy Impact Assessment prior to the collection of state voter data. (Oct. 17, 2018)

  • EPIC proudly announces the 2018 edition of the Privacy Law Sourcebook, the definitive reference guide to US and international privacy law. The Privacy Law Sourcebook is an edited collection of the primary legal instruments for privacy protection in the modern age, including United States law, International law, and recent developments. The Privacy Law Sourcebook 2018 has been updated and expanded to include the modernized Council of Europe Convention on Privacy, the Judicial Redress Act, the CLOUD Act, and new materials from the United Nations. The EPIC Privacy Law Sourcebook also includes the full text of the GDPR. EPIC will make the Privacy Law Sourcebook freely available to NGOs and human rights organizations. EPIC publications and the publications of EPIC Advisory Board members are available at the EPIC Bookstore. (Oct. 16, 2018)

  • In response to EPIC's Freedom of Information Act lawsuit, the FTC has released communications about Facebook's biennial audits. The audits are required by the FTC's 2011 Consent Order with Facebook, which followed a detailed complaint by EPIC and other consumer privacy organizations. The emails show that the FTC had concerns about the scope of Facebook's 2015 assessment, stating "PwC's report does not demonstrate whether and how Facebook addressed the impact of acquisitions on its Privacy Program." In another email, the FTC expressed similar concerns about the 2017 assessment and whether the audit evaluated the impact of the company's acquisitions on Facebook's privacy program. EPIC had previously opposed Facebook's acquisition of WhatsApp and submitted detailed comments for the FTC's review of the merger remedy process. In March 2018, following the Cambridge Analytica breach, the FTC announced it was reopening the Facebook investigation, but still there is no announcement, no report, and no fine. (Oct. 15, 2018)

  • EPIC and a coalition of civil society organizations told the Australian Parliament that pending legislation would weaken digital security and increase the risks to human rights. The proposal is one of several that promotes weak encryption for digital services. In 2016, Apple refused a demand by the FBI to redesign iPhones to enable law enforcement access. The FBI sued Apple, and EPIC filed an amicus brief in support of Apple, arguing that the FBI's demand "places at risk millions of cell phone users across the United States." The FBI eventually dropped the case. (Oct. 12, 2018)

  • EPIC has appealed a federal district court decision for the release of a "Predictive Analytics Report." The district court backed the Department of Justice when the agency claimed the "presidential communications privilege." But neither the D.C. Circuit Court of Appeals nor the Supreme Court has ever permitted a federal agency to invoke that privilege in a FOIA case. EPIC sued the agency in 2017 to obtain records about "risk assessment" tools in the criminal justice system. These controversial techniques are used to set bail, determine criminal sentences, and even contribute to determinations about guilt or innocence. EPIC has pursued numerous FOIA cases concerning algorithmic transparency, passenger risk assessment, "future crime" prediction, and proprietary forensic analysis. The D.C. Circuit will likely hear EPIC's appeal next year. (Oct. 12, 2018)

  • In response to EPIC's Freedom of Information Act request, the Transportation Security Administration has released records about Secure Flight, a program that compares airline passenger records with various watch lists. The documents provided to EPIC contain an interagency agreement between the TSA and Customs and Border Protection, as well as related documents about Secure Flight. During the processing of EPIC's request, the TSA destroyed over a hundred pages of responsive records "due to the records disposition schedule." EPIC has testified before Congress and published a "Spotlight on Surveillance" report about the Watchlist Program. For more information, see EPIC: Passenger Profiling, and EPIC: Air Travel Privacy. (Oct. 12, 2018)

  • The Senate last night confirmed Advisory Board Member Ed Felten to serve on the Privacy and Civil Liberties Oversight Board. Professor Felten is a former Chief Technology Officer for the FTC and former Deputy White House Science Advisor. Felten's confirmation, along with two others, establishes a quorum for the long dormant agency but still leaves key nominees pending. EPIC and others have urged the Senate to fill the vacant PCLOB seats. EPIC helped establish the PCLOB. In 2003 EPIC testified before the 9-11 Commission and urged the creation of an independent privacy agency to oversee the surveillance powers established after 9/11. EPIC also set out priorities for the PCLOB and spoke at the first meeting of the Oversight Board in 2013. In 2016, EPIC awarded former PCLOB Board Member Judge Patricia Wald with the Champion of Freedom Award. (Oct. 12, 2018)

  • In EPIC's Freedom of Information Act suit, the National Archives has now identified thousands of additional records concerning Justice Kavanaugh's role in controversial White House surveillance programs, including warrantless wiretapping and the Patriot Act. These programs were later suspended, curtailed, or modified by Congress. The agency completed its second search of e-mails on Wednesday, in response to EPIC's case, and found that Kavanaugh received 183 messages from John Yoo, the architect of the warrantless wiretapping program. The Archives also found 1,988 e-mails concerning Kavanaugh and "surveillance" programs and the "Patriot Act" and 754 e-mails concerning Kavanaugh and "CAPPS II" (passenger profiling), "Fusion Centers" (government surveillance centers), and the Privacy Act. The National Archives will eventually release these records to the public as a result of EPIC's lawsuit. Prior to the nomination hearing, EPIC had warned that Kavanaugh, both as a White House legal advisor and then as a federal appellate judge, showed little regard for the constitutional privacy rights of Americans. (Oct. 11, 2018)

  • The Council of Europe has opened for signature updates to Convention 108, the international Privacy Convention. Among other changes, the modernized Convention requires prompt data breach notification, establishes national supervisory authorities to ensure compliance, permits transfers abroad only when personal data is sufficiently protected, and provides new user rights, including algorithmic transparency. Twenty-one nations have signed the treaty. Many more are expected to sign. EPIC and consumer coalitions have urged the United States to ratify the international Privacy Convention. The complete text of the modernized Convention will be available in the 2018 edition of the Privacy Law Sourcebook, available at the EPIC Bookstore. (Oct. 11, 2018)

  • In advance of an international conference with privacy commissioners from around the world, the Public Voice, a civil society coalition, is seeking comments on Guidelines for Artificial Intelligence. The draft Guidelines set out several principles to "guide the design and use of AI," including a Right to Transparency and a Right to a Human Determination, an Identification Obligation and a Public Safety Obligation, and Prohibitions on Secret Profiles and National Scoring. According to the statement, "the Guidelines should be incorporated into ethical standards, adopted in national law and international agreements, and built into the design of systems." The Public Voice launched a similar campaign in 2009 in support of the Madrid Privacy Declaration. The draft AI Guidelines are open for comment until October 16, 2018. The Guidelines will be open for signature by individuals and organizations on October 17, and released in Brussels on October 23. (Oct. 11, 2018)

  • EPIC joined a group of twelve consumer and privacy organizations that submitted a statement to the Senate Commerce Committee in advance of a consumer privacy hearing. The groups outlined a draft framework for data protection in the U.S., advocating that Congress (1) enact baseline federal data protection legislation; (2) limit government access to personal data; (3) establish algorithmic transparency and end discriminatory profiling; (4) prohibit “take it or leave it” and other unfair terms; (5) ensure robust enforcement; (6) promote privacy innovation; and (7) establish a data protection agency. EPIC also submitted a statement to the Committee that highlighted recent breaches at Google and Facebook and the FTC's failure to enforce its own consent orders. (Oct. 9, 2018)

  • EPIC and the Public Voice, a coalition of civil society organizations, will host a symposium in Brussels on AI and ethics on October 23, 2018. Speakers for "AI, Ethics, and Fundamental Rights" include Professor Anita Allen, European Data Protection Board Chair Andrea Jelinek, UK Information Commissioner Elizabeth Denham, Irish Data Protection Commissioner Helen Dixon, NGO leaders, human rights advocates, and experts in Artificial Intelligence. EPIC has provided Public Voice Scholarships to support NGO participation in the International Conference of Data Protection and Privacy Commissioners, which follows the Public Voice symposium. Registration is now open for the Public Voice symposium. Email brussels18@thepublicvoice.org with full name and affiliation to register. EPIC will also provide copies of the 2018 Privacy Law Sourcebook to symposium participants. (Oct. 9, 2018)

  • In advance of a hearing on consumer privacy, EPIC told the Senate Commerce Committee that America is facing a data protection "crisis." EPIC highlighted recent breaches at Google and Facebook, coupled with the FTC's failure to enforce its own consent orders, and said the system is "badly broken." EPIC also noted that more than six months have passed since the FTC said it would investigate Cambridge Analytica, "but still there is no report, no outcome, and no fine." EPIC joined a coalition of 28 consumer privacy groups in a letter to the Senate Commerce Committee, endorsing "federal baseline legislation, heightened penalties for data breaches, the end of arbitration clauses, the establishment of a privacy agency in the U.S., techniques for data minimization, [and] algorithmic transparency to prevent the secret profiling of American consumers." In today's statement, EPIC told the Committee "The FTC's failure to enforce consumer privacy safeguards has led not only to diminished data protection in the United States, but also to less innovation and less competition among Internet services." (Oct. 9, 2018)

  • A Department of Homeland Security Inspector General report highlighted many challenges to facial recognition at airports. The problems of accurate biometric matches apply to all travelers, and particularly U.S. citizens. According to the Inspector General's report, "U.S. citizens accounted for the lowest biometric confirmation rate." A report obtained by EPIC last year through a Freedom of Information Act lawsuit revealed that iris imaging and facial recognition for border control did not perform at a "satisfactory" level. In a statement to Congress earlier this year, EPIC warned that biometric identification techniques are unreliable and lack proper privacy safeguards. (Oct. 4, 2018)

  • The International Working Group on Data Protection adopted new recommendations to protect privacy as vehicles become increasingly connected. The Berlin-based Working Group includes data protection authorities who assess emerging privacy challenges. As cars today connect both to the Internet and other vehicles "more and more personal data will be collected and processed by the vehicles and will become accessible to third parties," the Working Group paper explains. The Working Group recommended that vehicle sensors not store personal data of persons outside the vehicle, allow drivers to opt out of non-essential data collection, and minimize personal data collection. In comments to NHTSA, EPIC called for national safety standards for connected cars. EPIC also underscored the privacy risks of modern vehicles in a recent amicus brief to the Supreme Court. In 2017, EPIC hosted a meeting of the IWG in Washington, D.C. at the Goethe-Institut. (Oct. 4, 2018)

  • The Senate has passed legislation to reauthorize the FAA and expand drone integration, but the bill ignores pressing concerns about the privacy impact of drones. A previous version of the bill included privacy protections originally proposed by Sen. Markey and Rep. Welch in the Drone Aircraft Privacy and Transparency Act. The version passed by the House and Senate only requires a report on drone surveillance risks but does not establish any baseline privacy safeguards. The bill now goes to the President's desk. EPIC has repeatedly urged both Congress and the FAA to take decisive action to limit the use of drones for surveillance and to establish a national database detailing drone surveillance capabilities. EPIC sued the FAA to establish privacy rules for drones, after more than 100 experts and organizations petitioned the agency. (Oct. 3, 2018)

  • Following the release of new information to EPIC in a FOIA lawsuit against the National Archives, EPIC has asked Senator McConnell and Senator Schumer to postpone a vote on the nomination of Judge Brett Kavanaugh. The documents obtained in EPIC v. NARA reveal that Judge Kavanaugh played a significant role in controversial White House surveillance programs that implicate the constitutional privacy rights of Americans. The Archives has now confirmed that there are hundreds of emails concerning Kavanaugh's role in such programs as warrantless wiretapping, the Patriot Act, "CAPPS II" (passenger profiling), and "Fusion centers" (government surveillance centers). Kavanaugh exchanged almost a dozen emails with John Yoo, whose legal memos on surveillance were later rescinded by the Office of Legal Counsel. EPIC wrote, "the Senate curtailed several of these programs that Brett Kavanaugh helped develop." (Oct. 3, 2018)

  • In response to EPIC's Freedom of Information Act suit, the National Archives has now confirmed that there are hundreds of records concerning Brett Kavanaugh's role in controversial White House surveillance programs, including warrantless wiretapping and the Patriot Act. The programs were later suspended, curtailed, or modified by Congress. The communication to EPIC revealed that Kavanaugh sent 11 e-mails to John Yoo, the architect of warrantless wiretapping; 227 e-mails about "surveillance" programs and the "Patriot Act;" and 119 e-mails concerning "CAPPS II" (passenger profiling), "Fusion Centers" (government surveillance centers), and the Privacy Act. The National Archives has processed roughly 300,000 pages of Judge Kavanaugh's records between 2001 and 2003. These records will be released this month pending White House approval. EPIC has warned that Kavanaugh, both as a top-level White House aide and then as a federal appellate judge, has shown little regard for the Constitutional privacy rights of Americans. (Oct. 3, 2018)

  • Apple CEO Tim Cook, an EPIC Champion of Freedom, will deliver the keynote speech at the 40th International Conference of Data Protection and Privacy Commissioners in Brussels on October 24. European Data Protection Supervisor Giovanni Buttarelli said, "Tim has been a strong voice in the debate around privacy, as the leader of a company which has taken a clear privacy position, we look forward to hearing his perspective." The theme of the International Conference is "Debating Ethics: Dignity and Respect in Data Driven Life." EPIC and the Public Voice are organizing a related symposium, "The Public Voice: AI, Ethics, and Fundamental Rights." Speakers include the European Data Protection Board Chair Andrea Jelinek, UK Information Commissioner Elizabeth Denham, NGO leaders, human rights advocates, and experts in Artificial Intelligence. EPIC has provided Public Voice Scholarships to support NGO participation. (Oct. 3, 2018)

  • In advance of the nomination hearing for the Census director, EPIC has sent a statement to a Senate committee urging the Census Bureau to suspend the citizenship question in the 2020 Census until a Privacy Impact Assessment is conducted. The administration conceded that the question was added at the request of the Justice Department, but EPIC explained that census data should never be used for law enforcement because that would undermine the constitutional purpose and the integrity of the census. An earlier Privacy Impact Assessment preceded the addition of the citizenship question. EPIC said that assessment does not meet the agency standards and that the Census is required by law to conduct a revised assessment. Through a Freedom of Information Act request, EPIC obtained documents (part 1, part 2, part 3, part 4) concerning Commerce Secretary Wilbur Ross and the citizenship question. The census raises significant privacy risks and was used to target Japanese-Americans for internment during World War II. EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to DHS after 9-11. As a consequence of EPIC's lawsuit, the Census Bureau revised its policy on disclosing statistical information about "sensitive populations" to law enforcement and intelligence agencies. EPIC also opposed the addition of the citizenship question in recent comments to the U.S. Census Bureau. (Oct. 3, 2018)

  • California Governor Jerry Brown recently signed two modern privacy laws, including a first-in-the-nation law governing the security of the Internet of Things. SB327 sets baseline security standards for IoT devices. EPIC recently submitted comments to the Consumer Product Safety Commission recommending similar action. Governor Brown also signed a bill banning anonymous bots. The law makes it illegal to use a bot, or automated account, to mislead California residents or communicate without disclosing the identity of the actual operator. EPIC President Marc Rotenberg had earlier proposed that Asimov's Laws of Robotics be updated to require that robots reveal the basis of their decisions (Algorithmic Transparency) and that robots reveal their actual identity. (Oct. 2, 2018)

  • The Department of Homeland Security and FCC have rescheduled a controversial test that allows the President to suspend cell phone service and communicate directly with cell phone subscribers in the United States. The test message header is labelled "Presidential Alert" and will include the following text "THIS IS A TEST of the National Wireless Emergency Alert System. No action is needed." Cell phone users cannot opt out of the test. The President has sole authority to determine when the alert will be activated. The test will use the same special tone and vibration as with alerts for Tornado Warnings and AMBER Alerts. It is unclear why the alert is designated a "Presidential Alert" or when it may be issued. In 2006, the Department of Homeland Security established a secret procedure - "SOP 303" - to suspend cell phone services. EPIC sued the agency after government officials disabled wireless service during a peaceful protest at a San Francisco metro station in 2011. (Oct. 1, 2018)

  • An Inspector General report has found that a federal agency failed to establish privacy safeguards for sensitive drone communications. Customs and Border Control did not complete a privacy threshold analysis and sidestepped review by the agency privacy office. According to the IG report, the CBP also collected and stored surveillance data that "remained unprotected for more than 2 years." Through a Freedom of Information Act lawsuit, EPIC obtained a related CBP directive on Unmanned Aircraft System Operations and Privacy. In a recent statement to Congress, EPIC highlighted the unique threat drones pose to privacy and said that the Congress should "establish drone privacy safeguards that limit the risk of public surveillance" before granting new authority to federal agencies. (Oct. 1, 2018)

  • In comments to the State Department, EPIC opposed changes to the visa application process that would allow the State Department to collect private social media identifiers, email addresses, and phone numbers for vetting purposes. The agency's plans to collect immigrant and nonimmigrant visa applicants' social media history and personal communications records raise substantial privacy, free expression and security concerns. EPIC urged the agency to retract these proposals. EPIC previously filed comments opposing the government's inspection of immigrants' social media activities, and has continuously advocated for strong First Amendment protections. (Sep. 28, 2018)

  • Chairman Charles Grassley (R-IA) has scheduled a vote today on the nomination of Judge Brett Kavanaugh to the Supreme Court, though records of Kavanaugh's White House role in the Patriot Act, warrantless wiretapping, and other programs of mass surveillance remain secret. EPIC filed a Freedom of Information Act lawsuit against the National Archives for release of these records and then moved for a preliminary injunction so that the records could be made available prior to Senate consideration of the nominee. In an earlier statement to the Senate Judiciary Committee, EPIC warned that Kavanaugh, both as a top-level White House aide and then as a federal appellate judge, has shown little regard for the Constitutional privacy rights of Americans. In Klayman v. Obama, he backed the warrantless collection of the telephone records of all Americans under the "special needs" doctrine, a view endorsed by no other judge in the federal judiciary. In a second letter, EPIC urged postponement of the Senate vote, pending release of these documents. Yesterday, the American Bar Association called for postponement of the vote, pending an investigation of charges concerning sexual assault. (Sep. 28, 2018)

  • The attorneys general of all 50 states and the District of Columbia have settled their lawsuit with Uber for $148 million. The nationwide investigation found that Uber had violated data breach notification laws because the company paid a hacker $100,000 to keep quiet about the breach instead of notifying consumers that their information had been compromised. The settlement also requires Uber to adopt model data breach notification and data security practices, a corporate integrity program, and hire an independent third party to conduct data security assessments. After Uber made the breach public, EPIC wrote detailed comments to the FTC and the agency revised its settlement with the company. While EPIC supported the FTC's action, EPIC said that "the FTC should make Uber's privacy assessments public so that consumers can evaluate whether the company is meeting its obligations under the Consent Order." The FTC's initial investigation and subsequent settlement with Uber were prompted by EPIC's complaint against Uber in 2015. (Sep. 26, 2018)

  • In a ruling today, the Indian Supreme Court imposed new limits on Aadhar, India's national biometric identification system. The Court found the system did not violate the Indian constitution, but struck down a section of the law permitting private entities to demand Aadhar to verify identity. Aadhar can no longer be mandatory to register for education, open a bank account, or obtain a cell phone connection. However, the state-issued number may still be required for purposes related to government funds, including filing an income tax. The Court also struck down an exception authorizing disclosure of Aadhar data for national security purposes. The Court encouraged the state to establish "a robust statutory regime" for data protection "in near future." The dissent would have held Aadhar unconstitutional. The biometric system "violates essential norms pertaining to informational privacy, self-determination and data protection," the dissent states, and "dignity of individuals cannot be made to depend on algorithms or probabilities." Last year, India's Supreme Court ruled that privacy is a fundamental right under the Indian Constitution. EPIC has also backed comprehensive privacy legislation in comments to the Indian government, and urged creation of a private right of action and breach notification requirement. (Sep. 26, 2018)

  • In comments to the Office of Management and Budget, EPIC opposed changes to FOIA regulations that would create obstacles to those seeking access to public information. EPIC urged the agency to remove changes that would delay FOIA requests, increase request costs, and reduce agency accountability. The proposed rules also conflict with the federal law and cases that favor disclosure over withholding. EPIC routinely comments on agency proposals that affect the rights of FOIA requestors. Several agencies, including the Federal Trade Commission, the Privacy and Civil Liberties Oversight Board, and the Defense Logistics Agency have adopted EPIC's recommendations on proposed FOIA rule changes. (Sep. 26, 2018)

  • The National Science Foundation has announced that it is seeking public comment on US policy for artificial intelligence. The decision follows a petition by EPIC, leading scientific organizations including AAAS, ACM, FAS, and IEEE, and nearly 100 experts calling for public participation in the work of the White House Select Committee on Artificial Intelligence. In May, the White House held a secret meeting with government agencies and federal officials. Several key AI challenges, such as accountability, transparency, ethics, and fairness, were ignored. EPIC recently urged the Senate Commerce Committee to ensure public participation in U.S. AI policy. In a FOIA request, EPIC obtained communications between the Office of Science and Technology Policy and the National Science Foundation. Last month EPIC urged the Senate Commerce Committee to ensure public participation in US AI policy. And EPIC is hosting a Public Voice conference in Brussels on "AI, Ethics, and Fundamental Rights." Comments on US AI policy are due to NSF by October 26. (Sep. 26, 2018)

  • The National Telecommunications and Information Administration—the agency that advises the White House on telecommunications and information policy—released a proposed framework for consumer privacy. The NTIA framework outlines seven "desired outcomes" for the processing of personal data: (1) transparency, (2) control, (3) minimization, (4) security, (5) access and correction, (6) risk management, and (7) accountability. The NTIA framework is similar to many Fair Information Practices frameworks, such as the OECD Privacy Guidelines, but does not outline a strategy for implementation and enforcement. Today the United States experiences unprecedented levels of identity theft, financial fraud, and data breaches. The personal data of Americans, stored by US firms, is also the target of foreign adversaries. European governments, which recently adopted the GDPR to safeguard personal data, have expressed growing concern about the lack of legal protections in the United States. The European Parliament voted recently to suspend Privacy Shield, an arrangement that permits the transfer of personal data of Europeans to the United States. In earlier comments to the NTIA, EPIC urged the agency to "pursue comprehensive data protection legislation that would strengthen privacy protections for Americans and create an independent agency to enforce those rights." (Sep. 26, 2018)

  • Congress is considering legislation to reauthorize the FAA and expand drone integration, but the bill ignores pressing concerns about the privacy impact of drones. A previous version of the bill included privacy protections originally proposed by Sen. Markey and Rep. Welch in the Drone Aircraft Privacy and Transparency Act. The pending bill only requires a report on drone surveillance risks but does not establish any baseline privacy safeguards. EPIC has repeatedly urged both Congress and the FAA to take decisive action to limit the use of drones for surveillance and to establish a national database detailing drone surveillance capabilities. EPIC sued the FAA to establish privacy rules for drones, after more than 100 experts and organizations petitioned the agency. (Sep. 25, 2018)

  • In comments to the FCC, EPIC has renewed its call to the agency to block unlawful robocalls. The FCC proposed a rule that would allow phone companies to block calls from numbers they know are invalid, such as numbers that have not been assigned to a subscriber. EPIC recommended that the FCC (1) require phone providers to proactively block calls from numbers that are unassigned, unallocated, or invalid; (2) prohibit spoofing if there is an intent to defraud or cause harm; and (3) encourage the use of call authentication technology that safeguards caller anonymity. EPIC previously filed comments when the FCC proposed the rule, and has long advocated for robust telephone privacy protections. EPIC filed an amicus brief in 2015 that strengthened consumer protections. (Sep. 25, 2018)

  • In advance of a hearing on "Examining Safeguards for Consumer Data Privacy," EPIC has sent a brief statement to the Senate Commerce Committee, expressing "deep concern that not a single consumer group was invited to testify at this week's hearing." The Senate Commerce hearing follows an FTC hearing on consumer privacy that also excluded experts on consumer privacy. Last week, EPIC joined a coalition of 28 consumer privacy groups in a letter to Committee Chairman John Thune (R-S.D.) and ranking member Bill Nelson (D-Fla.) that asked the Senators to include consumer advocates in the hearing. The Committee is currently scheduled to hear from AT&T, Amazon, Google, Twitter, Apple and Charter Communications. EPIC President Marc Rotenberg and consumer advocate Ralph Nader recently wrote "the voices of these consumer advocates should be heard. It is not too late to start a meaningful dialogue on the future of privacy in America." (Sep. 24, 2018)

  • EPIC has filed a motion seeking a preliminary injunction against the National Archives to compel the release of Brett Kavanaugh’s White House records about warrantless surveillance and the Patriot Act. EPIC argues that these records are essential to understand Kavanaugh’s views on privacy, and must be released prior to the Senate votes on the Supreme Court nominee. EPIC explained that the agency has already missed deadlines established by the Freedom of Information Act. EPIC filed suit against NARA on September 17 after NARA failed to process EPIC’s two urgent Freedom of Information Act requests. EPIC earlier sent two letters to the Senate Judiciary Committee highlighting concerns about Kavanaugh’s role in the creation of the Patriot Act, his defense of warrantless wiretapping in the White House, and his troubling opinion as a judge in Klayman v. Obama, which justified the warrantless collection of phone records of all Americans. (Sep. 21, 2018)

  • EPIC joined a coalition of 28 consumer privacy groups in a letter to Senate Commerce Committee Chairman John Thune (R-S.D.) and ranking member Bill Nelson (D-Fla.) that asked the Senators to include consumer advocates in an upcoming hearing on consumer privacy. At this time, the Committee has invited AT&T, Amazon, Google, Twitter, Apple and Charter Communications. The consumer privacy groups wrote, "the absence of consumer representatives all but ensures a narrow discussion, focused on policy alternatives favored by business groups." Proposals endorsed by consumers include, "federal baseline legislation, heightened penalties for data breaches, the end of arbitration clauses, the establishment of a privacy agency in the U.S., techniques for data minimization, [and] algorithmic transparency to prevent the secret profiling of American consumers." The groups also noted that a recent Harris survey found that "78 percent of U.S. respondents say a company's ability to keep their data private is 'extremely important,' but only 20 percent 'completely trust' organizations they interact with to maintain the privacy of their data." (Sep. 20, 2018)

  • The Drug Enforcement Agency has released to EPIC a new FOIA production about the AT&T "Hemisphere" program. Hemisphere is a massive call records database made available to government agents by the nation's largest telecommunication company. AT&T discloses to the government billions of detailed customer phone records, including location data, without judicial review. The new release to EPIC reveals that both the FBI and CBP obtained access to these call detail records. EPIC filed suit against the DEA in 2013 after the agency failed to respond to EPIC's FOIA request for information about the Hemisphere program. EPIC previously argued that the names of other agencies with access to Hemisphere records should be released. In June, the Supreme Court held in Carpenter v US that government access to location data is a search subject to Fourth Amendment review. EPIC filed an amicus brief in the Carpenter case. (Sep. 18, 2018)

  • EPIC has filed a lawsuit to compel the National Archives and Records Administration to release Brett Kavanaugh's White House records about warrantless surveillance and the Patriot Act. EPIC's lawsuit follows the agency's failure to respond to EPIC's two urgent Freedom of Information Act requests. In the complaint, EPIC explains that timely release of these records is now essential to assess Kavanaugh's role in the White House surveillance programs. In Senate testimony, Kavanaugh claimed that he knew nothing about these programs, but documents indicate that he drafted President Bush's speech on the Patriot Act, communicated with John Yoo, the architect of the warrantless surveillance program, and defended suspicionless surveillance of the American public. Last week, EPIC sent a letter to the Senate Judiciary Committee urging postponement of the committee vote on Kavanaugh until the documents EPIC requested are released. EPIC highlighted concerns about Kavanaugh’s White House years in an earlier letter to the Committee. (Sep. 18, 2018)

  • Starting next week, consumers will be able to "freeze" their credit reports at no cost. A credit freeze restricts public access to a consumer's credit report, making it much more difficult for identity thieves to open fraudulent accounts. Previously, state laws allowed credit bureaus to charge consumers $2 to $10 to place or lift credit freezes. Amendments to the Fair Credit Reporting Act also extend the time period for a fraud alert in a consumer's file and create new safeguards for the protection of credit records of minors. Following the Equifax data breach in 2017, EPIC President Marc Rotenberg testified before the Senate Banking Committee and recommended free credit freezes and other consumer safeguards to mitigate the risk of identity theft. (Sep. 14, 2018)

  • The D.C. Circuit heard oral arguments today in EPIC v. IRS, EPIC's Freedom of Information Act case to obtain public release of President Trump's tax returns. EPIC argued that the IRS has the authority, under a provision known as "(k)(3)," to disclose the President's returns to correct numerous misstatements of fact concerning his financial ties to Russia. For example, President Trump falsely tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING." EPIC Counsel John Davisson told the court that "If ever there were a situation that justified the use of (k)(3), this is it." Judge Patricia Millett questioned the IRS's claim that it can only process EPIC's FOIA with the President's consent. "It would be ludicrous to require consent of the taxpayer under (k)(3)," Millett said. A broad majority of the American public favor the release of the President's tax returns. EPIC v. IRS is one of several FOIA cases EPIC has pursued concerning Russian interference in the 2016 Presidential election, including EPIC v. FBI (response to Russian cyberattack) and EPIC v. DHS (election cybersecurity). In a related case, EPIC v. IRS II, EPIC is seeking the release of tax settlement information concerning Donald Trump's businesses. These "offers in compromise" are "an agreement between a taxpayer and the Internal Revenue Service that settles a taxpayer's tax liabilities for less than the full amount owed." (Sep. 13, 2018)

  • The European Court of Human Rights has ruled that the UK's surveillance regime, revealed by Edward Snowden, violates human rights set out in the European Convention. In consolidated cases Big Brother Watch v. UK, Bureau of Investigative Journalism v. UK, and 10 Human Rights Organizations v. UK, the Court ruled that the UK surveillance system violated Article 8, the right to privacy, because there were "inadequate" safeguards for selecting the data subject to surveillance. The Court also said "all interception regimes...have the potential to be abused," and that bulk surveillance must include safeguards "to be sufficiently foreseeable to minimise the risk of abuses of power." The Court also ruled UK surveillance violated the right of free expression because the law did not sufficiently protect confidential journalistic material. EPIC filed a brief in the case explaining that the US, which transfers intelligence data to the UK, has "technological capacities" enabling "wide scale surveillance" and that US law does not restrict surveillance of non-U.S. persons abroad. The EPIC casebook Privacy Law and Society explores a wide range of privacy issues, including recent decisions of the European Court of Human Rights. (Sep. 13, 2018)

