Previous Top News: 2020


  • Last week, Pennsylvania’s State Supreme Court ordered election officials not to count so-called “naked ballots” in the 2020 Election. These are mail-in ballots that arrive without an inner secrecy envelope. Pennsylvania's two-envelope ballot system includes a "secrecy envelope" that does not have personally identifiable information. The purpose of the secrecy envelope is to ensure that voter privacy is protected, but the state Supreme Court has now ruled that failure to lose the envelope would invalidate a ballot. There is a concern that voters who are submitting their ballots by mail for the first time might not understand the two-envelope system. The state has committed to increasing voter outreach and education to ensure that voters understand the need to use the secrecy envelope. Voters should check the Pennsylvania Mail-in & Absentee Ballots webpage and instructional video for more information on how to properly vote by mail. If Pennsylvania voters provide their email when registering for a mail-in ballot, they can receive ballot application and processing information. Voters can also track the status of their ballots online. Pennsylvania voters' mail-in ballot must be postmarked or returned to a designated drop off location by 8pm on Election Day. Anyone who is voting by mail or absentee should track the status of their ballots, and EPIC recently launched an interactive map to link voters to their state election resources. (Sep. 24, 2020)

  • In a report, the Department of Homeland Security's Office of Inspector General found that Customs and Border Protection failed to safeguard pictures of travelers obtained for a facial recognition pilot program, the Biometric Entry-Exit Program. The pictures were exposed in a data breach of a CBP subcontractor, Perceptics, LLC. OIG found that the CBP failed to undertake sufficient information security practices to prevent Perceptics from obtaining the data. At least 17 of the images were ultimately released on the dark web. EPIC leads an ongoing campaign to Ban Face Surveillance. In 2018 EPIC urged CBP to suspend its Biometric Entry-Exit Program. EPIC previously obtained documents on that program through a FOIA lawsuit. (Sep. 24, 2020)

  • In a statement to the Senate Commerce Committee before a hearing on the need for federal privacy legislation, EPIC urged lawmakers to establish an independent U.S. Data Protection Agency. EPIC laid out the FTC's typical privacy playbook: consent decrees, infrequent penalties, and no meaningful changes in business practices. "The FTC does not have the motivation or the tools necessary to enforce meaningful privacy and data protection rights in 2020," EPIC said, pointing to settlements the FTC had reached with Facebook, Google, YouTube, Uber, and Equifax. EPIC also noted the FTC's failure to use its existing authority to regulate privacy, including its rulemaking authority under Section 5 to establish stronger data security standards. "If the FTC fails to use these authorities, then the Commission is not capable of protecting Americans’ privacy, and the Commission should no longer be trusted to do so," EPIC stated. EPIC urged the Committee to hold a hearing on and give a favorable report to S. 3300, the Data Protection Act filed by Senator Gillibrand, which creates an independent U.S. Data Protection Agency.

    (Sep. 22, 2020)

  • EPIC has sent demand letters to Oracle and TikTok warning both of their legal obligation to protect the privacy of TikTok users if the companies enter a partnership. Last week, following President Trump's threat to effectively ban TikTok from the United States, Oracle reached a tentative agreement to serve as TikTok's U.S. partner and to "independently process TikTok's U.S. data." But the deal, which would pair one of the largest brokers of personal data with a social network of 800 million users, presents grave privacy and legal risks. "Absent strict privacy safeguards, which to our knowledge Oracle has not established, [the] collection, processing, use, and dissemination of TikTok user data would constitute an unlawful trade practice," EPIC wrote. EPIC warned Oracle and TikTok that unless they "adequately protect the privacy of TikTok users"—for example, by committing not to sell TikTok user data or merge it with Oracle products—EPIC intends to bring a lawsuit against both companies under the D.C. Consumer Protection Procedures Act. EPIC previously used the same law to force AccuWeather to stop deceptively gathering users' location data. EPIC and a coalition of consumer groups recently filed a Federal Trade Commission complaint against TikTok for violating the Children's Online Privacy Protection Act. (Sep. 21, 2020)

  • The Justice Department, as part of an open government lawsuit brought by EPIC, has released another round of previously unpublished material from the Mueller Report. The newly disclosed passages are listed in the "Redaction" column of a DOJ spreadsheet—though outside of their original context from the Mueller Report. The spreadsheet was originally drafted to answer questions from Judge Reggie B. Walton, who is conducting an "in camera" review of the complete Mueller Report after determining that Attorney General Bill Barr's redactions may have been "self-serving." Among the newly disclosed material is an excerpt from an Internet Research Agency document that describes the Russian government's goal of "spread[ing] distrust towards the candidates and the political system in general" and states that "All the primaries are purchasable." The DOJ previously released new passages from the Mueller Report in June, and the court is expected to decide soon whether additional material must be published. EPIC's Freedom of Information Act case—the first in the nation for the disclosure of the Mueller Report—is EPIC v. DOJ, No. 19-810. (Sep. 18, 2020)

  • Senators Roger Wicker, John Thune, Marsha Blackburn, and Deb Fischer have introduced the “SAFE DATA Act,” which relies on the outdated notice-and-choice model that allows companies to diminish the rights of consumers and use personal data to benefit the company but not the individual. "Senator Wicker’s SAFE DATA Act allows companies to collect any personal data it pleases as long as it discloses it in its privacy policy,” said EPIC Policy Director Caitriona Fitzgerald. "And it prohibits states from adopting or enforcing any data privacy or data security laws. The SAFE DATA Act is very weak compared to Senator Gillibrand’s Data Protection Act, Senator Brown’s discussion draft, and the Online Privacy Act introduced in the House.” EPIC's recent report on federal privacy legislation Grading on a Curve: Privacy Legislation in the 116th Congress evaluates federal privacy bills. EPIC has called for comprehensive baseline, federal legislation and the creation of a data protection agency. (Sep. 18, 2020)

  • In comments to the Federal Communication Commission's Technological Advisory Council, EPIC urged the FCC to "support the establishment of a strong regulatory framework to ensure AI transparency and accountability within the agency and the private sector." EPIC's comments are directed to the TAC's AI Working Group, which analyzes the role of AI in telecommunications networks and services. EPIC recently submitted comments to the EU urging the European Commission to enact comprehensive AI legislation. In February, EPIC filed a petition with the FTC calling for a rulemaking on the use of AI in commerce. EPIC recommends that governments rely on the Universal Guidelines for AI and the OECD AI Principles as a baseline for AI policy. (Sep. 18, 2020)

  • Rep. Will Hurd (R-TX) and Rep. Robin Kelly (D-IL) released a resolution Wednesday proposing a set principles for AI policy in the United States. The recommendations include enacting federal privacy legislation "to build trust [and] prevent harm"; developing AI standards in order to ensure "technologies that are safe, secure, reliable, and comport with the norms and values of the United States"; and conducting regular oversight of AI use in the executive branch. The resolution comes after the two representatives released multiple reports on AI with the Bipartisan Policy Center. EPIC advocates for comprehensive data protection legislation, has evaluated existing proposals for federal privacy legislation, and recommends the Universal Guidelines for AI and the OECD Principles on AI as a baseline for AI policy. (Sep. 17, 2020)

  • A federal court in Washington, D.C. will hold a closed-door hearing with the Department of Justice today in EPIC's case for disclosure of the complete, unredacted Mueller Report. Judge Reggie B. Walton is currently conducting an "in camera" review of the full Report to determine what additional information must be released to public. In June, Judge Walton said that he could not "assess the merits of certain redactions without further representations from the Department" and ordered the DOJ to attend an "ex parte" (one-on-one) hearing. After several delays due to COVID-19, that hearing will be held this afternoon. The DOJ also provided written responses to the court in July, which revealed that Judge Walton had questioned every legal basis asserted by the DOJ to withhold material in the Mueller Report. As part of those responses, the DOJ conceded that it would have to disclose additional material from the Report. EPIC's Freedom of Information Act case—the first in the nation for the disclosure of the Mueller Report—is EPIC v. DOJ, No. 19-810. (Sep. 15, 2020)

  • This week, Mauritius signed and ratified the Modernized International Privacy Convention. Mauritius became the sixth state to officially ratify the modernized Convention 108, and the 36th country to become a signatory. The Council of Europe Convention 108+ is the first and only binding international legal instrument for data protection. Updated in 2018, the Modernized Convention includes new provisions on biometric data, algorithmic transparency, enhanced oversight. Non-members of the Council of Europe are able to sign the Convention, and EPIC and consumer groups have long urged the United States to ratify the international Privacy Convention. (Sep. 15, 2020)

  • The House of Representatives has passed a bill governing the security of the Internet of Things. The "Internet of Things Cybersecurity Improvement Act of 2019" sets baseline cybersecurity standards for IoT devices purchased by the federal government. The bipartisan measure is sponsored by Rep. Will Hurd (R-Texas) and Rep. Robin Kelly (D-Ill.) “The Internet of Things grows every single day, and, by the end of next year, it will include more than 20 billion devices. The result is an astounding, unimaginable amount of data—90% of the data in the entire world was created in the last two years. America needs to keep up with this incredible trend, and that means ensuring proper security and protections—the IoT Cybersecurity Improvement Act is a step in that direction,” said Hurd. The Senate Homeland Security Committee advanced a similar bill last year. EPIC recently told Congress that "the IoT network is the weak link in consumer products" and urged the establishment of of mandatory privacy and security standards. (Sep. 15, 2020)

  • In advance of a Senate Judiciary Committee hearing on "Stacking the Tech: Has Google harmed competition in online advertising?," EPIC argued in a Medium post that the answer to that question is obviously yes, but Congress shares some of the blame. "There are many problems with today's online advertising systems," EPIC wrote, "[b]ut it didn't have to be this way. More active regulation by the government could have sustained online advertising models that were good for advertisers and businesses and for consumers, journalism, and democracy." In 2000, EPIC opposed Doubleclick's acquisition of Abacus. In 2007, EPIC told the FTC that Google's proposed acquisition of DoubleClick would lead to consumers being tracked and profiled by advertisers across the web. (Sep. 15, 2020)

  • The Bipartisan Policy Center, along with Rep. Will Hurd (R-TX) and Rep. Robin Kelly (D-IL), recently released white paper outlining recommendations for Congress to regulate the use Artificial Intelligence. The recommendations include enacting federal data privacy legislation, funding the National Institute of Standards and Technology to develop optional technological standards, and publicly releasing benchmark datasets for some applications of AI. The Center also published a report on Artificial Intelligence and National Security report this summer. EPIC advocates for the enactment of a federal comprehensive data privacy law, tracks privacy legislation, and recommends baseline mandatory technical standards for AI. (Sep. 15, 2020)

  • Oracle, of the nation's largest data brokers, has agreed a deal with TikTok's parent company ByteDance to become a "trusted technology provider" to the U.S. The U.S. government previously raised concerns about the protection of user data collected by the popular video sharing app, especially given the power of the Chinese government to obtain data from TikTok. The full details of the agreement between TikTok and Oracle are unknown, but the White House and the Committee on Foreign Investments in the U.S. still need to approve this deal. Treasury Secretary Steve Mnuchin said that the department plans to review the deal, and the department acknowledged its obligation to review the service's data protection standards. Earlier this year, EPIC and a coalition of child advocacy, consumer, and privacy groups filed a complaint to the Federal Trade Commission to investigate TikTok's failure to protect children’s privacy. (Sep. 14, 2020)

  • In a recent Boston Globe op-ed Professors Woody Hartzog, an EPIC Advisory Board member, and Neil Richards assert that Clearview AI's claim of a First Amendment right to scrape, analyze, and disseminate publicly available photos is a threat to privacy that misunderstands the right to free speech. Clearview AI's claim is a response to a lawsuit filed under Illinois' Biometric Information Privacy Act (BIPA) challenging the company’s collection of photos and sale of facial recognition services. EPIC filed an amicus brief before the 9th Circuit defending an individual's right to sue companies who violate BIPA and other privacy laws. Recently EPIC filed FOIA requests with several government agencies revealed as users of Clearview AI technology. Earlier this year, EPIC and over 40 organizations urged the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government. (Sep. 14, 2020)

  • In comments to the European Commission, EPIC urged the EU to enact robust legislation covering all uses of AI in order to protect fundamental rights. The comments came in response to the Commission's Inception Impact Statement, which presented legislative options ranging from non-regulation of AI to regulating only "high-risk" AI to regulating all forms of AI. "Oversight of both public and private uses of AI will help avoid inappropriate applications of the technology, minimize the opacity of AI decision-making, and avoid arbitrary actions and determinations," EPIC wrote. EPIC explained that is essential to regulate all forms of AI—rather than just "high risk" applications—because "[i]nformation collected under one purpose not previously determined as 'high-risk' can easily be used in a 'high-risk' purpose" later. EPIC recommends that governments rely on the Universal Guidelines for AI and the OECD AI Principles as a baseline for AI policy. (Sep. 14, 2020)

  • In a letter to the Direction of National Intelligence John Ratcliffe, EPIC joined a coalition of other groups calling for the continuation of in-person briefings to Congress on election security. The letter states, "[e]fforts to interfere with American elections are a serious threat to our democratic process and undermine public confidence in our institutions." The group emphasized that "it is critical that [ODNI] continue responding to all congressional oversight inquiries and continue to appear in-person to answer questions." EPIC is currently suing the Department of Homeland Security for records about the agency's assessment of election vulnerabilities following the 2016 presidential election and its ongoing role in protecting election systems as critical infrastructure. The agency has released hundreds of pages of records to EPIC about its role in election cybersecurity, including: DHS's contacts with election officials, state reports of election security incidents going back to 2016, meeting minutes from the DHS Election Task Force in 2017, and a September 2016 Election Infrastructure Cyber Risk Characterization Report. (Sep. 11, 2020)

  • The Irish Data Protection Commissioner has reportedly issued a preliminary order instructing Facebook to stop transferring the data of EU users to the United States. The order comes in the wake of a recent the European Court of Justice (CJEU) decision which found the Privacy Shield, which permitted companies to freely transfer users' personal data, illegally infringed EU residents' data protection and privacy rights. EPIC participated as an amicus curiae in the case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad. (Sep. 10, 2020)

  • The Portland City Council has passed two ordinances banning the use of facial recognition. One ordinance prohibits the city from using facial recognition. A second ordinance prohibits private companies from using facial recognition in public spaces. The ordinances note the technologies demonstrated "biases against Black people, women, and older people." Portland joins a growing list of cities that have banned the facial recognition technology, including Boston, Oakland, and San Francisco. EPIC has launched a campaign to Ban Face Surveillance and through the Public Voice coalition gathered the support of over 100 organizations and many leading experts across 30 plus countries. Earlier this year, an EPIC-led coalition called on the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government. (Sep. 10, 2020)

  • A report by the Government Accountability Office found that Customs and Border Protection needs to address privacy issues with the agency's deployment of facial recognition technology at ports of entry. CBP currently deploys facial recognition at 27 airports as part of their Biometric Entry-Exit Program. The GAO found that CBP has not provided adequate privacy notices or information on opting out of facial recognition to the public. Additionally, the agency has failed to implement a plan to audit privacy compliance by airline partners involved in the program. EPIC has previously explained to Congress and the CBP that its Biometric Entry-Exit program unfairly burdens travelers exercising their rights to opt-out of facial recognition. EPIC has called on Congress to suspend facial recognition at airports and earlier this year urged the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government. (Sep. 3, 2020)

  • EPIC has filed an amicus brief in the U.S. Supreme Court case Van Buren v. United States, which concerns whether a police officer violated the Computer Fraud & Abuse Act by accessing personal data in a government database for non-law enforcement purposes. EPIC’s brief argues that the CFAA was enacted “to protect personal information stored in recordkeeping systems” and the scope of the law “should be co-extensive with its data protection purpose.” EPIC wrote that government databases “hold vast quantities of some of the most sensitive personal data imaginable” and that “we need the CFAA, now more than ever, to be an extra check against abuse by the people entrusted to access sensitive data and systems.” The brief also responds to concerns about the potential scope of CFAA liability by noting that “any limiting principle should be tethered to the underlying purpose of” the provision, which is “to protect sensitive data from exposure and subsequent misuse.” EPIC has participated as amicus in LinkedIn v. hiQ Labs, which concerns the application of the CFAA to companies that scrape social media user data. The petition for review in the LinkedIn case is pending in the U.S. Supreme Court. (Sep. 3, 2020)

  • The Ninth Circuit U.S. Court of Appeals ruled today that the NSA's bulk collection of phone call metadata violated the Foreign Intelligence Surveillance Act and was likely unconstitutional. EPIC and a coalition of groups filed an amicus brief in the case, United States v. Moalin, arguing that call metadata is protected under the Fourth Amendment. "We hold that the telephony metadata collection program exceeded the scope of Congress's [FISA] authorization," the Ninth Circuit wrote. The court rejected the argument that individuals lack a Fourth Amendment expectation of privacy in call metadata simply because the data is held by phone companies. The public is "likely to perceive as private several years' worth of telephony metadata collected on an ongoing, daily basis—as demonstrated by the public outcry following the revelation of the metadata collection program," the court explained. The court cited to the coalition amicus brief and to the work of EPIC advisory board member Laura K. Donohue. However, the court declined in this particular case to exclude the unlawfully collected metadata as evidence. In In re EPIC, EPIC petitioned the Supreme Court to end the NSA's bulk phone record collection program, which occurred with the 2015 passage of the USA Freedom Act. (Sep. 2, 2020)

  • In a report released this week, AlgorithmWatch analyzed how 16 countries throughout the European Union have adopted automated decision-making tools in response to the COVID-19 pandemic. Deployment of these tools is widespread across the EU, including voluntary exposure notification apps, a mandatory app recently greenlit by Slovenian government, and an app used in Poland and Hungary that relies on geolocation and face surveillance to enforce quarantine rules. The report notes that the effectiveness of automated contract tracing "lack[s] hard evidence . . . even months after the first deployments." EPIC has published recommendations on preserving privacy during the pandemic and has called on Congress to establish privacy safeguards for digital contact tracing. (Sep. 2, 2020)

  • Documents recently disclosed in Arizona's consumer protection lawsuit against Google show that the company's employees admitted Google's location privacy settings were "confusing" and potentially misleading. The suit, brought by Arizona Attorney General Mark Brnovich, alleges that Google violated the Arizona Consumer Fraud Act by collecting and storing location data on mobile devices—even after users believed they had turned off location tracking. A newly-unsealed version of Arizona's complaint reveals that Google employees knew the interface was "[d]efinitely confusing from a user point of view[.]" One employee wrote that Google's interface "feels like it is designed to make things possible, yet difficult enough that people won't figure it out." In July, twenty-seven members of EPIC's advisory board signed a letter urging the court to reject Google's efforts to delay a decision on unsealing the documents. In 2018, EPIC told to the Federal Trade Commission that Google's surreptitious tracking of user location data violated the FTC's 2011 Google consent order. The 2011 settlement with Google followed a detailed complaint brought by EPIC and a coalition of consumer organizations. (Sep. 1, 2020)

  • EPIC, as part of the open government case EPIC v. AI Commission, has obtained additional records from the National Security Commission on Artificial Intelligence. The documents produced include a delegation letter from AI Commission chair and former Google CEO Eric Schmidt, as well as reports on AI research and "workforce automation." In June, a federal court ruled in EPIC's case that the AI Commission is subject to the Federal Advisory Committee Act. Judge Trevor N. McFadden ordered the Commission to hold open meetings, which the Commission did for the first time in July. The Commission approved a set of recommendations to Congress at the meeting. Judge McFadden previously ruled that the AI Commission is subject to the Freedom of Information Act, and the Commission began disclosing its records to EPIC in January. The case is EPIC v. AI Commission, No. 19-2906 (D.D.C.). (Sep. 1, 2020)

  • Apple and Google today announced "Exposure Notification Express," an updated version of the companies' joint digital contact tracing technology. The revised system will allow public health agencies to conduct digital contact tracing without having to develop their own independent apps. In jurisdictions that have adopted the Apple-Google system, mobile users will now be automatically notified that the contact tracing tool is available, though the system will remain opt-in only. In response to Apple and Google's original proposal for a COVID-19 contact tracing system, EPIC told Congress that it is "essential that government agencies and private companies implement standards that safeguard privacy." For digital contact tracing techniques, EPIC recommended that "(1) participation should be lawful and voluntary; (2) there should be minimal collection of personally identifiable information; (3) the system should be robust, scalable, and provable; and (4) the system should only be operated during the pandemic emergency." EPIC has also obtained records from Utah and North Dakota that underscore the privacy risks of both states' COVID-19 contact tracing apps. (Sep. 1, 2020)

  • Despite the exceptional privacy risks of biometric data collection and opaque, unproven algorithms, Amazon last week unveiled Halo, a wearable device that purports to measure "tone" and "emotional well-being" based on a user's voice. According to Amazon, the device "uses machine learning to analyze energy and positivity in a customer's voice so they can better understand how they may sound to others[.]" The device also monitors physical activity, assigns a sleep score, and can scan a user's body to estimate body fat percentage and weight. In recent years, Amazon has come under fire for its development of biased and inaccurate facial surveillance tools, its marketing of home surveillance camera Ring, and its controversial partnerships with law enforcement agencies. Last year, EPIC filed a Federal Trade Commission complaint against Hirevue, an AI hiring tool that claims to evaluate "cognitive ability," "psychological traits," and "emotional intelligence" based on videos of job candidates. EPIC has long advocated for algorithmic transparency and the adoption of the Universal Guidelines for AI. (Sep. 1, 2020)

  • Brazil’s Lei Geral de Proteção de Dados (or LGPD), enacted in 2018, will go into effect this month. The LGPD is similar to the EU's General Data Protection Regulation, granting individual rights and placing obligations on companies processing personal data. The Brazilian law also creates a National Data Protection Authority. EPIC has long advocated for the enactment of comprehensive privacy legislation and the creation of data protection agency. EPIC’s report Grading on a Curve: Privacy Legislation in the 116th Congress sets out the key elements of a modern privacy law. (Sep. 1, 2020)

  • EPIC has obtained additional documents related to federal efforts to respond to election cybersecurity threats in its suit against the Department of Homeland Security. The documents include summaries of: the DHS's contacts with election officials, state reports of election security incidents going back to 2016, meeting minutes from the DHS Election Task Force in 2017, and a September 2016 Election Infrastructure Cyber Risk Characterization Report. The incident logs reveal difficulties contacting campaign officials in the lead up to the 2016 Election and concern voiced within the agency about "unbalanced" outreach. And DHS contacts with state election officials were somewhat limited as some were wary that the critical infrastructure designation "would at a later time lead to regulation on states." In the September 2016 Election Infrastructure Cyber Risk Characterization Report, the DHS Office of Cyber and Infrastructure Analysis found that compromises in voter registration databases resulted in the potential release of personally identifiable information but not the modification of the underlying records. The DHS determined that exposure of this information could undermine public confidence in election systems. The DHS also counseled strongly against untested voting technologies, finding that the "introduction of new technologies in the voting system will increase vulnerabilities to the election system in the future," particularly the implementation of internet-connected voting systems. The case is EPIC v. DHS, 17-2047 (D.D.C.). (Aug. 19, 2020)

  • The FAA, DOJ, FCC, and DHS jointly issued the "Advisory on the Application of Federal Laws to the Acquisition and Use of Technology to Detect and Mitigate Unmanned Aircraft Systems." The advisory covers the applicable federal laws that non-federal or private entities might violate if they sought to detect or mitigate drone threats, including the Wiretap Act and Computer Fraud and Abuse Act. Congress previously granted the DOJ and DHS broad authority to detect and mitigate drone "threats" in the Preventing Emerging Threats Act of 2018 that was incorporated into the FAA Reauthorization Act of 2018. The FAA Reauthorization Act of 2018 required a report on drone surveillance risks but did not establish any baseline privacy safeguards. EPIC has repeatedly urged both Congress and the FAA to take decisive action to limit the use of drones for surveillance and to establish a national database detailing drone surveillance capabilities. (Aug. 19, 2020)

  • An algorithm was used by the UK Office of Qualifications and Examinations Regulation (Ofqual) to assign grades to students after exams were cancelled due to the COVID-19 pandemic. The tool downgraded 36% of A-level grades suggested by instructors, and students form poorer neighborhoods and state-run schools were downgraded disproportionately. After threats of lawsuits and significant public outrage, OfQual announced they will use teacher evaluations rather than the products of the algorithm. In July, the International Baccalaureate program used an opaque algorithm to assign scores that were key to college admissions. EPIC has advocated for Algorithmic Transparency and the adoption of the Universal Guidelines for AI. (Aug. 19, 2020)

  • None of Your Business, the privacy NGO established by EPIC Advisory Board member Max Schrems, has filed complaints in all 30 EU and EEA member states against 101 European companies that still forward data about each visitor to Google and Facebook. “We have done a quick search on major websites in each EU member state for code from Facebook and Google. These code snippets forward data on each visitor to Google or Facebook. Both companies admit that they transfer data of Europeans to the US for processing, where these companies are under a legal obligation to make such data available to US agencies like the NSA. Neither Google Analytics nor Facebook Connect are essential to run these webpages and are services that could have been replaced or at least deactivated by now.” says Max Schrems, honorary chair of noyb.eu. The complaints come in the wake of a recent the European Court of Justice (CJEU) decision which found the Privacy Shield, which permitted companies to freely transfer users' personal data, illegally infringed EU residents' data protection and privacy rights. EPIC participated as an amicus curiae in the case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad. (Aug. 18, 2020)

  • The U.S. Government Accountability Office has released a key report about privacy and discrimination risks posed by the commercial use of facial recognition. The GAO completed the report in response to research showing the disparate impact the technology has on minorities, including a National institute of Science and Technology study which found that facial recognition systems misidentify Black women at disproportionately high rates. The GAO report finds that, despite improvements in facial recognition technology, "differences in performance exist for certain demographic groups." The GAO report reiterates the office’s 2013 recommendation urging Congress to update the federal consumer privacy framework to reflect changes in technology. EPIC advocates for a comprehensive federal privacy law and has called for a moratorium on face surveillance. (Aug. 13, 2020)

  • The D.C. Circuit has ruled that it lacks jurisdiction to hear the appeal of CareFirst customers whose data was stolen in a 2014 data breach. The lower court in Attias v. CareFirst dismissed most of the plaintiffs and claims in the case for failure to allege damages and certified the dismissed claims for appeal. The D.C. Circuit determined that some of the claims could not be appealed until the remaining claims were resolved by the lower court, and it was not clear whether the district court judge intended to certify the claims of the dismissed plaintiffs alone. The decision comes over a year after the parties briefed the substantive questions on appeal. EPIC filed an amicus brief that urged the court to impose a duty of reasonable data protection on businesses to ensure that companies protect the personal data they collect. EPIC also filed an amicus brief in the case the last time it was in the D.C. Circuit on a challenge to consumer standing. The D.C. Circuit held that the CareFirst consumers had standing to sue for the data breach. (Aug. 11, 2020)

  • Through a Public Information Act request to the Texas Department of Public Safety, EPIC obtained records about the department's use of two Pilatus surveillance planes, including videos recorded during the George Floyd protests. Reports have indicated that these planes, purchased by the state for border operations, were used to surveil cities hundreds of miles from the border. EPIC obtained flight logs from January 1, 2018 to June 15, 2020, plane technical specifications and the department's video retention policy. The flight logs revealed that the surveillance planes flew an average of one flight per day between May 25 to June 15, 2020, with a total of 103 hours of total flight time. In over ninety percent of these flights, the planes recorded no video. The planes reportedly cost an average of $474 an hour to fly, and the Texas DPS spent roughly $49,000 to record three videos over the three-week span. The Texas DPS withheld three videos recorded between May 25 to June 15, 2020, during the height of the George Floyd protests, despite its video retention policy stating that "all retained video copies...will be subject to open records requests." EPIC has long highlighted the privacy and civil liberties implications of aerial surveillance technology and has called on Congress to "establish drone privacy safeguards that limit the risk of public surveillance." (Aug. 10, 2020)

  • The New Jersey Supreme Court ruled today in State v. Andrews that an exception to the Fifth Amendment privilege against self-incrimination allows the government to compel decryption of a cell phone if the government has a valid search warrant and knows the identity of the phone’s owner. The court determined that compelled disclosure of a passcode is a testimonial act, but found that the foregone conclusion exception can apply to force decryption under certain circumstances. Importantly, the court stressed that, because the scope of the search in this case was very narrow, the decision did not license a “fishing expedition.” The court also signaled that it would apply the same restrictions to biometric passcodes as alphanumeric passcodes, stating that applying different standards to the two types of passcodes would be “problematic.” EPIC filed an amicus brief and presented oral argument in the case. Citing Riley v. California and Carpenter v. United States, EPIC argued that the vast troves of personal data stored in cell phones “justifies strong constitutional protections.” During oral argument, EPIC urged the court to adopt one rule for biometric and alphanumeric passcodes. (Aug. 10, 2020)

  • EPIC, as part of the open government case EPIC v. AI Commission, has obtained more documents from the National Security Commission on Artificial Intelligence. The records include a third-party presentation provided to the AI Commission about the use of "psychology and AI" to "help prepare an AI-enabled workforce." The presentation endorses the use of AI job screening tools like HireVue and claims that "reducing time-to-hire is as important as making good decisions." EPIC filed a Federal Trade Commission complaint last year highlighting HireVue’s unlawful failure to meet baseline standards for AI decision-making. The presentation also argues that "sociometers can be used to train AI about effective communication" in the workplace. Sociometers are "wearable electronic device[s] capable of automatically measuring the amount of face-to-face interaction, conversational time, physical proximity to other people, and physical activity levels using social signals derived from vocal features, body motion, and relative location." Separately, EPIC obtained a presentation from IARPA on "Artificial Intelligence and Threats." The case is EPIC v. AI Commission, No. 19-2906 (D.D.C.). (Aug. 7, 2020)

  • The Home Office of the UK has announced that it will halt the use of its "Visa Streaming" algorithm. This change is the result of a settlement in a lawsuit brought to challenge use of the algorithmic decision system by the UK Government. The system produced a "traffic light" assessment of visa applicants (Green, Yellow, or Red ) that informed how they would be treated during the visa approval process. The algorithm used for the assessments is not transparent, and critics have raised concerns that the system was discriminating against individuals based on their nationality in a discriminatory form. The challengers in the suit alleged that the program violated the Equality Act of 2010, in that the algorithm exacerbated unequal treatment for Visa applicants from particular countries. Secretary of the Home office Priti Patel committed to redesign the program and to consider "issues around unconscious bias and the use of nationality" in the visa application process.  EPIC advocates for algorithmic transparency, has counseled the US and EU on responsible AI, and maintains a resource on algorithms used in the US Criminal Justice System. (Aug. 7, 2020)

  • The Massachusetts Supreme Judicial Court ruled this week that the Massachusetts Declaration of Rights protects the right to privacy in the areas around one's home from warrantless pole camera surveillance over several months. The court held that residents are constitutionally protected against extended surveillance when, "in the aggregate, [it] expose[s] otherwise unknowable details of a person's life." The court also refused to make privacy rights "contingent upon an individual's ability to afford to install fortifications and a moat around his or her castle." The court cited Commonwealth v. Connolly, which declared that Massachusetts residents have a right to be free from warrantless GPS surveillance under the Declaration of Rights. EPIC filed a friend of the court brief in Connolly. EPIC regularly files briefs in cases that involve emerging privacy and civil liberties issues. (Aug. 6, 2020)

  • In comments to the Federal Aviation Administration, EPIC reminded the agency of the importance of addressing the privacy risks of drones as they are integrated into the national airspace. EPIC was responding to a notice of a petition for exemption to conduct drone deliveries. EPIC urged the FAA to use the exemption process to require the implementation of privacy safeguards. Starting with a 2012 petition, EPIC has recommended that the FAA establish drone privacy regulations and to ensure that drones broadcast an ID. Earlier this year, EPIC, joined by other organizations, submitted comments to the FAA regarding the agency's proposed rule for drone IDs. (Aug. 5, 2020)

  • In a statement to the Senate Commerce Committee before a Federal Trade Commission oversight hearing, EPIC urged lawmakers to establish an independent U.S. Data Protection Agency. "When it comes to data protection, the FTC is not up to the task. It is time to establish an independent federal data protection agency in the United States," EPIC wrote. EPIC pointed to the FTC's failure to both stop mergers that threaten consumer privacy and enforce its own consent orders. EPIC urged the Committee to hold a hearing on and give a favorable report to S. 3300, the Data Protection Act filed by Senator Gillibrand, which creates an independent U.S. Data Protection Agency. (Aug. 4, 2020)

  • In an amicus brief, EPIC has urged the Supreme Court to cabin agency use of the deliberative process privilege to withhold documents from FOIA requesters. The case, U.S. Fish & Wildlife Service v. Sierra Club, concerns opinions from two federal agencies about a proposed EPA rule. Parts of the agencies’ opinions and recommendations were transmitted to the EPA, and the EPA revised its rule based on this information. Nevertheless, the agencies claim that the documents are deliberative and refused to disclose them under the FOIA. EPIC’s brief argues that “agencies have taken an unjustifiably broad view of the deliberative process privilege, often improperly withholding documents that are clearly not deliberative.” EPIC has many years of experience litigating FOIA cases, and provided the Court with examples where agencies have taken an overbroad view of the privilege, such as EPIC v. DOJ (Predictive Policing Report) and EPIC v. DOJ (Warrantless Wiretapping Memoranda). EPIC regularly litigates FOIA cases and files amicus briefs on open government issues. (Aug. 3, 2020)

  • A bipartisan group of lawmakers led by Senators Ron Wyden [D-Ore.] and BIll Cassidy [R-La.] today called on the Federal Trade Commission to investigate the online ad economy. Wyden, Cassidy and other members asked the FTC to investigate how personal data, including the tracking of individuals at places of worship and protests, collected from Americans’ phones to deliver advertisements is being obtained by data brokers and sold without the knowledge or consent of users. The lawmakers urged the FTC to open a 6(b) investigation into the matter. Earlier this year, consumer groups called on the FTC to use its 6(b) authority to conduct a study on companies collecting data on children. No action has been taken on that request. In addition to Sens. Wyden and Cassidy, the letter is signed by Sens. Maria Cantwell, D-Wash., Sherrod Brown, D-Ohio, Elizabeth Warren, D-Mass., and Edward Markey, D-Mass. Reps. Anna Eshoo, D-Calif, Zoe Lofgren, D-Calif., Yvette D. Clarke, D-N.Y., and Ro Khanna, D-Calif., signed as well. EPIC has filed many detailed complaints with the FTC regarding consumer privacy and has called for the creation of a U.S. Data Protection Agency due to the FTC's lack of action on privacy issues. (Jul. 31, 2020)

  • A study conducted by the National Institute of Standards and Technology showed that face masks undermine the accuracy of facial recognition algorithms. The NIST study tested digitally applied masks of various shapes on 89 commercial algorithms. The result were error rates between 5% and 50%. The algorithms tested were all created pre-Covid-19. NIST plans to test facial algorithms developed with face masks in mind later this summer. A previous NIST study released at the end of last year found that false positives are up to 100 times more likely for Asian and African American faces when compared to White faces. EPIC has previously launched a Ban Face Surveillance campaign and called for a facial recognition moratorium across the globe, as well as suspension across the federal government and in U.S. schools. (Jul. 30, 2020)

  • In advance of a hearing on "Online Platforms and Market Power, Part 6: Examining the Dominance of Amazon, Apple, Facebook, and Google," where the CEOs of Amazon, Apple, Facebook, and Google will testify, EPIC told the House Judiciary Subcommittee on Antitrust that the U.S. needs a Data Protection Agency. EPIC told lawmakers that merger review must consider data protection. "The United States stands virtually alone in its unwillingness to address privacy as an increasingly important dimension of competition in the digital marketplace," EPIC said. EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC noted that if the FTC approves Google's acquisition of Fitbit, it will be the 230th firm that Google/Alphabet has acquired "with little action from U.S. antitrust regulators." EPIC also urged the Subcommittee to hold a hearing on H.R. 4978, the Online Privacy Act. EPIC's recent report, Grading on a Curve: Privacy Legislation in the 116th Congress, sets out the key elements of a modern privacy law, including federal baseline legislation and the creation of a Data Protection Agency. (Jul. 28, 2020)

  • The Transatlantic Consumer Dialogue (TACD), a coalition of US and European consumer groups, urged EU Commissioner for Justice Didier Reynders and U.S. Secretary of Commerce Wilbur Ross to stop negotiations for a new data transfer agreement following the invalidation of the EU-U.S. Privacy Shield. In Data Protection Commissioner v. Facebook & Max Schrems, the European Court of Justice (CJEU) found the Privacy Shield, which permitted companies to freely transfer users' personal data, illegally infringed EU residents' data protection and privacy rights. In its letter, TACD claims the CJEU's decision is "crystal clear," and that any future data transfer deal will not be valid until the U.S. enacts comprehensive federal privacy legislation. EPIC participated as an amicus curiae in the Schrems case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad. (Jul. 28, 2020)

  • In a statement to the Senate Commerce Committee, EPIC supported reforms to Section 230 of the Communications Decency Act. The Committee is considering the bipartisan Platform Accountability and Consumer Trasparency (PACT) Act, which requires online platforms to give notice of their content moderation policies and to make a complaint system available, and sets deadlines by which platforms must process complaints. EPIC urged the Committee to expand the Act's provisions on injunctive relief, which currently only requires platforms to take down content if ordered by a court to do so in limited types of cases. "When a court finds that content has been posted illegally or in violation of an individual’s rights, there should be a legal mechanism to order online platforms to remove that content," EPIC said. "The bill should be amended to make clear that platforms must comply with court orders to remove content deemed unlawful regardless of the type of legal claim involved." In an amicus brief in Herrick v. Grindr, EPIC objected to a court decision that found "online platforms bear no responsibility for the harassment and abuse their systems enable." (Jul. 27, 2020)

  • In an unusual development, the White House directed EPIC this week to delete a set of records that EPIC recently obtained from the Office of Science & Technology Policy—a request which EPIC declined. On Tuesday, EPIC published hundreds of records about the White House’s response to the COVID-19 pandemic and proposals to use location data for public health surveillance (1, 2, 3, 4). Hours later, a White House attorney sent EPIC a letter “order[ing]” EPIC “to immediately cease using and disclosing" one set of records and to “destroy all electronics copies.” The letter stated that OSTP had "inadvertently and erroneously" provided EPIC with an unredacted copy of the records. Although EPIC voluntarily decided to redact personal contact information contained in the documents, EPIC informed the OSTP that it would still make the records available to the public. Under the Freedom of Information Act, a federal agency is not entitled to “claw back” a record that it discloses to a requester. EPIC has filed numerous FOIA requests concerning the federal government’s COVID-19 response and has compiled a resource page about privacy and the pandemic. (Jul. 23, 2020)

  • The Department of Justice, as part of the open government case EPIC v. DOJ, has announced in a court filing that it will disclose additional material from the Mueller Report. The DOJ said it had "determined that certain information in the Report now could be released without harming government interests or pending matters." However, the DOJ asserted that it would not publish the additional material until "after the Court has issued its ruling on the redactions" to the Report. Judge Reggie B. Walton is currently conducting an "in camera" review of the complete Mueller Report to determine which passages must still be released. The court recently posed a series of questions to the DOJ about its redactions to the Report, and the DOJ responded to the court this week. Both filings are sealed from the public, but a heavily redacted version of the DOJ’s response shows that Judge Walton questioned every legal basis asserted by the DOJ to withhold material in the Report. EPIC’s case previously forced the DOJ to disclose additional material from the Mueller Report concerning Roger Stone. The case is EPIC v. DOJ , No. 19-810. (Jul. 23, 2020)

  • EPIC has released a report on Pretrial Risk Assessments. The report, Liberty at Risk: Pre-trial Risk Assessment Tools in the U.S., provides an overview of Risk Assessment Tools that practitioners and scholars can use to understand the nature of these systems, understand the broader context in which they are used, and help focus their evaluations of the fairness of these systems. EPIC hosted a panel on the topic on July 8, available to watch here. EPIC advocates for Algorithmic Transparency and maintains a resource on Algorithms in the Criminal Justice System. (Jul. 22, 2020)

  • EPIC has obtained hundreds of pages of records (1, 2, 3, 4) from the Office of Science and Technology Policy about the White House’s response to the COVID-19 pandemic and proposals to use location data for public health surveillance. The documents were produced in response to an EPIC Freedom of Information Act request. The records show that a tech sector task force closely aligned with the White House sought to aggregate “non-clinical location data” for “disease surveillance,” including cell phone location data, Uber trip data, and Google search data. OSTP described the location tracking proposals as “certainly interesting” and sought to “establish a portal/clearinghouse” for such submissions, but also told the tech sector task force that it was “not engaged in any activities relating to location data.” In one example from March, the executive director of the National Fusion Center Association proposed an “automate[d] contact tracing and notification” system to the White House. Fusion Centers are centralized systems that pool and analyze intelligence from federal, state, local, and private sector entities. EPIC has laid out numerous recommendations concerning privacy and the pandemic and has called on Congress to establish privacy safeguards for digital contact tracing. (Jul. 21, 2020)

  • EPIC, the Consumer Federation of California, and Consumer Action have filed an amicus brief urging the California Supreme Court to preserve its long-standing rule requiring all parties to consent to the recording of a call. Consumers in the case, Smith v. LoanMe, sued the online lender for surreptitiously recording customer calls in violation of the California Invasion of Privacy Act. A lower court dismissed the case because it interpreted the law as only applying to third-party eavesdroppers, not parties to the call. The California Supreme Court is reviewing the decision. The amicus brief argues that “recording a call poses unique threats to privacy because a permanent record of the private communication can be made surreptitiously without the consent, or even knowledge, of the caller.” The brief also explains that “the need to preserve California’s all-party consent law is more urgent now than ever before” because COVID-19 has forced millions of Californians “to conduct their personal and business lives remotely, relying on voice and video calls to complete their work, to pursue their education, to preserve their relationships, and to maintain basic human connections.” EPIC routinely files amicus briefs in cases implicating consumer privacy. (Jul. 21, 2020)

  • EPIC has filed a request to submit an amicus brief in the International Criminal Court concerning the recognition of an international right to privacy in cell site location information (“CSLI”). Investigators in the case, The Prosecutor v. Yekatom & Ngaïssona, obtained two years of defendant Yekatom’s cell location data from a telecommunications company in the Central African Republic without prior judicial authorization. EPIC wrote that “there is increased recognition in the international community that cell phone metadata, and CSLI in particular, can reveal sensitive personal information by allowing investigators to track an individual’s movements over time and infer their habits, social associations, and even political and religious beliefs.” Should the ICC grant EPIC’s application, EPIC will file a full amicus briefs arguing that the international right to privacy includes privacy in cell location data. EPIC filed an amicus brief in Carpenter v. United States, in which the U.S. Supreme Court determined that law enforcement could not obtain historical cell location data without a warrant. EPIC has also participated as amicus curiae in cases involving the right to privacy under international law, including most recently Irish Data Protection Commissioner v. Facebook & Schrems, in which the top European court invalidated the EU-US Privacy Shield. (Jul. 21, 2020)

  • The National Security Commission on Artificial Intelligence held its first public meeting on Monday. A recording is available here, and materials for the meeting can be found here. Public access to the meeting is the result of a recent court ruling in EPIC v. AI Commission that the Commission is subject to the transparency requirements of the Federal Advisory Committee Act. Judge Trevor N. McFadden ordered the Commission to hold open meetings and regularly publish its records in the future. Judge McFadden previously ruled that the AI Commission is subject to the Freedom of Information Act, and the Commission has disclosed thousands of pages of records to EPIC since January. The case is EPIC v. AI Commission, No. 19-2906 (D.D.C.). (Jul. 20, 2020)

  • Judges on a federal appeals court took aim yesterday at predictive policing, the practice of using algorithmic analysis to predict crime and direct law enforcement resources. The Fourth Circuit ruled that Richmond police violated the Fourth Amendment when they stopped and searched the defendant, Billy Curry, simply because he was walking near the scene of a shooting. In a dissent, Judge J. Harvie Wilkinson called the court’s decision a “gut-punch to predictive policing.” But others on the court responded to highlight the dangers and failings of the practice. Chief Judge Roger Gregory questioned whether predictive policing is "a high-tech version of racial profiling.” Judge James A. Wynn highlighted the “devastating effects of over-policing on minority communities” and explained that predictive policing “results in the citizens of those communities being accorded fewer constitutional protections than citizens of other communities.” Judge Stephanie D. Thacker warned that “any computer program or algorithm is only as good as the data that goes into it” and that predictive policing “has been shown to be, at best, of questionable, effectiveness, and at worst, deeply flawed and infused with racial bias.” EPIC has long highlighted the risks of algorithms in the criminal justice system and recently obtained a 2014 Justice Department report detailing the dangers of predictive policing. (Jul. 16, 2020)

  • Today the European Court of Justice issued a decision in Irish Data Protection Commissioner v. Facebook & Schrems, a case concerning transfers of personal data by Facebook between the EU and the United States. Specifically, the court considered the validity of transfers made from companies in the EU to companies in the U.S. pursuant to standard contracts or to the EU-U.S. Privacy Shield agreement, both of which had been authorized by the European Commission. But the court held that the Privacy Shield was invalid and that transfers could not be made under the contracts where personal data is not adequately protected. Because U.S. surveillance law authorizes the mass processing of personal data transferred from abroad, under Section 702 of FISA, it "cannot ensure a level of protection essentially equivalent to that guaranteed by the Charter." EPIC participated as an amicus curiae in the case and argued that U.S. surveillance law does not provide an equivalent level of protection because it does not provide adequate protections or remedies for non-U.S. persons abroad. EPIC was represented in this case by the Free Legal Advice Centres (FLAC) and by barristers Grainne Gilmore and Colm O’Dwyer, SC. [PRESS RELEASE] (Jul. 16, 2020)