  • In a letter to the Senate Judiciary Committee, EPIC has urged the Committee to postpone the vote in the Executive Business Meeting on the nomination of Judge Brett Kavanaugh, pending the release of documents concerning the development, defense, and promotion of surveillance programs during the period 2001-2006. EPIC said “[t]he documents are necessary for a full consideration of the qualifications of the nominee to serve on the United States Supreme Court.” In an earlier letter to the Committee, EPIC asked the Senate to determine Judge Kavanaugh's role, while in the Bush White House, in the unlawful warrantless wiretapping program and the secret expansion of the Patriot Act. Traditionally, the records of Supreme Court nominees who served in the White House are routinely made available prior to committee hearings. Last month, EPIC submitted two urgent Freedom of Information Act requests for the records. EPIC regularly shares its views with the Senate concerning nominees to the Supreme Court, including Justice Gorsuch, Justice Kagan, Justice Sotomayor, Justice Alito, and Chief Justice Roberts. (Sep. 12, 2018)

  • The FTC is holding a hearing this week to examine the regulation of consumer data, the consumer welfare standard in antitrust law, and vertical mergers. This is the first in a series of hearings on "Competition and Consumer Protection in the 21st Century" that will examine how changes in the economy affect the FTC's enforcement priorities. EPIC and a coalition of consumer groups submitted extensive comments for the hearings. EPIC and the groups said that privacy protection is critical for competition and innovation. EPIC and the groups told the FTC that it should: 1) unwind the Facebook-WhatsApp deal; 2) require Facebook and Google to spin off their advertising units; 3) block future acquisitions by Facebook and Google that would extend monopoly control over consumer data; 4) impose privacy safeguards for all mergers that implicate data privacy; and 5) perform audits of algorithmic tools to promote accountability and to limit anticompetitive conduct. The FTC reopened the investigation of Facebook in March after EPIC and consumer groups filed a formal complaint, but has still taken no action. The UK Information Commissioner completed its initial investigation, published a report, and issued a substantial fine in July. (Sep. 12, 2018)

  • The Government Accountability Office released a report on "Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach." The GAO report details the Equifax data breach in 2017 that compromised the authenticating details (SSN, Date of Birth) of over one hundred million Americans. The report also summarizes the response of Equifax and federal agencies. To date no federal agency has taken action against Equifax, following one of the largest data breaches in US history. Rep. Luetkemeyer (R-MO) has introduced a bill that would codify basic data breach notification standards for the financial services industry but would preempt stronger state laws. The House Financial Services Committee is expected to mark up the bill this week. In testimony before the House Financial Services Committee in February, EPIC called on Congress to ensure that the CFPB takes action against Equifax and to pass comprehensive data protection regulation that would not preempt state laws. (Sep. 12, 2018)

  • In response to an EPIC Freedom of Information Act lawsuit, the Federal Trade Commission has released supplemental materials from the biennial Facebook audits (production 1, production 2, production 3, production 4). The audits were required by the FTC's 2011 Consent Order with Facebook. The documents include letters from the FTC to Facebook inquiring about Facebook's relationship with Instagram and telling the company that "whenever a corporate change such as an acquisition may affect the design and/or implementation of the Company's privacy program, the Company must notify the Commission." EPIC opposed Facebook's acquisition of WhatsApp and submitted comments for the FTC's review of the merger remedy process. The FTC reopened its investigation into Facebook in March after EPIC and consumer groups urged action. The UK Information Commissioner completed its initial investigation, published a report, and issued a fine in July. The FTC begins hearings this week on competition and consumer protection in the 21st century. (Sep. 12, 2018)

  • The D.C. Circuit will hear arguments on Thursday, September 13 in EPIC v. IRS, EPIC's Freedom of Information Act case to obtain public release of President Trump's tax returns. Live audio of the arguments will be streamed from this link at or around 9:30 a.m. EPIC has argued that the IRS has the authority to disclose the President's returns to correct numerous misstatements of fact concerning his financial ties to Russia. For example, President Trump tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim "plainly contradicted by his own attorneys, family members, and business partners." As EPIC told the Court, "there has never been a more compelling FOIA request presented to the IRS." A broad majority of the American public favor the release of the President's tax returns. EPIC v. IRS is one of several FOIA cases EPIC has pursued concerning Russian interference in the 2016 Presidential election, including EPIC v. FBI (response to Russian cyberattack) and EPIC v. DHS (election cybersecurity). (Sep. 11, 2018)

  • Today the Court of Justice for the European Union heard arguments in Google v. Commission nationale de l'informatique et des libertés concerning the "Right to Be Forgotten." Google v. CNIL follows a ruling in Google v. Spain that Europeans have a right, in some circumstances, to remove links to their personal data posted online by Google. Google has fought the judgement of the European high court and now is fighting the French agency, continuing to post links to personal data worldwide even after it is found to violate privacy rights in democratic countries. EPIC has supported the CNIL's approach, explaining that "the right to privacy is global." EPIC published "The Right to be Forgotten on the Internet: Google v. Spain," an account of the case by former Spanish Privacy Commissioner Artemi Rallo, an EPIC Champion of Freedom. (Sep. 11, 2018)

  • A federal appeals court has ruled that a California law requiring nonprofit organizations to provide the state with an annual list of donors and donations does not violate the First Amendment. The Ninth Circuit concluded that the law does not significantly burden the free speech of nonprofits "because the information is collected solely for nonpublic use, and the risk of inadvertent public disclosure is slight." EPIC filed an amicus brief in the case, arguing that the reporting requirement "infringes on several First Amendment interests, including the free exercise of religion, the freedom to express views without attribution, and the freedom to join in association with others without government monitoring." EPIC also explained that California had "failed to implement basic data protection standards" for donor information. EPIC has argued for donor privacy and similar constitutional privacy rights in Packingham v. North Carolina, Doe v. Reed, and Watchtower Bible v. Stratton. (Sep. 11, 2018)

  • ICE has reversed position and is no longer seeking the immediate release of over 18 million voting records from North Carolina. Citing administrative difficulties and the unprecedented scope of the subpoena, ICE agreed to limit its demand to preserve voter privacy and will allow state officials to respond after the midterm elections in January 2019. The demand still poses substantial privacy risks and departs from testimony by Homeland Security Secretary Kirstjen Nielsen, who told Congress that DHS would not make such requests. EPIC previously highlighted these problems and explained that the data demand violates DHS policy. EPIC has long fought to ensure voter privacy and recently forced the defunct Presidential Election Commission to delete millions of state voter records unlawfully obtained. (Sep. 7, 2018)

  • During day three of the Senate Judiciary Committee’s nominations hearings, Senator Patrick Leahy asked Judge Kavanaugh about privacy and government surveillance. (6:20) Senator Leahy stated “In your concurrence in Klayman v. Obama you went out of your way to say that not only is the dragnet collection of American’s telephone records by the NSA okay because it’s 'not a search,’ you also said that 'even if it is a search, it is justified in order to prevent terrorism.’” Senator Leahy pointed out that the Privacy and Civil Liberties Oversight Board found that the legal authorities in the Klayman case had not prevented a single terrorist act. Leahy asked, "Why did you go out of your way to write an opinion stating that the program met a critical national security need when it had already been found by our national security people it made no concrete difference in fighting terrorism?” Judge Kavanaugh said that the recent Supreme Court decision in Carpenter was a “game-changer” and that had it been law at the time, he could not have written the concurrence in Klayman. Senator Leahy also questioned Judge Kavanaugh on U.S. v. Jones, asking “do you believe that there becomes a point where the collection of data about a person becomes so pervasive that a warrant would be required even if the collection of one bit of the same data would not?” Judge Kavanaugh did not answer this question directly. Senator Flake commended Senator Leahy’s questions, noting that the future of privacy was a critical issue for the Committee to consider. (Sep. 6, 2018)

  • Immigration and Customs Enforcement has demanded that North Carolina provide over 18 million voter records from the past eight years. The subpoena is outside the Department of Homeland Security authority and goes against testimony by DHS Secretary Kirstjen Nielsen, who told Congress this year that DHS’s role is limited to voluntary requests for assistance from the states. Nielsen also wrote, in records obtained through an EPIC FOIA request, that associating the DHS with voter data collection “could disrupt critical efforts” to work with state officials on election cybersecurity. EPIC has long fought to ensure voter privacy and recently forced the defunct Presidential Election Commission to delete millions of state voter records unlawfully obtained. (Sep. 6, 2018)

  • Two recent surveys reveal that many Facebook users don’t understand how the site’s news feed works and that Americans are changing their relationship with Facebook. 54% of adult Facebook users have adjusted their privacy settings in the past year and 42% say they have not used the platform for at least several weeks. 53% of U.S. adults who use Facebook said that they do not understand why certain posts but not others are included in their news feed. Only 14% of Facebook users think they have “a lot” of control over the content that appears in their newsfeed, while 57% think they have “a little” control and 28% think they have no control. Public opinion polls consistently find strong support among Americans for privacy rights in law to protect their personal information from government and commercial entities. (Sep. 6, 2018)

  • The National Academies of Sciences has released a report "Securing the Vote: Protecting American Democracy," highlighting vulnerabilities in current voting technology. EPIC Advisory Board member Ronald Rivest served on the expert committee. The Academies report includes many recommendations "designed to harden our election infrastructure and safeguard its integrity and credibility," concerning voter registration, ballot design, voting technology, system certification, cybersecurity, online voting, and auditing. The Academies report recommends end-to-end verifiable systems to ensure that votes have been counted as intended. These systems use cryptographic methods developed by EPIC Advisory Board member David Chaum. In 2016, EPIC published "The Secret Ballot at Risk: Recommendations for Protecting Democracy," highlighting the importance of the secret ballot for American democracy. The Academies report noted that new strategies for election security "must still preserve the secret ballot." (Sep. 6, 2018)

  • The Department of Commerce has told the President of the European Parliament that the US is in compliance with the Privacy Shield, a pact that permits US companies to obtain the personal data of Europeans. The statement follows a resolution of Parliament to suspend the international arrangement if the U.S. did not comply in full by September 1. The Parliament cited the Cambridge Analytica data breach, the reauthorization of FISA Section 702 without reform, the failure to stand up the PCLOB, the passage of the CLOUD Act, and the absence of a Privacy Shield ombudsman. The Commerce Department disputed the Parliament's findings but failed to show progress on the issues identified. EPIC highlighted similar problems with data protection in the United States in recent comments to the European Commission. Almost six months have passed since the FTC reopened the investigation of Facebook's compliance with the 2011 consent order, which followed a complaint from EPIC and other consumer privacy organizations. (Sep. 5, 2018)

  • In advance of a hearing on "Foreign Influence Operations' Use of Social Media Platforms," EPIC has sent a statement to the Senate Select Committee on Intelligence. EPIC said that the American public must be given more information about the extent of Russian interference in the 2016 election. EPIC asked the Senate Committee to press the social media companies to be more transparent about the manipulation of news and information. EPIC sent similar requests this year to both the Senate and House Intelligence Committees. EPIC also pursued an important FOIA case, EPIC v. ODNI, to make public the Intelligence Committee Assessment on Russian interference. (Sep. 5, 2018)

  • In advance of a hearing on "Twitter: Transparency and Accountability," EPIC has sent a statement to the House Energy and Commerce Committee. EPIC said that "algorithmic transparency" could help establish fairness, transparency, and accountability for much of what users see online. In a 2011 statement to the FTC during the investigation of Google, EPIC said that Google's acquisition of YouTube led to a skewing of search results after Google substituted its secret "relevance" ranking for the original objective ranking, based on hits and ratings. EPIC pointed out that it was then competing with the search giant for the rankings of "privacy" videos and that Google's algorithm preferred Google's web pages over EPIC's. The FTC took no action on EPIC's complaint. But last year the European Commission found that Google in fact rigged search results to give preference to its own shopping service. The Commission required Google to change its algorithm to rank its own shopping comparison the same way it ranks its competitors. (Sep. 4, 2018)

  • In a letter and memo to the Senate Judiciary Committee, EPIC has urged Senators to question Supreme Court nominee Brett Kavanaugh on critical privacy, open government, and government surveillance issues. EPIC expressed concerns about Kavanaugh’s views on privacy and Constitutional rights, stating “In Klayman v. Obama, Judge Kavanaugh went out of his way to set out theories to defend the suspicionless surveillance of the American public that surprised even conservative legal scholars.” EPIC said that Kavanaugh's views are out of step with recent Supreme Court opinions that carry forward Fourth Amendment protections to the digital age for GPS tracking, cell phone searches, and cell site location data. EPIC also asked the Senate to determine Judge Kavanaugh’s role, while in the Bush White House, in the unlawful warrantless wiretapping program and the secret expansion of the Patriot Act. EPIC regularly shares its views with the Senate concerning nominees to the Supreme Court, including Justice Gorsuch, Justice Kagan, Justice Sotomayor, Justice Alito, and Chief Justice Roberts. The Senate hearings begin on Tuesday, September 4. (Sep. 3, 2018)

  • In comments to the Department of Homeland Security, EPIC urged the agency to withdraw proposed Privacy Act exemptions that would reduce privacy safeguards in the federal government. The Immigration Biometric and Background Check database will contain personal data on U.S. and non-U.S. citizens. DHS has proposed to exempt the database from several Privacy Act protections, including ensuring that records are accurate, timely, and complete. DHS also claims numerous “routine uses” that allow the agency to disseminate the data to law enforcement and intelligence agencies. EPIC has urged strict compliance with Privacy Act obligations and warned that inaccurate, insecure, and overbroad government databases threaten both privacy and national security. (Aug. 31, 2018)

  • Following the end of the Presidential Election Commission and the deletion of the voter data it unlawfully obtained, EPIC has asked the Supreme Court to review a lower court decision that wrongly denied EPIC access to a privacy impact assessment the Commission was required to publish. EPIC told the Supreme Court that the D.C. Circuit “misconstrued” the privacy impact assessment requirement “in a way that will seriously undermine the provision.” EPIC also warned that the lower court decision could adversely impact the privacy of personal data held by federal agencies. EPIC’s suit against the Commission led to the suspension of data collection, the discontinued use of an unsafe computer server, and the deletion of state voter data wrongly acquired. EPIC’s case in the Supreme Court is EPIC v. Commission, No. 17A1406. (Aug. 31, 2018)

  • EPIC has settled a Freedom of Information Act lawsuit against the Department of Homeland Security that sought communications between the agency and the Presidential Election Commission. Through the lawsuit, EPIC obtained records showing that DHS communicated frequently with the Presidential Election Commission after EPIC sued to block the Commission's efforts to obtain state voter data. The records also revealed that Kirstjen Nielsen, now the DHS Secretary, worried that the Commission’s voter data grab would "disrupt critical efforts DHS is leading to work with state and local officials" on election cybersecurity. EPIC's separate lawsuit against the Presidential Election Commission led to the suspension of state voter data collection and ultimately to the complete destruction of the wrongfully collected data. (Aug. 29, 2018)

  • EPIC and 30 other organizations sent a letter to the Senate Judiciary Committee to urge action on the final two nominees to the Privacy and Civil Liberties Oversight Board. The Senate Judiciary Committee has held hearings on only three of the five nominees. The independent agency reviews federal surveillance programs to ensure that they provide adequate safeguards for privacy and civil liberties, but the PCLOB has lacked a quorum for over 19 months and has not held hearings, issued reports, or performed other critical functions. The letter stated that the absence of a quorum is a "lost opportunity to better inform the public and facilitate Congressional action." EPIC previously testified before PCLOB, made recommendations for PCLOB's handling of FOIA requests, and set out a broad agenda for the work of the independent agency. (Aug. 29, 2018)

  • EPIC along with a nonpartisan coalition of open government groups sent a letter to the Chair and Ranking Member of the Senate Judiciary Committee urging the Senate to delay hearings on Supreme Court nominee Brett M. Kavanaugh until all relevant records are released. In the letter, the groups stated, "Secrecy and selective availability of information continue to plague public confidence in the Senate's ability to conduct a fair and impartial review of Judge Kavanaugh's background and qualification." The groups urged the senators to work across party lines to ensure maximum transparency and protect the public's right to know. Judge Kavanaugh's confirmation hearing is currently scheduled for September 4, yet most of the records from his White House years have been withheld. Traditionally, the records of Supreme Court nominees who served in the White House are routinely made available prior to committee hearings. Earlier this month, EPIC submitted two urgent Freedom of Information Act requests for the records. At issue are concerns about Judge Kavanaugh's role in the warrantless wiretapping program and the secret expansion of the Patriot Act. (Aug. 27, 2018)

  • The Congressional Research Service has published a report regarding Supreme Court nominee Judge Kavanaugh's jurisprudence. The nonpartisan CRS provides policy and legal analysis to committees and Members of both the House and Senate, regardless of party affiliation. The CRS report discusses Judge Kavanaugh's potential impact on the Supreme Court if confirmed. According to the report, Judge Kavanaugh has a "more restrictive view" on the constitutional right to be free of unreasonable searches and seizures than other judges on the D.C. Circuit Court of Appeals. Notably in Klayman v. Obama, Judge Kavanaugh stated that the National Security Agency's suspicionless surveillance of the American public was "entirely consistent with the Fourth Amendment." The report also includes an Appendix with tables that summarize his rate of concurring and dissenting opinions relative to other judges on the D.C. Circuit and how his opinions have fared when reviewed by the Supreme Court. (Aug. 27, 2018)

  • A federal appeals court has ruled that smart meters perform a "search" under the Fourth Amendment but found that their collection of household energy data is "reasonable." Smart meters periodically transmit information to public utilities about home energy consumption, which can reveal personal behavior patterns and enable real-time surveillance. "The ever-accelerating pace of technological development carries serious privacy implications," the Seventh Circuit wrote. "Smart meters are no exception." The Court held that the searches performed by smart meters are justified by cost reductions and service improvements, but the Court warned that "our conclusion could change" if the meters sent data more frequently or if law enforcement were given easier access to the data. EPIC has long warned about the privacy implications of the smart grid and filed an amicus brief in United States v. Carpenter, a recent Supreme Court case that recognized Fourth Amendment protections for cell phone location data. (Aug. 23, 2018)

  • Through a Freedom of Information Act request to the National Science Foundation, EPIC has obtained communications between the Office of Science and Technology Policy and the NSF about the White House's Select Committee on Artificial Intelligence. The Committee was announced earlier this year at the White House Artificial Intelligence Summit. In an e-mail, Michael Kratsios, Deputy Assistant to the President for Technology Policy, stated that the summit was "well received by industry and academia" but made no mention of the absence of public participation. The Committee's inaugural meeting in May was held in secret, and the OSTP has still not announced a plan for public participation. EPIC and leading scientific organizations, including AAAS, ACM, and IEEE, and technology experts petitioned the OSTP to solicit public comments on artificial intelligence policy. EPIC again argued for public participation in US AI policy in a recent statement to the Senate Commerce Committee. (Aug. 22, 2018)

  • The FTC confirmed this week that it is investigating Google's compliance with the 2011 consent order. EPIC sent a letter to the FTC last week urging the Commission to determine whether Google violated the consent order following a report that Google tracked user location even when users opt out. EPIC explained that modifying the "privacy policy" after obtaining the location data from users would not comply with the FTC's consent order. In the response to EPIC, the agency said that FTC attorneys monitor compliance with the agency's consumer protection orders and "the Google order is undergoing just such a review." The 2011 settlement with Google followed a detailed complaint brought by EPIC and a coalition of consumer organizations. The groups charged that Google had engaged in unfair and deceptive trade practices when it changed the privacy settings of Gmail users and opted them into Google Buzz. The FTC agreed with the consumer groups, Google entered into a settlement, and Buzz was shuttered. FTC chairman Jon Leibowitz said at the time, "When companies make privacy pledges, they need to honor them. This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations." (Aug. 22, 2018)

  • In advance of a hearing concerning the Office of Science and Technology Policy, EPIC said that OSTP should ensure public participation in the development of AI policy. EPIC told the Senate Commerce Committee that Congress must also implement oversight mechanisms for the use of AI. EPIC said that Congress should require algorithmic transparency, particularly for government systems that involve the processing of personal data. In a recent petition to OSTP, EPIC, leading scientific organizations, including AAAS, ACM and IEEE, and nearly 100 experts urged the White House to solicit public comments on artificial intelligence policy. EPIC has pursued several criminal justice FOIA cases and FTC consumer complaints to promote transparency and accountability. In 2015, EPIC launched an international campaign for Algorithmic Transparency. (Aug. 21, 2018)

  • EPIC has advised the FTC on algorithmic decision tools, artificial intelligence, and predictive analytics for the hearings on "Competition and Consumer Protection in the 21st Century." In the comments, EPIC urged the FTC to (1) prohibit unfair and deceptive algorithms, (2) seek legislative authority for "algorithmic transparency" to establish consumer protection in automated decision-making, (3) provide guidance on the ethical design and implementation of algorithms, and (4) make public the "Universal Tennis Rating" algorithm that secretly scores young athletes. Calling on the Commission to act on EPIC's repeated complaints on the proprietary algorithm that poses risks to children's privacy, EPIC said: "secret algorithms are unfair and deceptive," conceal bias, and deprive consumers of opportunities in the marketplace. EPIC champions "Algorithmic Transparency", and has advised Congress that algorithmic transparency is necessary for fairness and accountability. (Aug. 21, 2018)

  • EPIC, the Center for Digital Democracy, the Consumer Federation of America, and US PIRG submitted comments to the FTC in advance of hearings on "Competition and Consumer Protection in the 21st Century." The consumer groups said that privacy protection is critical for competition and innovation. The groups told the FTC that it should: 1) unwind the Facebook-WhatsApp deal; 2) require Facebook and Google to spin off their advertising units into independent companies; 3) block all future acquisitions by Facebook and Google that would enable the companies to increase their monopoly over consumer data; 4) impose privacy safeguards for all future mergers that implicate data privacy concerns; and 5) perform audits of algorithmic tools to promote accountability and to limit anticompetitive conduct. This will be the first time the FTC has reexamined its approach to consumer protection and competition since the FTC's 1995 hearings on "Global Competition and Innovation." EPIC participated in the 1995 hearings which led to the FTC's work on consumer privacy. (Aug. 20, 2018)

  • The White House confirmed Monday that it has destroyed the state voter data unlawfully collected by the Presidential Election Commission. Responding to a court order in EPIC v. Commission the White House stated that the voter data is now "entirely deleted and unrecoverable." The deletion of the voter data is the outcome EPIC sought in its case, which challenged the Commission's failure to conduct a required Privacy Impact Assessment before collecting personal data. As a result of EPIC's lawsuit in July 2017, the Commission suspended data collection, discontinued the use of an unsafe computer server, and deleted state voter data that was illegally obtained. The Commission was disbanded in January 2018. (Aug. 20, 2018)

  • Following a report that Google tracks user location even when users opt out, EPIC wrote to the FTC that Google violated the 2011 consent order. EPIC said "Google's subsequent changes to its policy, after it has already obtained location data on Internet users, fails to comply with the 2011 order." EPIC also told the FTC that "The Commission's inactions have made the Internet less safe and less secure for users and consumers." The 2011 settlement with Google followed a detailed complaint brought by EPIC and a coalition of consumer organizations. The groups charged that Google had engaged in unfair and deceptive trade practices when it changed the privacy settings of Gmail users and opted them into Google Buzz. The FTC agreed with the consumer groups, Google entered into a settlement, and Buzz was shuttered. FTC chairman Jon Leibowitz said at the time, "When companies make privacy pledges, they need to honor them. This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations." (Aug. 17, 2018)

  • A federal court in the District of Columbia has blocked EPIC's efforts to obtain a secret "Predictive Analytics Report" in a FOIA case against the Department of Justice. The court sided with the agency which had withheld the report and asserted the "Presidential communications privilege." Neither the Supreme Court nor the D.C. Circuit has ever permitted a federal agency to invoke that privilege in a FOIA case. EPIC sued the agency in 2017 to obtain records about "risk assessment" tools in the criminal justice system. These techniques are used to set bail, determine criminal sentences, and even contribute to determinations about guilt or innocence. Many criminal justice experts oppose their use. EPIC has pursued several FOIA cases concerning "algorithmic transparency," passenger risk assessment, "future crime" prediction, and proprietary forensic analysis. The case is EPIC v. DOJ (Aug. 14, 2018 D.D.C.). EPIC is considering an appeal. (Aug. 16, 2018)

  • EPIC and a coalition of consumer groups have asked the FTC to conclude the Facebook-Cambridge Analytica investigation by September 1, 2018. The groups said, “It is critical that the FTC conclude the Facebook matter, issue a significant fine, and ensure that the company upholds its privacy commitments to users.” Congress and the European Parliament have both conducted extensive hearings on the Cambridge Analytica matter. The U.K. Information Commissioner’s Office conducted an extensive investigation, published a substantial report, and issued a significant fine in July. The FTC announced in March that it would reopen the Facebook investigation. (Aug. 15, 2018)

  • Through a Freedom of Information Act request, EPIC has obtained the Department of Defense Inspector General's report on an audit of hotline allegations involving improper use of agency funds for foreign counterintelligence billets. The report found that the Defense Intelligence Agency followed proper appropriation authorities but did not ensure proper function and management for the program. The Inspector General found that "employees were performing duties not aligned with their position descriptions and funding." In a 2012 FOIA case, EPIC v. CIA, EPIC uncovered an Inspector General's report which revealed that the CIA, in collaboration with the NYPD, conducted domestic surveillance of mosques, Muslim student groups, and Muslim stores and businesses. EPIC continues to pursue the release of government documents to improve oversight and accountability through litigation and EPIC's Open Government Project. (Aug. 15, 2018)

  • EPIC has sent a statement to the Senate Commerce Committee for a hearing on the Federal Communications Commission. EPIC urged the Committee to push the FCC to protect online privacy. EPIC also asked the Committee to press the FCC to repeal a regulation that requires the retention of telephone customer records for 18 months. EPIC filed the petition urging the repeal of this mandate more than two years ago. Every comment received by the FCC favored the EPIC petition. EPIC has submitted multiple comments to the FCC to strengthen online privacy and has recommended an industry neutral and comprehensive privacy framework. (Aug. 15, 2018)

  • The D.C. Circuit has announced the three-judge panel that will decide EPIC v. IRS, EPIC's Freedom of Information Act case to obtain public release of President Trump's tax returns. Arguments will be held in the case on Thursday, September 13, 2018 before Judge Karen LeCraft Henderson, Judge Patricia A. Millett, and Judge Harry T. Edwards. EPIC has argued that the IRS has the authority to disclose the President's returns to correct numerous misstatements of fact concerning his financial ties to Russia. For example, President Trump tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim "plainly contradicted by his own attorneys, family members, and business partners." As EPIC told the Court, "there has never been a more compelling FOIA request presented to the IRS." A broad majority of the American public favor the release of the President's tax returns. EPIC v. IRS is one of several FOIA cases EPIC has pursued concerning Russian interference in the 2016 Presidential election, including EPIC v. FBI (response to Russian cyber attack) and EPIC v. DHS (election cybersecurity). (Aug. 14, 2018)

  • EPIC provided comments to the European Commission to inform the second annual review of the EU-U.S. Privacy Shield, a framework that permits the processing of the personal data of Europeans in the United States. EPIC detailed the latest privacy developments in the U.S., including the extension of Fourth Amendment protection to cell phone location data in Carpenter v. United States, passage of the CLOUD Act, the FTC's failure to enforce its legal judgment against Facebook, the vacancies at the PCLOB, the absence of a Privacy Shield Ombudsman at the Commerce Department, and the nomination of Judge Brett Kavanaugh to the Supreme Court. The Commission approved Privacy Shield last year, but sought additional steps by the United States. The European Parliament has called for suspension of the pact if the U.S. does not fully comply by September 1st. The European Commission will make a final determination this fall. (Aug. 14, 2018)

  • The FTC has unanimously voted to approve EPIC’s recommendations to strengthen safeguards for children's data in the gaming industry. In a 5-0 vote, the FTC adopted EPIC's proposals to revise the Entertainment Software Rating Board's industry rules to (1) extend children's privacy protections in COPPA to all users worldwide; and (2) implement privacy safeguards for the collection of data "rendered anonymous." The FTC wrote, "the Commission agrees with EPIC's comment. As COPPA's protections are not limited only to U.S. residents, the definition of 'child' in the ESRB program has been revised to remove the limitation." The Commission also strengthened protections for de-identified children's data: "companies must provide notice and obtain verifiable parental consent if personal information is collected, even if it is later anonymized." EPIC has testified several times before Congress on protecting children's data and supported the 2013 updates to COPPA. (Aug. 14, 2018)

  • The International Working Group on Data Protection in Telecommunications has adopted new recommendations to protect individual rights during criminal cross-border law enforcement. The Berlin-based Working Group includes Data Protection Authorities and experts who assess emerging privacy challenges. The Working Group on Data Protection calls on governments and international organisations to ensure law enforcement requests accord with international human rights norms. The Working Group recommends specific safeguards for data protection and privacy, including accountability, procedural fairness, notice and an opportunity to challenge. EPIC addressed similar issues in an amicus brief for the US Supreme Court in the Microsoft case. EPIC and a coalition of civil society organizations recently urged the Council of Europe to protect human rights in the proposed revision to the Convention on Cybercrime. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the Goethe-Institut, Germany's cultural institute. (Aug. 14, 2018)

  • The White House announced the nomination of two board members to the Privacy and Civil Liberties Oversight Board (PCLOB). Travis LeBlanc is a partner at Boies Schiller, and former Federal Communications Commission Enforcement Bureau Chief. Aditya Bamzai is a law professor at the University of Virginia and former Department of Justice attorney. The intelligence oversight body has been unable to act due to long-term vacancies. The European Parliament has called for suspension of the Privacy Shield if the U.S. does not improve data protection and restore the PCLOB. Three other members have been nominated but have yet to be confirmed. EPIC opposed the nomination of Adam Klein to serve as Chairman of the Board. EPIC previously testified before PCLOB, made recommendations for PCLOB's handling of FOIA requests, and set out a broad agenda for the work of the independent agency. EPIC previously sought public release of the PCLOB report on Executive Order 12333. (Aug. 13, 2018)