  • Last week, the D.C. Circuit reversed a lower court decision and ruled that electronic surveillance records in closed federal investigations are subject to public access. Investigative journalist Jason Leopold and the Reporters Committee for Freedom of the Press litigated for years to unseal electronic surveillance records that allow law enforcement to collect different types of electronic information for surveillance, including metadata about a telephone subscriber's activity or cell site location information. The lower court incorrectly determined that administrative burden to providing public access to these seal records was enough to justify the interminable sealing of these records. But the D.C. Circuit reversed the lower court's decision stating "although administrative burden is relevant to how and when documents are released, it does not justify precluding release forever...Production may be time-consuming, but time-consuming is not the same thing as impossible." The D.C. Circuit noted that providing public access to judicial records like the electronic surveillance records at issue "is a fundamental element of the rule of law" and "is the duty and responsibility of the Judicial Branch." EPIC is currently litigating a case against the Department of Justice seeking the public release of information about the agency's collection of cell site location information through "§ 2703(d) orders" and warrants. The case is EPIC v. DOJ, No. 18-1814 (D.D.C.) (Jul. 13, 2020)

  • Just days after upholding the federal robocall ban against a First Amendment challenge, the U.S. Supreme Court has agreed to decide the scope of the ban in a new case, Duguid v. Facebook. Following the D.C. Circuit’s invalidation of the FCC’s definition of an “autodialer”—the technology companies use to automatically dial vast numbers of consumers— federal appeals courts have split on how to interpret the term. Telemarketers argue that an autodialer must generate random or sequential numbers, while consumers and consumer groups like EPIC maintain that the law bans systems that automatically call numbers from lists. In Gadelhak v. AT&T, EPIC argued that adopting the telemarketers’ autodialer definition “would undermine the law's effectiveness by inviting easy circumvention and rendering the restriction obsolete.” EPIC routinely files amicus briefs in cases on the Telephone Consumer Protection Act. (Jul. 9, 2020)

  • EPIC has joined a group of organizations across the political spectrum—EFF, Americans for Prosperity, the Brennan Center, FreedomWorks, and TechFreedom—to urge a federal appeals court to revive a challenge to an NSA surveillance program. A lower court judge in the case, Wikimedia v. NSA, found that Wikimedia could not demonstrate that its communications had actually been intercepted under the Upstream surveillance program—and that further litigation was barred for national security reasons. The amicus brief argues that “it is critical that those directly affected by mass foreign intelligence surveillance be able to obtain judicial review” because “FISA is broken.” EPIC has participated as amicus in several previous cases challenging FISA surveillance, including Smith v. Obama and Clapper v. Amnesty International. EPIC also brought the first challenge to the NSA telephone records surveillance program, In re EPIC, in the U.S. Supreme Court. (Jul. 9, 2020)

  • The U.S. Supreme Court ruled Thursday that a New York grand jury can obtain President Trump’s tax returns from the President’s accounting firm. In its decision from Trump v. Vance, the Court rejected the President's attempt to block the grand jury's subpoena. "Two hundred years ago, a great jurist of our Court established that no citizen, not even the President, is categorically above the common duty to produce evidence when called upon in a criminal proceeding," the Court wrote. "We reaffirm that principle today and hold that the President is neither absolutely immune from state criminal subpoenas seeking his private papers nor entitled to a heightened standard of need." EPIC filed an amicus brief in the case supporting disclosure. EPIC explained that President Trump broke with 40 years of precedent by concealing his tax records, even as he sought to collect sensitive voter and citizenship data from the public. "This is inverted liberty: privacy for the President and compelled disclosure of personal data for the public," EPIC argued. "That is antithetical to the structure and practice of modern democracies which safeguard the privacy of citizens and impose transparency obligations on political leaders, most notably the President." EPIC previously sought public release of President Trump's tax returns in EPIC v. IRS, arguing that disclosure was necessary to correct numerous factual misstatements made by the President. In EPIC v. IRS II, EPIC is seeking "offers-in-compromise" and related tax records of President Trump and his businesses. (Jul. 9, 2020)

  • On Wednesday, EPIC hosted Liberty At Risk, an event focused on pre-trial algorithmic risk assessment tools. EPIC was joined by Sean Hill, Visiting Assistant Professor at Ohio State University Moritz College of Law, Vincent Southerland, Executive Director at the NYU Law Center for Race, Inequality and the Law, and Megan Stevenson, Associate Professor at University of Virginia School of Law. The panelists discussed how the use of these tools further encode systemic biases, and offered guidance for advocates navigating bail reform and the use of these tools. A video of the panel is available here. EPIC maintains a resource tracking the use of Criminal Justice algorithms. (Jul. 8, 2020)

  • A federal court has rejected a challenge from internet services providers to Maine’s broadband privacy law. Enacted last year, the law prohibits broadband providers from using, disclosing, or selling consumers’ personal data without express consent. The ISPs had argued that the Maine law conflicted with Congress’s 2017 overturning of broadband privacy rules issued by the Federal Communications Commission and the FCC’s 2018 disclaimer of regulatory authority over broadband providers. But the ISPs’ “attempt to manufacture a conflict in this case is unavailing,” Judge Lance E. Walker wrote. The court also refused to hold that the Maine law violates the First Amendment or is unconstitutionally vague. EPIC has long advocated for comprehensive privacy legislation that would protect states’ ability to enact stronger privacy laws. (Jul. 7, 2020)

  • The National Security Commission on Artificial Intelligence will hold its first public plenary meeting on July 20, the Commission said today. The announcement comes after a ruling in EPIC v. AI Commission that the Commission is subject to the transparency requirements of the Federal Advisory Committee Act. Judge Trevor N. McFadden ordered the Commission to hold open meetings and regularly publish its records in the future. Judge McFadden previously ruled that the AI Commission is subject to the Freedom of Information Act, and the Commission began disclosing its past records in January. Registration for the Commission’s July 20 meeting will open July 8. The case is EPIC v. AI Commission, No. 19-2906 (D.D.C.). (Jul. 6, 2020)

  • A federal court, as part of an open government lawsuit brought by EPIC, has ordered the Department of Justice to answer a series of questions concerning the DOJ’s redactions to the Mueller Report. Judge Reggie B. Walton recently announced that he could not “assess the merits of certain redactions without further representations from the Department” and ordered the DOJ to attend an “ex parte” (one-on-one) hearing on July 20. Under today’s order, the DOJ is also required to file written answers by July 14. Both Judge Walton’s questions and the DOJ’s responses will be sealed from the public, the court stated. EPIC's case—the first in the nation for the disclosure of the Mueller Report—is EPIC v. DOJ, No. 19-810. (Jul. 6, 2020)

  • The U.S. Supreme Court declared that the government debt exception to the Telephone Consumer Protect Act violates the First Amendment and severed the exception, preserving the law’s important privacy protections. The case, Barr v. American Association of Political Consultants, concerned a First Amendment challenge to the law that protects consumers from robocalls and the proper remedy when an exception to a statute violates the First Amendment. EPIC defended the TCPA in an amicus brief. EPIC said that the robocall ban is "constitutionally permissible and serves important governmental interests." EPIC explained that cell phone adoption has made "the harm caused by unwanted automated calls" greater than when the robocall ban was enacted in 1991. EPIC said that "without the autodialer ban, the assault of unwanted calls could make cell phones unusable." EPIC also argued that "a minor amendment to an otherwise constitutional law, passed decades after the original enactment, should not take down an act of Congress." EPIC frequently files amicus briefs on the TCPA, including in the related case, Gallion v. Charter Communications. (Jul. 6, 2020)

  • EPIC, as part of the open government case EPIC v. AI Commission, has obtained more documents from the National Security Commission on Artificial Intelligence. Among the records is a report concerning best practices for advisory commissions that was delivered to the AI Commission in early 2019. Notably, the report contains no recommendations about transparency or public participation in the Commission’s work. A federal court recently ruled in EPIC’s case that the AI Commission is subject to the Federal Advisory Committee Act. Judge Trevor N. McFadden ordered the Commission to hold open meetings and regularly publish its records in the future. Judge McFadden previously ruled that the AI Commission is subject to the Freedom of Information Act, and the Commission began disclosing its prior records in January. The case is EPIC v. AI Commission, No. 19-2906 (D.D.C.). (Jul. 6, 2020)

  • The Senate Judiciary today unanimously approved the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act of 2020 (S. 3398) by a vote of 22-0. In a statement to the Committee on a previous version of the EARN IT Act, EPIC supported both end-to-end encryption and reform to Section 230 of the Communications Decency Act. EPIC pointed out that actual end-to-end encryption "protects users, promotes commerce, and ensures cybersecurity." The Committee today adopted an amendment from Senator Patrick Leahy that clarified that companies that provide end-to-end encryption are not subject to liability because they cannot access user communications. In an amicus brief in Herrick v. Grindr, EPIC objected to a court decision that found "online platforms bear no responsibility for the harassment and abuse their systems enable." (Jul. 2, 2020)

  • The U.S. Supreme Court will hear a case this fall over a Congressional subpoena for the complete Mueller Report, the Court announced today. The Court will review a decision by the D.C. Circuit Court of Appeals, which ruled in March that the House Judiciary Committee was entitled to redacted grand jury material from the Report. EPIC is currently litigating a Freedom of Information Act lawsuit for disclosure of the complete Mueller Report. EPIC’s suit led to the disclosure of new material from the Report last month. Judge Reggie B. Walton is also conducting an “in camera” review of the complete Mueller Report following the court’s March 5 ruling in EPIC’s case. The court is expected to decide as early as next month whether more material must be released. EPIC's case—the first in the nation for the disclosure of the Mueller Report—is EPIC v. DOJ, No. 19-810. (Jul. 2, 2020)

  • Today, EPIC and a coalition privacy, civil liberties, and civil rights groups urged Congress to "take action to prevent the harms associated with face recognition and other invasive and discriminatory surveillance technologies." The Coalition called upon Congress to pass the Facial Recognition and Biometric Technology Moratorium Act of 2020, cease funding police use of invasive and discriminatory technologies, and ensure policing reform bills prevent the use of facial recognition on body cameras and dash cams. Last year, EPIC launched a campaign to Ban Face Surveillance and through the Public Voice coalition gathered the support of over 100 organizations and many leading experts across 30 plus countries. EPIC previously testified before the Massachusetts Legislature in support of a bill to establish a moratorium on the use of facial recognition by state agencies. (Jul. 2, 2020)

  • The Association of Computing Machinery's U.S. Technology Policy Committee published a statement today calling for the "immediate suspension of the current and future private and governmental use of FR technologies in all circumstances known or reasonably foreseeable to be prejudicial to established human and legal rights." The statement notes that facial recognition technology "often compromise[s] fundamental human and legal rights of individuals to privacy, employment, justice and personal liberty." Last year, EPIC filed a complaint with the FTC against HireVue for the company's unfair and deceptive practices involving the use of facial recognition technology in evaluating job applicants. EPIC has launched a campaign to Ban Face Surveillance and through the Public Voice coalition gathered the support of over 100 organizations and many leading experts across 30 plus countries. EPIC is supporting the recently introduced Facial Recognition and Biometric Technology Moratorium Act, which would prohibit the use of facial recognition and other biometric technologies by federal agencies. (Jun. 30, 2020)

  • EPIC has filed a cross motion for summary judgement in EPIC v. DHS seeking records about the agency's assessment of election vulnerabilities in 2016 and 2018. EPIC filed the Freedom of Information Act lawsuit against the Department of Homeland Security after the agency designated election systems as "critical infrastructure" in 2017. The agency has released hundreds of pages of records to EPIC about the agency's role in election cybersecurity, but continues to withhold four categories of records including: (1) documents concerning contacts between DHS and state election officials, (2) Election Security Task Force meeting minutes, (3) the agency's assessment of cybersecurity risks to election infrastructure in September 2016, and (4) incident reports concerning vulnerabilities to election systems. EPIC explained that “[t]here is a profound and urgent public interest in the release of [these] records" because it "is necessary for the public to evaluate DHS's response to past incidents, to assess future threats to election systems, and to ensure accountability of the federal agency with the legal authority to safeguard our election systems." With the 2020 presidential election mere months away, it is critical that the public and Congress have access to these records so they can assess the effectiveness of the agency's election cybersecurity program and what steps the agency has taken to protect our democratic institutions. The case is EPIC v. DHS, No. 17-2047 (D.D.C.). (Jun. 26, 2020)

  • Senator Edward J. Markey (D-Mass.), along with Senator Jeff Merkley (D-Ore.), Congresswoman Pramila Jayapal (WA-07) and Congresswoman Ayanna Pressley (MA-07) today introduced legislation to stop government use of biometric surveillance, including facial recognition tools. The Facial Recognition and Biometric Technology Moratorium Act prohibits the use of facial recognition and other biometric technologies by federal agencies, including Customs and Border Protection. “The use of face surveillance technology needs to end. Face surveillance violates Americans’ right to privacy, treats all individuals as suspicious, and threatens First Amendment-protected rights,” said Caitriona Fitzgerald, EPIC Interim Associate Director and Policy Director. “The technology has been shown time and time again to be biased and inaccurate, frequently misidentifying people of color. EPIC has repeatedly called for a moratorium on the use of face surveillance and the Facial Recognition and Biometric Technology Moratorium Act of 2020 would stop the use of this dangerous technology. EPIC is proud to support it.” EPIC recently settled a Freedom of Information Act lawsuit against Customs and Border Protection regarding the agency's "alternative screening procedures" to determine whether travelers are able to to opt-out of facial recognition at airports. EPIC has launched a campaign to Ban Face Surveillance. Previously, EPIC and a coalition urged the Privacy and Civil Liberties Oversight Board to suspend the use of face surveillance systems across the federal government. And last year, the Public Voice coalition called for a global moratorium on face surveillance. (Jun. 25, 2020)

  • Yesterday, the Boston City Council voted unanimously to ban the use of facial recognition technology by the city of Boston. The ordinance noted the "racial bias in face surveillance" and makes it illegal for the city of Boston to "obtain, retain, possess, access, or use any face surveillance system." Several municipalities in Massachusetts have already banned the use of facial recognition. EPIC previously testified before the Massachusetts Legislature in support of a bill to establish a moratorium on the use of facial recognition by state agencies. EPIC has launched a campaign to Ban Face Surveillance and through the Public Voice coalition gathered the support of over 100 organizations and many leading experts across 30 plus countries. An EPIC-led coalition has also called on the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government. (Jun. 24, 2020)

  • EPIC has settled a Freedom of Information Act lawsuit against Immigration and Customs Enforcement. EPIC sought records about the agency's use of mobile forensic technology used to conduct warrantless searches of mobile devices. EPIC obtained ICE contracts with Cellebrite and documents showing that Cellebrite's mobile forensic technology can bypass passcodes to extract email, voicemails, video, audio, photos, web browsing activity, and historical location data. A slide entitled "Legal Considerations" explicitly cited the U.S. v. Riley case, which held in an unanimous decision that police generally require a warrant to search cell phones. EPIC's amicus brief in that case, which was joined by twenty-four legal scholars and technical experts from the EPIC Advisory Board, was cited twice in the Court's opinion. (Jun. 24, 2020)

  • In an important decision for data privacy, Germany's Federal Court of Justice sided with antitrust regulators in a case challenging Facebook’s practice of combining user data across different sources, including WhatsApp and Instagram. The Court held that Facebook’s terms of use were abusive because they did not allow users to use the platform without also consenting to Facebook’s collection of their data from other sites. The decision emphasized Facebook’s dominant market position in Germany and recognized that Facebook thus had a special responsibility towards maintaining market competition. EPIC has repeatedly urged U.S. antitrust agencies to more aggressively regulate Facebook and other platforms, whose large mergers compromise user privacy and consolidate market power in a handful of companies. EPIC recently objected to the FTC’s settlement with Facebook. EPIC continues to work with international stakeholders to ensure user privacy. (Jun. 24, 2020)

  • Senators Lindsey Graham, Tom Cotton, and Marsha Blackburn introduced the “Lawful Access to Encrypted Data Act” yesterday. The bill would would make it illegal for manufacturers to build systems that cannot be accessed by law enforcement. EPIC strongly opposes this measure. “The Lawful Access To Encrypted Data Act will make it easier for bad actors to access people’s communications. You cannot build a backdoor that only law enforcement can access. That’s not how encryption works,” said Alan Butler, EPIC Interim Executive Director. EPIC recently told the Senate Judiciary Committee that "now is not the time to undermine the systems that we all rely upon to secure our data and communications." EPIC cited growing problems of data breach and cyber attack. EPIC led the effort in the United States in the 1990s to support strong encryption tools and played a key role in the development of the international framework for cryptography policy that favored the deployment of strong security measures to safeguard personal information. EPIC also filed an amicus brief in Apple v. FBI in support of encryption. (Jun. 24, 2020)

  • The Indiana Supreme Court ruled today that the Fifth Amendment right against self-incrimination prevents law enforcement from compelling an individual to unlock their smartphone. The court declared that an exception to the Fifth Amendment did not apply because the government had not demonstrated sufficient knowledge of the files it intended to access. The court also questioned whether the exception should apply to cell phones at all because the type and amount of information cell phones contain make compelled production of their contents different than compelled production of physical documents, citing the Supreme Court’s decisions in Riley v. California and Carpenter v. United States. The court wrote that “the Supreme Court has hesitated to apply even entrenched doctrines to novel dilemmas, wholly unforeseen when those doctrines were created.” EPIC urged the New Jersey Supreme Court to adopt the same reasoning in State v. Andrews, arguing that, under Riley and Carpenter, individuals cannot be compelled to decrypt their cell phones unless the government has specific knowledge about the files it will access. The New Jersey court has not issued a ruling in the case. (Jun. 23, 2020)

  • EPIC has filed comments to the Election Assistance Commission on the Voluntary Voting System Guidelines 2.0 Requirements. EPIC urged the Commission to remove a provision allowing "recallable ballots," which are ballots that have already been cast but can be "individually retrieved." By their very definition, recallable ballots require linking the voter’s identity with the voter’s cast ballot. "This is too great a risk to our democracy and violates the VVSG 2.0 Principles themselves, as well as many state laws and constitutional provisions," EPIC told the Commission. Though states are not mandated to comply with the Voting System Guidelines, the Guidelines shape the election security market. In 2016, EPIC published a report on the importance of the secret ballot, finding that all fifty states have constitutional provisions or statutes that require a secret ballot. EPIC has a long history of working to protect voter privacy and election integrity. (Jun. 22, 2020)

  • The Justice Department, as part of an open government lawsuit brought by EPIC, today disclosed previously unreleased portions of the Mueller Report concerning Roger Stone (Volume 1, Volume 2, Appendices). The disclosure marks the first time that new material from the Mueller Report has been published since a redacted version of the report was released in April 2019. Stone was convicted of obstruction and other charges in connection with Special Counsel Robert S. Mueller's investigation into Russian interference in the 2016 presidential election. The Justice Department previously argued that disclosure of information concerning Stone would interfere with his criminal case, but as EPIC noted in a recent filing, Stone's trial court proceedings have now ended. Judge Reggie B. Walton is also conducting an “in camera” review of the complete Mueller Report following the court’s March 5 ruling in EPIC’s case. The court is expected to decide as early as next month whether more material must be released. EPIC's case—the first in the nation for the disclosure of the Mueller Report—is EPIC v. DOJ, No. 19-810. (Jun. 19, 2020)

  • Yesterday the New York City Council passed the Public Oversight of Surveillance Technology (POST) Act, a law that enables public oversight of surveillance technologies used by the New York Police Department. The POST Act will require the police to publish documents explaining their use of surveillance technologies, accept public comments about them, and provide a final surveillance impact and use policy to the public. EPIC has worked for years to focus public attention on the privacy impact of emerging surveillance technologies, and has pursued open government cases against the FBI and other law enforcement agencies to release information about cell site simulators and other surveillance technologies. EPIC has recently launched a project to track and review algorithms used in the criminal justice system. (Jun. 19, 2020)

  • Ohio Senator Sherrod Brown announced today that he will introduce the Data Accountability and Transparency Act of 2020, a comprehensive privacy and data protection bill. The bill would (1) prohibit both private companies and government agencies from collecting personal data unless it is “strictly necessary” to carry out one of a few specified purposes; (2) ban the use of facial surveillance technology; (3) prohibit discrimination on the basis of personal data; (4) require accountability and transparency for algorithmic decisionmaking; (5) establish a federal data protection agency with the power to issue rules and enforce dozens of federal privacy laws; (6) enable individuals and state attorneys general to enforce the law in court; and (7) allow states to enact more restrictive privacy laws if they choose to. “The Data Accountability and Transparency Act of 2020 sets a strong standard for data protection,” said Caitriona Fitzgerald, EPIC Interim Associate Director. “Senator Brown’s bill creates enforceable privacy rights and limits the amount of data companies can collect and keep about us.” EPIC has long advocated for the enactment of comprehensive privacy legislation and the creation of data protection agency. EPIC’s report Grading on a Curve: Privacy Legislation in the 116th Congress sets out the key elements of a modern privacy law. (Jun. 18, 2020)

  • EPIC and a coalition of over 20 organizations sent a letter to the House Judiciary Committee urging the committee to remove Section 343 from the Justice in Policing Act of 2020. In response to mass protests against police brutality and systemic racism in the wake of George Floyd's death, more than 200 members of Congress introduced the Justice in Policing Act 2020 to combat police misconduct, use of excessive force, and racial bias in law enforcement. Section 343 limits the release of information about law enforcement officers who engage in racial profiling under the Freedom of Information Act. The letter states, "[I]nformation on law enforcement agencies' compliance with requirements to eliminate racial profiling is vital to the public interest, including information on public officials." The letter further emphasized that provision "undercuts the bill's own proposed reforms" and that the "FOIA already contains exemptions that balance personal information with the public interest." The bill includes a ban on law enforcement using facial recognition software. EPIC has advocated for the suspension of face surveillance systems across the federal government, including federal law enforcement. EPIC advocates for strong government oversight and accountability through its Open Government Project, routinely using the FOIA to obtain information to ensure that the public is fully informed about the activities of the government. (Jun. 18, 2020)

  • Zoom announced Wednesday that it will make enhanced encryption measures available to all users of the videoconferencing platform who provide a cell phone number—not just those who pay for the service. Earlier this month, Zoom said it would allow some of its users to fully encrypt their video communications, a response to the security and privacy flaws that EPIC and others have identified. But the company initially stated that Zoom administrators would retain the ability to access the real-time communications of non-paying users. Last year, EPIC sent a detailed complaint to the FTC citing numerous privacy and security flaws with Zoom and warning that the company had "exposed users to the risk of remote surveillance, unwanted video calls, and denial-of-service attack." In April, EPIC urged the FTC to open an investigation. Zoom’s rollout of enhanced encryption follows a recent settlement with the New York Attorney General over the company’s consumer safeguards. (Jun. 18, 2020)

  • Today, EPIC and a group of over 100 privacy, civil rights, and civil liberties organizations urged Congress to halt funding of surveillance technology recently used against peaceful protesters and disproportionately aimed at communities of color. The group stated the need "to address the unconstitutional and dangerous use of surveillance by state, local and federal police officers against demonstrators protesting the murder of George Floyd and so many others perpetuated by systemic police brutality." In response to reports that the government conducted surveillance of peaceful protesters, EPIC filed a series of Freedom of Information Act requests directed at the FBI the DEA and CBP. Earlier this year, EPIC filed similar FOIA requests with several government agencies after it was revealed that the agencies were using Clearview AI, the controversial facial recognition company. (Jun. 17, 2020)

  • The Justice Department, as part of the open government case EPIC v. DOJ, has agreed to reprocess the Mueller Report by June 19 and potentially release additional material pertaining to Roger Stone. The Justice Department has withheld significant portions of the Mueller Report on the theory that disclosure would interfere with the criminal case against Stone. But as EPIC noted in a recent filing, trial court proceedings in the Stone case have now ended. Judge Reggie B. Walton is currently conducting an “in camera” review of the complete Mueller Report following the court’s recent ruling in EPIC’s case. Earlier this week, the court ordered the Justice Department to appear before the court on July 20 and provide more information about its redactions to the Mueller Report. EPIC's case—the first in the nation for the disclosure of the Mueller Report—is EPIC v. DOJ, No. 19-810. (Jun. 12, 2020)

  • Amid nationwide protests against police brutality and racist policing, three major technology firms said this week that they would abandon or prohibit law enforcement agencies from using their facial surveillance technologies. On Monday, IBM announced that it would no longer offer “general purpose IBM facial recognition or analysis software” and that it opposes the use of such technology for “mass surveillance, racial profiling, [and] violations of basic human rights and freedoms.” On Wednesday, Amazon said it would prohibit law enforcement agencies from using its facial surveillance software for one year and urged Congress to “place stronger regulations to govern the ethical use of facial recognition technology.” And on Thursday, Microsoft reiterated that it will “not sell facial-recognition technology to police departments in the United States until we have a national law in place, grounded in human rights, that will govern this technology.” EPIC has launched a campaign to Ban Face Surveillance and through the Public Voice coalition gathered the support of over 100 organizations and many leading experts across 30-plus countries. An EPIC-led coalition has also called on the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government. (Jun. 11, 2020)

  • EPIC and a group of over 80 consumer, privacy, civil rights, and civil liberties organizations have sent a letter to the House and the Senate that endorses "principles to protect the civil rights and privacy of all persons." The group stated that technology used in response to Covid-19 "must only be allowed if it is non-discriminatory, effective, voluntary, secure, accountable, and used exclusively for public health purposes." EPIC and a coalition of organizations previously sent a letter to the Coronavirus Task Force, urging the federal government to set guidelines that protect privacy and ensure equity in responding to the COVID-19 pandemic. The coalition raised concerns about public-private partnerships that utilize technology to respond to COVID-19 without the necessary privacy safeguards. Earlier this year, EPIC wrote to Congress stating that it is "essential that government agencies and private companies implement standards that safeguard privacy." EPIC has laid out several recommendations related to privacy and the pandemic. (Jun. 11, 2020)

  • Yesterday, the Boston City Council held a public hearing on an ordinance to ban the use of facial recognition technology by the city of Boston. Several municipalities in Massachusetts have already banned the use of facial recognition. EPIC previously testified before the Massachusetts Legislature in support of a bill to establish a moratorium on the use of facial recognition by state agencies. EPIC has launched a campaign to Ban Face Surveillance and through the Public Voice coalition gathered the support of over 100 organizations and many leading experts across 30 plus countries. An EPIC-led coalition has also called on the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government. (Jun. 10, 2020)

  • EPIC has filed an amicus brief that urges the Fifth Circuit to decline to extend the border search exception to the Fourth Amendment warrant requirement to searches of cell phones. The case, Anibowei v. Wolf, is a civil suit brought by a U.S. citizen attorney to challenge the warrantless searches of his cell phones at the Dallas-Fort Worth International Airport. EPIC argued that the court should “follow the reasoning of Riley and Carpenter and decline to extend the border search exception to cell phones.” EPIC filed amicus briefs in the U.S. Supreme Court concerning the privacy interests in cell phone data in both Riley v. California and Carpenter v. United States. The Chief Justice cited EPIC’s brief in his majority opinion in Riley. (Jun. 9, 2020)

  • The Justice in Policing Act, a sweeping police reform bill introduced this week, includes a ban on federal law enforcement’s use of facial recognition software to scan body camera footage without a warrant. Section 372 of the bill says body cam footage may not be “subjected to facial recognition or any other form of automated analysis unless [...] a judicial warrant providing authority is obtained” and the court finds "there is probable cause to believe that the requested use of facial recognition is relevant to an ongoing criminal investigation." Earlier this year, EPIC and over 40 organizations urged the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government. And last year, the Public Voice coalition called for a global moratorium on face surveillance. Over 100 organizations and several hundred experts from over 40 countries endorsed the Public Voice declaration. (Jun. 9, 2020)

  • A federal court, as part of EPIC v. DOJ, has ordered the Justice Department to appear before the court and provide more information about its redactions to the Mueller Report. Judge Reggie B. Walton is currently conducting an “in camera” review of the complete Mueller Report following the court’s recent ruling in EPIC’s case. But in Monday’s order, Judge Walton wrote that he “cannot assess the merits of certain redactions without further representations from the Department.” The court ordered the DOJ to appear at an “ex parte” (one-on-one) hearing on July 20 to discuss the undisclosed portions of the Mueller Report. The book EPIC v. DOJ: The Mueller Report is available for purchase at the EPIC Bookstore. EPIC's case—the first in the nation for the disclosure of the Mueller Report—is EPIC v. DOJ, No. 19-810. (Jun. 9, 2020)

  • The enhanced encryption measures announced by Zoom this week will only protect paying customers of the videoconferencing platform, according to the company’s CEO. Although Zoom said it will allow paying users to fully encrypt their video communications—a response to the security and privacy flaws that EPIC and others have identified—the platform will still be able to access the real-time communications of non-paying users. “Free users for sure we don't want to give [end-to-end-encryption] because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” Zoom CEO Eric Yuan said. Last year, EPIC sent a detailed complaint to the FTC citing numerous privacy and security flaws with Zoom and warning that the company had "exposed users to the risk of remote surveillance, unwanted video calls, and denial-of-service attack." In April, EPIC urged the FTC to open an investigation. Zoom’s announcement follows a recent settlement with the New York Attorney General over the company’s consumer safeguards. (Jun. 5, 2020)

  • The tragic deaths of George Floyd, Ahmaud Arbery, and Breonna Taylor remind us that the needle has not moved on systemic issues of racism and police brutality in the United States. Across the country, protestors are demanding justice and challenging us to do our part to ensure this type of violence never happens again. EPIC understands that this problem is multi-layered. Black, brown, and indigenous communities are targets of more surveillance and policing than any other. This must end.

    The consistent and disproportionate mistreatment of black people by police and other government entities further solidifies our commitment to government accountability, transparency, and the protection of civil liberties. We will continue to enforce open government obligations, expose illegal and intrusive behaviors by government bodies, and advocate for legislation that protects marginalized communities.

    EPIC stands in solidarity with protestors, community groups, and advocates that fight against systemic oppression. We will not remain silent in the face of social injustice. EPIC will amplify the black voices working in our space, financially support programming aimed at supporting the black community, and be an ally to organizations fighting for racial justice. EPIC is not only looking outward in our efforts to protect the privacy and civil liberties of the black community, but we are also committed to upholding an inclusive workplace by eradicating the conscious and unconscious biases we hold.

    Black Lives Matter. (Jun. 3, 2020)

  • A federal court, ruling in EPIC v. AI Commission, has ordered the National Security Commission on Artificial Intelligence to open its meetings to the public. The Commission is charged with developing recommendations on the use of AI in national security and defense contexts. But after the Commission conducted much of its work in secret and without public input, EPIC filed an open government lawsuit against the Commission last year. In Monday’s decision, Judge Trevor N. McFadden ruled that the Commission is subject to the Federal Advisory Committee Act and must therefore hold open meetings and regularly publish its records. “Today, the Court holds that Congress can and did impose Janus-like transparency obligations upon the AI Commission,” Judge McFadden wrote. “No rule of law forced Congress to choose just one.” EPIC previously won a court ruling that the AI Commission is subject to the Freedom of Information Act, and the Commission recently began disclosing its past records. The case is EPIC v. AI Commission, No. 19-2906. (Jun. 1, 2020)

  • Through a Freedom of Information request, EPIC has obtained records concerning Utah’s "Healthy Together” COVID-19 app. The documents include a presentation from Twenty Holdings, Inc., the company that developed the app, and include details of its development. The records reveal that “[o]nce the economy resumes normalcy, the App will continue to provide the mechanism to monitor any emerging risks.” It has been reported that Twenty hopes to sell the app and app back end to other states and private companies. The developers of the app plan to integrate the Apple/Google API when it is available. The app current methodology relies on collated location data from all users, rather than decentralized proximity tracking. The Utah Governor’s Office of Management and Budget found no records of any audits or independent privacy assessments of the contact tracing app. EPIC has called on Congress to ensure that government agencies and private companies establish privacy safeguards for digital contact tracing. But without audits and independent privacy assessments, contact tracing apps like Healthy Together cannot be "robust, scalable, and provable." (May. 29, 2020)

  • The National Security Commission on Artificial Intelligence is seeking public comments on federal AI policy—a step that EPIC has repeatedly urged the Commission to take. The Commission is charged with developing recommendations on the use of AI in national security and defense contexts. But the Commission has conducted much of its work in secret and without public input, leading EPIC to file an open government lawsuit against the Commission. EPIC won a court ruling that the AI Commission is subject to the Freedom of Information Act, and the Commission has begun disclosing its records. EPIC is also litigating to enforce the Commission's obligation to hold open meetings. Public comments to the AI Commission are due by September 30, 2020. (May. 29, 2020)

  • Members of Congress have introduced two bills to restrict the microtargeting of online political advertisements. EPIC supports both bills. The Banning Microtargeted Political Ads Act, sponsored by Rep. Anna Eshoo (CA-18), would prohibit online platforms from targeting ads at users on the basis of their personal data. "This is an important step forward in protecting Americans’ privacy and in protecting our democratic institutions," said Caitriona Fitzgerald, EPIC Interim Associate Director and Policy Director. The Protecting Democracy from Disinformation Act would restrict microtargeting of political ads based on demographic characteristics and personal data collected online. "This bill will help ensure that the democratic process isn't distorted by privacy-invasive and discriminatory targeting of political ads," said John Davisson, EPIC Counsel. The bill is sponsored by Rep. David Cicilline (RI-1) and co-sponsored by Reps. Sean Casten (IL-6), Alcee Hastings (FL-20), Jahana Hayes (CT-5), Henry Johnson (GA-4), and Stephen Lynch (MA-8). Both bills would allow consumers to sue platforms that engage in illegal microtargeting. EPIC’s report Grading on a Curve: Privacy Legislation in the 116th Congress sets out the key elements of a modern privacy law. (May. 27, 2020)

  • Through a government records request EPIC has obtained the contract between North Dakota and ProudCrowd, LLC for the Care19 contact tracing app launched in response to the COVID-19 pandemic. The one-year software license agreement between ProudCrowd and North Dakota provides the state use of the contact tracing app and use of server space. According to the state, the Care19 app generates a random ID number for each user when it is tracking users' movements. North Dakota's privacy policy states that the location data is kept private (not sent to third parties) and stored securely on ProudCrowd servers. The state has not explained why it would store private health data on a storage system not controlled by the government. But a recent report indicates that the Care19 app sends location data and a unique user identifier to Foursquare and a software bug tracking company called Bugfender. The app also sends the phone's advertising ID to Google. ProudCrowd states that it will update the app and its privacy policies in the future. EPIC has told Congress that private companies must establish privacy safeguards for digital contact tracing. (May. 26, 2020)

  • The Pennsylvania Supreme Court has determined that a state agency can fire an employee for a post to a private Facebook group. In weighing the state’s interests against the employee’s speech interests, the court in Carr v. Department of Transportation ignored the U.S. Supreme Court’s decision in Packingham v. North Carolina, which called social media “the modern public square.” In an amicus brief, EPIC urged the Pennsylvania Supreme Court to protect the right of public employees to speak on matters of public concern on social media without fear of dismissal, citing to Packingham. EPIC warned that "allowing the Government to fire a public employee for posts made in a private Facebook group would encourage government supervisors to surveil employees across social media." EPIC has frequently argued that the First Amendment protects the right of individuals to engage in activities free from government surveillance, in cases including City of Los Angeles v. Patel, Doe v. Reed, and Americans for Prosperity v. Becerra. (May. 21, 2020)

  • The Conseil d'État, France's highest administrative court, issued a decision banning French authorities from using drone surveillance to track individuals violating social distancing rules. The Court cited privacy issues with drone surveillance and stated that drone surveillance by police would be banned until technology is added to prevent the filming and identification of individuals or approval was given by France's privacy regulator, the Commission nationale de l'informatique et des libertés. EPIC recently argued argued before the D.C. Circuit Court of Appeals in EPIC's open government case against the FAA Drone Advisory Committee. EPIC filed suit in 2018 after the Advisory Committee largely ignored the privacy risks posed by drones. Despite the Committee's disregard for privacy, documents obtained by EPIC showed the Committee identified privacy as a top public concern. EPIC also recently settled a Freedom of Information Act lawsuit against DHS for a report detailing the status of implementing privacy, civil liberties, and civil rights protections against DHS' use of surveillance drones. (May. 19, 2020)

  • EPIC, as part of the open government case EPIC v. AI Commission, has obtained more documents from the National Security Commission on Artificial Intelligence and the Department of Defense. The records provide the first public look at the work of the AI Commission’s closed-door working groups. Yet the records contain only a single reference to the privacy risks posed by the use of AI. The Commission's disclosure follows a court ruling in EPIC v. AI Commission that the Commission is subject to the FOIA. The AI Commission has regularly held closed-door meetings with tech firms and defense contractors without soliciting input from the American public. EPIC is also litigating to enforce the Commission's obligation to hold open meetings. The case is EPIC v. AI Commission, No. 19-2906 (D.D.C.). (May. 15, 2020)

  • The Senate voted today to pass an amended version of the USA FREEDOM Reauthorization Act of 2020, which was passed by the House in March. The bill would end the NSA’s bulk telephone metadata program and make further reforms to the Foreign Intelligence Surveillance Act. The Senate agreed this week to further amendments by Senators Lee and Leahy that expand FISA protections, but rejected amendments proposed by Senators Wyden and Daines that would have protected Americans’ internet browsing and search histories. The adopted Leahy/Lee amendment strengthens the role of “amici curiae,” who are independent, expert advisors to the Foreign Intelligence Surveillance Court, by increasing their access to information, their power to raise issues with the Court, and the number of cases they are appointed in. Since amendments were adopted, the bill now returns to the House of Representatives for consideration. Members of both parties have expressed support for reform of the controversial NSA surveillance program. EPIC closely tracks the use of FISA authority. EPIC has advocated for significant FISA reforms, and recently advised Congress to limit Section 702 surveillance and to allow Section 215 to expire. (May. 15, 2020)

  • EPIC has filed two government records requests to Utah and North Dakota seeking information about their contact tracing apps launched in response to the COVID-19 pandemic. Utah launched Healthy Together, an app that tracks individual movements using Bluetooth and location tracking services. North Dakota similarly launched its own contact tracing app called Care19, which collects GPS location data, WiFi data, and cell phone tower data to track an individual's movements over time. Both Utah and North Dakota claim that the use of the apps are voluntary and that users can delete the sensitive data collected. But neither state has disclosed any privacy assessments or independent audits conducted on the apps. On the federal level, EPIC is pursuing a Freedom of Information Act request with the Department of Justice seeking DOJ legal analysis about the collect of GPS and cell phone location data. EPIC has also told Congress that government agencies and private companies must establish privacy safeguards for digital contact tracing. (May. 14, 2020)

  • Representatives Anna G. Eshoo (CA-18), Jan Schakowsky (IL-09), Suzan DelBene (WA-01), and U.S. Senators Richard Blumenthal (D-CT), and Mark Warner (D-VA) today today introduced the Public Health Emergency Privacy Act. The bill would protect personal data collected in connection with COVID-19 from being used for non-public health purposes, and provides for both public and private enforcement. “The Public Health Emergency Privacy Act shows that privacy and public health are complementary goals. The bill requires companies to limit the collection of health data to only what is necessary for public health purposes, and crucially, holds companies accountable if they fail to do so,” said Caitriona Fitzgerald, EPIC Interim Associate Director and Policy Director. (May. 14, 2020)

  • EPIC and coalition of child advocacy, consumer, and privacy groups today filed a complaint urging the Federal Trade Commission to investigate and penalize TikTok for violating the Children's Online Privacy Protection Act. TikTok paid a $5.7 million fine for violating the children's privacy law last year. But more than a year later, TikTok has failed to delete personal information previously collected from children and is still collecting kids’ personal information without notice to and consent of parents. The groups were led by the Campaign for a Commercial-Free Childhood and the Center for Digital Democracy. (May. 14, 2020)

  • EPIC settled a Freedom of Information Act lawsuit against the Department of Homeland Security to obtain public release of a drone status report and other related documents required by a 2015 Presidential Memorandum. The memorandum required the report to detail the status of implementing privacy, civil liberties, and civil rights protections against DHS' use of surveillance drones. The 2015 DHS status report attempted to justify the use of drones by Customs and Border Protection, but a 2018 Inspector General report called into question the CBP's drone privacy policies and procedures. The Inspector General found that CBP failed to complete a required analysis for a drone surveillance system and failed to implement effective safeguards for information collected by drones. EPIC has called on Congress to "establish drone privacy safeguards that limit the risk of public surveillance." (May. 13, 2020)

  • EPIC Counsel John Davisson will argue before the D.C. Circuit Court of Appeals Tuesday morning in EPIC's open government case against the FAA Drone Advisory Committee. The argument is scheduled to begin around 10 a.m. EPIC filed suit in 2018 against the industry-dominated committee, which largely ignored the privacy risks posed by the deployment of drones—even after identifying privacy as a top public concern. As a result of EPIC's lawsuit, the committee was forced to disclose hundreds of pages of records. But a lower court ruled that the agency could withhold records from the committee's secretive working groups. EPIC recently told the Court of Appeals that the FAA's interpretation of the Federal Advisory Committee Act would undermine the open meetings law. The case is EPIC v. Drone Advisory Committee, No. 19-5238 (D.C. Cir.). (May. 12, 2020)

  • The Supreme Court will hear arguments Tuesday morning in Trump v. Vance, a case concerning the release of President Trump's tax returns to a grand jury. EPIC filed an amicus brief in the case supporting disclosure. EPIC explained that President Trump broke with 40 years of precedent by concealing his tax records, even as he sought to collect sensitive voter and citizenship data from the public. "This is inverted liberty: privacy for the President and compelled disclosure of personal data for the public," EPIC argued. "That is antithetical to the structure and practice of modern democracies which safeguard the privacy of citizens and impose transparency obligations on political leaders, most notably the President." EPIC previously sought public release of President Trump's tax returns in EPIC v. IRS, arguing that disclosure was necessary to correct numerous factual misstatements made by the President. In EPIC v. IRS II, EPIC is seeking "offers-in-compromise" and related tax records of President Trump and his businesses. (May. 12, 2020)

  • The Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, the Election Assistance Commission, and the National Institute of Standards and Technology has sent a risk assessment to states warning of the “significant security risk” of online voting. “While there are effective risk management controls to enable electronic ballot delivery and marking,” the agencies said, “we recommend paper ballot return as electronic ballot return technologies are high-risk even with controls in place.” EPIC has a long history of working to protect voter privacy and election integrity. In 2016 EPIC published The Secret Ballot at Risk: Recommendations for Protecting Democracy, a report highlighting the right to a secret ballot and how Internet voting threatens voter privacy. (May. 11, 2020)

  • New York Attorney General Letitia James has announced an agreement with Zoom Video Communications following an investigation into Zoom's consumer safeguards. Zoom agreed to enhance encryption protocols, perform yearly penetration testing, and add privacy-enhancing features to its platform. The agreement also provides enhanced privacy controls for education accounts. Last month, EPIC urged the FTC to issue best practices for online conferencing. (May. 8, 2020)

  • In response to a lawsuit brought under the Illinois Biometric Information Privacy Act, Clearview AI—the controversial facial recognition company—committed to cancelling all accounts with private companies. The commitment comes as Clearview AI tries to stave off a temporary injunction that would prevent the company from using any information it has collected from Illinois residents. In an amicus brief before the ninth circuit, EPIC defended an individual's right to sue companies who violate the Illinois Biometric Information Privacy Act and other privacy laws. More recently, EPIC filed a Freedom of Information Act request to several government agencies seeking records about the government's use of Clearview AI technology. Earlier this year, EPIC and over 40 organizations urged the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government. (May. 8, 2020)

  • A bipartisan group of Senators has urged the Federal Trade Commission to launch an investigation into children's data practices in the educational technology and digital advertising sectors. In a letter to the FTC, Senators Edward Markey (D-Mass.), Josh Hawley (R-Mo.), Richard Blumenthal (D-Conn.), Bill Cassidy (R-La.), Dick Durbin (D-Ill.), and Marsha Blackburn (R-Tenn.) said "The FTC should use its investigatory powers to better understand commercial entities that engage in online advertising to children—especially how those commercial entities are shifting their marketing strategies in response to the Coronavirus pandemic and increased screen time among children." In December 2019, EPIC submitted comments to the FTC on the agency's regulatory review of the Children's Online Privacy Protection Act (COPPA) Rules. EPIC said the FTC should : (1) maintain the strong safeguards for children's data, (2) reject the "school official exception", (3) the FTC define the term "commercial purpose" and ensure that children's personal data collected in schools is not transferred to EdTech companies; and (4) the FTC require notification within forty-eight hours of a data breach of children's data by a company subject to COPPA. (May. 8, 2020)

  • Earlier today, the U.S. Supreme Court heard oral argument in Barr v. American Association of Political Consultants. The argument was livestreamed, with EPIC staff providing commentary on Twitter. The case asks whether an exemption to the Telephone Consumer Protection Act, a law that prohibits unwanted robocalls, is constitutional, and, if not, whether the exemption should be severed or the whole law struck down. EPIC defended the TCPA in an amicus brief. EPIC said that the robocall ban is "constitutionally permissible and serves important governmental interests." EPIC explained that cell phone adoption has made "the harm caused by unwanted automated calls" greater than when the robocall ban was enacted in 1991. EPIC said that "without the autodialer ban, the assault of unwanted calls could make cell phones unusable." EPIC also argued that "a minor amendment to an otherwise constitutional law, passed decades after the original enactment, should not take down an act of Congress." EPIC frequently files amicus briefs on the TCPA, including in the related case, Gallion v. Charter Communications. (May. 6, 2020)

  • The National Security Commission on Artificial Intelligence has released a set of privacy and civil liberties recommendations concerning digital contract tracing during the COVID-19 pandemic. The Commission urged that contact tracing tools must include data minimization, transparency, explicit user consent, and input from privacy and security professionals. The Commission also warned that contract tracing systems must address "challenges with inclusiveness and potential discrimination." The Commission advised Congress to establish technological standards and to require the Federal Trade Commission to regulate the technology. Since January, the Commission has released hundreds of pages of documents as part of the open government lawsuit EPIC v. AI Commission. EPIC is also litigating to enforce the Commission's obligation to hold open meetings. (May. 6, 2020)