  • On Thursday, the Senate Judiciary Committee released the first production of records for Supreme Court nominee Brett M. Kavanaugh from his time as associate counsel for George W. Bush. Roughly 5,700 pages of documents were made available to the public. The documents show that Kavanaugh assisted in the effort to pass the Patriot Act and drafted a statement that President Bush incorporated in the bill signing. Kavanaugh wrote that the PATRIOT Act will “update laws authorizing government surveillance,” which he claimed, and President Bush then restated, were from an era of “rotary phones.” In fact, the PATRIOT Act weakened numerous U.S. privacy laws, including the subscriber privacy provisions in the Cable Act and the email safeguards in the Electronic Communications Privacy Act. Both laws were enacted after the era of rotary phones. Congress amended the Foreign Intelligence Surveillance Act after it was revealed that the White House had authorized warrantless wiretapping of Americans beginning in 2002. In an email exchange, Kavanaugh wrote that the PATRIOT Act was a "measured, careful, responsible, and constitutional approach . . . .” EPIC recently submitted two urgent Freedom of Information Act requests for Judge Kavanaugh’s records during his time serving as Staff Secretary for President Bush. (Aug. 11, 2018)

  • Senator Feinstein has sent an urgent letter to Archivist David S. Ferriero demanding reconsideration of the National Archives' decision to withhold documents related to Supreme Court nominee Brett Kavanaugh. In the letter, Senator Feinstein stated that the "records are crucially important to the Senate's understanding of Mr. Kavanaugh's full record, and withholding them prevents the minority from satisfying its constitutional obligation to provide advice and consent on his nomination." Under the National Archives' unprecedented interpretation of the Presidential Records Act, Feinstein explained that "minority members of the Senate Judiciary Committee now have no greater right to Mr. Kavanaugh's records than members of the press and the public." EPIC recently submitted two urgent Freedom of Information Act requests for Judge Kavanaugh's records during the time he served in the White House when many of the post-September 11 mass surveillance systems were implemented. (Aug. 8, 2018)

  • A coalition of nonpartisan open government groups has called for the disclosure of Supreme Court nominee Brett Kavanaugh's White House records. In a letter to the Senate Judiciary Committee, the coalition asserted that "curtailed document requests will hinder the Senate's ability to fully assess Judge Kavanaugh's background and qualifications..." To uphold the Constitution, the coalition emphasized that "senators from both parties must have equal access to all documents relevant to a nominee, in as timely and complete a manner as possible." EPIC recently submitted two urgent Freedom of Information Act requests for Judge Kavanaugh's White House records during the time when many of the post-September 11 mass surveillance systems were implemented. (Aug. 8, 2018)

  • In comments to the U.S. Census Bureau, EPIC opposed the agency's decision to add a citizenship question to the 2020 census. The administration's stated purpose for the question is to assist the DOJ, but EPIC argued that census data should never be used for enforcement purposes because collecting data to enforce laws will interfere with the census's constitutional purpose and will undermine the integrity of the census. The Bureau earlier conducted a Privacy Impact Assessment for the census, but it did not acknowledge the privacy risks raised by the recently added citizenship question. EPIC said the assessment does not meet the Commerce Department's standards and that it is required to conduct a revised assessment, analyzing the privacy risks created by the citizenship question. Through a Freedom of Information Act request, EPIC obtained documents (part 1, part 2, part 3, part 4) concerning Commerce Secretary Wilbur Ross and the citizenship question. The census raises significant privacy risks and was used to target Japanese-Americans for internment in World War II. EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to DHS after 9-11. As a consequence of EPIC's lawsuit, the Census Bureau revised its policy on disclosing statistical information about "sensitive populations" to law enforcement and intelligence agencies. (Aug. 8, 2018)

  • EPIC has sent a letter to the Federal Communications Commission urging the FCC to act immediately on a Petition submitted by EPIC and a coalition of civil rights organizations, technical experts and legal scholars exactly three years ago. The Petition called for an end to the FCC rule requiring the mass retention of phone records, known as the “data retention mandate.” EPIC explained in the Petition that the rule was “unduly burdensome and ineffectual and posed an ongoing threat to the privacy and security of American consumers. The U.S. Supreme Court recently declared that cell phone location records are protected under the Fourth Amendment in Carpenter v. United States. EPIC wrote in the letter that “as we anticipated in the original Petition, the retention of cell phone data implicates constitutional interests.” All of the comments received by the FCC on this topic favored an end to the mandate. (Aug. 2, 2018)

  • EPIC has filed a Freedom of Information Act lawsuit against the Department of Justice for the release of reports on the collection and use of cell site location information. Modern cell phones generate precise location records, known as “cell site location information,” that were often accessible to law enforcement agencies. However, the Department of Justice has never produced any comprehensive reports concerning the use of cell site data. In Carpenter v. United States, the Supreme Court held that the Fourth Amendment protects location records generated and that the “police must get a warrant when collecting” cell site location information. In the complaint, EPIC stated that it “seeks to determine the use, effectiveness, cost, and necessity in the collection and use of cell site location information so that the public, lawmakers, and the courts may have a better understanding of the use of this investigative technique.” The case is EPIC v. DOJ, No. 18-1814 (D.D.C. filed August 1, 2018). (Aug. 2, 2018)

  • EPIC has submitted two urgent Freedom of Information Act requests to the George W. Bush Library for records about Supreme Court nominee Brett M. Kavanaugh and various proposals for surveillance of the American public. Judge Kavanaugh served as Staff Secretary for President Bush between 2003 and 2006. During that time, many of the post-September 11 mass surveillance systems were implemented, such as the warrantless wiretapping of Americans, which was later deemed unconstitutional, as well as Total Information Awareness, airport body scanners, and Real ID. The first EPIC FOIA request concerns staff files during his tenure at the White House and the second EPIC FOIA request concerns his e-mails. Judge Kavanaugh has stated that his time serving as Staff Secretary was “the most interesting, and in many ways, among the most instructive” to his work as a judge. Judge Kavanaugh also wrote an opinion on the D.C. Circuit Court of Appeals, defending mass surveillance, that surprised even conservative legal scholars. (Aug. 2, 2018)

  • EPIC submitted comments in response to the National Telecommunications and Information Administration's request for recommendations on its international internet policy priorities. NTIA is the Executive Branch agency that is principally responsible by law for advising the President on telecommunications and information policy issues. EPIC recommended that the administration (1) enact comprehensive privacy law, based on the OECD Privacy Guidelines; (2) encourage US firms to comply with GDPR; and (3) ratify the Council of Europe Privacy Convention. EPIC has urged Congress to update U.S. privacy laws and recently wrote in the Financial Times that “Instead of criticizing the EU effort, the Commerce Department should help develop a comprehensive strategy to update US data protection laws.” EPIC comments to the NTIA also addressed Algorithmic Transparency, security standards for the Internet of Things, and data minimization. (Aug. 1, 2018)

  • In detailed comments, EPIC advised the FTC to strengthen a proposed settlement with ReadyTech concerning Privacy Shield, a framework that permits the flow of data on Europeans to the U.S. The FTC settlement prohibited the company from making future misrepresentations regarding compliance with Privacy Shield, but provided no relief for Europeans whose data was unlawfully collected. EPIC urged the FTC to require ReadyTech to undergo and release independent privacy assessments, disgorge all data collected from E.U. citizens, and implement Fair Information Practices. EPIC told the FTC that enforcement of Privacy Shield comes at a critical moment, as the European Parliament recently called for suspension by September 1st if the U.S. does not fully comply. EPIC stressed the urgency of the FTC’s Facebook-Cambridge Analytica investigation, which the European Parliament highlighted as a particular concern. EPIC previously told the FTC that the Cambridge Analytica breach could have been prevented had the FTC enforced the 2011 Consent Order against Facebook, which EPIC and other organizations helped obtain. (Aug. 1, 2018)

  • EPIC submitted a Freedom of Information Act request to the Transportation Security Authority after news reports that the agency secretly surveils airport travelers. The program, known as "Quiet Skies," uses teams of federal marshals to track and observe unsuspecting travelers while they are in the airport and on flights. A Government Accountability Office report on a similar program that used behavioral analysis found the program to be ineffective. The GAO report stated that the "Screening of Passengers by Observation Techniques" program also raised significant concerns over racial and ethnic profiling. EPIC has urged TSA to undertake a comprehensive audit of the civil rights impact of airport screening policies on racial and religious minorities. (Jul. 31, 2018)

  • EPIC is planning to submit a Freedom of Information Act request to the Bush Library and the National Archives and Records Administration for records concerning programs of mass surveillance and Supreme Court nominee Brett M. Kavanaugh. Kavanaugh served as Assistant to the President and Staff Secretary for President George W. Bush between July 2003 and May 2006. During that time, the Bush administration undertook a wide range of mass surveillance programs, including the warrantless wiretapping of Americans, which was later deemed unlawful. On the federal appellate court, Judge Kavanaugh wrote that a suspicionless surveillance program "is entirely consistent with the Fourth Amendment." "Critical national security need outweighs the impact on privacy occasioned by the program," wrote Kavanaugh. Other programs backed by the White House when Judge Kavanaugh served as White House Staff Secretary include Total Information Awareness, airport body scanners, and Real ID. (Jul. 30, 2018)

  • In advance of a hearing on "The Internet and Digital Communications: Examining the Impact of Global Internet Governance," EPIC urged the Senate Commerce Committee to prioritize updating U.S. privacy law to respond to changes in technology. "The failure of the United States to address the growing concerns about online privacy is threatening both the digital economy and democratic institutions," EPIC stated. EPIC explained that privacy protection is necessary to ensure the free flow of information online. EPIC again warned Congress that Europe may suspend the Privacy Shield, a framework that permits the flow of European consumers' personal data to the U.S., if the United States does not modernize privacy law and establish a federal data protection agency. (Jul. 30, 2018)

  • A federal judge ruled that lawsuits challenging the Trump administration's decision to add a question on citizenship status to the 2020 census could move forward. The court rejected the administration's claim that the plaintiffs lacked standing and ruled that it was "plausible" that the decision was motivated by racial animus and would result in a discriminatory effect on immigrant communities. Through a Freedom of Information Act request, EPIC obtained documents (part 1, part 2, part 3, part 4) considered by Commerce Secretary Wilbur Ross to add the citizenship question. The census raises significant privacy risks and has been used to discriminate. EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to DHS after 9-11. (Jul. 27, 2018)

  • The NSA's Office of Inspector General issued the first unclassified semi-annual report to Congress on the National Security Agency. The report describes the internal watchdog's audits, studies, and investigations of the NSA's activities. Among other findings, the OIG uncovered improper searches through U.S. persons' data collected under the Foreign Intelligence Surveillance Act, as well as "many instances of noncompliance" with rules to secure NSA networks, systems, and data. In 2012, EPIC testified before Congress on the need for better reporting on the use of FISA authorities. EPIC also routinely highlights reporting on federal surveillance under the Wiretap Act. In EPIC v. NSA, EPIC obtained the Presidential Decision Directive, outlining the agency's authority for domestic surveillance. (Jul. 25, 2018)

  • In comments to Customs and Border Protection, EPIC urged the agency to suspend the Biometric Entry/Exit Program. EPIC argued that less privacy-invasive alternatives should be considered and that the program should not move forward until Congress has passed regulations implementing safeguards for the use of biometrics. CBP solicited comments about the collection of biometrics, based on facial recognition, from people in vehicles crossing the border. EPIC said that such an expansion could quickly lead to a program of mass surveillance. In EPIC v. CBP, EPIC has sued the agency for details about the program. A report EPIC obtained in the lawsuit showed that facial recognition at a pedestrian border failed to perform at a "satisfactory" level. (Jul. 25, 2018)

  • EPIC has sent a statement to the House Commerce Committee for a hearing on the Federal Communications Commission. EPIC urged the Committee to push the FCC to develop a comprehensive plan for online privacy. EPIC also asked the Committee to press the nominees to repeal an FCC regulation that requires the retention of telephone customer records for 18 months. EPIC filed a petition urging the repeal of this mandate more than two years ago and the FCC recently docketed the petition for public comment. Every comment received by the FCC favored the EPIC petition to end the data retention mandate. EPIC has submitted multiple comments to the FCC for strong online privacy protections. (Jul. 24, 2018)

  • Through a Freedom of Information Act lawsuit, EPIC obtained Customs and Border Protection's directive on Unmanned Aircraft System Operations and Privacy. The directive allows the agency to share information collected through drone operations with federal, state, local, tribal, and foreign law enforcement agencies. EPIC's FOIA request stems from a 2015 Presidential Memorandum that requires all federal agencies to develop and publish policies and procedures that address the privacy, civil liberties, and civil rights issues posed by the use of drones. EPIC recently sent a statement to the Senate Committee on Homeland Security and Government Affairs, urging the Committee not to consider S. 2836, Preventing Emerging Threats Act of 2018: Countering Malicious Drones, until all federal agencies establish drone privacy procedures. (Jul. 20, 2018)

  • Sen. Dianne Feinstein (D-Calif.) has introduced S. 3127, the Bot Disclosure and Accountability Act of 2018. The bill directs the FTC to create a rule to require social media companies to disclose any social media bots on their platform. The bill also prohibits candidates and political parties from using bots. "This bill is designed to help respond to Russia's efforts to interfere in U.S. elections through the use of social media bots, which spread divisive propaganda," Feinstein said. Earlier this week, EPIC sent a statement to the House Judiciary Committee arguing that "algorithmic transparency" could help establish fairness, transparency, and accountability for much of what users see online. EPIC has also recommended identification requirements for drones. (Jul. 19, 2018)

  • Today the Department of Justice released a summary and assessment of federal agencies' Chief FOIA Officer Reports. The annual FOIA Report provides a detailed assessment of FOIA processing across the federal government. The summary tracks the Department's FOIA Guidelines: Applying the Presumption of Openness, Having Effective Systems for Responding to Requests, Making Information Available Proactively, Utilizing Technology, and Reducing Backlogs and Improving Timeliness. The guidance offers methods to manage these backlogs, gives guidance on closing oldest consultations, and recommends that agencies post raw data from the annual FOIA reports. EPIC pursues an extensive FOIA docket. (Jul. 19, 2018)

  • EPIC and a coalition of groups gave the White House the final go-ahead today to destroy the state voter data unlawfully collected by the Presidential Election Commission. In a notice to the federal court overseeing EPIC v. Commission, EPIC and the other groups that sued the Commission said that the White House should delete the data as it stated earlier it would. The deletion of the voter data is the outcome EPIC sought in EPIC v. Commission, which challenged the Commission for failing to conduct a required Privacy Impact Assessment before collecting personal data. As a result of EPIC's case, the Commission previously suspended its data collection, discontinued the use of an unsafe computer server, and deleted a prior batch of voter information that was illegally obtained. The Commission was disbanded in January. (Jul. 19, 2018)

  • In testimony this morning before the House Energy and Commerce Committee, new Federal Trade Commission Chairman Joseph Simons said the FTC needs greater authority to protect consumers. Simons asserted that privacy and data security are now the top priority for the FTC, and signaled his support for data protection legislation that would accomplish three things: (1) provide civil penalties for companies that violated the law, (2) give the FTC jurisdiction over nonprofits and common carriers, and (3) provide the FTC with rulemaking authority for privacy and data security. EPIC submitted a statement prior to today's hearing emphasizing that the FTC must conclude its investigation of Facebook and issue a fine for its violations of the 2011 Consent Order and unwind the Facebook-WhatsApp deal. (Jul. 18, 2018)

  • EPIC has sent a statement to the House Energy and Commerce Committee in advance of a hearing on “Oversight of the Federal Trade Commission.” EPIC told the Committee to urge the new FTC leadership to enforce the Facebook Consent Order and unwind the Facebook-WhatsApp merger. As EPIC previously told Congress, the Cambridge Analytica breach could have been avoided if the FTC had enforced its 2011 Consent Order against Facebook. That Order was the result of detailed complaints filed by EPIC and consumer privacy organizations in 2009 and 2010. In 2014, EPIC and the Center for Digital Democracy urged the FTC to block Facebook’s acquisition of WhatsApp unless appropriate privacy safeguards were put in place. In 2016, EPIC and CDD filed a second complaint after Facebook broke its privacy promises and began collecting WhatsApp users' data. (Jul. 17, 2018)

  • EPIC wrote to FAA Acting Administrator Daniel K. Elwell today to request that the agency livestream the FAA Drone Advisory Committee meeting that takes place tomorrow in Santa Clara. Earlier this year, EPIC filed suit against the Drone Committee, alleging that it had conducted much of its work in secret and ignored the privacy risks posed by the deployment of drones. As EPIC explained in the request for public streaming, “the FAA’s Drone Advisory Committee plays a key role in setting public policy on drone deployment for the United States, yet the public is largely excluded from this process. This secrecy is of particular concern given ongoing public concerns about the deployment of drones in the United States.” (Jul. 16, 2018)

  • In advance of a hearing on Filtering Practices of Social Media Companies, EPIC has sent a statement to the House Judiciary Committee. EPIC said that "algorithmic transparency" could help establish fairness, transparency, and accountability for much of what users see online. In 2011, EPIC sent a letter to the FTC stating that Google's acquisition of YouTube led to a skewing of search results after Google substituted its secret "relevance" ranking for the original objective ranking, based on hits and ratings. The FTC took no action on EPIC's complaint. But last year, after a seven-year investigation, the European Commission found that Google rigged search results to give preference to its own shopping service. The Commission required Google to change its algorithm to rank its own shopping comparison the same way it ranks its competitors. (Jul. 16, 2018)

  • EPIC has filed an amicus brief in Frank v. Gaos, concerning a class action settlement that provided no benefit to Internet users and no change in the business practices of defendant Google. EPIC said the settlement was not "fair, reasonable, and adequate." The case involves Google's disclosure of Internet user search histories to third parties without user consent, a business practice that could violate federal and state privacy law. EPIC stated, "The proposed settlement is bad for consumers and does nothing to change Google's business practices." A federal appeals court narrowly approved that settlement, 2-1, with the dissenting judge warning that courts must be on the lookout "not only for explicit collusion, but also for more subtle signs that class counsel have allowed pursuit of their own self-interests." EPIC said that, "cy pres requires vigilant judicial oversight to guard against the risks of collusion and ensure that judges are not rubber-stamping settlements that pay attorneys while failing to benefit class members." EPIC and several consumer privacy organizations objected to the original settlement on three separate occasions. EPIC routinely opposes class action settlements that fail to provide a benefit to Internet users. (Jul. 16, 2018)

  • Russian intelligence officers hacked the website of a political organization in 2016 and stole personal data on more than 500,000 voters, according to a new indictment from the Special Counsel's Office. The stolen data included "names, addresses, partial social security numbers, dates of birth and driver's license numbers." In January 2017, EPIC sued the FBI for information about the agency's failure to respond to foreign cyber attacks on the DNC and the RNC. EPIC eventually obtained the victim notification procedures that would have applied during the 2016 Presidential election, but which the FBI failed to follow. Almost 18 months have passed since the filing of EPIC v. FBI and the first criminal indictments. (Jul. 13, 2018)

  • EPIC has sent a letter to the Federal Trade Commission and the European Data Protection Board urging the suspension of a proposed study that will disclose user data to third parties without their consent. EPIC warned that the Social Science One project transfer likely violates the GDPR, as well as the FTC's 2011 Consent Order with Facebook, which bars Facebook from disclosing data to third parties without users' affirmative consent. The FTC announced in April that Facebook is under investigation over the transfer of personal data to Cambridge Analytica, a research organization affiliated with a prestigious university. In 2012, Facebook conducted a psychological experiment on its users by secretly manipulating their news feeds to examine the effects of social media on user emotions. The study was suspended after objections from EPIC, professional societies, and others. The Guardian reported that the "lack of 'informed consent' means that Facebook experiment on nearly 700,000 news feeds broke rules on tests on human subjects." (Jul. 13, 2018)

  • In a companion case to EPIC v. FAA, the D.C. Circuit ruled in Taylor v. FAA that the regulations for drones operated by hobbyists are within the agency's statutory authority. The D.C. Circuit previously ruled that EPIC lacked standing to compel the FAA to establish privacy rules for commercial drones. The D.C. Circuit declined to reach the merits of EPIC's challenge. The FAA is expected to issue rules later this year that will require drones to identify themselves with radio beacons, as EPIC had previously urged. (Jul. 13, 2018)

  • EPIC and a coalition of organizations sent a letter to Congress urging an investigation of the Department of Homeland Security's records management practices. The concern follows the administration's "zero-tolerance" immigration enforcement policy and family unification efforts. Recent reports indicate that border agents are improperly destroying records of the separated families, making it difficult to reestablish family connections. "The purposeful deletion of records by border agents would be a clear violation of the [Federal Records Act], with dire humanitarian consequences," the group stated. The letter also encouraged Congress to ensure DHS is fulfilling its transparency obligations by making its policy guidances available to the public. EPIC has previously warned the Senate about the misuse of immigrant data by the DHS. (Jul. 12, 2018)

  • In the first public consultation held by the European Data Protection Board, EPIC proposed rights-based certification criteria for the General Data Protection Regulation. The Data Protection Board is now the lead privacy agency in Europe. EPIC explained the risks of self-regulatory certification mechanisms, pointing to TRUSTe and the Facebook audits obtained by EPIC that wrongly certified Facebook's compliance with the 2011 FTC Consent Order. EPIC said certification mechanisms "must be developed by national DPAs and implemented in conformity with the fundamental principles and rights of the GDPR." EPIC has also advised the UK Information Commissioner's Office and the Irish Data Protection Commissioner on GDPR enforcement. (Jul. 12, 2018)

  • In advance of a joint Committee hearing on "Oversight of FBI and DOJ Actions Surrounding the 2016 Election," EPIC has sent a statement to the House Judiciary and House Oversight Committees urging the release of the complete declassified Intelligence Community report on Russian interference in the 2016 U.S. Presidential Election. EPIC pursued a FOIA lawsuit, EPIC v. ODNI, to obtain public release of the complete Intelligence report, and a federal court ruled that ODNI could withhold the document from public release. However, a recent report from the Senate Select Committee on Intelligence confirmed the 2017 assessment from the Intelligence Community. The Intelligence report stated "Russia's goals were to undermine public faith in the U.S. democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump." EPIC argued that, in light of this report, the public has a right to know the Intelligence Community's findings. In 2017, EPIC launched a new project on Democracy and Cybersecurity to focus attention on new threats to democratic institutions. (Jul. 11, 2018)

  • The Information Commissioner's Office, the lead agency for data protection in England, has issued the maximum £500,000 fine on Facebook for failing to secure user data from Cambridge Analytica. ICO investigations found that Cambridge Analytica harvested 87 million Facebook users' personal data to target ads for political purposes, and that Facebook did not compel the deletion of this data to prevent further misuses. Facebook was charged with two violations of the UK Data Protection Act 1998: "failing to safeguard people's information [and] failing to be transparent about how people's data was harvested by others and why they might be targeted by a political party or campaign." ICO also told other companies that served online political ads during the EU Brexit Referendum to stop processing UK citizens' data. In March and April, EPIC told the FTC and Congress that the Cambridge Analytica breach could have been prevented if the FTC had enforced the 2011 Consent Order with Facebook. The FTC is currently investigating Facebook but has never imposed any fines against the company. (Jul. 11, 2018)

  • In advance of the hearing "Protecting Customer Proprietary Network Information in the Internet Age," EPIC urged Congress to protect the privacy of users of third-party apps, such as WhatsApp and Google Voice. The Telecommunications Act of 1996 protects the privacy of "CPNI" — phone numbers dialed, date and time of calls — but this safeguard does not cover internet-based calls. EPIC told Congress that CPNI privacy rules should apply to both telecommunications companies and Internet firms. In 2005, EPIC filed the original FCC petition to extend CPNI privacy protections. EPIC also proposed uniform privacy standards for telecommunications firms and information service providers in the 2016 FCC Privacy Order. (Jul. 10, 2018)

  • In advance of a hearing on "Examining Warrantless Smartphone Searches at the Border," EPIC has sent a statement to the Senate urging a warrant requirement for searches of electronic devices at the border. EPIC recently filed a Freedom of Information Act lawsuit against Immigration and Customs Enforcement for details of the agency's warrantless searches of mobile devices. ICE has contracts with Cellebrite to extract data from mobile devices, including personal data stored in cloud-based accounts, without judicial authority. Privacy complaints regarding the search of mobile devices at the border continue to increase. Senator Patrick Leahy (D-VT) and Senator Steve Daines (R-MT) have introduced S. 2386, legislation to restrict border searches of cellphones. EPIC Advisory Board member Professor Laura Donohue will testify at the hearing. (Jul. 10, 2018)

  • President Trump's nomination of Judge Brett M. Kavanaugh to the Supreme Court has raised concerns about the future of privacy and Constitutional protections against government surveillance. As a judge on the D.C. Circuit Court of Appeals, Kavanaugh upheld the warrantless, widespread, and suspicionless collection of call records of Americans. Kavanaugh, authoring an opinion where none was expected, wrote that the mass surveillance program "is entirely consistent with the Fourth Amendment." Kavanaugh further stated that even if the search triggered constitutional concerns, it "fit comfortably" in the special needs exception to the Fourth Amendment. "Critical national security need outweighs the impact on privacy occasioned by the program," wrote Kavanaugh. Congress subsequently determined that the data collection activity was overly broad and terminated the program. EPIC will ask the Senate Judiciary Committee to question Kavanaugh on a wide range of privacy, First Amendment, open government, and consumer protection issues. EPIC has submitted similar statements to the Judiciary Committee for the hearings on Justice Gorsuch, Justice Kagan, Justice Sotomayor, Justice Alito, and Chief Justice Roberts. (Jul. 10, 2018)

  • Members of the House Energy and Commerce Committee have sent letters to Apple CEO Tim Cook and Alphabet CEO Larry Page seeking information about the data collection capabilities of smartphones. Prompted by recent privacy scandals, the representatives asked Google and Apple whether their devices track users' location even when location services are disabled or record users' private conversations without a "trigger" word. The issue of smartphones and privacy has generated widespread attention following the Supreme Court's landmark ruling in Carpenter v. U.S. that the Fourth Amendment protects location records generated by mobile phones. EPIC recently advised Congress to strengthen privacy protections for mobile location data in response to the Supreme Court's ruling. (Jul. 10, 2018)

  • EPIC has filed an amicus brief with the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp, about the collection of a child's biometric data in violation of the Illinois Biometric Information Privacy Act. EPIC explained that the Illinois biometric law "imposes clear responsibilities on companies that collect biometric identifiers" and said the company had failed to comply with the state law. EPIC made clear that "collection is the threshold safeguard in privacy law" and if corresponding provisions are "not enforced, the statute’s subsequent provisions are of little consequence." EPIC first identified the risk of collecting biometric data from children entering amusement parks in a 2005 report "Theme Parks and Your Privacy." The state of Illinois adopted the nation's first biometric privacy law in 2008. EPIC has long advocated for strict limits on use of biometric data. EPIC also routinely submits amicus briefs, including in the recent OPM data breach case that concerned the breach of 5.1 million fingerprints, precisely the same biometric data at issue in this case. (Jul. 5, 2018)

  • EPIC and a coalition of civil society organizations urged the Council of Europe to include robust human rights protections in the proposed revision to the Convention on Cybercrime. Otherwise, the updates could enable "a race to the bottom for protection," the coalition warned. The groups opposed the CLOUD Act model for law enforcement access to data in foreign jurisdictions, calling instead for robust transparency and accountability requirements. The human rights groups also urged widespread ratification of the International Privacy Convention 108. EPIC and US consumer rights groups have long campaigned for United States ratification of Convention 108. (Jul. 5, 2018)

  • In comments to the Irish Data Protection Commission, EPIC proposed guidance for Data Protection Impact Assessments. The EU General Data Protection Regulation requires organizations to carefully assess the collection and use of personal data. EPIC explained that Data Protection Impact Assessments require the disclosure of the reason for the processing of personal data. EPIC also urged the Irish Privacy Commission to protect individuals against profiling and tracking by minimizing the collection of sensitive data. EPIC supports "Algorithmic Transparency" and brought FTC consumer complaints to promote accountability over secret algorithms. EPIC has also advised the UK Information Commissioner's Office on Data Protection Impact Assessments and GDPR implementation. (Jul. 5, 2018)

  • The European Parliament has called for the suspension of the "Privacy Shield" if the U.S. does not comply in full by September 1, 2018. The resolution states that the pact, which permits US companies to obtain the personal data of Europeans, does not protect privacy. The Parliament cited numerous problems, including the Cambridge Analytica breach of 87 million Facebook users' data, the reauthorization of FISA Section 702, the failure to appoint members to the PCLOB, and passage of the CLOUD Act, which permits US law enforcement agencies to access personal data stored in Europe. The vote of the full Parliament follows an earlier statement from the civil liberties "LIBE" committee. EPIC highlighted many of the same concerns in recent comments. EPIC also told the FTC that the Cambridge Analytica breach could have been prevented if the FTC had enforced its 2011 Consent Order with Facebook. The European Commission, the EU body in charge of the Shield, must now decide how to respond. (Jul. 5, 2018)

  • A report from the Senate Select Committee on Intelligence has confirmed the 2017 assessment from the Intelligence Community on Russian interference with the 2016 election. The Intelligence report stated "Russia's goals were to undermine public faith in the U.S. democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump." Senate Committee Chair Richard Burr (R-NC) said "the Committee has spent the last 16 months reviewing the sources, tradecraft and analytic work underpinning the Intelligence Community Assessment and sees no reason to dispute the conclusions." The Senate Report also stated, "the Committee's investigation has exposed a far more extensive Russian effort to manipulate social media outlets to sow discord and to interfere in the 2016 election and American society" than the Intelligence Community assessment reported. EPIC pursued a FOIA lawsuit, EPIC v. ODNI, to obtain public release of the complete Intelligence report. In 2017, EPIC launched a new project on Democracy and Cybersecurity to focus attention on new threats to democratic institutions. (Jul. 5, 2018)