  • EPIC and 14 other consumer, privacy, civil and digital rights organizations sent a letter to Coronavirus Task Force leader Vice President Mike Pence urging the federal government to set guidelines that protect privacy and ensure equity in responding to the COVID-19 pandemic. The group stated, “[t]he proper use of technology, personal and aggregate data, and data analytics has the potential to provide important public health benefits, but it must incorporate proper privacy and security safeguards, as well as protections against discrimination and violations of civil and other rights.” The group also raised concerns about public-private partnerships that utilize technology to respond to COVID-19 without the necessary privacy safeguards. The letter outlines 11 principles that form the basis for standards that the government and private sector can follow and asked Vice President Pence for a meeting to discuss their concerns. The group also asked that the Coronavirus Task Force immediately create an interdisciplinary advisory committee comprised of experts from privacy, social science, data security, public health, and members of civil society to develop standards. To Congress, EPIC has said that it is "essential that government agencies and private companies implement standards that safeguard privacy.” (May. 6, 2020)

  • A new Pew Research survey found about 62% of Americans believe it is unacceptable for the government to use location data to ensure compliance with social distancing guidelines. The Pew survey results are based on a nationally representative panel of randomly selected U.S. adults. EPIC has urged that the use of technology to combat COVID-19 must be lawful and voluntary. Last year, Pew found that 75% of Americans say there should be new regulations of what companies may do with personal data. EPIC maintains an extensive page on Privacy and Public Opinion which shows consistent support among Americans for stronger privacy laws. EPIC advocates for comprehensive privacy legislation and the establishment of a U.S. data protection agency. (May. 5, 2020)

  • Massachusetts Governor Charlie Baker (R) expressed skepticism about digital contact tracing yesterday in a press conference, saying in response to a reporter’s question about the apps: “That means if we incorporate something like the types of technology you’re talking about into this, we’re going to have to do it in a way that makes people feel comfortable that they’re not giving up some of their privacy and confidentiality because we incorporated an electronic app into the process.” Massachusetts has led the country in quickly building a workforce to perform manual contact tracing in partnership with Partners in Health. For digital contact tracing techniques, EPIC recently recommended that "(1) participation should be lawful and voluntary; (2) there should be minimal collection of personally identifiable information; (3) the system should be robust, scalable, and provable; and (4) the system should only be operated during the pandemic emergency." (May. 1, 2020)

  • A group of four senators has announced plans to introduce the COVID-19 Consumer Data Protection Act, a bill which would regulate businesses’ collection and use of personal health and location data in connection with the COVID-19 pandemic. The bill would require companies to obtain “affirmative express consent” before collecting personal data, to disclose details about how personal data will be used, to satisfy data minimization and security requirements, and to allow consumers to opt out. Businesses would also be required to “delete or de-identify all personally identifiable information” when it is no longer needed for the COVID-19 crisis. The bill—sponsored by Senators Roger Wicker, John Thune, Jerry Moran, and Marsha Blackburn—charges the Federal Trade Commission with enforcement. EPIC recently told Congress that “privacy and public health are complimentary goals” and that "Privacy Enhancing Techniques can be deployed to serve the public interest and protect individuals." EPIC’s report Grading on a Curve: Privacy Legislation in the 116th Congress sets out the key elements of a modern privacy law, including the creation of a Data Protection Agency and room for states to enact stronger privacy laws. (May. 1, 2020)

  • ICANN has blocked the proposed sale of the .ORG domain to a private equity fund. ICANN cited the importance of maintaining the “fundamental public interest nature of [the Public Interest Registry].” EPIC has long been involved in the governance and promotion of the .ORG domain and had argued that the sale should be blocked. (May. 1, 2020)

  • The U.S. Supreme Court has refused to review a deeply flawed ruling in EPIC v. Commerce, EPIC's suit to halt the collection of citizenship data in the 2020 Census due to the government's failure to complete required privacy impact assessments. Under the E-Government Act, federal agencies must make privacy impact assessments "publicly available" before undertaking a new collection of personal data. Yet a three-judge panel of the D.C. Circuit ruled that the statute does not "vest a general right of information in the public" that would allow EPIC—one of the leading privacy organizations in the country—to obtain information about the government's data collection practices. Last year, the Supreme Court's decision in Commerce v. New York led to the removal of the citizenship question from the 2020 Census. EPIC filed an amicus brief in support of that outcome. (Apr. 27, 2020)

  • The U.S. Supreme Court today concluded that states cannot copyright the annotations in their official codes. The case, Georgia v. Public.Resource.Org, concerned Georgia’s claim to a copyright in its official annotated code. Twenty-five other jurisdictions also claim copyrights to their official code annotations. The Court concluded that those with “authority to make or interpret the law”—such as judges and legislatures—cannot copyright their official works. EPIC filed an amicus brief in the case, signed by thirty-five experts in law and technology. EPIC’s brief urged the Supreme Court “to recognize that free access to the law is not only guaranteed by our country’s traditions but also enabled by digital technologies.” EPIC explained that “the federal government has worked to ensure that government materials, including legal materials, are broadly accessible to the public; the states should do the same.” EPIC has worked for decades to promote online access to judicial opinions and open access to government information. EPIC routinely files amicus briefs in the US Supreme Court in cases concerning emerging privacy and civil liberties issues. (Apr. 27, 2020)

  • Despite objections from EPIC and other consumer groups, a federal judge has approved the Federal Trade Commission’s settlement with Facebook over the company’s alleged violations of the 2012 consent decree and the FTC Act. The court called Facebook’s alleged conduct “stunning,” “unscrupulous,” “shocking,” and “underhanded,” and even stated that it “might well have fashioned different remedies were it doing so out of whole cloth.” The court nevertheless approved the deal because of the “deferential” standard it felt bound to apply, but the court warned that, should the FTC accuse Facebook of further violations of the law, the court “may not apply quite the same deference to the terms of a proposed resolution.” EPIC had moved to intervene in the case and filed an amicus brief arguing that the deal imposes “few new obligations on the company that would limit the collection and use of personal data, nor will there be any significant changes in business practices.” The court denied EPIC’s motion to intervene but acknowledged that EPIC’s arguments as amicus “call into question the adequacy of laws governing how technology companies that collect and monetize Americans’ personal information must treat that information.” (Apr. 24, 2020)

  • EPIC has settled a Freedom of Information Act lawsuit against Customs and Border Protection. EPIC sought records concerning the agency's "alternative screening procedures" to determine whether travelers are able to to opt-out of facial recognition at airports. EPIC filed the request after Custom and Border Protection repeatedly modified the opt-out language, making it increasingly difficult for travelers to opt-out. EPIC obtained numerous documents, including the Standard Operation Procedure that states that the alternative procedure for U.S. citizens is a review of their U.S. passport. At the end of last year, CBP removed its proposal to require all U.S. citizens to undergo mandatory face recognition at airports. Last year, Buzzfeed featured documents from a related FOIA lawsuit about CBP's flawed airport facial recognition program. (Apr. 24, 2020)

  • A federal court has announced June 18 as a “target date” to complete its review of the unredacted Mueller Report and to decide what additional material must be released. Judge Reggie B. Walton ruled last month that he will conduct an “in camera” review of the complete Mueller Report as part of EPIC’s Freedom of Information Act lawsuit. EPIC recently urged the court to begin that review soon as possible because "time is of the essence in this case.” The book EPIC v. DOJ: The Mueller Report is available for purchase at the EPIC Bookstore. EPIC's case—the first in the nation for the disclosure of the Mueller Report—is EPIC v. DOJ, No. 19-810. (Apr. 24, 2020)

  • The personal data of 7,000 small business owners applying for COVID-19 relief was recently exposed in a Small Business Administration data breach. Names, social security numbers, and financial details were made accessible to other users of the SBA’s disaster loan website. Recent data breaches have highlighted the need for stronger data protection laws. EPIC has urged Congress to update federal privacy law and to investigate whether systems adopted in response to the pandemic safeguard the privacy of Americans. In 2018, EPIC argued in response to the OPM data breach that "when personal data is collected by a government agency, that agency has a constitutional obligation to protect the personal data it has obtained." (Apr. 23, 2020)

  • EPIC and a coalition of open government groups sent a letter to both the House and Senate urging Congress to include transparency and accountability measures in the next legislative response to the COVID-19 pandemic. The group recommended that Congress: strengthen protections for inspector generals, expand the funding for open government, broaden whistleblower protections, narrow the coronavirus relief bill's (CARES Act) secrecy exemption, promote court access, fortify the coronavirus relief bill's oversight mechanisms, disclose Office of Legal Counsel opinions related to the pandemic, and fund congressional oversight. The letter stated, "[d]uring this time of national crisis, it is vital that the public has timely access to information and that oversight mechanisms are as robust as possible, so that errors and abuses that threaten public health can be swiftly rectified." Last month, EPIC at 131 other organizations issued a public statement supporting government transparency and public access to information as the U.S. responds to the coronavirus pandemic. (Apr. 22, 2020)

  • Senator Edward Markey [D-MA] has outlined nine key principles to guide federal leadership on coronavirus contact tracing in the United States. In a letter sent today to the White House Coronavirus Task Force, Senator Markey urged the administration to design and implement a comprehensive coronavirus contact tracing plan with key privacy safeguards. In a statement to the Senate and House Commerce Committees last week, EPIC said it is "essential that government agencies and private companies implement standards that safeguard privacy." EPIC's letter followed a proposal from Apple and Google for a contact tracing app to "combat the spread of the novel coronavirus." EPIC cited public health officials in support of data protection and human rights. For digital contact tracing techniques, EPIC recommended that "(1) participation should be lawful and voluntary; (2) there should be minimal collection of personally identifiable information; (3) the system should be robust, scalable, and provable; and (4) the system should only be operated during the pandemic emergency." (Apr. 22, 2020)

  • With appreciation for many years of visionary and impactful leadership, the Board of Directors of the Electronic Privacy Information Center (EPIC) announces the departure of Marc Rotenberg, its President and Executive Director. EPIC is, as you know, a renowned public interest research center headquartered in Washington, DC, best known for advocacy of privacy rights and data protection. EPIC’s longtime General Counsel Alan Butler will serve as Interim Executive Director while the international search for Mr. Rotenberg’s permanent replacement is underway.

    “Marc has contributed tremendously as a scholar and advocate to a powerful global movement in support of privacy, freedom of expression, and democratic values. He has helped shape EPIC’s values-driven policy and advocacy related to the Internet, artificial intelligence and government surveillance. While the time has come for new leadership at EPIC, Marc has helped establish a dynamic team and a solid foundation upon which we will build for many years to come,” said Anita Allen, Chair of the Board of Directors at EPIC. “We are confident in Alan’s management as he takes the helm in this moment of transition, evolution, and growth.”


    Prior to stepping in as Interim Executive Director, Alan Butler has successfully managed EPIC's litigation portfolio, including its Amicus Program, and filed numerous briefs in cutting-edge privacy and civil liberties cases before the U.S. Supreme Court and other appellate courts. With Butler’s interim leadership, an international coalition of active partners, and an experienced DC team, EPIC will continue its critical work and mission as a public voice both here in the United States and worldwide.

    (Apr. 21, 2020)

  • The OECD has released "Tracking and tracing COVID:Protecting privacy and data while using apps and biometrics." The OECD warns that "current digital solutions for monitoring and containment have varying implications for privacy and data protection." The OECD recommends that "fully transparent and accountable privacy-preserving solutions should be embedded by design to balance the benefits and the risks associated with personal data collection, process and sharing. Data should be retained only for so long as is necessary to serve the specific purpose for which it was collected." The report is one of several published by the OECD on "Tackling Coronavirus (COVID-19): Contributing to a Global Effort." Garry Kasparov was among 70 experts and NGOs who recently applauded the OECD's response to the pandemic and also urged the organization to "continue to uphold the democratic values on which the OECD is based." (Apr. 21, 2020)

  • The Supreme Court will decide whether a person who is authorized to access data for some purposes violates the Computer Fraud and Abuse Act if they access the information for other purposes. The case, Van Buren v. United States, concerns a police officer who accessed a law enforcement database to sell the information to a third party. EPIC recently urged the Supreme Court to consider whether another provision of the CFAA prohibits third parties from scraping user data when an internet company bans the practice. EPIC staff raised concerns about the civil liberties implications of the law when Congress passed the first computer crime statute in 1984. (Apr. 20, 2020)

  • EPIC has settled a Freedom of Information Act lawsuit against the National Archives for records pertaining to Justice Kavanaugh's work on surveillance in the Bush White House post-9/11. EPIC will receive attorneys fees as part of the settlement. The records released to EPIC through the lawsuit revealed that Kavanaugh discussed warrantless wiretapping with program architect John Yoo. The records released to EPIC also show that, after the New York Times exposed the program, Kavanaugh exchanged hundreds of emails with White House and DOJ staff about the program, gathered legal justifications for the program, and drafted speeches defending warrantless wiretapping. Congress ended the controversial program in 2015, following extensive hearings. On the DC Circuit Court of Appeals in 2015, Judge Kavanaugh issued a surprising opinion on surveillance authority. Senator Leahy pursued Kavanaugh's views on surveillance during the Supreme Court nomination hearing. (Apr. 20, 2020)

  • ICANN has delayed the proposed sale of the .ORG domain to a private equity fund after California Attorney General Xavier Becerra urged ICANN to reject the transfer. "Little is known about Ethos Capital and its multiple proposed subsidiaries," Attorney General Becerra said. In a letter to the ICANN board chair and the President and CEO of ICANN, the California AG wrote, "The proposed transfer raises serious concerns that cannot be overlooked." EPIC President Marc Rotenberg, a founding board member and former chair of the group that manages the .ORG, said that the secrecy of the deal was "a failure of process." He told the Financial Times "You can't make decisions about the allocation of internet domain names in the dark." In a commentary for The Hill, Rotenberg said that ICANN should block the sale. (Apr. 20, 2020)

  • The Inspector General for the Department of Transportation released an report of the FAA's drone integration system, which includes personal data for drone registration. The IG report found that the "FAA did not adequately assess privacy and security controls for protecting PII." The report also found that the "FAA's inadequate monitoring of security controls increases the risk of the systems being compromised." EPIC stated that "the FAA should adopt safeguards to protect registrants' information from improper release." EPIC also warned that "the FAA's proposed rule fails to consider the privacy implications for recreational drone operators" who will be required to provide personal information. (Apr. 20, 2020)

  • EPIC, in a filing from EPIC v. Department of Justice has urged a federal court to begin its review of the unredacted Mueller Report to determine what additional material must be released to the public. Judge Reggie B. Walton recently ordered the DOJ to turn over the complete Report, citing "grave concerns about the objectivity of the process that preceded the public release of the redacted version of the Mueller Report[.]" EPIC noted that courts have ensured that "the federal judiciary continues its essential work" during the COVID-19 crisis and that "time is of the essence in this case." The book EPIC v. DOJ: The Mueller Report, which includes EPIC's original Freedom of Information Act request and related materials, is available for purchase at the EPIC Bookstore. EPIC's case—the first in the nation for the disclosure of the Mueller Report—is EPIC v. DOJ, No. 19-810. (Apr. 17, 2020)

  • EPIC has filed an urgent Freedom of Information Act request with the FTC seeking records about the status of the Zoom investigation. This week, FTC Commissioner Noah Phillips declined to say whether the agency is investigating Zoom. The Commissioner's statement follows widespread reporting on privacy and security problems with the video conferencing service. In July 2019, EPIC sent a detailed complaint to the FTC citing the flaws with Zoom and warning that the company had "exposed users to the risk of remote surveillance, unwanted video calls, and denial-of-service attack." Last week urged the FTC to open an investigation. In a recent letter to FTC Chairman Simons, Senator Sherrod Brown stated, "I believe that the company is engaging in deceptive practices by inaccurately advertising end-to-end encryption of its virtual meetings and putting consumers' information and privacy at risk." (Apr. 16, 2020)

  • The Department of Justice has agreed to expedite EPIC's FOIA request for information about the agency's legal guidance on the use of location data. EPIC asked for records "regarding the lawfulness of the use of location data for public health surveillance." EPIC's request went to the Office of Legal Counsel which provides legal advice to the President and all executive branch agencies. EPIC has previously litigated several high-profile FOIA cases against the OLC, including EPIC v. DOJ (legality of the NSA PRISM Program) and EPIC v. DOJ (legality of the warrantless wiretapping program). Last month the Wall Street Journal reported that the White House is considering surveillance techniques, such as geolocation and facial recognition. (Apr. 16, 2020)

  • A new Pew Research survey found about half of U.S. adults said they recently opted out of a product or service because they were concerned about privacy. Respondents cited concerns about the unnecessary collection of personal data, the reliability of the service, and surveillance. The Pew survey results are based on a nationally representative panel of randomly selected U.S. adults. EPIC maintains an extensive page on Privacy and Public Opinion which shows consistent support among Americans for stronger privacy laws. EPIC advocates for comprehensive privacy legislation and the establishment of a U.S. data protection agency. (Apr. 15, 2020)

  • In a statement to the Senate and House Commerce Committees, EPIC said it is "essential that government agencies and private companies implement standards that safeguard privacy." EPIC's letter follows a proposal from Apple and Google for a contact tracing app to "combat the spread of the novel coronavirus." EPIC cited public health officials in support of data protection and human rights. For digital contact tracing techniques, EPIC recommended that "(1) participation should be lawful and voluntary; (2) there should be minimal collection of personally identifiable information; (3) the system should be robust, scalable, and provable; and (4) the system should only be operated during the pandemic emergency." EPIC urged Congress to update federal privacy law and to investigate whether systems adopted in response to the pandemic safeguard the privacy of Americans. (Apr. 15, 2020)

  • EPIC sent an urgent Freedom of Information Act request to the Commerce Department today, seeking records about Secretary Wilbur Ross's decision to delay the 2020 Census reporting deadlines. In a statement this week Commerce Secretary Ross and the Census Bureau Director asked Congress for a four-month delay to "deliver final apportionment counts" that would be used in congressional redistricting. Rep. Carolyn B. Maloney, Chair of the House Oversight Committee, said that the administration is "stonewalling in providing information" that is "vital in assessing" the proposed extension. In a 2018 letter to Congress, EPIC said "the Census is an essential part of understanding the changing demographics in America. The census helps ensure evidence-based policy decisions and census data is the source of much political and economic planning in the United States." (Apr. 14, 2020)

  • EPIC has submitted an amicus brief in LinkedIn v. hiQ Labs, urging the Supreme Court to review a decision that prevents internet companies from blocking web scrapers who gather personal data on websites in violation of privacy policies. The lower court ruled that LinkedIn must allow hiQ, a data analytics firm, to scrape the personal data of LinkedIn users. In the amicus brief, EPIC explained that the decision "makes it impossible" for companies to protect personal data and sets "a dangerous precedent that could threaten the privacy of user data." The EPIC amicus brief highlighted the business practices of Clearview AI, a company that scraped billions of photographs to create a secretive facial recognition system, used now by foreign intelligence agencies. EPIC said that the lower court decision will lead to more "unethical and unexpected uses" of personal data. EPIC previously filed an amicus brief in support of LinkedIn users in the Ninth Circuit. EPIC routinely files amicus briefs in consumer privacy cases. (Apr. 13, 2020)

  • EPIC has filed a brief urging the U.S. Supreme Court to review the D.C. Circuit decision in EPIC v. Commerce. In that case, the Court of Appeals denied EPIC the right to obtain privacy impact assessments concerning citizenship question on the 2020 Census. EPIC argued that the Census Bureau was required to publish the impact assessments before attempting to include the citizenship question. EPIC told the Supreme Court that the lower court decision conflicts with earlier Supreme Court precedent and that the government had "failed to rebut" the arguments EPIC set out in its initial petition for review. Last year, the Supreme Court's decision in Commerce v. New York led to the removal of the citizenship question from the 2020 census. EPIC filed an amicus brief in support of that outcome. (Apr. 13, 2020)

  • The U.S. Supreme Court announced today that it will hold oral arguments by teleconference in light of the COVID-19 crisis, including two cases in which EPIC filed amicus briefs. "The Court anticipates providing a live audio feed of these arguments to news media," the Court said in a statement. It marks the first time that the Supreme Court has held arguments remotely or made a live broadcast available. The cases to be argued next month include Trump v. Vance, in which EPIC urged the Supreme Court to allow the release of President Trump's tax returns to a grand jury, and Barr v. American Association of Political Consultants, in which EPIC defended the Telephone Consumer Protection Act as a check against unwanted robocalls. (Apr. 13, 2020)

  • Senators Mark Warner (D-VA) and Richard Blumenthal (D-CT) and Representative Anna Eschoo (D-CA) sent a letter to White House Senior Advisor Jared Kushner, raising concern about his efforts to establish a national COVID-19 surveillance system. The members of Congress stated, "We fear that further empowering technology firms and providing unfettered access to sensitive health information during the COVID-19 pandemic could fatally undermine health privacy in the United States." They stressed that, "absent a clear commitment and improvements to our health privacy laws -these extraordinary measures could undermine the confidentiality and security of our health information and become the new status quo." EPIC recently filed a Freedom of Information Act request with Health and Human Services for the March memo from health technology companies that touted their ability to gather patient information. The letter from Congress to Kushner reflected several of the issues raised in EPIC's original FOIA request. (Apr. 10, 2020)

  • Apple and Google announced today "a joint effort to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of the virus, with user privacy and security central to the design." The companies are proposing "Privacy-Preserving Contact Tracing." EPIC has previously testified in Congress in support of genuine Privacy Enhancing Techniques, which EPIC President Marc Rotenberg has defined as technologies that "minimize or eliminate the collection of personally identifiable information." But EPIC has also warned that these techniques must be "robust, scalable and provable." And EPIC has repeatedly stated that notice and consent is not the basis of data protection. (Apr. 10, 2020)

  • Through a Freedom of Information Act request EPIC obtained documents about a 2016 meeting with the leaders of the tech industry on countering violent extremism. The meeting included Attorney General Loretta Lynch, FBI Director Jame Comey, and Director of National Intelligence James Clapper. The documents EPIC obtained reveal the attendees, agenda items, and email discussions in preparation for the meeting. Reports at the time indicated that tech leaders and administration officials were concerned about extremist content on social media. Administration officials also raised concerns about encryption. EPIC has long supported strong encryption to protect Internet users from financial fraud, identity theft, and other crimes. EPIC filed a "friend of the court" brief in support of Apple's challenge in the FBI's decryption order, noting that far more cellphones were lost or stolen than were obtained by law enforcement agencies in the course of an investigation. (Apr. 10, 2020)

  • EPIC and a coalition of civil society organizations called on Congress today to protect the independence of federal inspectors general. "To operate effectively, IGs need independence both from the agency they are overseeing, and from the president," the groups wrote in a statement. In recent days, President Trump abruptly removed Inspector General of the Intelligence Community and replaced the inspector general overseeing the federal government's use of COVID-19 relief funds. "There's a reason why inspectors general have traditionally always had bipartisan support in Congress: their work is paramount to a functioning government that's built on checks and balances," the groups explained. EPIC has long fought for stronger oversight of U.S. intelligence agencies and has pursued FOIA lawsuits against the CIA, the FBI, the ODNI, and the NSA. (Apr. 10, 2020)