  • In a petition to the Office of Science and Technology Policy, EPIC, leading scientific organizations, including AAAS, ACM and IEEE, and nearly 100 experts urged the White House to solicit public comments on artificial intelligence policy. The Open AI Policy petition follows a White House summit on "AI and American Industry" that was closed to the public and ignored issues such as privacy, accountability, and fairness. EPIC has filed a Freedom of Information Act request seeking records about the establishment of the Select Committee. In advance of a recent hearing on Artificial Intelligence, EPIC also told the House Science Committee that Congress must implement oversight mechanisms for the use of AI by federal agencies. In 2014, EPIC led a similar petition drive for a White House initiative on Big Data. (Jul. 3, 2018)

  • The FTC announced today that it settled charges with ReadyTech, a California company, for misrepresenting compliance with Privacy Shield, a self-certification arrangement that allows US companies to obtain the personal data of Europeans. The FTC settlement prohibits the company from making future misrepresentations about Privacy Shield compliance, but imposes no penalties and provides no remedy to European consumers whose personal data was wrongfully obtained. Last year, the FTC settled charges with three companies that misrepresented their participation in Privacy Shield, but similarly failed to impose penalties. The European Parliament's Civil Liberties Committee ("LIBE") recently passed a resolution stating that Privacy Shield does not protect European consumers, and called for its suspension if the U.S. does not comply by September 1, 2018. LIBE specifically called attention to the Cambridge Analytica breach of 87 million Facebook users. In March, EPIC told the FTC that the Cambridge Analytica breach could have been prevented if the FTC had enforced its 2011 Consent Order with Facebook. (Jul. 2, 2018)

  • Late Friday afternoon, Facebook submitted over 700 pages of responses to questions from members of Congress following Mark Zuckerberg's testimony in April. Facebook has now admitted that it provided developers and device makers access to personal data despite publicly stating that it had discontinued the practice. In April EPIC submitted a detailed letter to Congress, explaining that the Cambridge Analytica breach could have been avoided if the FTC had enforced the 2011 Consent Order. That Consent Order was the result of extensive complaints EPIC and consumer organizations filed with the FTC in 2009 and 2010. In March, the Acting Director of the FTC stated "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook." In a recent memo, FTC Commissioner Rohit Chopra stated that "FTC orders are not suggestions." (Jul. 2, 2018)

  • In comments to the National Institute of Standards and Technology, EPIC backed NIST's efforts to coordinate "lightweight" crypto standards. EPIC took no position on the specific proposal, but expressed support for the NIST standard-setting process. EPIC said, "NIST's expertise in cryptography, its authority to accept public comment, and its ability to bring together leading experts to evaluate proposals is critical to the adoption of trustworthy computer standards in the United States and around the world." EPIC helped establish the freedom to use encryption in the United States with the "Clipper Chip" petition and has pursued many efforts to safeguard this right. Last week, EPIC advised NIST to revise the Risk Management Framework to make clear that federal agencies are required to conduct privacy impact assessments. (Jun. 29, 2018)

  • EPIC advised the FCC on how to interpret the Telephone Communications Protection Act to best protect consumers in light of the recent decision in ACA Int'l v. FCC. EPIC filed a friend of the court brief in that case arguing that consumers could revoke consent by any "reasonable means." The court agreed but vacated other aspects of the rule. Many industry groups urged the Commission to make a rule that if "any" human intervention is involved in the dialing or sorting of the list of numbers, a calling system would not be considered an "automatic telephone dialing system." EPIC opposed that recommendation, explaining that such a definition would allow autodialers to use deceptive tactics to evade regulation. EPIC contributed to the development of the Telephone Communications Protection Act and regularly submits comments to the FCC. (Jun. 29, 2018)

  • EPIC has submitted comments to the UK Data Protection Authority on implementation of the General Data Protection Regulation. EPIC urged the UK privacy agency to (1) promote transparency of enforcement proceedings, (2) increase scrutiny of mergers concerning personal data, and (3) encourage cooperation with the US FTC. EPIC said that international cooperation is necessary to hold companies accountable. Yesterday, EPIC and several consumer groups urged the FTC to investigate Facebook and Google's deceptive consent practices that violate both US and UK law. Last year, EPIC made similar recommendations on the FTC 2018-2022 Strategic Plan. (Jun. 28, 2018)

  • The State of California has enacted the California Consumer Privacy Act of 2018, the most comprehensive consumer privacy state law ever enacted in the United States. The Act will establish the right of residents of California to know what personal information about them is being collected; to know whether their information is sold or disclosed and to whom; to limit the sale of personal information to others; to access their information held by others; and to obtain equal service and price, even if they exercise their privacy rights. The Act will allow individuals to delete their data and it will establish opt-in consent for those under 16. The Consumer Privacy Act provides for enforcement by the Attorney General, a private right of action, and will establish a Consumer Privacy Fund to support the purposes of the Act. The California Consumer Privacy Act of 2018 follows a California ballot initiative that gathered over 600,000 signatures. After the Equifax data breach, EPIC testified in the U.S. Senate that comprehensive privacy legislation was long overdue. The EPIC State Policy Project also provides expertise to the states to help shape strong privacy laws. (Jun. 28, 2018)

  • The White House's Select Committee on Artificial Intelligence held its first meeting this week but the public was not invited. The Select Committee was announced last month at the White House Summit on Artificial Intelligence for American Industry which was also closed to public participation. According to the Summit report, many of the critical issues in the AI field, including "fairness," "transparency," and "accountability," were never mentioned. EPIC has filed a Freedom of Information Act request seeking records about the establishment of the Select Committee. In advance of a hearing this week on Artificial Intelligence, EPIC told the House Science Committee that Congress must implement oversight mechanisms for the use of AI by federal agencies and ensure that the White House Select Committee is open to public participation. (Jun. 28, 2018)

  • A federal court in Washington, DC has ruled that the Presidential Election Commission must release a large volume of records detailing its activities from last year. The ruling, in a case brought by Maine Secretary of State and EPIC Champion of Freedom Matthew Dunlap, requires the Commission to disclose all "relevant documents that any of the former commissioners generated or received." After the court ordered the Commission to release the same records in December, the President abruptly disbanded the Commission. EPIC brought the lead case against the Commission, forcing it to suspend the collection of voter data, discontinue the use of an unsafe computer server, and delete the voter information that was unlawfully obtained. EPIC is continuing to pursue its case on appeal and will ask the Supreme Court to grant review. (Jun. 28, 2018)

  • EPIC has filed an amicus brief with the Ninth Circuit Court of Appeals in In re: Facebook, Inc. Internet Tracking Litigation. At issue is whether Facebook violated the privacy rights of users by tracking their web browsing even after they logged out of the platform. EPIC explained that cookies "no longer serve the interests of users" and instead "tag, track, and monitor users across the Internet." EPIC said a lower court wrongly concluded that users should develop countermeasures to assert their privacy rights. EPIC responded that it would be absurd to expect users to compete in a "technical arms race" when "Facebook's tracking techniques are designed to escape detection and the company routinely ignores users' privacy protections." EPIC first identified the privacy risks of cookie tracking in a 1997 report "Surfer Beware: Personal Privacy and the Internet." EPIC frequently participates as amicus curiae in consumer privacy cases, including hiQ Labs v. LinkedIn and Eichenberger v. ESPN. (Jun. 27, 2018)

  • The Federal Election Commission is holding a two-day hearing to hear expert testimony on the agency's proposed rule governing disclosures for political ads on the Internet. Christine Bannan, EPIC Administrative Law and Policy Fellow, will testify on the second day of the hearing. EPIC submitted multiple comments to the FEC urging the agency to promulgate rules that would require online political ads to disclose funders as is required for traditional media ads. EPIC proposed the FEC adopt "algorithmic transparency" procedures that would require advertisers to disclose the demographic factors behind targeted political ads, as well as the source and payment, and maintain a public directory of advertiser data. EPIC's Project on Democracy and Cybersecurity, established after the 2016 presidential election, seeks to safeguard democratic institutions from various forms of cyber attack. (Jun. 27, 2018)

  • EPIC and a coalition of consumer organizations sent a letter to the FTC about recent tactics by Facebook and Google to trick users into disclosing personal data. "We urge you to investigate the misleading and manipulative tactics of the dominant digital platforms in the United States, which steer users to 'consent' to privacy-invasive default settings," the letter states. The letter highlights a report by the Norwegian Consumer Council entitled "Deceived by Design," which details how companies employ numerous tricks and tactics to nudge users into selecting the least privacy-friendly options. EPIC and consumer privacy organizations previously filed complaints with the FTC when Facebook undermined users' privacy settings and Google automatically opted users into Google Buzz. In both cases, the FTC determined that the companies had engaged in "unfair and deceptive trade practices." Both Facebook and Google settled with the FTC and were then subject to 20-year consent orders that were intended to prevent the companies from engaging in similar practices in the future. (Jun. 27, 2018)

  • In advance of a hearing on “Bolstering Data Privacy and Mobile Security,” EPIC has told the House Science Committee that Congress should apply a heightened “super warrant” standard to “StingRays,” a technique for tracking cell phone users. After an EPIC FOIA lawsuit revealed that the FBI was using stingrays without a warrant, the Bureau changed its practices. EPIC filed amicus briefs in U.S. v. Jones and Carpenter v. U.S., two recent Supreme Court cases, arguing that a warrant is required to obtain location information. In a landmark ruling last week, the Supreme Court held that the Fourth Amendment protects location records generated by mobile phones. As a consequence, EPIC said, Congress should update federal privacy law. (Jun. 27, 2018)

  • In response to an EPIC Freedom of Information Act lawsuit, the Federal Trade Commission today released materials, previously withheld, from the biennial Facebook audits. The audits were required by the FTC's 2011 Consent Order with Facebook. Heavily redacted versions of those audits were previously available on the FTC's website. But in March, following the Cambridge Analytica breach, EPIC filed an urgent FOIA request for the complete 2013, 2015, and 2017 Facebook audits. (The 2017 audit covers the period of the Cambridge Analytica breach.) In a detailed letter to Congress in April, EPIC explained that the FTC failed to review the reports and failed to enforce the 2011 consent order against Facebook. The documents released today to EPIC contain information that was not previously available to the public. EPIC is currently reviewing the documents obtained from the FTC. (Jun. 26, 2018)

  • EPIC has submitted a Freedom of Information Act request to the General Services Administration about the White House's Select Committee on Artificial Intelligence. The Select Committee will advise the President and coordinate AI policies among executive branch agencies. The Select Committee charter states that it may receive advice from private sector groups, but it does not state whether the public will participate in the committee's activities. EPIC is seeking records from the GSA to determine whether the Committee intends to comply with federal open meeting obligations. EPIC has previously told Congress that the Select Committee should be open to public comment. (Jun. 26, 2018)

  • In advance of a hearing on "Artificial Intelligence - With Great Power Comes Great Responsibility," EPIC told the House Science Committee that Congress must implement oversight mechanisms for the use of AI. EPIC said that Congress should require algorithmic transparency, particularly for government systems that involve the processing of personal data. EPIC said that Congress should amend the E-Government Act to require disclosure of the "logic" of algorithms that profile individuals. EPIC also said that the White House Select Committee on Artificial Intelligence should be open to public comment. EPIC has pursued several criminal justice FOIA cases, and FTC consumer complaints to promote transparency and accountability. In 2015, EPIC launched an international campaign for Algorithmic Transparency. (Jun. 25, 2018)

  • In a landmark ruling, the U.S. Supreme Court held that the Fourth Amendment protects location records generated by mobile phones. The government in Carpenter v. United States had obtained more than 6 months of location records without a warrant. EPIC filed a "friend-of-the-court" brief in Carpenter, signed by thirty-six technical experts and legal scholars, urging the Court to recognize that the "world has changed since Smith v. Maryland" was decided. EPIC argued that "Cell phones are now as necessary to the life of Americans as they are ubiquitous" and that users expect their location data will remain private. The Court agreed, in a decision by the Chief Justice, emphasizing the importance of protecting privacy as technology advances: "As technology has enhanced the Government's capacity to encroach upon areas normally guarded from inquisitive eyes, this Court has sought to 'assure[ ] preservation of that degree of privacy against government that existed when the Fourth Amendment was adopted.'" The Court held that "an individual maintains a legitimate expectation of privacy in the record of his physical movements as captured through" a cell phone. Dissenting opinions were filed by Justices Kennedy, Thomas, Alito, and Gorsuch. (Jun. 22, 2018)

  • FTC Chairman Joe Simons announced today that the FTC will hold a series of public hearings this fall on how to safeguard consumer protection and competition in light of economic and technological developments. "The hearings may identify areas for enforcement and policy guidance, including improvements to the agency's investigation and law enforcement processes, as well as areas that warrant additional study," said the FTC. The hearings will focus on several topics, including "the intersection between privacy, big data, and competition" and "the use of algorithmic decision tools, artificial intelligence, and predictive analytics." The FTC is requesting public comment in advance of the hearings. This will be the first time the FTC has reexamined its approach to consumer protection and competition since the FTC's 1995 hearings on "Global Competition and Innovation." EPIC participated in those hearings and helped the FTC develop authority to address emerging privacy issues. More recently, EPIC has put forward "10 Recommendations" for how the FTC can protect consumers, promote competition, and encourage innovation. (Jun. 20, 2018)

  • In a Senate Commerce Committee hearing today on Facebook and data privacy, former FTC CTO Ashkan Soltani stated that Facebook violated the 2011 FTC Consent Order by transferring personal data to Cambridge Analytica and device makers contrary to user privacy expectations. Soltani said that Facebook continued to misrepresent the extent to which users could control their privacy settings and allowed device makers to override users' privacy settings. Senator Blumenthal and other members of Congress had previously said the company violated the Consent Order, which was the result of complaints filed by EPIC in 2009 and 2010. In a statement to the Committee in advance of the hearing, EPIC urged the Senate to focus on the FTC's failure to enforce the Consent Order with Facebook. (Jun. 19, 2018)

  • The D.C. Circuit has scheduled oral argument in EPIC v. IRS, EPIC's Freedom of Information Act case to obtain public release of President Trump's tax returns. The Court will hear the case on Thursday, September 13, 2018. EPIC has argued that the IRS has the authority to disclose the President's returns to correct numerous misstatements of fact concerning his financial ties to Russia. For example, President Trump tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim "plainly contradicted by his own attorneys, family members, and business partners." As EPIC told the Court, "there has never been a more compelling FOIA request presented to the IRS." A broad majority of the American public favor the release of the President's tax returns. EPIC v. IRS is one of several FOIA cases EPIC is pursuing concerning Russian interference in the 2016 Presidential election, including EPIC v. FBI (response to Russian cyber attack) and EPIC v. DHS (election cybersecurity). (Jun. 19, 2018)

  • The D.C. Circuit ruled today in EPIC v. FAA that EPIC lacked standing to compel the FAA to establish privacy rules for commercial drones. In 2012 EPIC, backed by more than one hundred organizations and privacy experts, petitioned the agency to establish privacy safeguards for drones. EPIC also cited a 2012 law requiring the FAA to develop a "comprehensive plan" for drone deployment. EPIC subsequently filed suit against the FAA, challenging the 2016 rule authorizing commercial drone operations without any privacy safeguards. Today the D.C. Circuit declined to reach the merits of EPIC's challenge, finding that neither EPIC nor its members had established an "injury" caused by the FAA rule. EPIC will continue to push for the establishment of drone privacy safeguards at the FAA. The drone privacy case is EPIC v. FAA, No. 16-1297 (D.C. Cir.). (Jun. 19, 2018)

  • EPIC has sent a statement to the Senate Commerce Committee outlining the FTC's failure to enforce the 2011 Consent Order with Facebook. The statement from EPIC is for a hearing on "Cambridge Analytica and Other Facebook Partners: Examining Data Privacy Risks." In 2009, EPIC and several consumer groups pursued a complaint, containing detailed evidence, legal theories, and proposed remedies to address growing concerns about Facebook's data practices. The FTC established a Consent Order in 2011, but failed to enforce the Order even after EPIC sued the agency in a related matter. In the statement to the Senate this week, EPIC contends that the FTC could have prevented the Cambridge Analytica debacle and Facebook's secret arrangements with device makers if the agency enforced the 2011 Order. (Jun. 19, 2018)

  • EPIC has submitted an urgent Freedom of Information Act request to the Department of Homeland Security seeking the Privacy Impact Assessment for the "Homeland Advanced Recognition Technology," a proposed system that will integrate biometric identifiers across the federal government. HART would replace IDENT, which now contains biometric records on over 220 million unique individuals. In 2015 a breach at the Office of Personnel Management compromised 22 m records, including 5 m digitized fingerprints. It appears that Homeland Security failed to complete the Privacy Assessment prior to launching HART. By law, a federal agency is required to conduct a Privacy Impact Assessment before procuring information technology that stores personally identifiable information. In EPIC v. Presidential Election Commission, EPIC challenged the failure of the Commission to undertake a Privacy Impact Assessment prior to the collection of state voter data. The Commission was shuttered earlier this year. (Jun. 18, 2018)

  • EPIC has sent a statement to the Senate Judiciary Committee ahead of Monday's hearing "Examining the Inspector General’s First Report on Justice Department and FBI Actions in Advance of the 2016 Presidential Election." EPIC urged the Committee to explore the FBI's ability to respond to future cyberattacks. According to documents obtained by EPIC, the FBI is to notify victims of cyberattacks "even when it may interfere with another investigation or (intelligence) operation." But an AP investigation found that the FBI failed to notify hundreds of officials whose email was hacked during the 2016 election. EPIC obtained the FBI's Victim Notification Procedures through a Freedom of Information Act lawsuit, EPIC v. FBI. Last month, a federal court ruled that the agency may withhold records still sought by EPIC but said that lawmakers should pursue threats to democratic institutions described in the EPIC lawsuit. (Jun. 15, 2018)

  • EPIC submitted comments to the Consumer Product Safety Commission, urging the agency to regulate the privacy and security of Internet of Things devices. EPIC advised the Commission to require IoT manufacturers to (1) minimize data collection, (2) conduct privacy impact assessments, and (3) implement Privacy Enhancing Techniques (“PETs”). EPIC recently told Congress that “CPSC should establish mandatory privacy and security standards, and require certification to these standards before IoT devices are allowed into the market stream.” EPIC has also called out the CPSC for its reluctance to address the privacy and security challenges of IoT. In the statement to Congress, EPIC described the increasing risks to American consumers. (Jun. 15, 2018)

  • EPIC has submitted a statement to the House Energy & Commerce Committee regarding today's hearing on "Understanding the Digital Advertising Ecosystem." EPIC told the Committee "The 'Digital Advertising Ecosystem' today is not healthy. Two companies dominate the market. The privacy of Internet users is under assault. The revenue model that sustained journalism is broken. The ad platforms are manipulated by foreign adversaries. Secrecy and complexity are increasing as accountability is diminished. It would be foolish to imagine that the current model is sustainable." In 2000, EPIC opposed DoubleClick's acquisition of Abacus. In 2007, EPIC told the FTC that Google's proposed acquisition of DoubleClick would lead to consumers being tracked and profiled by advertisers across the web. (Jun. 14, 2018)

  • Apple announced two measures to strengthen the privacy and security of its devices: it will close a loophole that allowed law enforcement to access devices and it will prevent apps from secretly selling contact lists. In 2016, Apple refused a demand by the FBI to build backdoor access to iPhones to allow the FBI to unlock the phone of a criminal suspect. The FBI sued Apple, and EPIC filed an amicus brief in support of Apple, arguing that the FBI's demand "places at risk millions of cell phone users across the United States." The FBI eventually dropped the case. In a privacy complaint to the FTC, EPIC also opposed Google's plan to launch "Buzz," a social networking service, with private address book information. Google later backed off the plan and shuttered Buzz. In 2015, EPIC gave the Champion of Freedom Award to Apple CEO, Tim Cook, for his work protecting privacy and promoting encryption. (Jun. 14, 2018)

  • EPIC advised the FCC on how to interpret the Telephone Communications Protection Act to best protect consumers in light of a recent decision in ACA Int'l v. FCC. EPIC filed a friend of the court brief in that case arguing that consumers could revoke consent by any "reasonable means." The court agreed but vacated other aspects of the rule. EPIC's comments argue that the FCC should require callers to meet three conditions to simplify the revocation of consent: (1) inform consumers of their right to revoke, (2) provide a simple means of revocation, and (3) comply in a timely manner. EPIC contributed to the development of the Telephone Communications Protection Act and regularly submits comments to the FCC. (Jun. 13, 2018)

  • As the Senate Committee on Homeland Security and Government Affairs considers S. 2836, the Preventing Emerging Threats Act of 2018: Countering Malicious Drones, EPIC has sent a statement to the Committee urging that action on the bill be suspended until DHS and other federal agencies establish and publish drone privacy procedures as required by a 2015 Presidential Memorandum. EPIC has brought a series of open government cases against the DHS and the Department of Defense to determine the use of drones by the federal government in the United States. EPIC's cases have determined that drones operated by the DHS intercept private communications, conduct human identification at a distance, and may include military payloads. (Jun. 13, 2018)

  • EPIC sent a statement to the Senate Commerce Committee in advance of a hearing on the NTIA, a key technology policy agency. EPIC warned that "American consumers face unprecedented privacy and security threats," citing both data breaches and "always on" devices that record users' private conversations. EPIC said that Congress and the NTIA should establish protections that minimize the collection of personal data and promote security for Internet-connected devices. EPIC urged Congress and the NTIA to work together to update U.S. privacy laws and establish a data protection agency. EPIC has testified before Congress, litigated cases, and filed complaints with the FTC regarding connected cars, "smart homes," consumer products, and "always on" devices. (Jun. 12, 2018)

  • Members of the European Parliament are calling for the suspension of the EU-U.S. Privacy Shield if the U.S. does not comply in full by September 1, 2018. The Civil Liberties Committee ("LIBE") passed a resolution stating that the pact, which permits the flow of European consumers' personal data to the U.S., does not adequately protect privacy. LIBE urged US authorities to respond without delay to the Cambridge Analytica breach of 87 million Facebook users. The groups also expressed "strong concerns" about the CLOUD Act which permits US law enforcement to unilaterally access personal data stored in Europe. EPIC recently told the FTC that the Cambridge Analytica breach could have been avoided had the agency enforced a 2011 Consent Order that EPIC and a coalition of consumer privacy groups obtained. (Jun. 12, 2018)

  • Through a Freedom of Information Act request, EPIC has obtained documents (part 1, part 2, part 3, part 4) considered by Commerce Secretary Wilbur Ross to add a citizenship question to the 2020 Census. Following a request from the Department of Justice, the Census Bureau announced that it would ask about citizenship status for the first time in over 50 years. The documents obtained by EPIC, and others who made similar requests, reflect the varying opinions from lawmakers, scientists, and immigration groups about the proposal. The documents also reveal that Kris Kobach, former Vice Chair of the now-defunct Presidential Advisory Commission on Election Integrity, urged Secretary Ross "on the direction of Steve Bannon" to add the citizenship question. According to an analysis conducted by the Census Bureau, the impact of asking about citizenship would be "very costly, harms the quality of the census count, and would use substantially less accurate citizenship data than are available" from other government resources. In a FOIA case against DHS, EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to the Department of Homeland Security after 9-11. As a consequence, the Census Bureau revised its policy on sharing statistical information about "sensitive populations" with law enforcement or intelligence agencies. (Jun. 11, 2018)

  • In advance of a hearing on the 2020 Census, EPIC told Congress to consider the privacy issues arising from potential misuse of Census data. After the Department of Commerce announced that the 2020 Census will include a question on citizenship status, many have expressed concerns about the confidentiality of the data collected. EPIC told Representatives: "your committee should ensure that the data collected by the federal government is not misused." The census raises significant privacy risks and has been used to discriminate. EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to the Department of Homeland Security after 9-11. As a consequence, the Census Bureau revised its policy on disclosing statistical information about "sensitive populations" to law enforcement or intelligence agencies. Customs and Border Protection also changed its policy on requesting "information of a sensitive nature from the Census Bureau." (Jun. 8, 2018)

  • The Court of Appeals for the Eleventh Circuit has vacated an administrative order by the Federal Trade Commission, which required the medical testing company LabMD to implement "reasonable" data security measures, finding that the order was not specific enough to be enforceable. The court explained that the FTC can require companies to implement data security measures as long as it provides specific guidance. EPIC has repeatedly urged the FTC to mandate specific data security requirements in consumer privacy settlements, including in comments on recent settlements with Uber and PayPal. EPIC also submitted an amicus brief in FTC v. Wyndham, a case in which the Third Circuit Court of Appeals upheld the FTC's authority to enforce data security standards. (Jun. 7, 2018)

  • At the National Press Club in Washington, DC, EPIC presented the 2018 Champions of Freedom Awards to Maine Secretary of State Matthew Dunlap and California Secretary of State Alex Padilla for their defense of the privacy of state voter records. Secretary Dunlap and Secretary Padilla successfully opposed the efforts of the Presidential Advisory Commission on Election Integrity to obtain voter data on state residents. The inscription on the award read "Guardian of privacy and democratic institutions." Dr. Peter Neumann received the 2018 EPIC Lifetime Achievement Award for his work on computer-related risk. Dr. Stephanie Perrin received the 2018 EPIC Privacy Champion Award for her work on WHOIS privacy. The EPIC Champion of Freedom Awards are presented annually to individuals who defend democratic values with courage and integrity. Previous recipients include Senator Patrick Leahy, Judge Pat Wald, Tim Cook, and Garry Kasparov. The EPIC awards event was preceded by a policy panel on the GDPR with FTC Commissioner Rohit Chopra and leading experts in data protection and privacy law. (Jun. 7, 2018)

  • Facebook had secret arrangements with at least 60 device makers granting them access to users' personal data, according to a report by the New York Times. Facebook overrode users' privacy settings to allow companies to access sensitive information that users had explicitly set to private. These arrangements directly contradict Facebook's previous statements that it cut off third party access to user data in 2015. Facebook is already under FTC investigation for violating a 2011 Consent Order that EPIC and consumer privacy organizations obtained. The Order bars Facebook from disclosing data to third parties without explicit consent. EPIC recently urged the FTC to enforce the Consent Order following revelations that Facebook allowed Cambridge Analytica to access the data of 87 million users. In a recent memo, FTC Commissioner Rohit Chopra stated that "FTC orders are not suggestions." (Jun. 5, 2018)

  • EPIC and a coalition of twenty organizations called for the Department of Justice Inspector General to investigate the FBI's "grossly inflated" statistic of encrypted devices inaccessible to law enforcement in 2017. The Washington Post reported that the FBI repeatedly stated it was locked out of 7,800 devices, but subsequent review suggested the actual number is about 1,200. The coalition wrote to the IG asking him to investigate the error, why DOJ officials used the data point after it was discovered to be incorrect, and what measures were taken to inform Congress and the public of the FBI's miscalculation. EPIC President Marc Rotenberg previously told POLITICO that the revelation was "a very serious matter" that "calls into question" the FBI's other statements about "the scope of electronic surveillance in the United States." (Jun. 5, 2018)

  • EPIC has filed an amicus brief in a case about whether a dating app should be liable for failing to remove false profiles, including name and likeness, that posed a danger to personal safety. In Herrick v. Grindr, LLC, EPIC told the Second Circuit Court of Appeals that Section 230, a provision in the Communication Decency Act, was intended to "encourage internet service providers to police their platforms," not to "give platforms carte blanche to ignore harassment and abuse." EPIC emphasized that a lower court opinion "would not advance the speech-promoting policy of the statute." EPIC explained that victims may be subjected to ongoing "psychological, social, and financial harm" if Internet services are not accountable for harassment and abuse. EPIC frequently participates as amicus curiae in cases concerning emerging privacy and civil liberties issues, including hiQ Labs v. LinkedIn and Eichenberger v. ESPN. (Jun. 1, 2018)

  • In 2011, EPIC uncovered the first government program to monitor social media. EPIC v. DHS revealed that a government agency was tracking posts on social media to identify critics of government. Today EPIC released a new report on the recent developments in government media monitoring. The report follows a case filed by EPIC this week concerning a new DHS program for "Media Monitoring Services." The report explores different media monitoring systems and points to the absence of effective controls. EPIC's Spotlight on Surveillance also highlights the privacy and civil liberties risks, including chilling free speech, discrimination, unreliability, and misattribution. EPIC's Spotlight on Surveillance project explores the privacy and civil liberties implications of surveillance programs in the United States. EPIC has previously released reports on drones, the FBI's Next Generation Identification program, and "enhanced" driver's licenses. (Jun. 1, 2018)

  • EPIC and a coalition of privacy and civil liberties groups urged the Office of the Director of National Intelligence to abide by the transparency requirements of the USA FREEDOM Act. The Act ended the NSA's bulk collection of domestic call detail information. The Act also requires the public reporting of the number of unique identifiers gathered under the Foreign Intelligence Surveillance Act. A related letter to the House Judiciary Committee urged the Committee to oversee the reporting requirement. In 2012, EPIC testified before Congress on the need for better reporting on the use of FISA authorities. Several of EPIC's recommendations were incorporated in the USA FREEDOM Act. (May. 31, 2018)

  • EPIC has filed a Freedom of Information Act lawsuit to obtain a Privacy Impact Assessment for "Media Monitoring Services," a controversial new database proposed by the Department of Homeland Security. In April, the DHS announced a system to track journalists and "media influencers" and to monitor hundreds of thousands of news outlets and social media accounts. Although the system is designed to monitor journalists, the federal agency failed to conduct a Privacy Impact Assessment as required by law. EPIC submitted a request for the Assessment but the agency did not respond. EPIC has successfully obtained several Privacy Impact Assessments, including a related media tracking system (EPIC v. DHS) and for facial recognition technology (EPIC v. FBI). In EPIC v. Presidential Election Commission, EPIC challenged the Commission's failure to publish a Privacy Impact Assessment prior to collection of state voter data. (May. 31, 2018)