  • In detailed comments, EPIC criticized the DHS's proposed "Insider Threat" database that would give the agency vast amounts of personal data. EPIC urged DHS to limit the scope of data collection and to drop proposed Privacy Act exemptions that would diminish the agency's responsibilities for the data gathered. Citing the surge in data breaches, EPIC warned that DHS data practices pose a risk to federal employees. EPIC previously recommended privacy protections in background checks and warned against inaccurate, insecure, and overbroad government databases. (Apr. 9, 2020)

  • EPIC joined a coalition of civil liberties and privacy groups to urge the Port of Seattle Commission to reverse an earlier decision to deploy facial recognition technology at SeaTac International Airport. The organizations stated that the Port Commission should not back the Customs and Border Protection's unauthorized use of facial recognition technology. Previously, EPIC and a coalition urged the Privacy and Civil Liberties Oversight Board to suspend the use of face surveillance systems across the federal government. And last year, the Public Voice coalition called for a global moratorium on face surveillance. Over 100 organizations and several hundred experts from over 40 countries endorsed the Public Voice declaration. (Apr. 9, 2020)

  • The Ninth Circuit Court of Appeals ruled today that Facebook users whose privacy was violated by Facebook's tracking of web browsing can bring suit against the social media platform. The court held that consumers had the legal right, or "standing," to sue Facebook and that most legal claims could go forward. Chief Judge Sidney Thomas wrote "that Facebook set an expectation that logged-out user data would not be collected, but then collected it anyway." EPIC filed an amicus brief in the case explaining that "Facebook's tracking techniques are designed to escape detection, and the company routinely ignores users' privacy protections." EPIC argued that Facebook's "cookie tracking practices" cause "harm to the privacy of the large and diffuse group of Facebook users." EPIC first identified the privacy risks of cookie tracking in a 1997 report "Surfer Beware: Personal Privacy and the Internet." EPIC frequently participates as amicus curiae in consumer privacy cases, including United States v. Facebook, Attias v. Carefirst, Frank v. Gaos, and Rosenbach v. Six Flags. (Apr. 9, 2020)

  • EPIC has filed an urgent FOIA request for a memo outlining a nationwide COVID-19 surveillance system sought by White House senior adviser Jared Kushner. According to POLITICO, the memo describes "a national coronavirus surveillance system to give the government a near real-time view of where patients are seeking treatment and for what, . . . .” In a statement, Senator Ed Markey (D-MA) said that the administration is not "capable of creating or maintaining a massive health data network in a manner that doesn’t undermine our fundamental right to privacy.” EPIC is pursuing FOIA requests with the Department of Justice and other federal agencies about efforts to track and monitor Americans during the pandemic. (Apr. 8, 2020)

  • EPIC has filed an urgent FOIA request to obtain information about a system, proposed by Oracle CEO Larry Ellison, to track COVID patients who are given experimental drug therapies. Oracle's "COVID-19 Therapeutic Learning System" urges healthcare companies to provide sensitive health information to Oracle. President Trump recently stated that federal agencies will be able to access data from the system. Ellison proposed a national identity card after the attacks on the United States on 9-11. Congress rejected that plan and made clear that L[national identification systems are not authorized] in the United States. EPIC has also filed FOIA requests to the Department of Justice and other federal agencies concerning the tracking and monitoring of Americans during the pandemic. (Apr. 8, 2020)

  • The Secretary General of the Council of Europe, Marija Pejčinović Burić, has issued recommendations for governments across Europe on human rights, democracy and the rule of law during the COVID-19 crisis. The report covers (1) Derogation from the European Convention on Human Rights, (2) Respect for the rule of law and democratic principles, including limits on emergency measures, (3) Fundamental human rights standards including freedom of expression, privacy and data protection, protection of vulnerable groups from discrimination and the right to education, and (4) Protection from crime and the protection of victims of crime, in particular regarding gender-based violence. The EU Fundamental Rights Agency has also published a new report "Protect human rights and public health in fighting COVID-19." As the FRA explains, "Respecting human rights and protecting public health is in everyone's best interest - they have to go hand-in-hand." Video blog Michael O'Flaherty: COVID-19. (Apr. 8, 2020)

  • In a FOIA lawsuit, EPIC has obtained more documents from the Commission on Artificial Intelligence. The records include internal correspondence and an unattributed report about China's social scoring, facial recognition tools, and AI-based surveillance. The internal report highlights the "draconian" consequences of China's AI use but states that "Mass surveillance is a killer application" for AI and that "having streets carpeted with cameras is good infrastructure for smart cities[.]" The Commission's disclosure to EPIC follows a ruling in EPIC v. AI Commission that the Commission is subject to the FOIA. The AI Commission held over 200 secret meetings with tech firms, defense contractors, and others. EPIC is also litigating to enforce the Commission's obligation to hold open meetings. The case is EPIC v. National Security Commission on AI, No. 19-2906 (D.D.C.). (Apr. 7, 2020)

  • President Trump has removed Inspector General of the Intelligence Community Michael Atkinson from his post. The President cited Atkinson's referral to Congress of a whistleblower complaint concerning Trump's efforts to have Ukraine investigate former Vice President Joe Biden. Atkinson was required by law to transmit the report to Congress. EPIC has long fought for stronger oversight of U.S. intelligence agencies, and has pursued FOIA lawsuits against the CIA, the FBI, the ODNI, and the NSA. In EPIC v. Department of Justice, EPIC is currently seeking release of the complete Mueller Report, which details foreign interference in the 2016 presidential election. The DOJ recently submitted the full Mueller Report to a federal judge, who will determine what additional material must be released to the public. (Apr. 7, 2020)

  • EPIC has filed a detailed FOIA request with the Department of Justice for information about Predictive Policing and Risk Assessment programs, funded by the federal government. The programs are described in a 2014 Justice Department report that EPIC obtained in the lawsuit, EPIC v. DOJ. The 2014 DOJ report warned that "individual liberty is at stake" with predictive policing, but many of these systems have gone forward nonetheless. EPIC maintains a comprehensive resource on risk assessments systems in the Criminal Justice System. (Apr. 7, 2020)

  • The U.S. Supreme Court held today, 8-1, that police can stop a vehicle if a database says that the registered owner has a suspended license. Justice Sotomayor dissented. EPIC filed an amicus brief in the case, Kansas v. Glover, arguing that the Court should not allow the police to stop a vehicle simply because the registered owner's license is expired. EPIC described the growing use of Automated License Plate Readers, and warned the Court that permitting police stops based on the registered owner's status would "dramatically alter police practices" and "unfairly burden disadvantaged communities." EPIC provided empirical data for the Supreme Court which indicate that ALPRs are more widely used in disadvantaged communities and also that car sharing is more prevalent in these communities. Justice Kagan's concurrence noted that car sharing and database inaccuracies, issues that EPIC raised in its brief, could lead to unreasonable searches. EPIC routinely files amicus briefs in cases before federal and state courts concerning emerging privacy issues. In Herring v. United States (2012), EPIC explained to the Supreme Court that government databases are "filled with errors, according to the federal government's own reports." (Apr. 6, 2020)

  • Former world chess champion Garry Kasparov has joined a statement to OECD Secretary General Ángel Gurría that urges the international organization to "continue to uphold the democratic values on which the OECD is based." Kasparov helped launch the OECD work on Artificial Intelligence policy that led to the OECD AI Principles, adopted by the OECD member countries, the G-20, and others. The statement to the Secretary General Gurria, signed by more than 70 experts and NGOs, applauds the important work of the OECD in response to the pandemic. The expert statement also asks the OECD SG to "make clear the ongoing importance of the OECD policy frameworks that safeguard fundamental rights, from the OECD Privacy Guidelines of 1980 to the OECD AI Principles of 2019." The statement further asked the SG to "continue to use the powerful analytical tools of the OECD to demonstrate that there are many uses of data that do not require 'trade-offs' or 'balancing' and to "urge colleagues at the G-7, the G-20, UNESCO, the ITU to uphold fundamental rights." The OECD statement was coordinated by both the Civil Society Information Society Advisory Council to the OECD and the Public Voice coalition. @CSISAC @thepublicvoice @EPICprivacy (Apr. 6, 2020)

  • In a letter to FTC Chairman Joe Simons, EPIC urged the FTC to "open an investigation of Zoom's business practices and to issue, as soon as practicable, Best Practices for Online Conferencing Services." The EPIC letter followed a 2019 complaint from EPIC warning that Zoom had "placed at risk the privacy and security of the users of its services." EPIC also explained to the FTC that Zoom had "exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attack." In the April 2020 letter to the Commission, EPIC reminded the Commission that it acted on similar complaints from EPIC concerning Facebook and Google but failed to act on the Zoom complaint. EPIC cited widespread reports of privacy and security flaws with the online conferencing service. EPIC wrote, "Now more than ever, the Federal Trade Commission has a responsibility to safeguard American consumers. We urge you to act." (Apr. 5, 2020)

  • In response to EPIC's Freedom of Information Act request to the Justice Department for information about the use of location data, including cell phone records, to counter the pandemic the DOJ wrote there are no "responsive records." EPIC had asked for "all legal memos, analysis, communications, and guidance documents, in the possession of the Department of Justice, concerning the collection or use of GPS data and cell phone location data for public health surveillance." The DOJ forwarded EPIC's request to its Office of Legal Counsel to see if responsive records exist in that office. EPIC will continue to seek information about the DOJ's views on the use of location data, and particularly phone records. After 9-11, the Justice Department supported the warrantless surveillance of Americans, a program that was later terminated after the New York Times broke the story, and EPIC pursued a FOIA lawsuit and then a Supreme Court petition. (Apr. 3, 2020)

  • The Attorneys General from several states including New York, Connecticut, and Florida are investigating Zoom's privacy and security practices. The New York AG stated that she was "concerned that Zoom's existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network." Last year, EPIC filed a complaint about Zoom security practices with the Federal Trade Commission. EPIC explained that Zoom had "placed at risk the privacy and security of the users of its services." EPIC's 22-page analysis detailed how Zoom had "exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attack." The Federal Trade Commission failed to act on EPIC's 2019 Zoom complaint. (Apr. 3, 2020)

  • Health and Human Services announced today it will reduce privacy safeguards for personal health data. Under the federal patient privacy law (HIPAA), a third party "business associate" that receives personal data from a health care provider or insurer must have express permission to redisclose the data. HHS has now suspended that protection, as long as "business associates" disclose personal health data in "good faith" for "public health activities" and provide notice within 10 days.There was no opportunity for public comment on the rule change. Previously, HHS announced that it would not take enforcement action against health care providers that violate the HIPAA when consulting with patients remotely. (Apr. 3, 2020)

  • The Senate Commerce Committee has announced an hearing on Thursday, April 9, to explore "Enlisting Big Data in the Fight Against Coronavirus." The Committee said it would "examine recent uses of aggregate and anonymized consumer data to identify potential hotspots of coronavirus transmission and to help accelerate the development of treatments." The Senate Committee "will also examine how consumers' privacy rights are being protected and what the U.S. government plans to do with COVID-related data collected at the end of this national emergency." Since the start of the Coronavirus outbreak, EPIC has worked closely with technology experts, legal scholars, NGOs, public health officials, data protection authorities, human rights experts, and international organizations to promote an effective response to the pandemic and to safeguard privacy and fundamental rights. EPIC's key recommendations include (1) a fundamental emphasis on effective public health measures and evidence-based policy, (2) strong enforcement of privacy obligation and robust techniques for deidentifcation, (3) new accountability measures for data uses and due process safeguard, and (4) avoidance of a centralized system of mass surveillance that will be difficult to dismantle after the pandemic. EPIC President Marc Rotenberg recently told Buzzfeed, "People say, 'well, we need to strike a balance between protecting public health and safeguarding privacy' — but that is genuinely the wrong way to think about it. You really want both. And if you're not getting both, there's a problem with the policy proposal." (Apr. 3, 2020)

  • The Global Privacy Assembly, the international network of data protection officials, has published Data protection and Coronavirus (COVID-19) resources. The GPA stated that it "recognises the unprecedented challenges being faced to address the spread of Coronavirus (COVID-19). Data protection authorities across the world stand ready to help facilitate swift and safe data sharing to fight COVID-19, while still providing the protections the public expects." EPIC is also tracking privacy statements from UN Human Rights experts, the Council of Europe, German data protection experts, NGOs, the European Data Protection Board, and the World Health Organization. (Apr. 3, 2020)

  • According to the Statement of Work, Immigration and Customs Enforcement is seeking to connect the agency's facial recognition system to the DHS Gang Intelligence Application database. ICE recently solicited contracts to overhaul the agency's interface with the Gang Intelligence Application database to establish a face template for all photos added to the database. EPIC has filed a Freedom of Information Act request seeking details of ICE's use of Clearview AI's facial recognition technology. The secretive tech company scraped billions of facial images from Internet websites. EPIC and more than a hundred organizations have called for a moratorium on facial recognition technology. (Apr. 2, 2020)

  • EPIC joined civil society groups from around the world to urge governments to respect human rights as they consider digital technologies to combat the coronavirus pandemic. The coalition warned that "efforts to contain the virus must not be used as a cover to usher in a new era of greatly expanded systems of invasive digital surveillance." The civil society groups insisted that governments not implement surveillance measures unless lawful, time-limited, only for the specific purpose of combating the pandemic, and the data collected is absolutely necessary. EPIC recently joined 131 other organizations in a public statement supporting public access to information as the U.S. responds to the coronavirus pandemic. EPIC is pursuing a Freedom of Information Act request with the Department of Justice seeking DOJ legal analysis about the collection of GPS and cell phone location data. (Apr. 2, 2020)

  • EPIC has released an updated report on the privacy bills in Congress. EPIC's report - Grading on a Curve: Privacy Legislation in the 116th Congress - reviews recent developments, sets out a model bill, and assesses pending legislation. According to EPIC, Representative Eshoo and Lofgren's Online Privacy Act ranks #1. The bill would establish a data protection agency, create meaningful privacy safeguards, and hold companies accountable for the collection and use of personal data. Senator Gillibrand's Data Protection Act, S. 3300, solves one critical privacy problem very well by creating an independent Data Protection Agency in the United States. The US is one of the few democratic countries in the world without a federal data protection agency. The updated EPIC report also scores Senator Moran and Senator Wicker's privacy proposals. (Apr. 1, 2020)

  • The Department of Homeland Security has published a Systems of Record Notice for the "Enterprise Biometric Administrative Records." The DHS seeks to link personal data in the IDENT biometric database to unique machine-generated identifiers. IDENT contains personal data on both U.S. citizens and non-U.S. persons.The IDENT database is tied to biometric databases maintained by the FBI, the Department of Defense, and the State Department. DHS also announced a Notice of Proposed Rulemaking that proposes to exempt the Enterprise Biometric Administrative Records database from many of the protections of the Privacy Act. EPIC is currently pursuing a Freedom of Information lawsuit against the State Department for information about the disclosure of personal biometric data to other federal agencies. Public comments on the Enterprise Biometric Administrative Records System of Record Notice or Notice of Proposed Rulemaking are due April 10 and April 15 respectively. EPIC will urge the DHS to suspend the project. And if the agency goes forward, EPIC will urge the agency to comply with all of the requirements of the federal Privacy Act. (Apr. 1, 2020)

  • Five U.S. Senators have sent a follow-up letter to Google requesting more information about the company's plans to protect user data on the coronavirus screening website. Senators Bob Menendez, Sherrod Brown, Richard Blumenthal, Kamala Harris, and Cory Booker had sent a letter to the White House expressing concern about the website two weeks ago. The Senators wrote now to say that personal data should "not be used for any commercial purposes in the future, and Verily should clearly state if the collected information is in compliance with the Health Insurance Portability and Accountability Act (HIPAA)." The Senators asked for responses to several questions by April 6, 2020. Google is under a consent order that gives the FTC authority to oversee the company's privacy practices as a consequence of EPIC's complaints about Google Buzz. EPIC later sued the FTC, EPIC v. FTC, for the agency's failure to enforce the consent against Google. (Apr. 1, 2020)

  • Senator Richard Blumenthal has called on video conference platform Zoom to provide clear answers about its consumer data privacy rules and safety practices. "Zoom has a troubling history of software design practices and security lapses that have posed significant risks to the privacy and safety of its users," Senator Blumenthal said. Senator Blumenthal asked for responses to six questions by April 14, 2020. Last year, EPIC filed a complaint about Zoom security practices with the Federal Trade Commission. EPIC explained that Zoom had "placed at risk the privacy and security of the users of its services." EPIC's 22-page analysis detailed how Zoom had "exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attack." The Federal Trade Commission failed to act on EPIC's 2019 Zoom complaint. (Apr. 1, 2020)

  • A report from the Department of Justice's Inspector General has uncovered widespread abuse of FISA surveillance authority by the DOJ. The Inspector General "identified apparent errors or inadequately supported facts" in each of the 25 surveillance applications it reviewed. The report follows an earlier investigation by the Inspector General which found the FBI personnel investigating Russian interference in the 2016 presidential election "fell far short of the requirement in FBI policy that they ensure that all factual statements in a FISA application are 'scrupulously accurate.'" EPIC closely tracks the use of FISA authority. EPIC has advocated for significant FISA reforms for more than a decade, and recently advised Congress to reform Section 702 of FISA and to sunset Section 215 of the Patriot Act. Members of both parties have recently expressed support for reforming U.S. surveillance authorities. (Apr. 1, 2020)

  • POLITICO reports that eight European countries are taking part in a "privacy-preserving proximity tracing" app that uses Bluetooth signals between mobile phones to track users who are close enough to infect each other. The software uses privacy-enhancing techniques such as encryption, data anonymization, and data minimization in order to provide effective tracing while maintaining Europe's high data protection standards under the General Data Protection Regulation (GDPR). EPIC Advisory Board member Ron Rivest and colleagues at MIT have published a paper that explores "A simple proximity-based approach to contact tracing." (Apr. 1, 2020)

  • A Georgia federal court has granted EPIC's request to file an amicus brief urging the court to protect the secret ballot. Plaintiffs presented the court with evidence that Georgia’s ballot-marking devices, which rely on large display screens, make voter choices easily viewable by others in the polling place. EPIC wrote in the amicus that "the right to cast a secret ballot in a public election is a core value in the United States." This is the second amicus brief EPIC has submitted in the case, Curling v. Raffensperger. In the earlier amicus brief, EPIC urged the court to stop Georgia's use of Direct Recording Electronic voting machines, which EPIC explained were unreliable and easily hacked. The court ruled that Georgia must replace the machines before the 2020 election. (Mar. 31, 2020)

  • The Department of Justice today submitted the complete Mueller Report to federal Judge Reggie B. Walton for review. The judge will now determine whether the federal agency properly withheld information EPIC sought in the open government case EPIC v. Department of Justice. The judge's review of the Mueller Report marks one of the most significant "in camera" reviews in the history of the Freedom of Information Act. Judge Walton will also examine a related memo obtained by EPIC to determine what additional material must be released to EPIC and the public. Judge Walton previously ordered the DOJ to turn over the full Mueller Report in EPIC's case, citing "the need for the American public to have faith in the judicial process." The court also rebuked Attorney General Barr and raised "grave concerns about the objectivity of the process that preceded the public release of the redacted version of the Mueller Report[.]" The book EPIC v. DOJ: The Mueller Report, which includes EPIC's original FOIA request and related materials, is available for purchase at the EPIC Bookstore. EPIC's case—the first in the nation for the disclosure of the Mueller Report—is EPIC v. DOJ, No. 19-810. (Mar. 30, 2020)

  • Apple has launched a COVID-19 Screening Tool that provides information about the coronavirus, information about social distancing and current guidance on COVID-19 testing. Apple states "Apple is not collecting your answers from the screening tool. To help improve the site, Apple collects some information about how you use it. The information collected will not personally identify you." In a press statement, the CDC said the "tool provides CDC recommendations on next steps including guidance on social distancing and self-isolating, how to closely monitor symptoms, recommendations on testing, and when to contact a medical provider." In a comment on Twitter, Apple CEO Tim Cook said "the data is yours and your privacy is protected. Stay safe and healthy." In 2015, Tim Cook received the EPIC Champion of Freedom Award. (Mar. 30, 2020)

  • Today the Council of Europe published a Joint Statement on The Right to Data Protection in the Context of the COVID-19 Pandemic. The statement was published by Alessandra Pierucci, Chair of the Committee of Convention 108 and Jean-Philippe Walter, Data Protection Commissioner of the Council of Europe. The COE Statement advises that "States have to address the threat resulting from the COVID-19 pandemic in respect of democracy, rule of law and human rights, including the rights to privacy and data protection." The Council further states that even during a public health crisis, "human rights(such as the International Covenant on Civil and Political Rights and the European Convention on Human Rights) cannot be suspended but only derogated or restricted by law, to the extent strictly required by the exigencies of the situation, while respecting the essence of the fundamental rights and freedoms." The COE notes that "anonymised data is not covered by data protection requirements. The use of aggregate location information . . . would thus not be prevented by data protection requirements." EPIC has worked closely with the Council of Europe on updates to the Council of Europe Privacy Convention, recommended US ratification of the Convention, and recently advised the COE on AI policy. The text of the COE Privacy Convention is contained in the EPIC Policy Law Sourcebook. (Mar. 30, 2020)

  • Dr. Michael Ryan, a key advisor for the World Health Organization, again this week emphasized the need to safeguard privacy and data protection in the responses to the coronavirus. “We take the issues of personal data protection and intrusion very, very seriously,’ said Dr. Ryan (video). He said that the WHO is working to ensure that "all of the initiatives we’re involved with, while aiming to develop good public health information, in no way interfere with the individual rights to privacy and protections under the law. It is important when we talk about surveillance and the surveillance society that in the case of public health the gathering of information about individuals, their movements must be done with the consent of the community and in many cases of the individual themselves." (Mar. 27, 2020)

  • EPIC President Marc Rotenberg has endorsed a statement of German privacy experts that emphasizes, "even in the corona crisis, personal rights remain - in the words of the German Federal Constitutional Court - 'an elementary functional condition of a free and democratic society based on the ability of its citizens to act and participate.'" The experts state, "data protection demands data minimisation, ensuring that data is used for specific purposes only and that measures and any new legal powers are clearly limited in time." The statement also calls attention to "principles and guidelines on data protection in the Corona crisis." The statement was organized by Peter Schaar, Chairman of the European Academy for Freedom of Information and Data Protection (EAID) and the former Federal Data Protection Commissioner for Germany. (Mar. 27, 2020)

  • The European Commission has reportedly asked telecom companies to turn over anonymized cell phone location data, citing a need to track the spread of the novel coronavirus. The planned transfer would give the Commission access to location information and other data from hundreds of millions of cell phone users. European Data Protection Supervisor Wojciech Wiewiórowski, responding to the proposal, warned that “effective anonymisation requires more than simply removing obvious identifiers” and called on the Commission to “clearly define the dataset it wants to obtain and ensure transparency towards the public.” The European Data Protection Board explained that any use of location data in connection with the coronavirus must be “strictly limited to the duration of the emergency at hand” and “in accordance with the Charter of Fundamental Rights and the European Convention for the Protection of Human Rights and Fundamental Freedoms.” EPIC recently submitted a Freedom of Information Act request to the U.S. Department of Justice seeking legal analysis concerning the collection and use of GPS and cell phone location data for public health surveillance. (Mar. 27, 2020)