  • EPIC has obtained records under the Freedom of Information Act showing that the Department of Homeland Security communicated frequently with the Presidential Election Commission after EPIC filed a lawsuit to block the Commission's efforts to obtain state voter data. The documents show that DHS officials had numerous communications with Commission staff beginning in June 2017. The records obtained by EPIC also reveal that Kirstjen Nielsen, now the DHS Secretary, worried that the Commission's voter data grab would "disrupt critical efforts DHS is leading to work with state and local officials" on election cybersecurity. After EPIC brought suit in July, the Commission suspended the data collection program, discontinued the use of an unsafe computer server, and deleted voter information that was illegally obtained. The Commission was ultimately shut down in January 2018. (May. 31, 2018)

  • EPIC, the Brennan Center and 55 privacy, civil liberties, and civil rights organizations submitted comments opposing the State Department's plan to collect social media identifiers from individuals applying for visas. The coalition warned that the proposal would "undermine First Amendment rights of speech, expression, and association." Social media monitoring raises serious privacy and civil liberties issues. EPIC previously opposed the State Department's expansion of social media collection as well as a similar proposal by the Department of Homeland Security. In EPIC v. DHS, a 2011 Freedom of Information Act case, EPIC uncovered the first agency plan to monitor social media. (May. 30, 2018)

  • "Alexa" secretly recorded the private conversation of a Portland woman and sent it to one of her contacts, according to a news report. The Federal Wiretap Act makes it a crime to intentionally intercept a private communication. In 2015, EPIC urged the Federal Trade Commission and the Department of Justice to investigate whether "always on" smart home devices violated federal wiretap law. EPIC recently warned the Consumer Product Safety Commission that the Google Home Mini continuously records users' private conversations because of a product defect. And EPIC recently testified before the CPSC on the need to regulate privacy and security hazards posed by Internet of Things devices. (May. 24, 2018)

  • EPIC submitted comments on the Federal Election Commission's (FEC) proposed rules for political ads on the internet. The FEC proposed two alternative rules, one which would hold internet companies to the same standard as traditional media companies and one which would make exceptions for online ads. EPIC stated: "FEC rules should be technology-neutral and consistent across media platforms." EPIC also recommended that the FEC adopt algorithmic transparency rules, which would require advertisers to disclose the demographic factors behind targeted political ads, as well as the source and payment, and maintain a public directory of advertiser data. EPIC's Project on Democracy and Cybersecurity, established after the 2016 presidential election, seeks to safeguard democratic institutions from various forms of cyber attack. (May. 24, 2018)

  • Transatlantic Consumer Dialogue (TACD), a coalition of US and European consumer groups, has written to ninety-five major internet companies, including Amazon and Google, seeking compliance with the EU General Data Protection Regulation (GDPR) as a baseline standard for all users worldwide. TACD wrote, "Strong privacy standards should apply to everyone who uses online platforms and services no matter where they live." The letter states that "European regulation provides a solid foundation for data protection, establishing clear responsibilities for companies that collect personal data and clear rights for people whose data is gathered." Following an earlier TACD letter and questions from Congress, Mark Zuckerberg said Facebook would apply GDPR protections in all jurisdictions. The TransAtlantic Consumer Dialogue was established in 1998 and works to promote the consumer interest in EU and US policy making. (May. 24, 2018)

  • According to the Washington Post, the FBI "provided grossly inflated statistics to Congress and the public" about the number of encrypted cellphones inaccessible to law enforcement. The FBI stated it was locked out of 7,800 devices, but a subsequent review suggested the actual number is about 1,200. EPIC President Marc Rotenberg told POLITICO that the revelation was "a very serious matter" that "calls into question" the FBI's other statements about "the scope of electronic surveillance in the United States." According to the federal wiretap reports, in 2016 a total of 68 federal wiretaps were reported as being encrypted, of which 53 could not be decrypted. In a 2016 debate before the American Bar Association, former FBI Director James Comey said the FBI was locked out of about 650 phones. Rotenberg countered that 3.1 million phones were stolen or lost in a year and subject to misuse without strong encryption. (May. 23, 2018)

  • Senator Edward Markey (D-MA) and Congressman Joe Barton (TX-06), along with Senator Richard Blumenthal (D-CT) and Congressman Bobby L. Rush (IL-01), have reintroduced the Do Not Track Kids Act, a bill that would strengthen the Children's Online Privacy Protection Act (COPPA) by extending its protections to children under 15 and creating an "Eraser Button" that would allow parents and children to delete publicly available personal information. The bill would also prohibit targeted advertising to children, mandate data security standards for internet-connected devices sold to children, and establish a "Digital Marketing Bill of Rights for Minors" that would limit the collection of children's personal information, including geolocation information. EPIC recently warned the Federal Trade Commission not to weaken existing rules under COPPA that safeguard children's privacy. EPIC and a coalition of consumer groups have also urged the FTC to stop companies from selling dangerous, internet-connected "toys that spy". (May. 23, 2018)

  • The 12th international conference on Computers, Privacy and Data Protection will take place in Brussels, January 30 to February 1, 2019. The theme of the conference is "Data Protection and Democracy." CPDP is seeking panel proposals from academic consortia, research projects, think tanks and other research organizations. The deadline is June 21, 2018. CPDP2018 offered 85 panel sessions with 420 international speakers from academia, public and private sectors and civil society. More than 1,000 people from 55 countries attended CPDP2018. EPIC is an event sponsor of CPDP and will present the 2019 International Champion of Freedom Award on January 30, 2019. (May. 23, 2018)

  • EPIC has urged the Federal Trade Commission to act on a Complaint EPIC previously filed with the FTC about the secret scoring of young tennis players. The EPIC complaint concerns the "Universal Tennis Rating," a proprietary algorithm used to assign numeric scores to tennis players, many of whom are children under 13. According to EPIC, "the UTR score defines the status of young athletes in all tennis-related activity; impacts opportunities for scholarship, education and employment; and may in the future provide the basis for 'social scoring' and government rating of citizens." EPIC pointed to objective, provable, and transparent rating systems such as ELO as far preferable. EPIC has championed "Algorithmic Transparency" as a fundamental human right. Earlier this month, the Council of Europe adopted the modernized Privacy Convention that establishes a legal right for individuals to obtain "knowledge of the reasoning" for the processing of personal data. (May. 23, 2018)

  • After EPIC obtained the FBI cyberattack victim notification procedures in the Freedom of Information Act lawsuit EPIC v. FBI, a D.C. federal court has ruled that the agency may withhold remaining records explaining the FBI's response to the Russian interference in the 2016 election. EPIC had argued that the FBI had failed to demonstrate that releasing records of the agency's response to cyberattacks would interfere with its investigation of the Russian interference. The "Victim Notification Procedures" obtained by EPIC led to an Associated Press investigation which found that the FBI did not follow the Procedures and failed to notify U.S. officials that their email accounts were compromised. EPIC is currently pursuing related FOIA cases about Russian interference in the 2016 election, including EPIC v. IRS (Release of Trump Tax Returns) and EPIC v. DHS (election cybersecurity). (May. 23, 2018)

  • In advance of a hearing on the Internet of Things (IoT), EPIC wrote to Congress on the need for privacy and security regulations for IoT consumer products. EPIC explained that regulation is necessary "because neither the manufacturers nor the owners of those devices have incentive to fix weak security." EPIC has called upon the Consumer Product Safety Commission to regulate IoT products, saying that the privacy and security of IoT devices, such as Internet-connected door locks and thermostats, are critical concerns for American consumers. Last week, EPIC testified before the Safety Commission on IoT hazards and promoted baseline standards to protect consumer safety. EPIC previously testified before Congress on the "Internet of Cars." (May. 22, 2018)

  • EPIC has filed a "friend of the court" brief, joined by forty-four technical experts and legal scholars (members of the EPIC Advisory Board), in the OPM Data Breach case. The case concerns the data breach at the US Office of Personnel and Management in 2015 that affected 22 million federal employees, their friends, and family members. In the brief to the federal appeals court, EPIC said that "when personal data is collected by a government agency, that agency has a constitutional obligation to protect the personal data it has obtained." In a 2011 case NASA v. Nelson, EPIC urged the Supreme Court to limit data collection by federal agencies, citing the growing risk of data breach in the federal government. (May. 18, 2018)

  • The Council of Europe has updated Convention 108, the first international treaty for privacy and data protection. Among other changes, the amending protocol requires prompt data breach notification, establishes national supervisory authorities to ensure compliance, permits transfers abroad only when personal data is sufficiently protected, and provides new user rights including algorithmic transparency. EPIC and consumer coalitions have urged the United States to ratify the International Privacy Convention. The complete text of the Privacy Convention is contained in the Privacy Law Sourcebook, available at the EPIC Bookstore. (May. 18, 2018)

  • EPIC has urged the Federal Trade Commission to act on a Complaint EPIC previously filed with the Commission concerning Samsung's "always on" SmartTV, which surreptitiously records consumers' private conversations and transmits their unencrypted voice recordings to third parties. EPIC also warned the FTC that "Samsung is now collecting viewing data from consumers," a practice the FTC found unlawful in a recent settlement with VIZIO. EPIC originally filed this complaint with the FTC on February 24, 2015, but the Commission took no action. EPIC routinely files complaints with the FTC. EPIC's complaints against Uber, Facebook and Google all led to FTC settlements with the companies. Last week, EPIC renewed its complaint against Google for tracking consumers' in-store purchases. (May. 18, 2018)

  • Immigration and Customs Enforcement has dropped a plan to use machine learning software to determine if a visa applicant might commit a crime or terrorist act. Last year, EPIC joined over 50 privacy, civil liberties, and civil rights groups to oppose the plan, stating that the "initiative was tailor-made for discrimination." EPIC has pursued several FOIA cases to uncover the use of secret algorithms by government agencies to score people, including EPIC v. CBP about the "Analytical Framework for Intelligence" that generated secret "risk assessments" on US travelers. In testimony for the 9-11 Commission, EPIC warned that "the use of information technology to identify individuals that may pose a specific threat to the United States" is a "complex problem [that] necessarily involves subjective judgments." (May. 18, 2018)

  • EPIC testified before the Consumer Product Safety Commission at the hearing on "The Internet of Things and Consumer Product Hazards." EPIC International Law Counsel Sunny Kang urged the Commission to focus on privacy and security. EPIC's Kang told the Commission that "IoT is the weakest link to privacy and security vulnerabilities in consumer products." EPIC recommended baseline rules for IoT device manufacturers adopted by the UK government in a recent report on privacy and security for IoT devices. EPIC and a coalition of consumer groups previously urged the Commission to recall the Google Home Mini device which was designed to always record conversations. (May. 17, 2018)

  • EPIC Consumer Privacy Counsel Sam Lester testified before the House Ways and Means Committee at a hearing on "Securing Americans' Identities: The Future of the Social Security Number." EPIC's Lester emphasized that "the SSN was never meant to be an all-purpose identifier," and its widespread use has contributed to the epidemic of data breaches, identity theft and financial fraud. Lester called on Congress to prohibit the use of the SSN in the private sector without explicit legal authorization. Lester also warned Congress against creating a national biometric identifier that would raise serious privacy and civil liberties risks. EPIC frequently testifies before Congress. EPIC President Marc Rotenberg recently testified before the Senate Banking Committee and the House Financial Services Committee on the need to update U.S. privacy law. EPIC also maintains an archive of information about the SSN online. (May. 17, 2018)

  • In advance of a hearing on Cambridge Analytica and the Future of Data Privacy, EPIC has sent a statement to the Senate Judiciary Committee. EPIC said that "It has become increasingly clear that even as we are asked to give up our privacy, companies have become ever more secretive about how they profile and target voters." In 2014, EPIC challenged Facebook's manipulation of users' News Feeds for psychological research. "If Facebook used data manipulation to shape users' emotions, it can use data manipulation to shape voters' practices," EPIC told the Committee. (May. 15, 2018)

  • In detailed comments to the Federal Trade Commission, EPIC urged the FTC to strengthen a revised settlement with Uber. The FTC reached a settlement with Uber back in August of 2017 for its numerous privacy abuses, including secretly tracking riders and using software to evade authorities. But shortly after announcing the settlement, the FTC discovered that Uber had hidden a massive data breach and used its bug bounty program to pay off the hackers. As a result, the FTC required Uber to submit all of its privacy assessments to the Commission. While EPIC supported the FTC’s action, EPIC said that "the FTC should make Uber's privacy assessments public so that consumers can evaluate whether the company is meeting its obligations under the Consent Order." The FTC's initial investigation and subsequent settlement with Uber were prompted by EPIC's complaint against Uber in 2015. (May. 15, 2018)

  • Through a Freedom of Information Act request, EPIC obtained declassified memorandums from former FBI Director James Comey detailing his conversations with President Trump from January to April 2017. The conversations include President Trump asking about the possibility of imprisoning journalists, dropping the investigation of former advisor Michael Flynn, and the need to "lift the cloud" of the Russia investigation. In early 2017, EPIC launched the Project on Democracy and Cybersecurity. EPIC is currently pursuing several FOIA cases concerning Russian interference with the 2016 election including: EPIC v. ODNI (Russian hacking), EPIC v. IRS (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity). (May. 15, 2018)

  • Incoming Federal Trade Commissioner Rohit Chopra issued a memo today warning that the FTC will enforce its consent orders against companies that violate the law. "FTC orders are not suggestions," said Chopra. Chopra said the FTC should seek structural remedies as well as monetary fines. EPIC has repeatedly told the FTC to enforce its orders, and even sued the agency, EPIC v. FTC, for failing to enforce the order against Google following the Buzz fiasco. More recently, EPIC and a coalition of consumer groups told the FTC that the Cambridge Analytica breach could have been avoided had the FTC enforced the 2011 Consent Order against Facebook. The FTC has since confirmed that it is investigating Facebook for the breach. According to the former Acting Director of the FTC's Bureau of Consumer Protection, "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook." (May. 14, 2018)

  • The U.S. Supreme Court ruled today that a driver in lawful possession of a rental car has a reasonable expectation of privacy regardless of a rental car agreement. The Court held in Byrd v. United States that, "the mere fact that a driver in lawful possession or control of a rental car is not listed on the rental agreement will not defeat his or her otherwise reasonable expectation of privacy." EPIC filed an amicus brief in the case, joined by 23 technical experts and legal scholars, members of the EPIC Advisory Board, which stated that "relying on rental contracts to negate Fourth Amendment standing would undermine legitimate expectations of privacy." EPIC also urged the Court to recognize that modern cars collect vast troves of personal data and "make little distinction between driver and occupant, those on a rental agreement and those who are not." EPIC routinely participates as amicus curiae in cases before the Supreme Court, such as in United States v. Microsoft Corp., Dahda v. United States, and United States v. Jones. (May. 14, 2018)

  • The Supreme Court has ruled in Dahda v. United States, a case about the federal Wiretap Act and the suppression of evidence obtained under an overly broad wiretap order. A lower court permitted the evidence, relying on a novel interpretation of the Act. EPIC filed an amicus brief in the case, arguing that "it is not for the courts to create textual exceptions" to federal privacy laws. The Supreme Court agreed with EPIC that it "makes little sense" for the court to rewrite the statute. However, the Court declined to suppress the evidence, finding that it was a lawful search under a narrow interpretation of the Wiretap Act. EPIC routinely participates as amicus curiae in privacy cases before the Supreme Court, including Byrd v. United States (a case in which the Court rejected suspicionless searches of rental cars) and Carpenter v. United States (a case about warrantless searches of cellphone location records). (May. 14, 2018)

  • In a letter to DHS Secretary Kirstjen Nielsen, Senators Edward Markey (D-MA) and Mike Lee (R-UT) urged the agency to promptly conduct a public rulemaking on the agency's biometric exit program prior to any expansion of the program. The program, currently implemented in nine U.S. airports, requires travelers on departing international flights to submit to facial recognition identification. The Senators requested that DHS determine the accuracy of the technique and the procedures for collecting passenger data. EPIC is currently pursuing documents about the biometric exit program, but documents EPIC obtained about a related program that tested iris and facial recognition scanning at the border revealed that the technology did not perform operational matching at a "satisfactory" level. An earlier EPIC lawsuit against the DHS led to the removal of backscatter x-ray devices — "body scanners" — at US airports. (May. 11, 2018)

  • EPIC has submitted a Freedom of Information Act request seeking records about the Irish Data Protection Commissioner's inquiries regarding Facebook’s compliance with the FTC's Consent Order. In 2011, the Austrian privacy group Europe-v-Facebook and other parties filed formal complaints to the Irish Data Protection Commissioner about third party access to Facebook user data. The Irish Data Protection Commissioner then initiated an audit of Facebook to assess its compliance with both Irish Data Protection Law and EU law. The 2011 Irish audit found that the safeguards for third party applications did not ensure security for user data. In a 2012 re-audit, the Irish Commissioner found a "satisfactory response" from Facebook regarding preventing third party applications. Following the 2012 re-audit, the FTC and the Data Protection Commissioner signed a Memorandum of Understanding to exchange information to enforce compliance with privacy laws in each respective country. Two years after the Data Protection Commissioner found a "satisfactory response" from Facebook regarding third party applications, a third party application harvested the data of over 87 million users and transferred the data to Cambridge Analytica. (May. 11, 2018)

  • The White House has established the "Select Committee on Artificial Intelligence" to advise the President and coordinate AI policies among executive branch agencies. The Office of Science and Technology Policy, NSF, and DARPA will lead the interagency committee. According to the White House, the goals of the Committee are to (1) prioritize funding for AI research and development; (2) remove barriers to AI innovation; (3) train the future American workforce; (4) achieve strategic military advantage; (5) leverage AI for government services; and (6) lead international AI negotiations. The Committee will also coordinate efforts across federal agencies to research and adopt technologies such as autonomous systems, biometric identification, computerized image and video analysis, machine learning and robotics. It is unclear whether the Committee will include public perspectives in its work. In 2014, EPIC, joined by 24 consumer privacy, public interest, scientific, and educational organizations, petitioned the OSTP to accept public comments on a White House project concerning Big Data. The petition stated, "The public should be given the opportunity to contribute to the OSTP's review of 'Big Data and the Future of Privacy' since it is their information that is being collected and their privacy and their future that is at stake." In 2015 EPIC launched an international campaign for Algorithmic Transparency and recently urged Congress to establish oversight mechanisms for the use of AI by federal agencies. (May. 10, 2018)

  • A federal appeals court has ruled that U.S. border officials may not conduct a forensic search of a mobile device without a "reasonable suspicion" that the device contains evidence of a crime. The court's decision followed Riley v. California, a 2014 Supreme Court case holding that the Fourth Amendment requires police to obtain a warrant to search a cell phone. EPIC filed an amicus brief in the Riley case, cited by the Supreme Court, about the detailed personal data stored in cell phones. EPIC's Alan Butler predicted that the Riley decision would lead courts to require "reasonable suspicion" for border searches. EPIC recently filed a FOIA suit against a federal agency for information about the warrantless searches of cell phones. Senator Patrick Leahy (D-VT) and Senator Steve Daines (R-MT) have introduced legislation to place restrictions on searches and seizures of electronic devices at the border. (May. 10, 2018)

  • In response to an industry proposal to diminish safeguards for children's privacy, EPIC reminded the FTC that industry guidelines must comply with the Children's Online Privacy Protection Act. EPIC also highlighted recent updates in the COPPA regulations that minimize data collection concerning children. EPIC wrote, "COPPA has evolved to address changes in technology and business practices." EPIC has testified several times before Congress on protecting children's data and supported the 2013 updates to COPPA. (May. 9, 2018)

  • In advance of a hearing on "Program Integrity for the Supplemental Nutrition Assistance Program," EPIC has sent a statement to the House Oversight Committee. A provision of the Agriculture and Nutrition Act of 2018 would establish a federal database of Supplemental Nutrition Assistance Program recipients for the purpose of denying food assistance. The SNAP program provides assistance to low-income households and is administered by the states. However, Section 4001 would create a federal database with personal data, such as social security numbers, employment status, and income amounts, with the aim of denying food assistance. EPIC warned that if Congress decides to create this federal database, then the Department of Agriculture will be subject to Privacy Act obligations, including potential liability for the data breaches that may result. Last year, EPIC successfully challenged the efforts of a federal commission to establish a national voter database, noting that voting is a state function. (May. 8, 2018)

  • The Transatlantic Consumer Dialogue, a coalition of more than 70 consumer organizations in Europe and North America, has made available "10 Things to Know About the GDPR." The analysis details key elements of the new European privacy law. TACD wrote, "People's data should be treated with the highest privacy protections no matter where they are based. Privacy is a fundamental human right and data protection is intrinsically linked to it." Last month, TACD sent a letter to Mark Zuckerberg urging Facebook to comply with the GDPR as a baseline standard for all Facebook users worldwide. TACD will host a press conference on GDPR with EPIC in Washington DC on May 16. EPIC makes available the complete text of the GDPR and related materials in the Privacy Law Sourcebook. (May. 8, 2018)

  • In advance of a hearing on the 2020 Census, EPIC told Congress to consider the privacy issues arising from potential misuse of Census data. After the Department of Commerce announced that the 2020 Census will include a question on citizenship status, many have expressed concerns about the confidentiality of the data collected. EPIC told Representatives: "your committee should ensure that the data collected by the federal government is not misused." The census raises significant privacy risks and has been used to discriminate. EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to the Department of Homeland Security after 9-11. As a consequence, the Census Bureau revised its policy on sharing statistical information about "sensitive populations" with law enforcement or intelligence agencies. Customs and Border Protection also changed its policy on requesting "information of a sensitive nature from the Census Bureau." (May. 8, 2018)

  • According to the Office of the Director of National Intelligence 2017 report, the number of Foreign Intelligence Surveillance Act orders to collect call records more than tripled last year, from 151 million records in 2016 to 534 million in 2017. In 2012, EPIC testified before Congress on the need for more public reporting concerning the use of FISA authorities. Several of EPIC's recommendations, including better reporting on government surveillance activities, were incorporated in the USA FREEDOM Act. (May. 7, 2018)

  • EPIC has urged the Federal Trade Commission to act on a Complaint EPIC previously filed with the Commission concerning Google's tracking of consumer purchases. EPIC told the FTC that "this tracking of consumer purchases is without precedent and also raises questions as to what else Google does with the consumer data it obtains." EPIC originally filed the Complaint with the FTC on July 31, 2017. The Complaint alleges that Google collects billions of credit and debit card transactions and links that data to the activities of Internet users. Google claims to protect privacy but refuses to provide any details about a secret algorithm it uses, making it impossible for consumers to verify that their privacy is protected. EPIC has filed numerous complaints with the FTC, including the complaints that led to the FTC's 2011 Google Buzz Order and the 2011 Facebook Order. The FTC recently welcomed a new Chairman and three new Commissioners. (May. 7, 2018)

  • In advance of a Senate hearing "Keeping Pace with Innovation - Update on the Safe Integration of Unmanned Aircraft Systems into the Airspace," EPIC submitted a statement to inform the committee of EPIC's ongoing work to establish transparency and oversight for the use of unmanned aircraft in the United States. EPIC believes that strong drone privacy rules are vital for the safe integration of commercial drones in the National Air Space. EPIC is now proceeding in the U.S. Court of Appeals for the D.C. Circuit against the FAA for the agency's failure to establish drone privacy safeguards. EPIC has also filed suit to enforce the transparency obligations of the Drone Advisory Committee, a body created by the FAA to study and make recommendations on U.S. drone policy. EPIC has also pursued several open government matters regarding the FAA's decision making process, which appears intended to purposefully avoid the development of meaningful privacy safeguards. (May. 7, 2018)

  • A coalition of consumer safety groups wrote to senators asking them to delay passing the AV START Act (S. 1885) until the National Transportation Safety Board finished its investigation of two recent crashes involving autonomous vehicles. The groups said: "we are very concerned that provisions in the bill put others sharing the road with AVs at unnecessary and unacceptable risk." EPIC has called for national safety standards for connected cars in comments to NHTSA. In a recent amicus brief to the Supreme Court, EPIC also underscored the privacy risks of rental cars, which collect vast troves of personal data. (May. 6, 2018)

  • The Irish High Court has denied Facebook's request to halt review of Data Protection Commissioner v. Facebook by Europe's top court. The case, which was recently referred to the European Court of Justice, concerns whether Facebook's transfers of personal data from Ireland to the United States violate the European Charter of Fundamental Rights. The case follows the landmark 2015 decision that the US had insufficient privacy protections to allow transfer of Europeans' personal data. Ruling against Facebook's request to delay the case further pending appeal, the Irish court said EU data subjects could be harmed if the case were delayed, and that there were “considerable concerns” about Facebook's conduct in the case. EPIC was designated the US NGO amicus curiae in this case, and provided a detailed assessment of US privacy law. (May. 3, 2018)

  • EPIC and a coalition of consumer organizations have sent a letter to Mick Mulvaney urging the Acting Director not to ban public access to the CFPB consumer complaint database. "The public complaint database is a tool that empowers individuals to inform and protect themselves in the marketplace," the groups stated. In recent remarks at a banking industry conference, Mulvaney said that he is considering closing off access to the database. The database has helped expose wrongdoing by numerous financial institutions, including failures by Equifax following its data breach, as detailed in a report just released by three Senators. EPIC has called on the CFPB to more vigorously pursue its investigation of Equifax, and has filed a Freedom of Information Act request to obtain communications about that investigation. (May. 3, 2018)

  • EPIC submitted comments to the Consumer Product Safety Commission for an upcoming hearing on "The Internet of Things and Consumer Product Hazards." EPIC urged the Commission to focus on privacy and security issues, which the Commission claims are outside its scope. EPIC told the Consumer Product Safety Commission that "Holding a hearing in the year 2018 to discuss IoT without addressing privacy and security is akin to holding a hearing in the last century about kitchen appliances without addressing the risk that a toaster might catch fire because of bad wiring." EPIC recommended that the Commission implement thirteen rules for manufacturers of IoT devices that were laid out by the UK government in a recent report on privacy and security for IoT devices. EPIC and a coalition of consumer groups previously urged the Commission to order the recall of the Google Home Mini "smart speaker" and received a response saying that it does not pursue privacy or data security issues. (May. 2, 2018)

  • A controversial provision of the Agriculture and Nutrition Act of 2018 would establish a federal database of Supplemental Nutrition Assistance Program recipients for the purpose of denying food assistance. The SNAP program provides assistance to low-income households and is administered by the states. However, Section 4001 would create a federal database with personal data, such as social security numbers, employment status, and income amounts, with the aim of denying food assistance. Privacy scholars have explained that government agencies often subject individuals living in poverty to excessive surveillance. Last year, EPIC successfully challenged the efforts of a federal commission to establish a national voter database, noting that voting is a state function. (May. 2, 2018)

  • Senators Warren (D-MA), Schatz (D-HI) and Menendez (D-NJ) have published a report examining thousands of consumer complaints filed with the Consumer Financial Protection Bureau after Equifax's massive data breach last fall. The report, entitled "Breach of Trust," reveals the extent of Equifax's failure to address significant harms consumers faced as a result of the breach. The Senators sent their report along with a letter to the CFPB demanding the agency hold Equifax accountable. Despite the massive number of complaints, the CFPB has yet to announce any action against Equifax eight months after the breach. The Senators also admonished Director Mulvaney for his recent suggestion that he would end public access to the CFPB's complaint database. In testimony before the House Financial Services Committee in February, EPIC called on Congress to ensure that the CFPB takes action against Equifax. A February Reuters story indicated that the CFPB had halted its investigation into Equifax, but Mulvaney since confirmed that an investigation is still ongoing. EPIC submitted a Freedom of Information Act request to obtain information about the CFPB's Equifax investigation. (May. 1, 2018)

  • The House Permanent Select Committee on Intelligence has published a redacted version of its report on Russian interference with the 2016 Presidential Election. The report concludes that Russia did conduct cyberattacks on U.S. political institutions in 2015 and 2016. It also found that the FBI's "notification to numerous Russian hacking victims was largely inadequate." The report recommends that the FBI improve cyberattack victim notification. In a Freedom of Information Act lawsuit EPIC v. FBI, EPIC obtained the FBI notification procedures that would have applied during the 2016 Presidential election. The documents state that "[b]ecause timely victim notification has the potential to completely mitigate ongoing and future intrusions and can mitigate the damage of past attacks while increasing the potential for the collection of actionable intelligence, CyD's policy regarding victim notification is designed to strongly favor victim notification." However, the FBI did not follow this procedure following cyber attacks on the DNC and RNC during the 2016 Presidential Election. The Committee also recommended measures to strengthen U.S. election systems, such as paper ballots, protection of voter registration systems, and funding for risk assessment of state election agency computer systems. In early 2017, EPIC launched the Project on Democracy and Cybersecurity. (Apr. 30, 2018)

  • The Supreme Court today granted certiorari to address for the first time whether a class action settlement that awards cy pres but provides no direct relief to class members is "fair, reasonable, and adequate." The case, Frank v. Gaos, involves a settlement arising from Google's tracking of Internet users by circumventing their browsers' privacy settings. The settlement awarded cy pres funds to several organizations but resulted in no change in Google's business practices nor payments to class members. EPIC objected to the proposed settlement on three separate occasions, arguing that, "The proposed settlement is bad for consumers and does nothing to change Google's business practices. The company will simply revise its notice so that it may continue to engage in the privacy-invading practice that class counsel claimed at one time provided the basis for class action certification and monetary relief." EPIC has routinely opposed class action settlements that fail to compensate class members or change business practices. In 2013, Chief Justice John Roberts wrote that the Court would soon need to address "fundamental concerns" surrounding the use of cy pres in class action settlements. EPIC has proposed an objective basis to evaluate cy pres awards. (Apr. 30, 2018)

  • EPIC joined dozens of human rights organizations condemning Russia's attempt to block encrypted messaging app Telegram. In an open letter, the coalition states Russia's attempts to block the app have "resulted in extensive violations of freedom of expression and access to information, including mass collateral website blocking." The groups call on international organizations and governments to challenge Russia's actions, and on tech companies to resist government attempts to compromise fundamental rights. EPIC has historically campaigned in support of strong encryption. In April 1994, EPIC initiated the campaign to stop the Clipper Chip, a key escrow encryption scheme developed by the NSA. (Apr. 30, 2018)

  • In a letter to Axon's Artificial Intelligence Ethics Board, EPIC and a coalition of civil rights and civil liberties groups called upon the Board to prevent Axon, the largest provider of police body cameras, from implementing real-time facial recognition. The letter states that "real-time facial recognition would chill the constitutional freedoms of speech and association." In 2015, EPIC forewarned that body cameras implemented for police accountability "could easily become a system of mass surveillance." EPIC also highlighted at the time that "the benefits of body cameras as a tool of police accountability have not been established." Last year, the largest study to date of police body cameras concluded that the cameras had no impact on police use of force and civilian complaints. (Apr. 26, 2018)

  • In advance of a hearing on Filtering Practices of Social Media Companies, EPIC has sent a statement to the House Judiciary Committee. EPIC said that "algorithmic transparency" could help establish fairness, transparency, and accountability for much of what users see online. In 2011, EPIC sent a letter to the FTC stating that Google's acquisition of YouTube led to a skewing of search results after Google substituted its secret "relevance" ranking for the original objective ranking, based on hits and ratings. The FTC took no action on EPIC's complaint. But last year, after a seven-year investigation, the European Commission found that Google rigged search results to give preference to its own shopping service. The Commission required Google to change its algorithm to rank its own shopping comparison the same way it ranks its competitors. (Apr. 25, 2018)

  • The Administrative Office of the U.S. Courts has issued the 2017 report on activities of the Foreign Intelligence Surveillance Court. Scrutiny of FISA applications increased substantially in 2017. The 2017 FISA report reveals that there were 1,614 FISA applications in 2017, of which 1,147 were granted, 391 were modified, 50 were denied in part, and 26 were denied in full. As compared to 2016, the FISA court denied nearly two times as many applications in part, and denied nearly three times as many applications in full. EPIC testified before Congress in 2012 on the need to improve review of FISA applications. In recent comments on US surveillance authority, EPIC noted the reauthorization of 702 spying authorities without sufficient safeguards. (Apr. 25, 2018)

  • EPIC has sent a statement to the House Homeland Security Committee in advance of a hearing with the Commissioner of Customs and Border Protection. EPIC urged the Committee to ask the CBP Commissioner about the collection of biometric data at US airports. EPIC described the growing use of facial recognition that captures the images of US travelers. EPIC also pointed to a recent study that found racial disparities with the technique. EPIC is currently seeking records from the federal agency concerning the accuracy of facial recognition. EPIC also recommended the Committee examine how CBP will comply with state laws prohibiting warrantless aerial surveillance when deploying drones at the border. As a result of an earlier FOIA lawsuit, EPIC found that the CBP is deploying drones with facial recognition technology without warrant authority. (Apr. 24, 2018)

  • EPIC submitted a statement to the Senate Homeland Security Committee in advance of a hearing on "Cyber Threats Facing America." Last year, the White House National Security Strategy report set out the administration's goals for global policy. EPIC supports several of the goals in the National Strategy report, including enhanced cybersecurity, support for democratic institutions, and protection of human rights. EPIC wrote to the Senate Committee to seek assurances that those goals will remain priorities for this administration. Quoting former world chess champion Garry Kasparov, EPIC also said "perhaps it is a firewall and not a border wall that the United States needs to safeguard our national interests at this moment in time." (Apr. 24, 2018)

  • EPIC has filed a Freedom of Information Act lawsuit to obtain the release of the unredacted Facebook Assessments from the FTC. The FTC Consent Order required Facebook to provide to the FTC biennial assessments conducted by an independent auditor. In March, EPIC filed a Freedom of Information Act request for the 2013, 2015, and 2017 Facebook Assessments and related records. EPIC's FOIA request drew attention to a version of the 2017 report available at the FTC website. But that version is heavily redacted. EPIC is suing now for the release of the unredacted report. EPIC has an extensive open government practice and has previously obtained records from many federal agencies. The case is EPIC v. FTC, No. 18-942 (D.D.C. filed April 20, 2018). (Apr. 20, 2018)

  • EPIC has obtained a redacted version of the 2017 Facebook Assessment required by the 2012 Federal Trade Commission Consent Order. The Order required Facebook to conduct biennial assessments from a third-party auditor of Facebook's privacy and security practices. In March, EPIC filed a Freedom of Information Act request for the 2013, 2015, and 2017 Facebook Assessments as well as related records. The 2017 Facebook Assessment, prepared by PwC, stated that "Facebook's privacy controls were operating with sufficient effectiveness" to protect the privacy of users. This assessment was prepared after Cambridge Analytica harvested the personal data of 87 million Facebook users. In a statement to Congress for the Facebook hearings last week, EPIC noted that FTC Commissioners represented that the Consent Order protected the privacy of hundreds of millions of Facebook users in the United States and Europe. (Apr. 20, 2018)

  • Senator Richard Blumenthal (D-CT) has called for "monetary penalties that provide redress for consumers and stricter oversight" in a letter to the Federal Trade Commission. Senator Blumenthal focused on the FTC's 2011 Consent Order that EPIC and a coalition of consumer groups obtained after preparing a detailed complaint in 2009. Referring to the Cambridge Analytica scandal, Senator Blumenthal wrote that "three of the FTC's claims concerned the misrepresentation of verification and privacy preferences of third-party apps." Senator Blumenthal also raised questions about the FTC's monitoring of the consent order, noting that "even the most rudimentary oversight would have uncovered these problematic terms of service." And the Senator stated, "The Cambridge Analytica matter also calls into question Facebook's compliance with the consent decree's requirements to respect privacy settings and protect private information." EPIC and other consumer groups recently urged the FTC to reopen the investigation. The FTC has confirmed that an investigation of Facebook is now underway. (Apr. 20, 2018)

  • A coalition of 14 consumer groups in Latin America has sent a letter to Facebook CEO Mark Zuckerberg, urging him to comply with the EU General Data Protection Regulation (GDPR) at a global level. The groups wrote, "The GDPR provides a solid foundation for the protection of personal data: it establishes clear responsibilities for companies that collect and process personal data and provides data subjects, Facebook users whose data your company collects and processes, with clear rights. These are protections that all users should be entitled to, regardless of where they are located." Earlier this month, the Transatlantic Consumer Dialogue (TACD), a coalition of consumer groups in North America and Europe, also sent a letter to Facebook advocating for the GDPR to be implemented as a baseline standard of data protection for all users. (Apr. 19, 2018)

  • In advance of a hearing on "Game Changers: Artificial Intelligence Part III, Artificial Intelligence and Public Policy," EPIC told the House Oversight Committee that Congress must implement oversight mechanisms for the use of AI by federal agencies. EPIC said that Congress should require algorithmic transparency, particularly for government systems that involve the processing of personal data. EPIC also said that Congress should amend the E-Government Act to require disclosure of the logic of algorithms that profile individuals. EPIC made similar comments to the UK Privacy Commissioner on issues facing the EU under the GDPR. A recent GAO report explored challenges with AI, including the risk that machine-learning algorithms may not comply with legal requirements or ethical norms. EPIC has pursued several criminal justice FOIA cases and FTC consumer complaints to promote transparency and accountability. In 2015, EPIC launched an international campaign for Algorithmic Transparency. (Apr. 19, 2018)

  • In advance of a hearing on "Abusive Robocalls and How We Can Stop Them," EPIC recommended reforms that would combat fraud while protecting privacy. EPIC supports regulations that would (1) allow phone providers to proactively block numbers that are unassigned, unallocated, or invalid; (2) block invalid numbers without requiring consumer consent; (3) provide strong security measures for any database of blocked numbers; and (4) prohibit spoofing with the intent to defraud or cause harm. EPIC played a leading role in the creation of the Telephone Consumer Protection Act and continues to defend the Act. (Apr. 17, 2018)

  • In advance of a hearing on the Census Bureau, EPIC told Congress to consider the privacy issues arising from potential misuse of Census data. After the Department of Commerce announced that the 2020 Census will include a question on citizenship status, many have expressed concerns about the confidentiality of the data collected. EPIC told Representatives: "your committee should ensure that the data collected by the federal government is not misused." The census raises significant privacy risks and has been used to discriminate. EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to the Department of Homeland Security after 9-11. As a consequence, the Census Bureau revised its policy on sharing statistical information about "sensitive populations" with law enforcement or intelligence agencies. Customs and Border Protection also changed its policy on requesting "information of a sensitive nature from the Census Bureau." (Apr. 17, 2018)

  • EPIC has filed a second Freedom of Information Act lawsuit to obtain President Trump's tax records. EPIC is seeking information about IRS settlements involving the President and his businesses—information which the agency is required to disclose to the public upon request. The IRS agreed to process EPIC's request in February but has failed to release any records to date. EPIC previously sued the IRS for the release of the President's personal tax returns to correct misstatements of fact about his financial ties to Russia. President Trump tweeted "I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim contradicted by the President's own lawyers. That case, EPIC v. IRS, is now before the D.C. Circuit Court of Appeals. EPIC is litigating several other FOIA cases about Russian interference in the 2016 Presidential election, including EPIC v. FBI (response to Russian cyber attack) and EPIC v. DHS (election cybersecurity). (Apr. 17, 2018)

  • The Supreme Court has vacated United States v. Microsoft, a case concerning whether a U.S. communications law can be used by a U.S. law enforcement agency to obtain personal data stored outside of the U.S. While the case was pending, Congress quickly passed the CLOUD Act, which requires internet companies to hand over personal data to U.S. law enforcement agencies, no matter where that data is stored. The Court then determined that there was no longer a matter to adjudicate and ended the proceeding. EPIC's amicus brief to the Supreme Court argued that human rights law and privacy standards should govern law enforcement access to personal data stored abroad. In recent comments to the UN, EPIC explained that the CLOUD Act "undermines communications privacy protections." (Apr. 17, 2018)

  • In advance of a hearing regarding IRS oversight, EPIC sent a statement to a House committee urging the release of President Trump's tax returns. As EPIC explained, "candidates for the Presidency have routinely released tax record information to the American public. Mr. Trump broke with that tradition even though he pledged to make this information publicly available." As a consequence, EPIC brought a FOIA suit for the release of the President's tax returns. EPIC recently filed the opening brief in EPIC v. IRS, now before the D.C. Circuit Court of Appeals. EPIC told the court that the IRS has the authority to disclose the President's returns to correct numerous misstatements of fact concerning financial ties to Russia. For example, President Trump tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"--a claim "plainly contradicted by his own attorneys, family members, and business partners." As EPIC explained to the Court and to Congress, "there has never been a more compelling FOIA request presented to the IRS." (Apr. 17, 2018)

  • EPIC submitted a statement following the Senate nomination hearing on Mike Pompeo for Secretary of State. EPIC said that the US Secretary of State should uphold privacy as a fundamental human right around the world. The United States Department of State publishes an annual human rights report that covers "internationally recognized individual, civil, political, and worker rights, as set forth in the Universal Declaration of Human Rights and other international agreements." EPIC also said that "international agreements provide the best opportunity to establish data protection standards" and urged the Secretary of State to ratify the International Privacy Convention. Privacy experts and advocates have also called for adoption of the Madrid Privacy Declaration, a comprehensive framework for data protection. (Apr. 16, 2018)

  • The Article 29 Working Party has released a statement on encryption policy. The Working Party stated "strong and efficient encryption is a necessity in order to guarantee the protection of individuals with regard to the confidentiality and integrity of their data which are the elementary underpinning of the digital economy." The Working Party found that "backdoors and master keys deprive encryption of its utility and cannot be used in a secure manner. Any obligation aiming at reducing the effectiveness of those techniques in order to allow law enforcement access to encrypted data could seriously harm the privacy of European citizens." The Working Party is a group of leading privacy officials in the European Union that often issues reports and opinions on emerging privacy issues. Under the GDPR, the Working Party will become the European Data Protection Board with new legal authorities. Communications services with escrow encryption, and other similar techniques, could be prohibited under the GDPR. EPIC began in April 1994 with the first internet petition, the campaign to stop the Clipper Chip, a key escrow encryption scheme developed by the NSA. (Apr. 16, 2018)

  • EPIC has submitted extensive comments on proposed guidance for Data Protection Impact Assessments. The new European Union privacy law - the "GDPR" - requires organizations to carefully assess the collection and use of personal data. In comments to the UK privacy commissioner, EPIC said that disclosure of the technique for decision making is a core requirement for Data Protection Impact Assessments. EPIC supports "Algorithmic Transparency." EPIC has pursued criminal justice FOIA cases and FTC consumer complaints to promote transparency and accountability. EPIC has warned Congress of the risks of "citizen scoring." (Apr. 13, 2018)

  • EPIC has submitted a Freedom of Information Act request to the Department of Homeland Security seeking Privacy Impact Assessments and other records related to the solicitation for "media monitoring services." The DHS posted a solicitation to compile a database of journalists and "media influencers," including bloggers and social media influencers. The DHS is seeking to identify journalists based on their beat, publication, contact information, and articles published. Agency officials plan to search lists and analyze news coverage. By law, a federal agency is required to conduct a Privacy Impact Assessment before procuring information technology that contains personally identifiable information. In a prior FOIA lawsuit, EPIC obtained Privacy Impact Assessments from the FBI that were not publicly available. And in EPIC v. Presidential Election Commission, EPIC challenged the failure of the Commission to undertake a Privacy Impact Assessment prior to the collection of state voter data. The Commission was shuttered earlier this year. (Apr. 13, 2018)

  • The Federal Trade Commission has strengthened its 2017 settlement with Uber because the company hid a massive data breach and bug bounty program in 2016. Under the revised settlement, Uber must submit all of its privacy audits to the FTC, and will face civil penalties if it fails to disclose another breach. In February 2018, EPIC advised Congress that "bug bounty programs do not excuse non-compliance with data breach notification laws." The FTC's 2017 settlement with Uber was the result of EPIC's 2015 complaint to the Commission detailing Uber's numerous privacy abuses. In public comments, EPIC advised the FTC to strengthen the settlement by making all of Uber's privacy audits available to the public. (Apr. 12, 2018)

  • The Irish High Court has sent eleven questions to the European Court of Justice for review in Data Protection Commissioner v. Facebook. The case considers whether Facebook's transfers of data from Ireland to the United States violate the European Charter of Fundamental Rights. The case follows the 2015 landmark decision Schrems v. DPC, which found that the US had insufficient privacy law to protect the personal data of Europeans. The new case examines "standard contractual clauses" and whether the US provides sufficient remedies for privacy violations, whether future data transfers should be suspended, and whether the EU-US "Privacy Shield" matters. EPIC was designated the US NGO amicus curiae in this case, and provided a detailed assessment of US privacy law. (Apr. 12, 2018)

  • EPIC has filed suit to enforce the open government obligations of the Drone Advisory Committee, an industry-dominated committee that advises the Federal Aviation Administration on U.S. drone policy. For over a year, the Committee has conducted much of its work in secret and ignored the privacy risks posed by the deployment of drones, even after the Committee identified privacy as a top public concern. EPIC's lawsuit would force the Committee to disclose its work to the public. EPIC has a long history of promoting government transparency. EPIC's case to establish drone privacy regulations, EPIC v. FAA, No. 16-1297, is pending before the D.C. Circuit Court of Appeals. (Apr. 12, 2018)

  • In advance of a hearing regarding challenges facing the IRS, EPIC sent a statement to the Senate Finance Committee urging the release of President Trump's tax returns. EPIC v. IRS is one of several FOIA cases EPIC is pursuing concerning Russian interference in the 2016 Presidential election. EPIC recently filed the opening brief in the case before the D.C. Circuit Court of Appeals. EPIC told the court that the IRS has the authority to disclose the President's returns to correct numerous misstatements of fact concerning financial ties to Russia. For example, President Trump tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"--a claim "plainly contradicted by his own attorneys, family members, and business partners." As EPIC told the Court, "there has never been a more compelling FOIA request presented to the IRS." (Apr. 12, 2018)

  • In response to a series of questions from Rep. Gene Green (D-TX), Facebook CEO Mark Zuckerberg confirmed that Facebook will comply with the new European Union privacy law - "the GDPR" - in all jurisdictions. Earlier this week, the Transatlantic Consumer Dialogue (TACD), a coalition of more than 70 consumer organizations in North America and Europe, sent a letter to Mr. Zuckerberg urging him to comply with the GDPR as a baseline standard for all Facebook users worldwide. TACD wrote, "The GDPR helps ensure that companies such as yours operate in an accountable and transparent manner, subject to the rule of law and democratic process." (Apr. 11, 2018)

  • The Transatlantic Consumer Dialogue (TACD), a coalition of more than 70 consumer organizations in North America and Europe, has sent a letter to Facebook CEO Mark Zuckerberg urging him to comply with the EU General Data Protection Regulation (GDPR) as a baseline standard, not just for EU consumers as it is required, but for all Facebook services. TACD wrote, "The GDPR helps ensure that companies such as yours operate in an accountable and transparent manner, subject to the rule of law and the democratic process. The GDPR provides a solid foundation for data protection, establishing clear responsibilities for companies that collect personal data and clear rights for users whose data is gathered. These are protections that all users should be entitled to no matter where they are located." Zuckerberg will testify before the Senate and House this week on Facebook's failure to protect user data. The TransAtlantic Consumer Dialogue was established in 1998 and works to promote the consumer interest in EU and US policy making. (Apr. 9, 2018)

  • EPIC has filed a Freedom of Information Act lawsuit against Immigration and Customs Enforcement for details of the agency's use of mobile forensic technology to conduct warrantless searches of mobile devices. ICE has contracts with a company called Cellebrite for techniques to unlock, decrypt, and extract data from mobile devices, including personal data stored in cloud-based accounts. Privacy complaints regarding the search of mobile devices at the border continue to increase. In a statement to Congress last year, EPIC warned that enhanced surveillance at the border will impact the rights of U.S. citizens. Senator Patrick Leahy (D-VT) and Senator Steve Daines (R-MT) have introduced legislation to place restrictions on searches and seizures of electronic devices at the border. (Apr. 9, 2018)

  • EPIC has provided a comprehensive report explaining the latest developments in U.S. privacy law and policy for the 63rd meeting of the International Working Group on Data Protection. The Working Group includes Data Protection Authorities and experts from around the world who work together to address emerging privacy challenges. The EPIC 2018 report details the CLOUD Act, the FTC's failure to enforce its legal judgment against Facebook, the ongoing investigation of the Russian interference in the 2016 election, federal nominees to the FTC and PCLOB, recent legislative proposals on Artificial Intelligence, and more. The 64th meeting of the IWG will take place in Queenstown, New Zealand on November 29-30. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the Goethe-Institut, Germany's cultural institute. (Apr. 9, 2018)

  • In advance of a joint hearing about Facebook's failure to protect the personal data of users, EPIC has sent a comprehensive statement to the Senate Committee on the Judiciary and the Senate Committee on Commerce. EPIC is urging the Senators to focus on the 2011 Consent Order between Facebook and the Federal Trade Commission. In 2009, EPIC and a coalition of consumer groups presented the FTC with a complaint, containing detailed evidence, legal theories, and proposed remedies to address growing concerns about Facebook. The FTC adopted a Consent Order in 2011, based on EPIC's Complaint, but failed to enforce the Order even after EPIC sued the agency in a related matter. In numerous comments to the FTC, EPIC and others urged the FTC to enforce its consent order. In the statement to the Senate this week, EPIC contends that the Cambridge Analytica debacle could have been prevented if the FTC had enforced the Order. (Apr. 9, 2018)

  • EPIC has submitted input to the UN Office of the High Commissioner for Human Rights for an upcoming report on the right to privacy in the digital age. The OHCHR is soliciting information for a report to the Human Rights Council on the right to privacy around the world. EPIC's comments detail shortcomings in US privacy law, including the CLOUD Act, the reauthorization of FISA Section 702, and the FTC's failure to enforce consumer privacy guarantees. EPIC also highlighted the need for the Special Rapporteur on Privacy to promote fundamental privacy rights, particularly Article 12 of the Universal Declaration of Human Rights. (Apr. 6, 2018)

  • EPIC and a coalition of consumer groups have filed a complaint with the FTC, charging that Facebook's use of facial recognition techniques threatens user privacy and "in multiple ways" violates the 2011 Consent Order with the Commission. "The scanning of facial images without express, affirmative consent is unlawful and must be enjoined," the groups wrote. Last week the organizations urged the Federal Trade Commission to reopen the 2009 investigation of Facebook, arguing that the disclosure of user data to Cambridge Analytica violated the consent order, and noting that the order also prohibited Facebook from "making misrepresentations about the privacy or security of consumers' personal information." In 2011 EPIC and consumer groups urged the FTC to investigate Facebook’s facial recognition practices. In 2012 EPIC advised the FTC "Commercial actors should not deploy facial techniques until adequate safeguards are established. As such safeguards have not yet been established, EPIC would recommend a moratorium on the commercial deployment of these techniques." EPIC President Marc Rotenberg said today, "Facebook should suspend further deployment of facial recognition pending the outcome of the FTC investigation." (Apr. 6, 2018)

  • EPIC and a coalition of consumer groups will file a complaint with the FTC on Friday charging that Facebook's use of facial recognition techniques threatens user privacy and violates the 2011 Consent Order with the Commission. "The scanning of facial images without express, affirmative consent is unlawful and must be enjoined," the groups wrote. Last week the organizations urged the Federal Trade Commission to reopen the 2009 investigation of Facebook, arguing that the disclosure of user data to Cambridge Analytica violated the consent order, and noting that the order also prohibited Facebook from "making misrepresentations about the privacy or security of consumers' personal information." The FTC has confirmed that an investigation is now underway. The FTC said, "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements." Facebook CEO Mark Zuckerberg will testify next week before the Senate Judiciary Committee and the House Commerce Committee. In 2011 EPIC urged the FTC to investigate Facebook's facial recognition practices. In 2012 EPIC advised the FTC "Commercial actors should not deploy facial techniques until adequate safeguards are established. As such safeguards have not yet been established, EPIC would recommend a moratorium on the commercial deployment of these techniques." (Apr. 5, 2018)

  • Congressional leaders have announced the establishment of the Congressional Artificial Intelligence Caucus. The Caucus will bring together experts from academia, government, and the private sector to inform policymakers of the technological, economic and social impacts of advances in AI. The Congressional AI Caucus is bipartisan and co-chaired by Congressmen John Delaney (D-MD) and Pete Olson (R-TX). This is one of several initiatives in Congress to pursue AI policy objectives. Rep. Delaney introduced the FUTURE of Artificial Intelligence Act (H.R. 4625) and Rep. Elise Stefanik (R-NY) introduced a bill (H.R. 5356) that would create the National Security Commission on AI. In 2015, EPIC launched an international campaign for Algorithmic Transparency. EPIC has also warned Congress about the growing use of opaque and unaccountable techniques in automated decision-making. (Apr. 3, 2018)

  • The D.C. Circuit Court of Appeals has refused to void an earlier ruling in EPIC's case to halt the collection of state voter data by the Presidential Election Commission. Although the Commission was disbanded in January, last year's decision by a three-judge panel of the D.C. Circuit remains on the books. The panel wrongly held that EPIC, a privacy and open government organization, did not have standing to challenge the Commission's failure to conduct and publish a privacy impact assessment required by law. EPIC asked the full D.C. Circuit to take the rare step of revisiting the panel's decision, but the court declined. EPIC's lawsuit previously led the Commission to suspend the collection of voter data, discontinue the use of an unsafe computer server, and delete the voter information that was unlawfully obtained. Many states and over 150 members of Congress opposed the Commission's efforts to collect state voter data. EPIC will continue to pursue the case, which is eligible for appeal to the U.S. Supreme Court. The case is EPIC v. Commission, No. 17-1320 (D.D.C.) & 17-5171 (D.C. Cir.). (Apr. 2, 2018)

  • EPIC has filed a consumer protection lawsuit against AccuWeather for deceptively tracking the location of subscribers who downloaded the company’s app. In papers filed in the District of Columbia, EPIC charged that AccuWeather tracked consumers even when they expressly opted out of location tracking. EPIC also charged that AccuWeather failed to disclose that it transferred location data to third-party advertisers. EPIC alleges that these practices violate the District of Columbia Consumer Protection Procedures Act. EPIC has long advocated for the privacy of location data. EPIC filed a “friend of the court” brief with the US Supreme Court in a case concerning police surveillance and a complaint with the Federal Trade Commission concerning Uber’s tracking of subscribers. EPIC also opposed Apple’s tracking of iPhone users. EPIC also maintains detailed webpages on location privacy. (Apr. 2, 2018)

  • French President Emmanuel Macron has expressed support for "Algorithmic transparency" as a core democratic principle. In an interview with Wired magazine, President Macron said that algorithms deployed by the French government and companies that receive public funding will be open and transparent. President Macron emphasized, "I have to be confident for my people that there is no bias, at least no unfair bias, in this algorithm." President Macron's statement echoed similar comments in 2016 by German Chancellor Angela Merkel, "These algorithms, when they are not transparent, can lead to a distortion of our perception, they narrow our breadth of information." EPIC has a longstanding campaign to promote transparency and to end secret profiling. At UNESCO headquarters in 2015, EPIC said that algorithmic transparency should be a fundamental human right. In recent comments to UNESCO, EPIC highlighted the risk of secret profiling, content filtering, the skewing of search results, and adverse decision-making, based on opaque algorithms. (Apr. 2, 2018)

  • The Consumer Product Safety Commission responded to a complaint from EPIC and a coalition of consumer groups, urging the Commission to order the recall of the Google Home Mini "smart speaker." The touchpad on the device was permanently set to "on" so that Google recorded all conversations without a consumer's knowledge or consent. The groups wrote "this is a classic manufacturing defect that places consumers at risk. The defect in Google Home Mini is well within the purview of the Consumer Product Safety Commission." In the response, the Commission claimed that it monitors the hazards of IoT but said that it does not pursue privacy or data security issues. IoT devices are frequently the target of botnet attacks. According to Hacker News, "the DDoS threat landscape is skyrocketing" and the UK National Cyber Security Centre's report has called for comprehensive safeguards for IoT devices. EPIC Senior Counsel Alan Butler has written about products liability for IoT manufacturers. (Apr. 2, 2018)

  • In a Federal Register notice released today, the State Department is proposing that all visa applicants submit social media identifiers to the federal government. EPIC previously opposed the agency’s plan, warning that "this proposal leaves the door open for abuse, mission creep, and the disproportionate targeting of Muslim and Arab Americans." Earlier this year, EPIC and a broad coalition of civil rights organizations submitted a Freedom of Information Act request seeking details of the Trump Administration’s “extreme vetting” initiative, including the collection and use of social media information. (Mar. 30, 2018)

  • In detailed comments, EPIC advised the FTC to strengthen a proposed settlement with PayPal concerning Venmo, a mobile app for peer-to-peer payments. The FTC complaint found that Venmo made misrepresentations about privacy and security practices. EPIC recommended that the FTC require PayPal to (1) change the default setting to private, (2) require affirmative consent for subsequent changes, (3) make the privacy assessments public, (4) require multi-factor authentication, and (5) comply with Fair Information Practices. The FTC is obligated to consider public comments before finalizing a proposed settlement and must provide a “reasoned response” if it fails to modify an order. EPIC has previously pursued FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. (Mar. 29, 2018)

  • An internal investigation has revealed the FBI was not transparent about its technical capabilities before suing Apple to unlock an encrypted iPhone. The Department of Justice Inspector General reports that FBI personnel failed to communicate to agency leadership that the FBI was very close to opening the phone. Investigating the 2015 mass shooting in San Bernardino, the FBI filed suit to force Apple to create custom technology to decrypt an iPhone. The Agency's case relied on the fact that it "cannot access" that phone's content. EPIC filed an amicus brief in Apple v. FBI arguing that the "security features in dispute in this case were adopted to protect consumers from crime." (Mar. 28, 2018)

  • EPIC joined Consumer Watchdog and a coalition of consumer organizations to urge Facebook to cease all campaign contributions and electioneering activity. The groups also recommended that Facebook retain Jimmy Carter and the Carter Center to audit Facebook's use of personal information for election advertisements. Last week, EPIC and a coalition of consumer groups called on the Federal Trade Commission to investigate Facebook. EPIC has also urged the Federal Election Commission to provide transparency for online political ads. EPIC is fully engaged in protecting the integrity of elections with its Project on Democracy and Cybersecurity. (Mar. 28, 2018)

  • The Department of Commerce announced that the 2020 census will include a question on citizenship status. The decennial census has not included a citizenship question since 1950. Critics argue that the question will result in unreliable data collection and skew census results. Senator Menendez (D-NJ) has introduced S. 2580, a bill that would prohibit the census from including a citizenship question. Last week EPIC submitted a Freedom of Information Act request seeking documents on the Department's consideration of the many complicated issues related to the question. The census raises significant privacy risks. EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to DHS after 9-11. (Mar. 27, 2018)

  • The D.C. Circuit has set the briefing schedule for the OPM Data Security Breach case, concerning a pair of data breaches in 2015 that affected 22 million federal employees, their friends, and family members. EPIC recently informed the Court that it will file an amicus brief, which will now be due on May 17, 2018. EPIC has long warned that federal agencies collect far too much personal data that they fail to protect. In the 2012 case NASA v. Nelson, concerning repeated data breaches at the space agency, EPIC urged the Supreme Court to recognize a right to "informational privacy" that would limit data collection by federal agencies. (Mar. 26, 2018)

  • A bipartisan group of 37 State Attorneys General is investigating Facebook's business practices and lack of privacy protections. "Businesses like Facebook must comply with the law when it comes to how they use their customers' personal data," Pennsylvania Attorney General Josh Shapiro said. "State Attorneys General have an important role to play in holding them accountable." The Federal Trade Commission also announced today that it is investigating Facebook. Senate Judiciary Chairman Grassley has also said there will be hearings on the Facebook matter when Congress returns. (Mar. 26, 2018)

  • President Trump has signed the CLOUD Act, requiring internet companies to hand over personal data to U.S. law enforcement agencies, no matter where that data is stored. The Act also allows the executive branch to create agreements with foreign countries to provide direct access to personal data stored in the United States. EPIC submitted an amicus brief in United States v. Microsoft arguing that law enforcement access to data abroad should be resolved by international consensus and comply with human rights norms. Many organizations and privacy experts have endorsed the Madrid Privacy Declaration, which would establish international protections for personal data. (Mar. 26, 2018)