  • EPIC Policy Director Caitriona Fitzgerald will testify this week before the Election Assistance Commission in support of the Voluntary Voting System Guidelines 2.0. Fitzgerald’s prepared statement said that the Voting Guidelines are "vital to protecting our democratic institutions.” The Voting Guidelines are open for public comment through June 22. EPIC, along with the Association for Computing Machinery, previously recommended principles for voter privacy, ballot secrecy, and data protection. EPIC and the ACM also urged the Commission to ban internet-connected voting machinery, citing the risks to voting integrity and democratic institutions. The EAC adopted these suggestions, banning internet-connected voting systems and retaining strong provisions on voter privacy, ballot secrecy, and data protection. Though states are not mandated to comply with the Voting System Guidelines, the Guidelines shape the election security market. EPIC has a long history of working to protect voter privacy and election integrity.
    (Mar. 26, 2020)

  • The Department of Homeland Security announced that the agency is extending the REAL ID enforcement deadline to October 1, 2021. DHS plans to publish a notice of the new deadline in the Federal Register in the coming days. The REAL ID Act requires states to gather certain personal data and issue documents that comply with federal standards. The failure to have a REAL ID-compliant document can restrict the freedom to travel. EPIC, along with a broad coalition, opposed REAL ID because it created a de facto national identity system and has exposed Americans to data breaches. Criminal hackers compromised the authenticating documents in state DMVs including Oregon, North Carolina, and California. EPIC has urged the DHS to limit the data collection and ensure transparency and accountability in implementing REAL ID. (Mar. 26, 2020)

  • Dr. Michael Ryan, a key advisor for the World Health Organization, said this week at a briefing on the novel coronavirus that there is a "tremendous amount" of innovation and enthusiasm for new products. But he also cautioned (video) that "when collecting information on citizens or tracking their movements there are always serious data protection and human rights principles involved." Dr. Ryan said, "we want to ensure that all products are done in the most sensitive way possible and that we never step beyond the principles of individual freedoms and rights." UN human rights experts and European privacy officials are urging governments to safeguard privacy in the effort to contain the novel coronavirus. Yuval Noah Harari wrote recently "We can and should enjoy both privacy and health. We can choose to protect our health and stop the coronavirus epidemic not by instituting totalitarian surveillance regimes, but rather by empowering citizens." (Mar. 26, 2020)

  • EPIC has submitted a Freedom of Information Act request to the Department of Justice seeking legal analysis concerning the collection and use of GPS and cell phone location data for public health surveillance. EPIC explained "The Department of Justice plays a key role advising the President regarding the lawfulness of proposed activities, and particularly the proposed expansion of government authorities during a time of national crisis." EPIC wrote, "If the Department of Justice is considering the use of cell phone data to address the public health crisis, it should first consider whether the use is lawful and that analysis should be made available to the public." EPIC pursued a FOIA lawsuit during the Bush Administration, EPIC v. DOJ, for the legal memos concerning the warrantless wiretapping program that was later repealed by Congress. (Mar. 24, 2020)

  • EPIC has submitted a Freedom of Information Act request to the Office of Science and Technology Policy seeking information about the White House plan to use cell phone location data for public health surveillance. According to news reports, the White House has sought the assistance of large tech companies including Facebook, Apple, and Google, to use cell phone location data. It is not clear at this time whether the U.S. program is lawful or how the data will be used. EPIC has asked the OSTP to provide "all policies, proposals, and guidance documents for the collection of cell phone location data in connection with the coronavirus" and also "any privacy assessments, including but not limited to privacy threshold assessments and privacy impact assessments, related to the collection of cell phone location data in connection with the coronavirus." (Mar. 24, 2020)

  • European NGOs called on EU countries to ensure that fundamental rights are upheld while taking public health measures to tackle COVID-19.The members of the European Digital Rights Initiative (EDRi) urged Member States to limit the collection and use of personal data and to implement exceptional measures only for the duration of the crisis. The NGOs also highlighted the danger of internet shutdowns during a pandemic, stating that: "During this crisis and beyond, an accessible and open internet will play a significant role in keeping us safe." The groups warned that "companies should not abuse the extraordinary circumstances to monetise information at their disposal." Privacy International has created a resource to track the privacy implications of the various responses to the Coronavirus by tech companies, governments, and international agencies. The EPIC Public Voice Fund supports the work of EDRi. (Mar. 23, 2020)

  • The European Data Protection Board, the committee of national European privacy officials, has published a statement advising data processors on their legal obligations in light of the pandemic. The EDPB statement addresses the lawfulness of processing during a public health emergency, the use of mobile location data, and the protections of health data of employees. The Board cautioned that: "Personal data that is necessary to attain the objectives pursued should be processed for specified and explicit purposes." The EDPB advises processors that: "The least intrusive solutions should always be preferred, taking into account the specific purpose to be achieved." EPIC and 131 other organizations issued a public statement supporting government transparency and public access to information when the U.S. is taking measures to respond to the coronavirus pandemic. (Mar. 23, 2020)

  • Senators Amy Klobuchar and Senator Ron Wyden have introduced the "Natural Disaster and Emergency Ballot Act of 2020," which would expand early in-person voting and no-excuse absentee vote-by-mail to all states. Twenty-six Senators have co-sponsored S. 3529. Senator Klobuchar said, "we should act swiftly to pass my legislation to ensure that every American has a safe way to participate in our democracy during a national emergency." According to the National Conference on State Legislatures, five states currently conduct all elections entirely by mail, and at least 21 other states have laws that permit some elections to be conducted by mail. EPIC has a long history of working to protect voter privacy and election integrity. In 2016 EPIC published The Secret Ballot at Risk: Recommendations for Protecting Democracy, a report highlighting the right to a secret ballot and how Internet voting threatens voter privacy. (Mar. 23, 2020)

  • EPIC and 131 other organizations issued a public statement supporting government transparency and public access to information when the U.S. is taking measures to respond to the coronavirus pandemic. The groups caution that agencies should not take advantage of the public's inability to attend large gatherings to conceal critical policy decisions. The group "encourage[s] the custodians of information at all levels of government to take this opportunity to leverage technology to make governance more inclusive and more credible, not to suspend compliance with core accountability imperatives." The statement emphasized that "the legitimacy of government decision-making requires a renewed commitment to transparency." Last week, the White House ordered federal health officials to treat top-level coronavirus meetings as classified, "an unusual step that has restricted information and hampered the U.S. government's response to the contagion," according to a report by Reuters. (Mar. 20, 2020)

  • EPIC, through a FOIA request, lawsuit, and negotiated settlement, has obtained a 2014 report from the Department of Justice to former President Obama warning about the dangers of predictive analytics and algorithms in law enforcement. The Justice Department report highlights the risks of "making decisions about sentencing—where individual liberty is at stake in the most fundamental way—based on historical data about other people,” stating that “equal justice demands that sentencing determinations be based primarily on the defendant’s own conduct and criminal history." Even when algorithms "seem neutral, any model is susceptible to importing any biases reflected in the underlying data,” the report Predictive Analytics in Law Enforcement explains. Former U.S. Attorney General Eric Holder has said that "basing sentencing decisions on static factors and immutable characteristics . . . may exacerbate unwarranted and unjust disparities that are already far too common in our criminal justice system and in our society." The case, which was before the D.C. Circuit Court of Appeals, has now settled and EPIC will receive attorneys fees for its work on the matter. The case is EPIC v. DOJ, No. 18-5307 (D.C. Cir.).

    (Mar. 20, 2020)

  • In an amicus brief, EPIC has asked a Georgia federal court to protect the secret ballot. Plaintiffs presented the court with evidence that Georgia's ballot-marking devices, which rely on large display screens, make voter choices easily viewable by others in the polling place. EPIC wrote in the amicus that "the right to cast a secret ballot in a public election is a core value in the United States." This is the second amicus brief EPIC has submitted in the case, Curling v. Raffensperger. In the earlier amicus brief, EPIC urged the court to stop Georgia's use of Direct Recording Electronic voting machine, which EPIC explained were unreliable and easily hacked. The court ruled that Georgia must replace those voting machines before the 2020 election. (Mar. 19, 2020)

  • According to the Washington Post, the U.S. Government is in active discussions with tech companies about tracking telephone customers to monitor the spread of the coronavirus. Cellphone data is currently protected under federal privacy law. In the Carpenter case, the Supreme Court made clear that government access to location information implicates the Fourth Amendment. EPIC has long advocated for protection of location privacy. EPIC pursued a lawsuit against a mobile app company that led to greater protection of users' location data. EPIC also successfully petitioned the FCC to safeguard sensitive data collected by phone companies. The FCC recently announced fines against T-Mobile, AT&T, Verizon, and Sprint for selling customers' location information. (Mar. 19, 2020)

  • In a letter to the California Attorney General, several advertising associations called for a six-month delay in implementation of the California Consumer Privacy Act. The business groups cited the coronavirus as the reason they should not comply with the law as planned. The California privacy law establishes new privacy rights for California residents, and busineses are required to bring their practices into compliance. The California Attorney General will begin enforcement actions on July 1, 2020. EPIC expressed support for the new privacy law in comments to the Attorney General on proposed regulations. EPIC's recommendations for baseline federal privacy legislation and the creation of a Data Protection Agency are detailed in Grading on a Curve: Privacy Legislation in the 116th Congress. (Mar. 19, 2020)

  • Privacy International has created a resource to track the privacy implications of the various responses to the Coronavirus by tech companies, governments, and international agencies. Some responses to the pandemic involve mass surveillance and locational tracking that impact on privacy and human rights. For example, Israel plans to use cellphone data for contact tracing and a U.S. company Athena Security has proposed mass surveillance for temperature monitoring. U.S. Senators have written to the Federal Trade Commission and the White House expressing concern over the privacy implications of the Administration's plan to allow Google to establish a virus screening website for COVID-19. (Mar. 19, 2020)

  • The Department of Justice has released the 2019 FOIA Litigation and Compliance Report which details the DOJ's efforts to encourage agency compliance with the FOIA across federal agencies. DOJ updated the Guide to the Freedom of Information Act, with recent court decisions. The DOJ report also summarizes agency guidance, including the application of Exemption 4 after the Supreme Court expanded the definition of "confidential" information. On that issue, EPIC filed an amicus brief in Food Marketing Institute v. Argus Leader Media telling the Supreme Court that access to commercial records is critical for government oversight. EPIC celebrated Sunshine Week with the 2020 EPIC FOIA Gallery, highlighting important EPIC FOIA work from the past year, including EPIC's case for the release of the Mueller Report, EPIC v. Department of Justice. (Mar. 19, 2020)

  • Five U.S. Senators have sent a letter to the White House expressing concern over the privacy implications of the Administration's plan to allow Google to establish a virus screening website for COVID-19. Senators Bob Menendez, Sherrod Brown, Richard Blumenthal, Kamala Harris, and Cory Booker said "If the Administration and the private company responsible for launching and maintaining the website does not establish sufficient privacy safeguards, Americans who use the site will be more susceptible to identity theft, negative credit decisions, and employment discrimination." The Senators asked for responses to thirteen questions by March 30, 2020. Google is under a consent order that gives the FTC authority to oversee the company's privacy practices. The FTC consent order followed complaints by EPIC about Google Buzz. EPIC later sued the FTC, EPIC v. FTC, for the agency's failure to enforce the consent against Google. (Mar. 19, 2020)

  • Today, U.S. Sens. Mark R. Warner (D-VA) and Richard Blumenthal (D-CT) wrote to FTC Chairman Joe Simons about Google's ad targeting practices for products such as face masks and hand sanitizer. The Senators presented evidence that Google continues to run ads that capitalize on COVID-19 fears despite claiming to ban such ads. The Senators said that the ads "create widespread social harms to our nation's response to the crisis." The also said, "consumers should b able to rely on representations regarding a company's business practices...if consumer cannot rely on a company's representations, then the FTC must intervene." EPIC has long advocated privacy protections for medical information. EPIC helped establish the FTC's authority to oversee Google, but EPIC has since criticized the agency's effectiveness and called for the establishment of a U.S. Data Protection Agency. (Mar. 17, 2020)

  • The Department of Health & Human Services announced today that it is rolling back privacy protections for electronic medical appointments during the coronavirus outbreak. HHS stated it will not take enforcement action against health care providers that violate the federal patient privacy law (HIPAA) when consulting with patients remotely, as long as providers act in "good faith." Normally, remote communications tools used for medical purposes must comply with strict privacy rules. Health care providers are still prohibited from using "public facing" applications such as Facebook Live and TikTok to consult with patients, HHS said. EPIC has long advocated privacy protections for medical information and filed a brief in IMS v. Sorrell urging the Supreme Court to safeguard prescription data. (Mar. 17, 2020)

  • The Senate voted late Monday to extend certain national security authorities for 75 days that were set to expire. Last week the House passed a bill that included several reforms. EPIC and other civil liberties groups backed a bill that would establish a warrant requirement for location data and internet browsing history, increase transparency, and strengthen the Privacy and Civil Liberties Oversight Board. Members of both parties have expressed support for reform of the controversial NSA surveillance program. EPIC closely tracks the use of FISA authority. EPIC has advocated for significant FISA reforms, and recently advised Congress to limit Section 702 surveillance and to allow Section 215 to expire. (Mar. 17, 2020)

  • A federal court, ruling in EPIC v. Department of Justice, has decided to review the unredacted version of key memo by Special Counsel Mueller to determine whether additional material must be released. The memo, which summarizes Mueller's investigation of a suspected "unregistered agent of a foreign government," was partially disclosed to EPIC in response to EPIC's Freedom of Information Act request. Earlier, the court ruled in EPIC's case that it would review the sections of the Mueller Report that the government has withheld from the public. The court also rebuked Attorney General Barr, citing "grave concerns about the objectivity of the process that preceded the public release of the redacted version of the Mueller Report[.]" The book EPIC v. DOJ: The Mueller Report, which includes EPIC's original FOIA request and related materials, is available for purchase at the EPIC Bookstore. The case is EPIC v. Department of Justice, No. 19-810. (Mar. 16, 2020)

  • In celebration of Sunshine Week, EPIC has unveiled the 2020 FOIA Gallery. Since 2001, EPIC has annually published highlights of EPIC's most significant open government cases. For example, last year EPIC filed the first lawsuit in the country for the public release of the Mueller Report. The federal court rebuked Attorney General Barr and agreed to review the complete Mueller Report to determine what additional material must be released. EPIC also prevailed in EPIC v. the Commission on AI. A federal court ruled that the Commission on Artificial Intelligence is subject to the FOIA. Following the court's decision, the AI Commission released documents about its activities to EPIC. In this year's FOIA gallery, EPIC also highlighted pre-trial risk assessment reports, documents about Justice Kavanaugh's role in the warrantless surveillance program, a DHS drone status report, the Census data transfer plan, and more than 29,000 complaints against Facebook pending at the FTC. (Mar. 16, 2020)

  • United Nations human rights experts are urging government leaders not to abuse emergency powers in response to the coronavirus outbreak. UN High Commissioner for Human Rights Michelle Bachelet stated: "Being open and transparent is key to empowering and encouraging people to participate in measures designed to protect their own health and that of the wider population, especially when trust in the authorities has been eroded." Andrea Jelinek, Chair of the European Data Protection Board, also released a statement, saying: "even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects." Some countries, such as Israel, intend to use cellphone data to track coronavirus, threatening civil liberties. A recent book by EPIC Advisory Board Member Professor Francisca Bignami on EU Law in Populist Times at the EPIC Bookstore explores derogations for national security. (Mar. 16, 2020)

  • EPIC submitted comments on the OMB draft Guidance for Regulation of Artificial Intelligence Applications. The OMB Guidance instructs federal agencies to regulate private sector use of AI. EPIC recommended that the OMB guidance also apply to government uses of AI, that OMB establish prohibitions on secret profiling and unitary scoring, and require transparency to ensure fairness and accountability in automated decisions concerning people. EPIC has recently petitioned the FTC to undertake a rulemaking for AI in commerce. EPIC has published the AI Policy Sourcebook, the first reference book on AI policy. (Mar. 13, 2020)

  • Last minute lobbying by big tech companies blocked passage of the Washington Privacy Act. The state privacy law have given consumers the right to access, correct and delete their personal data held by tech firms. EPIC and a broad coalition of privacy groups backed a comprehensive bill that would include, as privacy laws typically do, the right of consumers to bring legal action but that was opposed by industry groups. The Washington legislature did pass a modest bill limiting the government use of facial recognition technology. EPIC has long supported federal baseline legislation and the creation of a data protection agency. EPIC has also called for a moratorium on face surveillance. The EPIC State Policy Project monitors privacy bills nationwide. (Mar. 13, 2020)

  • EPIC has announced the newest members of the EPIC Advisory Board. They are Joy Buolamwini, Professor Margot Kaminski, Professor Kate Klonick, Professor William McGeveran, Professor Priscilla Regan, Rashida Richardson, and Vivian Schiller. The EPIC Advisory Board is a distinguished group of experts in law, technology, and public policy who contribute to EPIC's work on privacy and civil liberties. The publication of the EPIC Advisory Board members are available at the EPIC Bookstore. Press Release. (Mar. 13, 2020)

  • In a statement to the Senate Judiciary Committee on the EARN IT Act, EPIC supported both end-to-end encryption and reform to Section 230 of the Communications Decency Act. EPIC backed the plan to establish Best Practices to limit the distribution of child sexual exploitation material, but cautioned "against recommendations that would reduce privacy and security for Internet users." EPIC pointed out that actual end-to-end encryption "protects users, promotes commerce, and ensures cybersecurity." In an amicus brief in Herrick v. Grindr, EPIC objected to a court decision that found "online platforms bear no responsibility for the harassment and abuse their systems enable." (Mar. 12, 2020)

  • EPIC joined the National Consumer Law Center and other consumer groups in an amicus brief supporting review of recent decision that limits consumer robocall protections. In Gadelhak v. AT&T Services, the Seventh Circuit concluded that consumers who receive an automated text message can sue under the federal anti-robocall law, but only if the autodialer has a random number generator. The decision deepened a split among federal appeals courts over the scope of federal robocall protections. EPIC and NCLC also filed an amicus brief during the court's original consideration of the case. The EPIC brief explained that allowing telemarketers to auto-dial consumers "would undermine the law's effectiveness by inviting easy circumvention and rendering the restriction obsolete." EPIC routinely files amicus briefs on consumer privacy issues, including several amicus briefs on the TCPA. (Mar. 12, 2020)

  • In response to EPIC's FOIA Request, the DC Pretrial Services Agency produced several documents about its risk assessment instrument developed and validated by Maxarth. The government reduced the number of factors in risk factors from 70 to 43 in 2019 after review, and place more emphasis on recent criminal charges. EPIC also obtained a 2019 Validation Study and a Predictive Bias report. The Validation Study rated the predictive ability "sufficient." EPIC has obtained documents about pre-trial risk assessments nationwide as well as a scoring system developed by the DHS to assign risk assessments to travelers, including US citizens. EPIC has urged government agencies to make transparent algorithmic-based decision making to ensure fairness and accountability. (Mar. 11, 2020)

  • The D.C. Circuit Court of Appeals has granted Congress access to the grand jury materials referenced in the Mueller Report. The appeals court upheld a lower court decision to disclose the grand jury records to the House Judiciary Committee, citing the "compelling need for the material and the public interest." Last week, the court in EPIC v. Department of Justice ruled that it would review the unredacted Mueller Report to determine what additional material must be released to EPIC. The court in EPIC's case also rebuked Attorney General Barr, citing "grave concerns about the objectivity of the process that preceded the public release of the redacted version of the Mueller Report[.]" The book EPIC v. DOJ: The Mueller Report, which includes EPIC's original FOIA request and related materials, is available for purchase at the EPIC Bookstore. EPIC's case is EPIC v. Department of Justice, No. 19-810. (Mar. 10, 2020)

  • Congress is reviewing proposals to reform the Foreign Intelligence Surveillance Act. Several bills have been introduced, including a bill backed by EPIC and other civil liberties groups that would establish a warrant requirement for location data and internet browsing history, increase transparency, and strengthen the Privacy and Civil Liberties Oversight Board. Members of both parties have expressed interest in reform of the controversial NSA surveillance program. Even the FISA court has criticized the program, following abuses uncovered by the Inspector General. EPIC closely tracks the use of FISA authority. EPIC has advocated for significant FISA reforms, and recently advised Congress to limit Section 702 surveillance and to allow Section 215 to expire. The Section 215 program is scheduled to sunset on March 15. (Mar. 10, 2020)

  • EPIC has filed a reply brief in EPIC v. AI Commission urging a federal court in Washington, DC to enforce the Commission's obligation to hold open meetings and publish its records on a regular basis. The court previously ruled that the AI Commission must comply with the Freedom of Information Act. In briefs with the court, EPIC explained that the Commission must also comply with the Federal Advisory Committee Act, citing the law enacted by Congress. "It is not for the Government or the courts to second-guess that legislative choice simply because the AI Commission's transparency obligations flow from two statutes rather than one," EPIC wrote. In a recent report for Congress and the President, the Commission recommended weakening privacy safeguards for Americans but never consulted with the public as the Federal Advisory Committee Act would require. The case is EPIC v. AI Commission, No. 19-2906 (D.D.C.). (Mar. 10, 2020)

  • The OMB is seeking comments on the proposed Guidance for Regulation of Artificial Intelligence Applications. The Guidance recommends that federal agencies "promote advancements in technology and innovation, while protecting American technology, economic and national security, privacy, civil liberties, and other American values, including the principles of freedom, human rights, the rule of law, and respect for intellectual property." The US AI Guidance follows from the OECD AI Principles, which the United States has endorsed, as well as some of the Universal Guidelines for AI, a human rights framework for AI endorsed by more than 250 experts and 60 associations in 40 countries. EPIC will recommend that the OMB regulation apply to all government uses of AI, include prohibitions on secret profiling and unitary scoring, and require transparency to ensure fairness and accountability in automated decisions concerning people. EPIC has recently petitioned the FTC to undertake a rulemaking for AI in commerce. Comments to the OMB are due Friday, March 13 and can be submitted through the Federal Register. EPIC has published the AI Policy Sourcebook, the first reference book on AI policy. (Mar. 9, 2020)

  • The Department of Health and Human Services finalized rules that require insurance and healthcare companies to provide patient access to their medical data in a format suitable for cellphones and other electronic devices. However, federal privacy protections under HIPAA no longer apply once patients transfer their data to consumer apps, creating serious risks to medical privacy. The CEO of the American Medical Association warned regulators that "These practices jeopardize patient privacy, commoditize an individual's most sensitive information, and threaten patient willingness to utilize technology to manage their health." Tech firms pushed for these changes. Last year, the Wall Street Journal reported that Google's 'Project Nightingale' intends to amass health data on millions of Americans. There will be a six-month period before the rule goes into effect. EPIC has recommended strong safeguards for medical records in agency comments and briefs for the Supreme Court. (Mar. 9, 2020)