  • Through a Freedom of Information Act request, EPIC obtained records of email communications between Consumer Financial Protection Bureau staff members regarding the Equifax data breach investigation. The emails reveal that a Reuters reporter contacted the CFPB to confirm certain facts days before the publication of the article alleging that the CFPB had halted the Equifax investigation. At that time, the CFPB did not correct the allegations in the article but instead provided the reporter a brief official statement saying that it would not comment on ongoing investigations but that the CFPB has the "desire, expertise, and know-how, in-house, to vigorously hypothetically pursue matters such as these." In the aftermath of the Reuters Equifax article, CFPB staff exchanged emails about how to respond to the story and one staffer stated, "no more specific reaction than 'reports are incorrect.'" Acting Director Mick Mulvaney has since publicly confirmed that the CFPB's Equifax investigation is still ongoing. (Mar. 26, 2018)

  • The Federal Trade Commission has confirmed an investigation into Facebook for the company's failure to protect the personal data obtained by Cambridge Analytica. Facebook likely violated the FTC's 2011 Consent Order with the company. Last week, EPIC and a coalition of consumer organizations urged the FTC to reopen the investigation. EPIC and other consumer organizations brought the complaint that led to the FTC's 2011 Order. Thomas Pahl, the Acting Director of the FTC's Bureau of Consumer Protection, stated today, "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook." In a recent article for Techonomy, EPIC President Marc Rotenberg emphasized that "the transfer of 50 million user records to the controversial data mining and political consulting firm could have been avoided if the Federal Trade Commission had done its job." (Mar. 26, 2018)

  • EPIC has submitted an urgent Freedom of Information Act request to the Department of Commerce seeking information about a proposed citizenship question on the 2020 census. Secretary Wilbur Ross stated today that the Department of Commerce will make a decision as to whether to include the controversial question in the 2020 census by March 31. Secretary Ross also said, “there are probably 15 or 20 different very complicated issues involved in the request.” EPIC specifically requested information about these issues. The census raises significant privacy risks. EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to DHS after 9-11. (Mar. 22, 2018)

  • Congresswoman Elise Stefanik (R-NY) has introduced a bill (H.R. 5356) that would create the National Security Commission on Artificial Intelligence (AI). Congresswoman Stefanik said, “It is critical to our national security but also to the development of our broader economy that the United States becomes the global leader in further developing this cutting edge technology.” The Commission would conduct a comprehensive review of AI technologies, assess the risks to national security, identify actionable items, and provide recommendations to the President and Congress. The Commission’s recommendations would also address: data and privacy, international law and ethics, competitiveness, technological advantages, cooperation and competition, investments and research, and workforce and education. In 2015, EPIC launched an international campaign for Algorithmic Transparency. EPIC has also warned Congress about the use of opaque techniques in automated decision-making. (Mar. 22, 2018)

  • Through a Freedom of Information Act request, EPIC has obtained the FBI’s “Policy for Biometric Information Sharing with Domestic and International Agencies.” The documents EPIC obtained also contain details of the United States’ agreement with Iraq to exchange biometric data, including an agreement not to subject the information to any dissemination restrictions of the US or Iraq. The FBI maintains one of the world's largest biometric databases, known as the "Next Generation Identification" system, which includes facial IDs gathered from international conflicts. In 2007, EPIC, Privacy International, and Human Rights Watch warned the Secretary of Defense that the “system of biometric identification contravene international privacy standards and could lead to further reprisals and killings.” EPIC noted in 2010 "President Obama’s address on the end of the combat mission in Iraq has left open the question of what will happen to the massive biometric databases on Iraqis, assembled by the United States, during the course of the conflict." (Mar. 22, 2018)

  • At a Senate Intelligence Committee hearing on Election Security this week, Senator Dianne Feinstein said “America is the victim and America has to know what’s wrong. And if there are states that have been attacked, America should know that.” In a Freedom of Information Act lawsuit EPIC v. FBI, EPIC obtained the FBI notification procedures that would have applied during the 2016 Presidential election. The documents state that “[b]ecause timely victim notification has the potential to completely mitigate ongoing and future intrusions and can mitigate the damage of past attacks while increasing the potential for the collection of actionable intelligence, CyD’s policy regarding victim notification is designed to strongly favor victim notification.” However, the FBI did not follow this procedure following cyber attacks on the DNC and RNC during the 2016 Presidential Election. In early 2017, EPIC launched the Project on Democracy and Cybersecurity. EPIC is currently pursuing several additional FOIA cases concerning Russian interference with the 2016 election: EPIC v. ODNI (Russian hacking), EPIC v. IRS (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity). (Mar. 22, 2018)

  • EPIC has submitted an urgent Freedom of Information Act request to the Federal Trade Commission, seeking the privacy assessments required by the FTC's 2012 Consent Order. Facebook is required to produce independent privacy assessments every two years for the next 20 years. Each assessment should "identify Facebook's privacy controls maintained during the reporting period, explain the appropriateness of these controls in relation to Facebook's activities and sensitivity of information, as well as explain how these controls meet or exceed the protections" required in the 2012 Consent Order. Facebook is also required to identify an independent privacy auditor, approved by the FTC. EPIC previously obtained the 2012 Initial Compliance Report as well as the 2013 Initial Assessment through an earlier FOIA request. EPIC is now seeking the 2015 and 2017 reports which cover the period for the data transfers to Cambridge Analytica. (Mar. 20, 2018)

  • In a statement issued today, EPIC and a coalition of consumer groups have called on the Federal Trade Commission to determine whether Facebook violated a 2011 Consent Order when it facilitated the transfer of personal data of 50 million Facebook users to the data mining firm Cambridge Analytica. The groups had repeatedly urged the FTC to enforce its own legal judgements. EPIC even sued the agency in 2012 for its failure to enforce a consent order against Google. "The FTC's failure to act imperils not only privacy but democracy as well," the groups warned. Between 2009 and 2011 EPIC and other consumer groups undertook extensive work to document Facebook's privacy abuses that led to the consent order in 2011. (Mar. 20, 2018)

  • EPIC has sent a statement to the House Appropriations Committee outlining the key privacy issues facing the Secretary of Commerce. The Committee held a hearing today to discuss the FY19 budget for the Department of Commerce. EPIC stated that data protection may be "the most important issue that the Secretary of Commerce will confront over the next several years." EPIC said the FTC is simply not doing enough to safeguard the personal data of American consumers, as evidenced by this week's report on Facebook and Cambridge Analytica. EPIC also warned that Europe may suspend the Privacy Shield, a framework that permits the flow of European consumers' personal data to the U.S., if the United States does not modernize privacy law and establish a federal data protection agency. (Mar. 20, 2018)

  • In 2009, EPIC and a coalition of US consumer privacy organizations petitioned the Federal Trade Commission to establish comprehensive privacy safeguards after Facebook changed user privacy settings and secretly transferred user data to third parties. In 2011, the FTC agreed with the privacy groups and established a far-reaching settlement with the company that prevented such disclosures, prohibited deceptive statements, and required annual reporting. But the FTC failed to enforce its consent order, even after EPIC sued the agency and consumer groups repeatedly urged the Commission to act. This weekend the Washington Post and the New York Times reported that Facebook disclosed the personal data of 50 million users without their consent to Cambridge Analytica, the controversial British data mining firm that sought to influence the 2016 presidential election. (Mar. 19, 2018)

  • A federal appeals court ruled today in a closely watched case concerning robocalls. The rule under review in ACA International v. FCC concerned the FCC's regulations for the Telephone Consumer Protection Act. EPIC filed a friend of the court brief in the case in support of the FCC regulations. EPIC said that companies "seeking to engage in privacy-invading business practices" bear "the burden of proving consent." The court agreed that consumers could withdraw consent by all "reasonable means." However, the court vacated other aspects of the rule, including the definition of automated telephone dialing system and proposed procedures for calls to reassigned numbers. (Mar. 16, 2018)

  • EPIC has provided comments to UNESCO on a proposed framework for Internet Universality Indicators. The UNESCO framework emphasizes Rights, Openness, Accessibility, and Multistakeholder participation. UNESCO said that the framework will help guide protections for fundamental rights. EPIC also proposed "Algorithmic Transparency" as a key indicator of Internet Universality. EPIC highlighted the risk of secret profiling, content filtering, the skewing of search results, and adverse decisionmaking, based on opaque algorithms. EPIC has worked closely with UNESCO for over 20 years on Internet policy issues. At UNESCO headquarters in 2015, EPIC said that algorithmic transparency should be a fundamental human right. (Mar. 16, 2018)

  • EPIC has informed the D.C. Circuit Court of Appeals that it will file an amicus brief in the OPM Data Security Breach case. The case concerns a pair of data breaches in 2015 that affected 22 million federal employees, their friends, and family members. EPIC has long warned that federal agencies collect far too much personal data that they fail to protect. In the 2012 case NASA v. Nelson, concerning repeated data breaches at the space agency, EPIC urged the Supreme Court to recognize a right to "informational privacy" that would limit data collection by federal agencies. (Mar. 15, 2018)

  • Today the Federal Election Commission voted unanimously, at a public meeting, to publish a proposed rule concerning transparency requirements for online political ads. The FEC noted EPIC's comments—arguing that internet companies should be held to the same standard as broadcast companies—in its proposal. The FEC will publish the proposal in the Federal Register, accept comments from the public, and then hold a public hearing on June 27, 2018. After Russian interference in the 2016 election, EPIC launched the Democracy and Cybersecurity Project to preserve the integrity of elections and democratic institutions. In comments to the FEC in November 2017, EPIC explained the "need to protect democratic institutions from foreign adversaries has never been greater...To help ensure the integrity of U.S. elections, the Federal Election Commission should not exempt technology companies from notification requirements for Internet communications." (Mar. 14, 2018)

  • In advance of the hearing on the nomination of Lieutenant General Paul M. Nakasone to be the Director of the National Security Agency, EPIC has sent a statement to the Senate Intelligence Committee. EPIC urged the Committee to ask the nominee whether he agrees with the January 2017 assessment of the Intelligence Community that the Russians interfered with the 2016 Presidential election and whether he believes that the United States has taken sufficient steps to prevent Russian meddling in the mid-term elections. In the latest FOIA gallery, EPIC highlighted four new EPIC FOIA lawsuits to uncover details of the Russian interference in the 2016 Presidential election. One of EPIC's FOIA cases, EPIC v. FBI, revealed that the Bureau failed to warn the DNC and the RNC that they were targeted by a Russian cyber attack. (Mar. 14, 2018)

  • U.K. privacy officials have blocked WhatsApp from transferring personal data to Facebook until the company complies with the GDPR, the new European privacy law. The Information Commissioner's Office found that WhatsApp's proposed data transfer would have violated the U.K. Data Protection Act. "People have a right to have their personal data kept safe," explained Commissioner Elizabeth Denham in a blog post. EPIC has twice urged the FTC to block WhatsApp's transfer of personal data to Facebook, but the FTC has failed to act. The FTC approved Facebook's acquisition of WhatsApp in 2014 after both companies assured the Commission and the public that they would protect users' privacy, but in 2016 WhatsApp announced that it would begin transferring the names and phone numbers of its users to Facebook. France blocked the data transfer and the EU fined Facebook $122 million for misleading European authorities about the data transfer. (Mar. 14, 2018)

  • EPIC has filed an amicus brief with the Eleventh Circuit Court of Appeals in Jackson v. McCurry, stating that teachers may not search a student's cell phone unless they have followed an explicit school policy that complies with Fourth Amendment requirements. Citing a recent Supreme Court opinion, EPIC explained, "after Riley, searches of students' cell phones require heightened privacy protections." Noting that "most teenagers today could not survive without a cellphone," EPIC wrote that searches of cell phones should be "limited to those circumstances when it is strictly necessary." EPIC previously participated as amicus curiae in Riley v. California, arguing that the search of a cellphone requires a warrant, and Commonwealth v. White, a case before the Massachusetts Supreme Judicial Court, arguing that a warrant is required before a school may turn over a student's cell phone to the police. Both cases produced favorable outcomes. (Mar. 13, 2018)

  • In advance of the Senate hearing on the Freedom of Information Act (FOIA), EPIC submitted a statement highlighting recent FOIA cases. EPIC told the committee about documents EPIC has obtained through FOIA requests and litigation, including documents obtained last week that show federal voting rights officials sought to "clean up" state voter rolls. EPIC also discussed its case against the IRS seeking the release of President Trump's tax returns. Since 2001, EPIC has produced an annual FOIA gallery in honor of Sunshine Week to feature EPIC's FOIA work over the past year. (Mar. 12, 2018)

  • In celebration of Sunshine Week, a national recognition of public access to information, EPIC has unveiled the 2018 FOIA Gallery. Since 2001, EPIC has released annual highlights of EPIC's most significant open government cases. In 2017, EPIC obtained the "victim notification procedures" that the FBI did not follow during the 2016 Presidential election, revealed that the FBI also failed to follow internal guidance for using intelligence data for criminal investigations, and uncovered problems with the border security biometric matching program. In the latest FOIA gallery, EPIC also highlighted four new EPIC FOIA lawsuits to uncover details of the Russian interference in the 2016 Presidential election and records, obtained by EPIC, revealing federal voting rights officials discussing ways to "clean" state voter rolls. (Mar. 12, 2018)

  • Officials from four different federal agencies discussed joint plans to "clean" state voter rolls last year, according to documents obtained by EPIC through a Freedom of Information Act request. The records show that the Election Assistance Commission, the Presidential Election Commission, the Department of Justice, and the Department of Homeland Security explored ways to cooperate on "cleaning" and "maintenance" of state voter registration databases. The documents also reveal that the Presidential Election Commission and the DOJ discussed "election integrity" issues just two weeks before both agencies issued sweeping requests for state election records on the same day. After EPIC brought suit against the Commission last year to halt its unlawful gathering of personal voter data, the Commission temporarily suspended its data collection, discontinued the use of an unsafe computer server, deleted voter information that was illegally obtained, and ultimately disbanded. (Mar. 12, 2018)

  • A federal appeals court has ruled that consumers affected by a Zappos.com data breach have the right to sue the online retailer. The 2012 breach exposed the personal data of more than 24 million Zappos customers. A lower court previously held that the consumers lacked "standing" to bring a lawsuit against Zappos because their injuries were merely "conjectural." But the Ninth Circuit Court of Appeals reversed that decision and allowed the case to continue. "With each new hack comes a new hacker, each of whom independently could choose to use the data to commit identity theft," the court wrote. EPIC regularly files amicus briefs defending standing in consumer privacy cases, most recently in Eichenberger v. ESPN (where the Ninth Circuit also held for consumers), Gubala v. Time Warner Cable, and In re SuperValu Customer Data Security Breach Litigation. (Mar. 9, 2018)

  • The International Working Group on Data Protection has adopted new recommendations to enhance the privacy of website registration data. The Berlin-based Working Group includes Data Protection Authorities and experts who assess emerging privacy challenges. The "Working Paper on Privacy and Data Protection Issues with Regard to Registrant data and the WHOIS Directory" highlights privacy risks of the current registration system. When registering a new website with ICANN, the personal data of website owners is published in a widely accessible database. The Working Group recommends limitations on disclosure consistent with the purpose of registration - to provide limited contact information to resolve technical concerns. Registration data is also subject to the GDPR. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the Goethe-Institut, Germany's cultural institute. (Mar. 9, 2018)

  • EPIC has filed a Freedom of Information Act lawsuit against the Department of Homeland Security to obtain the public release of information about the use of drones for domestic surveillance. EPIC cited a Presidential Memorandum that required all federal agencies to prepare public reports on drone deployment. EPIC's lawsuit charges that the DHS has failed to make these reports public. In a previous lawsuit against the DHS, EPIC obtained records which revealed that DHS drones had the capability to intercept electronic communications and identify humans at a distance. EPIC has also brought a lawsuit against the FAA to establish drone privacy regulations in the United States. (Mar. 9, 2018)

  • EPIC has announced the newest members of the EPIC Advisory Board. They are Professor Woodrow Hartzog, Dr. Rush D. Holt, Len Kennedy, and Roger McNamee. The EPIC Advisory Board is a distinguished group of experts in law, technology, and public policy who contribute to EPIC’s work on privacy and civil liberties. The publications of the EPIC Advisory Board members are available at the EPIC Bookstore. Dr. Whitfield Diffie, Professor Harry Lewis, and Professor Jennifer Daskal recently joined the EPIC Board of Directors. The 2018 EPIC Champion of Freedom Awards will be presented on June 6, 2018 at the National Press Club. Press Release. (Mar. 6, 2018)

  • EPIC sent a statement to the House Committee on Energy and Commerce in advance of a hearing on the NTIA, a key technology policy agency. EPIC warned that "American consumers face unprecedented privacy and security threats," citing both data breaches and "always on" devices that record users' private conversations. EPIC said that Congress and the NTIA should establish protections that minimize the collection of personal data and promote security for Internet-connected devices. EPIC warned of growing risks to consumer safety and public safety. EPIC has testified before Congress, litigated cases, and filed complaints with the FTC regarding connected cars, "smart homes," consumer products, and "always on" devices. (Mar. 6, 2018)

  • Today the Senate Armed Services Committee held a hearing that addressed concerns about Russian interference in upcoming elections. In his opening statement, the Director of National Intelligence Daniel Coats stated that Russia views its influence on the 2016 election as successful and emphasized the threat that Russian cyberattacks pose to U.S. democracy. Coats testified that the U.S.'s response has not been sufficient to deter Russia from interfering in the 2018 midterm elections, agreeing with testimony of Admiral Michael Rogers, the Commander of U.S. Cyber Command, in a hearing last week. Coats called the U.S.'s strategy to combat Russian interference a "whole government approach," but it concerned some Senators that there was no lead agency in charge of this effort, including Senator Mazie Hirono (D-HI) who said that it caused her to conclude that it is "not a top priority" for the President. EPIC launched a project on Democracy and Cybersecurity in response to Russian interference in the 2016 presidential election. (Mar. 6, 2018)

  • Senators Patrick Leahy (D-VT) and Steve Daines (R-MT) have introduced a bill that would place restrictions on searches and seizures of electronic devices at the border. The bill sets out detailed procedures for seizing electronic devices, including a warrant requirement prior to inspection of the device, data minimization, and exclusion of evidence that is obtained in violation of the Act. The bill also establishes reporting requirements to determine the scope and frequency of device searches. Senator Leahy stated that "no American should have to relinquish all of their privacy rights to their cell phones, laptops and other electronic devices, simply because they are coming home from a trip abroad." The bill would also require a warrant to use software to analyze seized electronic devices. In a statement to Congress last year, EPIC warned that enhanced surveillance at the border will impact citizens' rights. (Mar. 5, 2018)

  • The Securities and Exchange Commission has released guidance for cybersecurity risks and incidents. The SEC stated that "in light of the increasing significance of cybersecurity incidents," it is "critical" for companies to routinely report cybersecurity threats. The Commission also emphasized that corporate officers must not trade on nonpublic information. Equifax waited six weeks to notify the public of its data breach, and its executives were accused of insider trading after it was revealed that they sold Equifax stock prior to informing the public of the breach. EPIC has long advocated for mandatory breach notification. EPIC President Marc Rotenberg recently testified on data security and breach notification before the House and Senate, explaining that companies' failure to protect data threatens not only consumers but also national security. (Mar. 5, 2018)

  • Today Rep. Lieu (D-CA) introduced two bills to safeguard consumer data: the "Protecting Consumer Information Act of 2018" and the "Ending Forced Arbitration for Victims of Data Breaches Act." The first bill will expand the Federal Trade Commission's enforcement authority over credit reporting agencies, while allowing state attorneys general to also bring enforcement actions. The second bill will prohibit entities from enforcing mandatory arbitration clauses—which prohibit consumers from filing lawsuits—in data breach cases. In a press release announcing the legislation, Rep. Lieu said, "these bills forge a path forward that can both prevent future breaches and ensure victims can seek due process when they occur." Rep. Lieu's announcement came the same day that Equifax disclosed an additional 2.4 million people were impacted by last year's data breach, bringing the total to approximately 148 million people. EPIC President Marc Rotenberg recently testified before Congress to call for comprehensive privacy legislation and the creation of a federal data protection agency. (Mar. 1, 2018)

  • EPIC and a broad coalition of civil rights organizations submitted a Freedom of Information Act request today seeking details related to ICE's "Extreme Vetting" Initiative, including the collection and use of social media information. The federal agency is making deportations and visa decisions based on vague and ambiguous criteria. The FOIA request seeks to make public the specific procedures and policies for Extreme Vetting. Last year, EPIC and a coalition of civil rights organizations sent a joint statement to the Acting Secretary of Homeland Security to oppose the Extreme Vetting Initiative. EPIC previously opposed a proposal to collect social media information for use in visa determinations. (Mar. 1, 2018)

  • Identity theft ranked second among all complaints submitted to the Federal Trade Commission in 2017. Although the total number of complaints dropped, consumers reported losing $63 million more to identity theft and fraud in 2017 than in 2016. EPIC has warned that "the FTC's failure to act against the growing threats to consumer privacy and security could be catastrophic." 2017 marked a record year for data breaches. EPIC urged the FTC to enforce data security standards as part of its 10 recommendations for the FTC's five-year strategic plan. EPIC President Marc Rotenberg also testified before the Senate and the House following the Equifax breach, calling for comprehensive data protection legislation. (Mar. 1, 2018)

  • This week, the Supreme Court heard arguments in United States v. Microsoft Corp., a case concerning law enforcement access to personal data stored in Ireland. The Court appeared divided during the argument, but both Justice Ginsburg and Justice Alito appeared to agree that Congress and not the Court was better positioned to find a solution. In an amicus brief, EPIC urged the Supreme Court to respect international privacy standards. EPIC wrote, the "Supreme Court should not authorize searches in foreign jurisdictions that violate international human rights norms." EPIC cited important cases from the European Court of Human Rights and the European Court of Justice. EPIC warned that "a ruling for the government would also invite other countries to disregard sovereign authority." EPIC has long supported international standards for privacy protection, and EPIC has urged U.S. ratification of the Council of Europe Privacy Convention. EPIC routinely participates as amicus curiae in privacy cases before the Supreme Court, most recently in Carpenter v. United States (privacy of cellphone data), Byrd v. United States (searches of rental cars), and Dahda v. United States (wiretapping). (Feb. 28, 2018)

  • A new Axios-SurveyMonkey poll found that 55% of Americans believe the government should do more to regulate tech companies such as Google and Facebook. The poll showed bipartisan support for increased regulation, with 45% of Republicans, 64% of Democrats, and 57% of Independents saying they are "more concerned" that the government will not go far enough to regulate tech. EPIC maintains an extensive page on Privacy and Public Opinion which shows consistent support among Americans for stronger laws to protect their privacy. EPIC has also opposed mergers that threaten consumer privacy, including Facebook's acquisition of WhatsApp, Google's acquisition of DoubleClick, and Google's acquisition of Nest Labs. (Feb. 28, 2018)

  • In a statement to Congress in advance of a hearing on the Department of Defense's cyber operations, EPIC urged lawmakers to consider the privacy impact of cyber policies. The Cybersecurity Information Sharing Act of 2015 allowed the federal government to obtain cyber threat information from the private sector—much of which concerns the activities of individual Internet users—without privacy safeguards. EPIC urged Congress to ask Michael Rogers, the Commander of U.S. Cyber Command, about the steps the Defense Department will take to reduce privacy risks. EPIC previously sued the federal government for information regarding a Department of Homeland Security program that allowed the NSA to monitor the Internet traffic of defense contractors. (Feb. 27, 2018)

  • The Northern District of California has ruled that Facebook users have standing to pursue a class action challenging Facebook's use of facial recognition software. The court said that the Illinois Biometric Information Privacy Act requires plaintiffs only to show that Facebook has unlawfully collected their biometric data without their consent. Facebook sought to dismiss the suit by arguing that the Supreme Court's decision in Spokeo v. Robins required the plaintiffs to show additional harm. EPIC submitted a friend-of-the-court brief in Spokeo, arguing that courts should not second-guess privacy laws. The Ninth Circuit Court of Appeals recently agreed with EPIC that internet users have standing when a company has disclosed their personal information in violation of the Video Privacy Protection Act. (Feb. 27, 2018)

  • EPIC has sent a statement to the House Homeland Security Committee in advance of a hearing on the Transportation Security Administration. EPIC urged the Committee to limit the collection of biometric data at US airports. EPIC described the growing use of facial recognition that captures the images of US travelers. EPIC also pointed to a recent study that found racial disparities with the technique. EPIC previously pursued a significant lawsuit against the TSA that led to the removal of x-ray body scanners from US airports. EPIC is currently seeking records from Customs and Border Protection concerning the accuracy of facial recognition. (Feb. 26, 2018)

  • The Ninth Circuit Court of Appeals has ruled in FTC v. AT&T that the Federal Trade Commission can regulate telephone and internet companies, reversing an earlier decision by a three-judge panel that stripped the FTC of its authority over "common carriers." The full Ninth Circuit held that the common carrier exemption to the FTC Act is activity-based, not status-based. This means that the FTC can regulate AT&T's data-throttling practices. The Ninth Circuit reached the result that EPIC and a coalition of consumer advocates had urged in a friend-of-the-court brief. EPIC also vigorously defended the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards" in an amicus brief in FTC v. Wyndham. (Feb. 26, 2018)

  • EPIC has filed the opening brief in its case to obtain President Trump's tax returns. EPIC told the D.C. Circuit Court of Appeals that the IRS has the authority to disclose the President's returns to correct numerous misstatements of fact concerning his financial ties to Russia. For example, President Trump tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim "plainly contradicted by his own attorneys, family members, and business partners." A Quinnipiac poll released today confirms that the public overwhelmingly supports (67%) the release of the President's returns. As EPIC told the Court, "there has never been a more compelling FOIA request presented to the IRS." EPIC v. IRS is one of several FOIA cases EPIC is pursuing concerning Russian interference in the 2016 Presidential election, including EPIC v. ODNI (scope of Russian interference), EPIC v. FBI (response to Russian cyber attack), and EPIC v. DHS (election cybersecurity). Press Release. (Feb. 22, 2018)

  • The Secure and Succeed Act (S. Amdt. 1959 to H.R. 2579), sponsored by several Republican Senators, would link DACA with hi-tech border surveillance. Customs and Border Protection would use facial recognition and other biometric technologies to inspect travelers, both US citizens and non-citizens, at airports. The bill also establishes "Operation Phalanx" that instructs the Department of Defense—a military agency—to use drones for domestic surveillance. EPIC has pursued many FOIA cases on border surveillance involving biometrics, drones, and airport body scanners. In a statement to Congress, EPIC warned that "many of the techniques that are proposed to enhance border surveillance have direct implications for the privacy of American citizens." (Feb. 21, 2018)

  • The Supreme Court will hear arguments this week in Dahda v. United States, a case concerning the federal Wiretap Act and the suppression of evidence obtained following an invalid wiretap order. The Wiretap Act requires exclusion of evidence obtained as a result of an invalid order, but a lower court denied suppression in the case even though the order was unlawfully broad. In an amicus brief, EPIC wrote that "it is not for the courts to create textual exceptions" to federal privacy laws. EPIC explained that Congress enacted strict and unambiguous privacy provisions in the Wiretap Act. "If the government wishes a different outcome," EPIC wrote, "then it should go to Congress to revise the statute." EPIC routinely participates as amicus curiae in privacy cases before the Supreme Court, most recently in Byrd v. United States (suspicionless searches of rental cars) and Carpenter v. United States (warrantless searches of cellphone location records). (Feb. 20, 2018)

  • The Supreme Court has denied a petition for a writ of certiorari in Carefirst, Inc. v. Attias, a case concerning standing to sue in data breach cases. Consumers had sued health insurer Carefirst after faulty security practices allowed hackers to obtain 1.1 million customer records. EPIC filed an amicus brief backing the consumers, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches." The federal appeals court agreed with EPIC and held that consumers may sue companies that fail to safeguard their personal data. Carefirst appealed the decision, but the Supreme Court chose not to take the case. EPIC regularly files amicus briefs defending standing in consumer privacy cases, most recently in Eichenberger v. ESPN, where the Ninth Circuit also held for consumers, as well as Gubala v. Time Warner Cable and In re SuperValu Customer Data Security Breach Litigation. (Feb. 20, 2018)

  • Rep. Luetkemeyer (R-MO) and Rep. Maloney (D-NY) circulated a draft bill, the "Data Acquisition and Technology Accountability and Security Act," that would set federal requirements for companies collecting personal data and require prompt breach notification. The Federal Trade Commission, which has often failed to pursue important data breach cases, and state Attorneys General would both be responsible for enforcing the law. The law would only trigger liability if the personal data breached is "reasonably likely to result in identity theft, fraud, or economic loss" and would preempt stronger state data breach laws. Earlier this week, EPIC President Marc Rotenberg testified before the House, calling for comprehensive data privacy legislation that would preserve stronger state laws. Last fall, EPIC testified at a Senate hearing on the Equifax breach, calling it one of the worst in U.S. history. (Feb. 16, 2018)

  • Special Counsel Robert Mueller has indicted thirteen Russian nationals and three Russian entities for interfering in the 2016 U.S. presidential election. "Beginning as early as 2014" the defendants began operations "to interfere with the U.S. political system" and "sow discord," the indictment explains. They also posed as U.S. persons online, reaching "significant numbers of Americans" on social media. EPIC first sought details of the Russians' "multifaceted" influence campaign in January 2017, pursuing release of the complete Intelligence Community assessment on Russian meddling. EPIC President Marc Rotenberg recently highlighted the role of the Russian Internet Research Agency, named in the Mueller indictment, explaining, "Facebook sold advertising to Russian troll farms working to undermine the American political process." EPIC launched a new project on Democracy and Cybersecurity in early 2017 to help preserve democratic institutions. (Feb. 16, 2018)

  • The Congressional Task Force on Election Security today released its final report detailing vulnerabilities in U.S. election systems. The report includes many recommendations, including purchasing voting systems with paper ballots, post-election audits, and funding for IT support. The report also proposes a national strategy to counter efforts to undermine democratic institutions. Election experts have said that Congress has not done enough to safeguard the mid-term elections. In early 2017, EPIC launched the Project on Democracy and Cybersecurity. EPIC is currently pursuing several FOIA cases concerning Russian interference with the 2016 election, including EPIC v. FBI (cyberattack victim notification), EPIC v. ODNI (Russian hacking), EPIC v. IRS (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity). (Feb. 14, 2018)

  • In advance of a Senate hearing on four nominees to the Federal Trade Commission, EPIC recommended 10 steps for the FTC to safeguard American consumers. EPIC explained that the FTC's failure to address the data protection crisis has contributed to unprecedented levels of data breach and identity theft in the United States. EPIC helped establish the FTC's authority for consumer privacy and has urged the FTC to safeguard American consumers in cases involving Microsoft, Google, Facebook, Uber, Samsung and others. EPIC also filed a lawsuit against the FTC when it failed to enforce a consent order against Google. (Feb. 13, 2018)

  • The Senate Intelligence Committee held a hearing today with top officials from all U.S. intelligence agencies: Office of the Director of National Intelligence, CIA, NSA, Defense Intelligence Agency, FBI, and the National Geospatial-Intelligence Agency. The officials unanimously agreed that Russia interfered in the 2016 election and will interfere in the 2018 election, noting that they have already observed attempts to influence upcoming elections. Director of National Intelligence Dan Coats said: "There should be no doubt that Russia perceived that its past efforts as successful and views the 2018 U.S. midterm elections as a potential target for Russian influence operations." EPIC launched the Project on Democracy and Cybersecurity, after the 2016 presidential election, to safeguard democratic institutions. EPIC is currently pursuing several FOIA cases concerning Russian interference, including EPIC v. FBI (cyberattack victim notification), EPIC v. ODNI (Russian hacking), EPIC v. IRS (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity). EPIC also provided comments to the Federal Election Commission to improve transparency of election advertising on social media. (Feb. 13, 2018)

  • EPIC President Marc Rotenberg will testify before the House Financial Services Committee this week. Rotenberg will say that "Data breaches pose enormous challenges to the security of American families, as well as our country's national security." EPIC will call for comprehensive data protection legislation and the creation of a federal data protection agency. EPIC also challenged the decision of the CFPB Director to drop the investigation into the Equifax data breach. EPIC has repeatedly urged Congress to address the data protection crisis in the United States, warning that it endangers national security and international trade. Last year EPIC testified before the Senate in the wake of the Equifax breach, emphasizing the growing risks to American consumers. (Feb. 12, 2018)

  • The IRS acknowledged that it will fulfill EPIC's FOIA request seeking certain tax records of President Trump and the President's businesses. It marks the first time, to EPIC's knowledge, that the IRS has agreed to process a third-party FOIA request for the President's tax information. EPIC is seeking tax records relating to settlements with the IRS, which the agency is required to disclose to the public upon request. EPIC previously sued the IRS for the release of the President's personal tax returns to correct misstatements of fact about his financial ties to Russia. President Trump tweeted "I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim contradicted by the President's own lawyers. That case, EPIC v. IRS, is now before the D.C. Circuit Court of Appeals. EPIC is litigating several other FOIA cases about Russian interference in the 2016 Presidential election, including EPIC v. ODNI (scope of Russian interference), EPIC v. FBI (response to Russian cyber attack), and EPIC v. DHS (election cybersecurity). (Feb. 12, 2018)

  • EPIC filed a Freedom of Information Act request to the Department of Homeland Security seeking records about DHS's investigation of state voter fraud. Since the termination of the Presidential Advisory Commission on Election Integrity, President Trump suggested that the DHS investigate voter fraud, which falls outside the agency's jurisdiction. The agency has stated that its top priority is securing election systems from cyberattacks. This week, the DHS admitted that Russian hackers successfully penetrated election systems in the 2016 Presidential Election. EPIC had earlier submitted a statement to Congress seeking assurances that DHS will not continue the work of the disbanded Commission. (Feb. 9, 2018)

  • EPIC and other leading open government organizations urged Congress to promote transparency and accountability of the Intelligence agencies. The groups called for the release of annual public reports, all significant opinions by the Foreign Intelligence Surveillance Court, and an accounting of the number of Americans subject to foreign intelligence surveillance. EPIC previously called on lawmakers to require federal agencies to obtain a warrant before searching information about Americans in foreign intelligence databases. Through a Freedom of Information Act lawsuit, EPIC obtained a report detailing the FBI's failure to follow procedures regarding the use of foreign intelligence data for a domestic criminal investigation. EPIC has also testified in Congress on reforms to the Foreign Intelligence Surveillance Act. (Feb. 9, 2018)

  • A group of 31 Senators wrote to Acting Director Leandra English and Director Mick Mulvaney of the Consumer Financial Protection Bureau about the agency's failure to pursue the probe of the 2017 Equifax breach. The Senators wrote that "the CFPB has a clear duty to supervise consumer reporting agencies, investigate how this breach has or will harm consumers, and bring enforcement actions as necessary." Earlier this week, EPIC urged the Senate Banking Committee to investigate the CFPB. EPIC also filed a FOIA request seeking records about Mulvaney's decision to halt the CFPB's Equifax investigation. (Feb. 8, 2018)

  • EPIC has filed an urgent Freedom of Information Act request for records about Acting Director Mulvaney's decision to shut down the CFPB investigation of Equifax. The 2017 data breach, likely undertaken by a foreign adversary, compromised the personal data of 143 million Americans. Last year CFPB warned that US servicemembers were at particular risk as a result of the Equifax breach. EPIC is seeking communication between Mulvaney and Equifax officials, as well as records of meetings and any related memos regarding the decision to close the investigation. In a letter to the Senate Banking Committee yesterday, EPIC recommended that the Committee undertake a thorough investigation of the CFPB's recent decision regarding the investigation. (Feb. 7, 2018)

  • According to recent reports, the Consumer Financial Protection Bureau has shut down the investigation of the 2017 Equifax data breach that exposed the personal data of 145.5 million Americans. CFPB Acting Director Mulvaney failed to seek subpoenas or obtain sworn testimony from Equifax executives. Mr. Mulvaney also ended plans to test Equifax’s security systems, and rejected offers from regulators to assist with the investigation. EPIC urged the Senate Banking Committee to investigate, stating: “If the reports are accurate, Director Mulvaney’s failure to pursue a thorough investigation of the Equifax matter verges on malfeasance.” Last fall, EPIC President Marc Rotenberg testified at a Senate hearing on the Equifax breach. EPIC described the data breach as one of the worst in U.S. history. EPIC’s Christine Bannan also proposed steps to strengthen data protection safeguards for American consumers. (Feb. 6, 2018)

  • EPIC submitted a statement to the Senate in advance of a hearing to examine the October 2016 Uber breach and the value of bug bounty programs. Last fall, Uber admitted that hackers stole the data of 57 million Uber customers and drivers and that the company paid the hackers $100,000 to delete the data. This has raised legal questions about Uber's failure to notify those affected by the breach and about "bug bounty" programs, where companies pay hackers that bring vulnerabilities to their attention. EPIC explained to the Senate that, "bug bounty programs do not excuse non-compliance with data breach notification laws." EPIC's 2015 complaint with the FTC regarding Uber's abuse of personal data led to an FTC settlement in August, 2017. EPIC has also proposed a privacy law for Uber and other similar transportation companies. (Feb. 5, 2018)

  • EPIC has filed a new Freedom of Information Act request with the IRS, seeking tax-related records for President Trump's businesses. The new EPIC request follows EPIC's pending lawsuit for the release of Trump's personal tax returns. The request seeks the release of tax records concerning settlements with the IRS, which the agency is required to disclose to the public upon request. EPIC previously called on the IRS to release the President's tax returns to correct misstatements of fact about his financial ties to Russia. President Trump tweeted "I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim contradicted by the President's lawyers. EPIC v. IRS, which is now before the D.C. Circuit Court of Appeals, is one of several FOIA cases EPIC is pursuing concerning Russian interference in the 2016 Presidential election. EPIC is also litigating EPIC v. ODNI (scope of Russian interference), EPIC v. FBI (response to Russian cyber attack), and EPIC v. DHS (election cybersecurity). (Feb. 5, 2018)

  • EPIC has filed an amicus brief with a federal appeals court urging the court to reject a proposed class action settlement over Facebook's practice of scanning private messages. EPIC challenged the settlement because it did not require Facebook to stop scanning private messages. In fact, the company can continue scanning messages by simply burying a notice on its website. Also, there was no compensation to Internet users for the prior violation of federal and state laws. EPIC is dedicated to class action fairness in privacy cases and has objected to many similar settlements that failed to provide actual benefits to Internet users. EPIC recently opposed a settlement with Google that allows the company to continue tracking web users. EPIC also opposed a settlement with Facebook in 2014 that allowed the company to continue an unlawful practice. (Feb. 2, 2018)

  • Senators Jerry Moran (R-KS) and Richard Blumenthal (D-CT) wrote Federal Trade Commission Acting Chair Maureen Ohlhausen to urge the FTC to investigate companies that use fraudulent automated accounts to influence social media. The techniques, known as "amplification bots," follow, retweet, and like social media content to boost a client's visibility. The Senators' letter follows a recent New York Times report on Devumi, a company engaged in such practices. Devumi's bots often steal identities, using the photos and personal information of real people, some of whom are minors. The Senators called these practices a "unique kind of social identity theft" that "have the effect of distorting the online marketplace and creating a false sense of celebrity, credibility, or importance in people, companies, or institutions that may not deserve it." The practice also violates state privacy laws concerning "the right of publicity," which EPIC has defended. (Feb. 1, 2018)

  • In response to a white paper on data protection from the Indian government, EPIC provided detailed comments, backing comprehensive legislation. The white paper analyzes data protection laws from around the world, comparing the approaches of different countries. The Indian government proposes a data protection framework based on seven principles: (1) technology agnosticism, (2) holistic application, (3) informed consent, (4) data minimization, (5) controller accountability, (6) structured enforcement, and (7) deterrent penalties. In comments on the proposal, EPIC backed India's efforts to adopt data protection legislation, and also recommended a private right of action and breach notification. Last year, the Supreme Court of India ruled that privacy is a fundamental right. EPIC's report Privacy and Human Rights provides an overview of privacy frameworks around the world. (Jan. 31, 2018)

  • Professor Jennifer Daskal, Dr. Whitfield Diffie and former Dean Harry Lewis have joined the EPIC Board of Directors. Daskal is an Associate Professor at the Washington College of Law and a leading expert in criminal law, national security law, and constitutional law. Diffie is an American cryptographer, one of the pioneers of public-key cryptography, and a recipient of the Turing Award, the most prestigious award in the field of computer science. Lewis is a professor of computer science at Harvard University, former dean of Harvard College, and the author of several books on technology and education. The members of the EPIC Board of Directors are chosen from the EPIC Advisory Board, distinguished experts in law, technology, and public policy. (Jan. 31, 2018)

  • EPIC, the Center for Commercial Free Childhood, and others have urged Mark Zuckerberg to shutter Facebook's "Messenger Kids" app. The groups cited rising concern about social media among adolescents and wrote it is irresponsible to encourage preschoolers to use Facebook products. Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) have questioned Facebook about the Messenger Kids app. EPIC recently backed a campaign that led Mattel to cancel a device that spies on young children. EPIC also led efforts to require Facebook to respect the privacy rights of WhatsApp users. (Jan. 30, 2018)

  • In advance of a hearing on "Protecting Privacy, Promoting Policy: Evidence-Based Policymaking and the Future of Education," EPIC wrote a statement to the House committee, expressing support for both evidence-based policy and student privacy. EPIC explained that privacy enhancing technologies are necessary to protect student data, because even where data has been de-identified it may still be possible to extract personal data. In 2014 EPIC urged Congress to adopt the Student Privacy Bill of Rights to safeguard student privacy. EPIC also testified before the Commission on Evidence-Based Policymaking, and recommended innovative privacy techniques to protect personal data that also enable informed public policy decisions. (Jan. 30, 2018)

  • The Court of Justice of the European Union, following an advisory opinion, has determined that Max Schrems's class action in Austria cannot proceed against Facebook, but individual privacy claims can. The Court granted Schrems standing, recognizing that "the activities of publishing books, giving lectures, operating websites," and similar activities do not entail the loss of "a user's status as a 'consumer.'" However, the Court found that "the consumer forum cannot be invoked" in "claims assigned by other consumers." The class action of 25,000 consumers brought by Austrian privacy activist and EPIC Advisory Board member Max Schrems alleges that Facebook violated Europeans' privacy rights, including for transferring data to the U.S. intelligence community. Max Schrems recently launched NOYB to pursue class actions under the General Data Protection Regulation. In 2013, Max Schrems received the EPIC International Champion of Freedom Award. (Jan. 30, 2018)

  • Rep. Ros-Lehtinen (R-FL) and Rep. Schneider (D-IL) introduced the Defending Elections from Threats by Establishing Redlines Act of 2018 to deter foreign interference in U.S. elections. The bipartisan legislation stipulates that if the Director of National Intelligence determines that the Russian government knowingly interfered in a U.S. election, the President is required to impose sanctions on Russia's aerospace, banking, defense, energy, intelligence and mining industries. The bill is a direct response to Russian interference in the 2016 Presidential election. EPIC is currently pursuing several related FOIA cases, including EPIC v. FBI (cyberattack victim notification), EPIC v. ODNI (Russian hacking), EPIC v. IRS (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity). (Jan. 29, 2018)

  • 2017 marked the "worst year ever" for data breaches, according to a pair of reports by Thales and the Online Trust Alliance. Data breaches nearly doubled from 2016 to 2017, and 73% of all U.S. companies have now been breached. Noteworthy were the data security failures of Equifax and Uber. In testimony before the Senate Banking Committee following the Equifax breach last year, EPIC called on Congress to enact meaningful reforms, including default credit freezes and prompt data breach notification. Two years ago, EPIC launched the DataProtection2016 campaign to promote stronger privacy safeguards in the U.S. (Jan. 25, 2018)

  • EPIC presented the 2018 International Privacy Champion Award to Gus Hosein, director of Privacy International, and Professor Artemi Rallo, the former chair of the Spanish Data Protection Agency. The award to Hosein recognized his work, "defending privacy in the UK and around the world." The award to Rallo described him as a "constitutional scholar, data protection advocate, friend of civil society." Announcement. Photo. The 2018 EPIC Champion of Freedom Awards will be held at the National Press Club in Washington, DC on June 6, 2018. (Jan. 25, 2018)

  • The U.S. Court of Appeals for the D.C. Circuit will hear arguments this week in EPIC v. FAA, a lawsuit concerning the FAA's failure to establish privacy rules for commercial drones. EPIC's case is based on an Act of Congress requiring a "comprehensive plan" for drone deployment in the United States and a petition, backed by more than one hundred organizations and privacy experts, calling for privacy safeguards. As EPIC argued in a brief to the Court, "It is not possible to address the hazards associated with drone operations without addressing privacy in the final rule for small commercial drones." Arguments will be held Thursday morning at the American University Washington College of Law. EPIC Senior Counsel Alan Butler will argue the case. EPIC's case is EPIC v. FAA, No. 16-1297 (D.C. Cir.). (Jan. 24, 2018)

  • EPIC submitted a statement to the Senate Armed Services Committee in advance of a hearing on "Global Challenges and U.S. National Security Strategy." Last year, the White House released a National Security Strategy report that laid out the administration's goals. EPIC supports many of the goals stated in the report, including enhanced cybersecurity, support for democratic institutions, and protection of human rights. EPIC wrote to the committee to seek assurances that those goals will remain priorities for this administration. EPIC also said "perhaps it is a firewall and not a border wall that the United States needs to safeguard our national interests at this moment in time." (Jan. 24, 2018)

  • In advance of a hearing on self-driving cars, EPIC submitted a statement to the Senate on the privacy and security risks of autonomous vehicles. Researchers have been able to hack connected cars, and the vehicles have caused several accidents. EPIC told the Senate that industry self-regulation has not been effective and that "national minimum standards for safety and privacy are needed to ensure the safe deployment of connected vehicles." EPIC has worked extensively on the privacy and data security implications of connected cars, having testified on "The Internet of Cars" and submitted numerous comments to the National Highway and Transportation Safety Agency. In a recent amicus brief to the Supreme Court, EPIC underscored the privacy risks of modern vehicles, which collect vast troves of personal data. (Jan. 24, 2018)

  • In advance of a hearing on the nomination of Adam Klein to the Privacy and Civil Liberties Oversight Board, EPIC urged the Senate to oppose the nomination. EPIC explained that "PCLOB plays a vital role safeguarding the privacy rights of Americans and ensuring oversight and accountability of the Intelligence community." EPIC also said that the nominee "does not appreciate the full extent of the privacy interests at stake in many of the most significant debates about the scope of government surveillance authority." EPIC has a particular interest in the work of the PCLOB. In 2003 EPIC testified before the 9-11 Commission and urged the creation of an independent privacy agency to oversee the surveillance powers established after 9/11. EPIC also set out priorities for the PCLOB and spoke at the first meeting of the Oversight Board in 2013. (Jan. 24, 2018)

  • In a decision that could jeopardize relations with Europe, Congress has renewed "Section 702" of the Foreign Intelligence Surveillance Act, which permits broad surveillance of individuals outside of the United States. The FISA Amendment Reauthorization Act also permits government surveillance of Americans and restarts the controversial "about" collection program. Congress rejected updates, including limits on data collection, that would preserve a privacy agreement between Europe and the United States. The European Court of Justice will also soon decide whether to allow data transfers from Ireland to the United States. EPIC served as the US NGO amicus curiae in that case. (Jan. 18, 2018)

  • In advance of a hearing on the Internet of Things, EPIC urged Congress to consider the privacy and safety risks of internet-connected devices. EPIC told Congress that the Internet of Things "poses risks to physical security and personal property" because data "flows over networks that are not always secure, leaving consumers vulnerable to malicious hackers." EPIC said that Congress should protect consumers. EPIC is a leader in the field of the Internet of Things and consumer protection. EPIC has advocated for strong standards to safeguard American consumers and testified before Congress on the "Internet of Cars." (Jan. 18, 2018)

  • EPIC has filed an amicus brief in United States v. Microsoft, a case before the US Supreme Court concerning law enforcement access to personal data stored in Ireland. EPIC urged the Supreme Court to respect international privacy standards and not to extend U.S. domestic law to foreign jurisdictions. EPIC wrote, the "Supreme Court should not authorize searches in foreign jurisdictions that violate international human rights norms." EPIC cited important cases from the European Court of Human Rights and the European Court of Justice. EPIC has long supported international standards for privacy protection, and EPIC has urged U.S. ratification of the Council of Europe Privacy Convention. EPIC routinely participates as amicus curiae in privacy cases before the Supreme Court, most recently in Carpenter v. United States (privacy of cellphone data), Byrd v. United States (searches of rental cars), and Dahda v. United States (wiretapping). (Jan. 18, 2018)

  • In response to a request for comments from the Maryland legislature, EPIC submitted a statement in support of a bill to prohibit law enforcement from obtaining data recorded by a smart meter without a warrant. Smart meters collect personal data about the use of utility services that can reveal when a person is at home and what they are doing. EPIC stated that "the routine collection of this data, without adequate privacy safeguards, would enable ongoing surveillance of Maryland residents without regard to any criminal suspicion." EPIC said that HR 56 is a "model privacy law that enables innovation while safeguarding personal privacy." EPIC has testified in Congress and submitted comments to NIST and the state of California on smart grid privacy. EPIC has also submitted amicus briefs on Fourth Amendment cases before the Supreme Court, including Carpenter v. United States and Byrd v. United States. (Jan. 16, 2018)

  • At a Senate hearing today, DHS Secretary Kirstjen Nielsen stated that DHS would not undertake a new investigation of voter fraud. EPIC submitted a statement in advance of the hearing, asking Senators to seek assurances that DHS would not pursue the work of the recently disbanded Presidential Advisory Commission on Election Integrity, as former Vice Chair Kris Kobach had suggested. In response to a question from Senator Kamala Harris, Nielsen answered that Kobach does not have any role at DHS. Although Nielsen stated that DHS would not pursue any new work, she indicated that the agency would continue to work with states pursuing voter fraud investigations. EPIC recently filed a FOIA lawsuit against DHS seeking communications with the Commission regarding the transfer of personal voter data. The Commission, facing a lawsuit by EPIC, was terminated earlier this month. EPIC's lawsuit led the Commission last year to suspend the collection of voter data. (Jan. 16, 2018)

  • EPIC sent a statement to the Senate Judiciary Committee in advance of a DHS Oversight Hearing, to seek assurances that "the DHS will not continue the activities of the Presidential Advisory Commission on Election Integrity." After the Commission was disbanded in the wake of EPIC’s lawsuit, the former Vice Chair told reporters that he intended to continue the work of the Commission at the DHS. But EPIC told the Senate committee that the Commission has no authority to transfer the voter data and warned that the DHS would be subject to federal lawsuits if it assembled a database of voter information. EPIC also urged the Senate to confirm that the personal data provided by DACA applicants will not be misused by DHS, and that DHS biometric programs will not be expanded until transparency obligations are fulfilled and privacy safeguards are established. The EPIC letter follows a statement last week from civil rights and government oversight organizations to the DHS Secretary, seeking assurance that there will be no transfer or collection of state voter data. (Jan. 15, 2018)

  • EPIC has asked the D.C. Circuit Court of Appeals to void last month's ruling in which the Court refused to order the Presidential Election Commission to conduct a Privacy Impact Assessment. The Commission, which unlawfully sought to collect state voter data on hundreds of millions of Americans, was disbanded last week by President Trump. The Commission's sudden demise unfairly prevents EPIC from appealing the Court's legal reasoning because there is no "live" dispute left for a higher court to consider. EPIC's lawsuit led the Commission to suspend the collection of voter data last year, discontinue the use of an unsafe computer server, and delete voter information that was unlawfully obtained. EPIC's case against the Commission is EPIC v. Commission, No. 17-1320 (D.D.C.) & 17-5171 (D.C. Cir.). EPIC filed a separate lawsuit on Monday for communications between the Department of Homeland Security and the Commission regarding the transfer of personal voter data. (Jan. 11, 2018)

  • Senators Elizabeth Warren (D-MA) and Mark Warner (D-VA) have introduced legislation to hold credit reporting agencies accountable for data breaches. The Data Breach Prevention and Compensation Act establishes an office of cybersecurity within the FTC to give it direct supervisory authority over the credit reporting industry and imposes mandatory penalties for breaches involving consumer data at credit reporting agencies. The bill is a direct response to the Equifax data breach last year that exposed the sensitive personal information of over 145 million Americans. "Senator Warner and Senator Warren have proposed a concrete response to a serious problem facing American consumers," said EPIC President, Marc Rotenberg. EPIC testified before Congress last year following the Equifax breach, urging legislation to give consumers more control over their credit reports. Senators Warren and Brian Schatz (D-HI) also introduced a bill last year that would allow consumers to freeze and unfreeze their credit reports for free. (Jan. 10, 2018)

  • As the result of a Freedom of Information Act lawsuit EPIC v. NSD, EPIC has obtained a report from the Department of Justice National Security Division detailing the FBI's use of foreign intelligence data for a domestic criminal investigation. Section 702 of the Foreign Intelligence Surveillance Act authorizes the surveillance of foreigners located abroad. However, the FBI can also use this data to investigate Americans. The report obtained by EPIC also shows that the FBI analyst failed to follow internal guidance to notify superiors of the search, raising questions about whether the FBI is accurately reporting these searches. The USA Rights Act, now pending in Congress, would require a federal agency to obtain a warrant to search foreign surveillance data for information on Americans. (Jan. 9, 2018)

  • The Federal Trade Commission released a brief report summarizing a June 2017 workshop, co-hosted with the National Highway Traffic Safety Administration, on connected vehicles. While the report acknowledges consumer privacy interests, the report offers no concrete proposals for how the FTC will address the privacy and safety risks of connected cars. EPIC submitted comments to the FTC and NHTSA and gave a presentation at the FTC workshop, calling for national safety standards for connected cars. In a recent amicus brief to the Supreme Court, EPIC also underscored the privacy risks of rental cars, which collect vast troves of personal data. The Senate is currently considering a bill on connected cars and the NHTSA recently released revised guidance for connected cars, but both lack mandatory safety standards and encourage industry self-regulation. (Jan. 9, 2018)

  • In response to a request for comments, EPIC has urged the FBI to expand its use of name-based — rather than fingerprint-based — background checks for noncriminal purposes, such as employment. The FBI currently uses fingerprints, stored in the Next Generation Identification (NGI) database, to conduct non-criminal background checks. "Names checks" were only conducted for individuals whose fingerprints failed the NGI matching requirements. EPIC told the FBI that the "name-based background check accomplishes the same purpose as the fingerprint-based background check without requiring the collection of sensitive biometric information." EPIC has opposed the expansion of the NGI system for non-law enforcement purposes. EPIC has also pursued a series of Freedom of Information Act requests to assess the reliability of the NGI system. (Jan. 9, 2018)

  • EPIC has filed a lawsuit against the Department of Homeland Security for communications between the agency and the Presidential Commission on Elections regarding the transfer of personal voter data. EPIC filed a Freedom of Information Act request with the DHS after the Commission tried to collect records from federal agencies to match against state voter records, but the agency failed to respond to EPIC's request. Last year, EPIC filed a lawsuit against the Commission that led to the suspension of the collection of voter data. EPIC v. Commission is still pending in federal court. EPIC filed the recent suit after President Trump said he asked DHS "to determine the next course of action" after he dissolved the Commission. (Jan. 9, 2018)

  • The Supreme Court will hear arguments in Byrd v. United States, concerning the warrantless search of a rental vehicle. EPIC filed an amicus brief in the case urging the Supreme Court to recognize that a modern car collects vast troves of personal data. EPIC explained cars today "make little distinction between driver and occupant, those on a rental agreement and those who are not." EPIC pointed to the routine collection of cell phone contents with a Bluetooth connection, data which is stored in the car even after "deletion." EPIC also emphasized that the status of the driver has no bearing on Fourth Amendment privacy interests. EPIC's Natasha Babazadeh prepared an explainer video of the case. (Jan. 8, 2018)

  • Through a Freedom of Information Act request, EPIC has obtained former Secretary of Homeland Security John Kelly's notes for an interview with NPR about border security. The notes include talking points about southwest border security and the construction of the southwest border wall. During the interview, Mr. Kelly also described DHS's plans to increase vetting of immigrants and coordination with the White House, despite the fact these issues were not included in the talking points. EPIC previously warned the House Oversight Committee that enhanced surveillance at the border will impact the rights of U.S. citizens. As a result of an earlier FOIA lawsuit, EPIC found that Customs and Border Protection is already deploying drones with facial recognition technology near the border. (Jan. 8, 2018)

  • EPIC and ten civil rights and government oversight organizations have sent a letter to DHS Secretary Nielsen, urging her not to accept any personal data from the now defunct Presidential Advisory Commission on Election Integrity. The groups explained that the Commission lacks legal authority to transfer personal data to the Commission. The groups also warned that the DHS would be subject to numerous federal laws if it were to acquire state voter data. EPIC and the organizations brought several lawsuits against the Commission. EPIC's lawsuit led the Commission to suspend the collection of voter data in July 2017. President Trump disbanded the Commission on January 3, 2018. However, former Vice Chair Kris Kobach told reporters that he intends to resume the work of the Commission at the Department of Homeland Security. (Jan. 8, 2018)

  • The Center for Class Action Fairness has asked the U.S. Supreme Court to decide whether a settlement that awards funds to certain organizations and fails to compensate injured class members is fair. The settlement involved Google's tracking of Internet users in violation of users' privacy settings but resulted in no change in business practices or payment to class members. Some of the organizations that received class settlement funds are separately funded by Google. EPIC recently filed an amicus brief opposing a similar settlement in a related class action against Google. EPIC has also opposed settlements against Facebook and Google that failed to compensate class members or change business practices. EPIC President Marc Rotenberg has proposed an objective basis to evaluate settlement proposals. The Supreme Court has yet to address cy pres fairness, but Chief Justice John Roberts, in Marek v. Lane concerning Facebook's Beacon program, echoed the concerns of EPIC when he wrote that the "vast majority of Beacon's victims" got nothing. (Jan. 8, 2018)

  • The Federal Trade Commission announced a settlement with VTech Electronics over charges that the company collected personal information from children without parental consent and failed to provide data security. In 2015, Senators Edward Markey (D-MA) and Joe Barton (R-TX) inquired about VTech's privacy practices after the toy company was hacked, exposing the personal information of millions of children. EPIC and a coalition of consumer organizations recently renewed their call to the FTC to take action on toys that spy, one year after the groups filed a complaint with the FTC regarding dangerous internet-connected toys. The Children's Online Privacy Act (COPPA) sets forth strict requirements for the collection of information from children. In a recent interview with NBC Nightly News, EPIC's Sam Lester highlighted the dangers these toys pose from hackers. EPIC has supported numerous efforts to oppose toys that spy, including a successful effort in 2017 to recall Mattel's Aristotle. (Jan. 8, 2018)

  • The Presidential Election Commission, which unlawfully sought to collect state voter data on hundreds of millions of Americans, was disbanded Wednesday by President Trump. The Commission had faced an ongoing lawsuit by EPIC over its failure to conduct and publish a Privacy Impact Assessment before collecting personal data, as required by law. EPIC’s lawsuit led the Commission to suspend the collection of voter data last year, discontinue the use of an unsafe computer server, and delete voter information that was unlawfully obtained. Many states and over 150 members of Congress opposed the Commission’s efforts to collect state voter data. In a statement, the President said that he had asked the Department of Homeland Security “to determine next courses of action.” EPIC has a pending Freedom of Information Act request to the DHS for records concerning the federal government’s collection of personal data on voters. EPIC’s case against the Commission, which remains open, is EPIC v. Commission, No. 17-1320 (D.D.C.) & 17-5171 (D.C. Cir.). (Jan. 3, 2018)

  • The Federal Trade Commission has given final approval to a settlement with Lenovo over its practice of pre-installing adware onto consumers' laptops. The complaint alleged that the adware transmitted consumers' personal information to third parties and made consumers' laptops vulnerable to cyberattacks. The settlement prohibits Lenovo from misrepresenting any pre-installed software, but imposes no fines and allows Lenovo to continue pre-installing adware onto consumers' laptops. EPIC has routinely urged the FTC to strengthen its privacy settlements, and recently emphasized the need for the FTC to step up its data protection in comments on the FTC's five-year strategic plan. (Jan. 3, 2018)