  • In EPIC's open government case concerning US AI policy, a federal court has ordered the National Security Commission on Artificial Intelligence to process 800 pages of records a month for disclosure to EPIC. The order follows the court's previous ruling in EPIC v. AI Commission that the Commission is subject to the Freedom of Information Act. The Commission recently released a report to Congress that criticizes the EU General Data Protection Regulation and calls for greater "government access to data on Americans." Before issuing its report, the Commission held more than two hundred secret meetings with tech firms, defense contractors, and others but did not gather opinions from the American public. EPIC is also litigating to enforce Commission's obligation to hold open meetings. (Mar. 9, 2020)

  • EPIC has filed a Freedom of Information Act request to several government agencies seeking records about the government's use of Clearview AI technology. Clearview AI permits law enforcement agencies to conduct suspicionless searches of people in public spaces. The company scraped billions of facial images, without permission, from websites, including Facebook, Youtube, Venmo, and Twitter. Clearview's recently stolen client list revealed that the company has sold its surveillance technology to more than 2,200 law enforcement and government agencies, and companies across 27 countries. EPIC, and more than a hundred organizations, have called for a moratorium on facial recognition technology. (Mar. 6, 2020)

  • A federal Court, ruling in EPIC v. Department of Justice, today rebuked Attorney General Barr and agreed to review the complete Mueller Report to determine what additional material must be released. Judge Reggie B. Walton wrote, "The Court has grave concerns about the objectivity of the process that preceded the public release of the redacted version of the Mueller Report[.]” The Court cited the summary of the principal findings prepared by the Attorney General. Judge Walton explained that "the need for the American public to have faith in the judicial process” requires that the court review the Mueller Report without redactions. "Adherence to the FOIA’s objective of keeping the American public informed of what its government is up to demands nothing less,” wrote Judge Walton. The Court also denied the Department of Justice’s motion for summary judgment. EPIC filed the first case in the nation for the disclosure of the complete Mueller Report. The book EPIC v. DOJ: The Mueller Report is available for purchase at the EPIC Bookstore. The case is EPIC v. Department of Justice, No. 19-810. (Mar. 5, 2020)

  • EPIC along with a coalition of groups proposed changes to the Washington Privacy Act, a bill now pending in the Washington legislature. The Washington Privacy Act would give consumers the right to access, correct and delete personal data held by companies, and it wold require companies to uphold privacy obligations, including transparency, purpose specification, data minimization, security, and nondiscrimination. But the bill lacks an effective mechanism for enforcement, permits the deployment of facial recognition, and contains many loopholes. EPIC and the coalition urged the Washington legislature to establish a private right of action, narrow the exemptions, make risk assessments publicly accessible, and remove the provisions permitting facial recognition. At the federal level, EPIC supports H.R. 4978, the Online Privacy Act, and S. 3300, to establish a US Data Protection Agency. EPIC has also called for a moratorium on face surveillance. The EPIC State Policy Project monitors privacy bills nationwide. (Mar. 5, 2020)

  • In an amicus brief filed today, EPIC urged the Supreme Court to allow the release of President Trump's tax returns to a grand jury. EPIC explained that President Trump broke with 40 years of precedent by concealing his tax records, even as he sought to collect sensitive voter and citizenship data from the public. "This is inverted liberty: privacy for the President and compelled disclosure of personal data for the public," EPIC argued. "That is antithetical to the structure and practice of modern democracies which safeguard the privacy of citizens and impose transparency obligations on political leaders, most notably the President." EPIC previously sought public release of President Trump's tax returns in EPIC v. IRS, arguing that disclosure was necessary to correct numerous factual misstatements made by the President. In EPIC v. IRS II, EPIC is currently seeking "offers-in-compromise" and related tax records of President Trump and his businesses. The case before the Supreme Court, Trump v. Vance, will be argued March 31. (Mar. 4, 2020)

  • EPIC has obtained a more documents from the National Security Commission on Artificial Intelligence. The records obtained by EPIC show that the AI Commission was aware of work on algorithmic transparency and AI bias. But the Commission's recent report to Congress did not endorse these recommendations, instead criticizing EU privacy law and calling for greater "government access to data on Americans." The Commission's disclosure follows a court ruling in EPIC v. AI Commission that the Commission is subject to the FOIA. Before issuing its report, the AI Commission held regular secret meetings with tech firms and defense contractors but did not gather opinions from the American public. EPIC is also litigating to enforce Commission's obligation to hold open meetings. (Mar. 4, 2020)

  • EPIC has filed a reply brief in EPIC v. Drone Advisory Committee urging the D.C. Circuit to reverse a decision that allowed FAA to conduct much of its policy work on drones in secret. EPIC filed suit in 2018 against the industry-dominated Advisory Committee, which ignored the privacy risks posed by the deployment of drones—even after identifying privacy as a top public concern. As a result of EPIC's lawsuit, the Committee was forced to disclose hundreds of pages of records to EPIC, but the agency withheld records from subcommittees that participated in the policy process. EPIC told the Court of Appeals that the FAA's interpretation of the Federal Advisory Committee Act would circumvent the open meetings law. The case is EPIC v. Drone Advisory Committee, No. 19-5238 (D.C. Cir.). (Mar. 3, 2020)

  • The Ninth Circuit decided today that consumers could bring a case against Facebook for scanning private messages, but upheld a settlement that produced only a minor change in Facebook's business practices. In Campbell v. Facebook, the appeals court found that consumers "sued to protect concrete interests" because wiretap laws "codify a context-specific extension of the substantive right to privacy." EPIC filed an amicus brief in the case, arguing that the settlement "does not prevent Facebook from resuming the practices" consumers sued to stop. EPIC explained that the settlement only requires Facebook to post a "vague notice" that is "not the basis for consent" under applicable wiretap laws. EPIC routinely files amicus briefs in cases concerning consumer privacy and standing. (Mar. 3, 2020)

  • EPIC, joined by other organizations, submitted comments to the FAA regarding the agency's proposed rule for drone IDs. EPIC urged the FAA to require real-time public access to drone ID information. EPIC also recommended that the FAA provide privacy protections for recreational users and conduct a privacy impact assessment of the risks associated with drone surveillance. In 2015, EPIC wrote "Drones should be required to broadcast their registration information to allow members of the public" to easily identify the operator and to determine the location, purpose, and surveillance capabilities of the drone. The European Union has established a drone regulation similar to the one EPIC has recommend the FAA to adopt. The Interior Department recently grounded Chinese-made drones, warning of surveillance risks. (Mar. 3, 2020)

  • In an amicus brief for the U.S. Supreme Court, EPIC today defended the Telephone Consumer Protection Act, a law that prohibits unwanted robocalls. EPIC said that the robocall ban is "constitutionally permissible and serves important governmental interests." EPIC explained in Barr v. American Association of Political Consultants that "the harm caused by unwanted automated calls" is more acute than when the robocall ban was enacted in 1991. EPIC said "without the autodialer ban, the assault of unwanted calls could make cell phones unusable." EPIC also argued that "a minor amendment to an otherwise constitutional law, passed decades after the original enactment, should not take down an act of Congress." Senator Markey, Representative Eshoo, and more than a dozen members of Congress also filed an amicus brief in support of the consumer privacy law. EPIC frequently files amicus briefs on the TCPA, including in the related case, Gallion v. Charter Communications. (Mar. 2, 2020)

  • A new poll from Gallup and the Knight Foundation found that the majority of Americans do not want political campaigns to micro-target digital ads. Democrats (69%), independents (72%), and Republicans (75%) said that internet companies should not provide information about users to political campaigns for online advertisements. 59% said Internet companies should disclose who paid for political ads, how much they cost, and to whom the ads are targeted. EPIC Consumer Protection Counsel Christine Bannan testified at an FEC hearing in 2018 and urged the Commission to promulgate rules to mandate the source of online political ads, comparable to the rule for print and broadcast publications. (Mar. 2, 2020)

  • The U.S. Supreme Court announced today it will consider a Freedom of Information Act case about the government's attempts to withhold documents from the public under the "deliberative process" exemption. In U.S. Fish and Wildlife Services v. Sierra Club, a federal appeals court ordered a federal agency to produce agency documents about a proposed regulation concerning endangered species. The Ninth Circuit held that the documents were not "predecisional." EPIC frequently litigates Freedom of Information Act cases to challenge the government withhold public records. EPIC is currently litigating for the release of the complete Mueller Report. (Mar. 2, 2020)

  • Through EPIC's lawsuit against the DHS, EPIC obtained a previously undisclosed Report about security breaches prior to the 2016 Presidential Election. The DHS/FBI report "Threats of Federal, State, and Local Government Systems" describes attacks on US elections and includes recommendations for cybersecurity risks. In the FOIA lawsuit, EPIC seeks to determine whether the DHS responded effectively to election security threats in 2016, The case is EPIC v. DHS, 17-2047 (D.D.C.). (Feb. 28, 2020)

  • Today the FCC announced proposed fines against T-Mobile, AT&T, Verizon, and Sprint for selling customers' location information. FCC Chairman Ajit Pai said: "This FCC will not tolerate phone companies putting Americans' privacy at risk." The companies are given an an opportunity to respond to the FCC before the Commission makes a final decision. EPIC has long advocated for protection of location privacy. EPIC pursued a lawsuit against a mobile app company that led to greater protection of users' location data. EPIC also successfully petitioned the FCC to safeguard sensitive data collected by phone companies. And EPIC filed an amicus brief in Carpenter v. US. The Supreme Court held in that case that the Fourth Amendment protects cell site location information. (Feb. 28, 2020)

  • Speaking at the launch of the OECD AI Policy Observatory in Paris, EPIC President Marc Rotenberg urged OECD member countries to defend "the rule of law, fundamental rights, and democratic institutions." Rotenberg praised the OECD for its work on the AI Principles, noted the influence of the OECD Privacy Guidelines, but also warned that AI decisionmaking will have a profound impact on employment, education, and criminal justice. "The OECD is uniquely situated,:" Rotenberg said "to promote economic growth and protect democratic values." EPIC helped establish the OECD Civil Society Advisory Council and has gathered support for the Universal Guidelines for AI, a policy framework to protect human rights. EPIC's Rotenberg first urged "algorithmic transparency" at the OECD global forum in Japan in 2014. (Feb. 27, 2020)

  • The FTC has published "Privacy & Data Security Update for 2019." The FTC report summarizes the enforcement actions the agency pursued last year, including the proposed settlement with Facebook. EPIC challenged the settlement, arguing that the "Court should not adopt the proposed Consent Decree because the parties have not established that it would be fair, adequate, reasonable, appropriate, or consistent with the public interest." EPIC also uncovered 29,000 complaints against Facebook, currently pending at the FTC. The Court required the FTC and Facebook to respond to EPIC's objections. EPIC and other consumer organizations have many privacy complaints currently pending at the FTC that the Commission has failed to pursue. EPIC recently filed complaints with the FTC on HireVue and Airbnb for unfair and deceptive uses of AI. (Feb. 27, 2020)

  • The Privacy and Civil Liberties Oversight Board has issued a report emphasizing the minimal value of the NSA's call details records program. The Board recommended the end of the program, which the NSA suspended last year after concerns about compliance with legal standards established in the US Freedom Act. According to the PLCOB report, the government spent $100 million on the program, yet opened only one non-duplicative investigation. EPIC recently joined 44 civil liberties organizations in backing the end of the NSA surveillance program. In 2013, EPIC filed a petition with the U.S. Supreme Court, In re EPIC, challenging the lawfulness of the NSA's bulk collection of American's telephone records. (Feb. 27, 2020)

  • EPIC has filed a complaint with the FTC, alleging that Airbnb has committed unfair and deceptive practices in violation of the FTC Act and the Fair Credit Reporting Act. Airbnb secretly rates customers “trustworthiness" based on a patent that considers such factors as “authoring online content with negative language.” The company’s opaque, proprietary algorithm also considers "posts on the person’s social network account" as well the individual's relationships with others, and adjusts the "trustworthiness" score based on the scores of those associations. EPIC said the company failed to comply with "established public policies" for AI decision-making, such as the OECD AI Principles and the Universal Guidelines for AI. EPIC has recently brought complaints to the FTC about the employment screening firm HireVue and the Universal Tennis Rating secret scoring technique. EPIC has also petitioned the FTC to conduct a rulemaking for "the use of artificial intelligence in commerce." The EPIC AI Policy Sourcebook includes the OECD AI Principles, the Universal Guidelines for AI, and other AI policy frameworks. (Feb. 27, 2020)

  • Hackers have stolen the entire client database of facial recognition company Clearview AI. Clearview AI scraped over three million images from the internet to build its facial recognition database. The company sells facial recognition services to law enforcement agencies. In a statement to Clearview AI CEO Hoan Ton-That, Senator Markey wrote: "Clearview's product appears to pose particularly chilling privacy risks, and I am deeply concerned that it is capable of fundamentally dismantling Americans' expectation that they can move, assemble, or simply appear in public without being identified..." Last month Senator Markey sent a letter to Clearview AI asking about the company's collaboration with law enforcement agencies and for information about privacy protections. EPIC, and more than a hundred organizations, have called for a moratorium on facial recognition technology. (Feb. 26, 2020)

  • In a statement to Congressional leaders, California Attorney General Xaviar Becerra called for strong baseline, federal privacy legislation. Becerra wrote, "I am optimistic Congress will be able to craft a proposal that guarantees new privacy rights for consumers, includes a meaningful enforcement regime, and respects the good work undertaken by states across the country." The California Attorney General also made clear the importance of meaningful enforcement. "Congress should make clear in any legislative proposal that state attorneys general have parallel enforcement authority and that consumers also have the opportunity to protect their rights directly through a private right of action," Becerra said. EPIC has endorsed H.R. 4978, the Online Privacy Act, sponsored by Representatives Eshoo and Lofgren and S. 3300, the Data Protection Act, sponsored by Senator Gillibrand. Neither bill preempts stronger state law. (Feb. 26, 2020)

  • In comments on proposed revisions to the California Consumer Privacy Act, EPIC backed changes to strengthen consumer protections. EPIC expressed support for the work of the California Attorney General on the CCPA and provided the recommendations to "further safeguard the privacy of California consumers." EPIC's comments follow EPIC's campaign to educate Californians about the CCPA and EPIC's recent report on federal privacy legislation, Grading on a Curve. EPIC has endorsed H.R. 4978, the Online Privacy Act (Eshoo/Lofgren), and S. 3300, The Data Protection Act (Gillibrand). (Feb. 25, 2020)

  • The House Judiciary Committee will consider this week the USA FREEDOM Reauthorization Act of 2020, a bill that will repeal authority to access call detail records, declassify opinions of the FISA court, and improve the Privacy and Civil Liberties Oversight Board. EPIC has joined 44 civil liberties organizations in support of similar legislation. But the bill does not address surveillance conducted under Section 702, concerning non-US persons. EPIC recently advised Congress to reform Section 702 and to end Section 215 surveillance of Americans. (Feb. 25, 2020)

  • According to the New York Times, U.S. intelligence agencies have briefed Congress about ongoing efforts by Russia to interfere in the 2020 Presidential election. Following the briefing, the President replaced the acting Director of National Intelligence with Richard Grenell, a person with no background in intelligence or the management of federal agencies. The Senate Intelligence Committee, the U.S. Intelligence Community, and Special Counsel Robert Mueller previously confirmed Russian interference in the 2016 election. However, the full extent of Russian interference in 2016 has not yet been revealed. EPIC is seeking the disclosure of the complete and unredacted Mueller Report in the FOIA lawsuit EPIC v. DOJ. EPIC's case could provide further information about the scope and techniques of Russian election interference. A ruling is expected soon. (Feb. 21, 2020)

  • In response to a public records request, EPIC received documents from the Mississippi Department of Corrections detailing their use of risk assessment tools. The results show that the Department uses risk assessments from pre-trial through parole. The document released to EPIC also show efforts to comply with the validation requirements of state law passed in 2019. The documents disclosed include also sample scoring sheets, scripts, four different trainings, and a manual on the risk assessment software. EPIC has obtained documents about pre-trial risk assessments from several states as well as a scoring system developed by the DHS to assign risk assessments to travelers, including US citizens. (Feb. 21, 2020)

  • Through a FOIA request, EPIC has obtained documents (pt. 1, 2, 3) about the TSA's "Visible Intermodal Prevention and Response" program. Created in 2004, the VIPR teams worked with law enforcement agencies to conduct warrantless searches at public events, including festivals, sporting events, and bus stations. The TSA released to EPIC planning guidance, an operations directive, operating procedures, and activity summary reports. However, the EPIC request revealed that the TSA failed to complete civil rights and civil liberties impact assessments required by law. The VIPR program ended in 2019. The VIPR program used "risk-based" profiling and "behavior detection" to search and detain individuals. Two GAO reports (2013, 2017)questioned the reliability of TSA's behavioral indicators, which included, for example, "assessing the way an individual swallows or the degree to which an individual's eyes are open." (Feb. 21, 2020)

  • The European Parliament heard testimony today on AI in Criminal Law amidst a widespread push towards robust AI regulation in the EU. The panelists before the committee responsible for civil liberties, justice, and home affair focused on facial recognition, risk assessments, and predictive policing. The hearing explored regulation and law enforcement use, and also transparency, explainability, and accountability. The hearing in Parliament followed the release of a European Commission White Paper on AI. EPIC has called for a moratorium on face surveillance and maintains a resource about the use of risk assessments in the US Criminal Justice system. (Feb. 20, 2020)

  • This week the American Bar Association adopted new policies for the security of elections and the regulation of drone operations. Under the election cybersecurity policy, the ABA will urge Congress to provides funding to NIST to set election security standards, provide funding to secure state systems, and encourage state and local governments to secure election systems. Last year a federal court ruled that Georgia must replace its insecure voting machines, citing EPIC's amicus brief that highlighted the unreliable nature of paperless voting systems. EPIC continues to seek release of DHS records concerning ongoing election security risks. The ABA also adopted a drone privacy policy that will encourage federal, state, and local governments to regulate the deployment of drones. EPIC first petitioned the FAA to promulgate drone privacy regulations in 2012, has sued to obtain records of the agency's secretive drone advisory committees, and EPIC recently launched a Mandate Drone ID Campaign. (Feb. 20, 2020)

  • A report released by the Administrative Conference of the US with Stanford and NYU explores the use of Artificial Intelligence techniques by 142 Federal Agencies. According to the report, law enforcement agencies are most likely to use AI. The report "Government by Algorithm: Artificial Intelligence in Federal Administrative Agencies" cites documents obtained by EPIC in the FOIA lawsuit EPIC v. CBP. In that case, EPIC obtained document from the federal agent that revealed problems with biometric identification. EPIC has recommended the Universal Guidelines for AI to guide the government's use of AI and EPIC recently petitioned the Federal Trade Commission to establish regulations for the use of AI in commerce. (Feb. 20, 2020)

  • In response to EPIC's Freedom on Information Act lawsuit, EPIC v. State, the State Department has provided EPIC with several agency agreements concerning State Department facial recognition program. The Consular Consolidated Database contains millions of images from visa and passport applicants, which other federal agencies are now accessing for purposes unrelated to the processing of visa and passport application. The State Department agreements include the Labor, Interior, and Defense Departments. Several of the documents EPIC obtained concealed the name of the federal agency accessing the State Department database. In a related EPIC FOIA lawsuit, EPIC obtained documents concerning Customs and Border Protection use of images from the State Department. (Feb. 19, 2020)

  • EPIC has filed a brief urging a federal court to enforce the transparency obligations of the National Security Commission on Artificial Intelligence. EPIC explained that the AI Commission must hold open meetings and publish its records on a regular basis. The court previously ruled that the AI Commission must comply with EPIC's Freedom of Information Act request, but the Commission now claims that it is exempt from a related statute that requires advisory committees to operate transparently. EPIC told the court that "as is often the case for federal entities, the AI Commission must comply with two (or three, or more) statutory obligations at the same time." The Commission, which is tasked with developing U.S. AI policy, recently released a report to Congress criticizing the EU General Data Protection Regulation and calling for greater "government access to data on Americans." The AI Commission met frequently in secret with lobbyists and private contractors, but never gathered opinions from the American public. (Feb. 19, 2020)

  • The European Commission has published the White Paper on Artificial Intelligence(AI) and the European Data Strategy. the Commission stated that the aim is to promote "Technology that works for people; a fair and competitive economy; and an open, democratic and sustainable society." On AI and fundamental rights, the Commission warned that "biases in algorithms or training data used for recruitment AI systems could lead to unjust and discriminatory outcomes..." The Commission also warned that the "gathering and use of biometric data for remote identification purposes carries specific risks for fundamental rights" but stopped short of endorsing a moratorium on face surveillance. The EU White Paper on Artificial Intelligence is open for public consultation until May 19, 2020. The Commission is also gathering feedback on the data strategy. (Feb. 19, 2020)

  • The Seventh Circuit has concluded that consumers who receive an automated text message can sue under the federal anti-robocall law, but only if the autodialer has a random number generator. The decision in Gadelhak v. AT&T Services deepens a split among federal appeals courts over the scope of federal robocall protections. EPIC and the National Consumer Law Center filed an amicus brief in the case, arguing that an autodialer need only dial numbers from a list, such as a customer contact database. EPIC and the NCLC explained that allowing telemarketers to robocall consumers from a list "would undermine the law's effectiveness by inviting easy circumvention and rendering the restriction obsolete." The EPIC routinely files amicus briefs on consumer privacy issues, including several amicus briefs on the TCPA. (Feb. 19, 2020)

  • In a letter to school administrators, EPIC joined Fight for the Future and over 40 organizations opposing the use of facial recognition technology in schools. The coalition stated that facial recognition is an "invasive and biased technology that violates the rights of students and faculty and has no place in educational institutions." EPIC launched a campaign and resource page to ban face surveillance globally. The Public Voice declaration has the support of over 100 organizations and many leading experts across 30 plus countries. EPIC has also called on the Privacy and Civil Liberties Oversight Board to suspend face surveillance systems across the federal government. (Feb. 13, 2020)

  • Senator Kirsten Gillibrand (D-NY) has introduced S. 3300, The Data Protection Act of 2020 which would create an independent Data Protection Agency in the United States to safeguard the personal data of Americans. EPIC, many leading consumer and civil rights organizations, privacy experts, and scholars support Senator Gillibrand's non-partisan bill. "The US confronts a privacy crisis. Our personal data is under assault. Congress must establish a data protection agency. Senator Gillibrand has put forward a bold, ambitious proposal to safeguard the privacy of Americans," said Caitriona Fitzgerald, EPIC Policy Director. EPIC has long advocated for the creation of a U.S. Data Protection Agency, arguing that the Federal Trade Commission is an ineffective agency, lacking basic competence for privacy protection. EPIC's recent report, Grading on a Curve: Privacy Legislation in the 116th Congress sets out the key elements of a modern privacy law, including the creation of a Data Protection Agency. [Bill text] [EPIC PRESS RELEASE] (Feb. 13, 2020)

  • Senators Cory Booker and Jeff Merkley introduced the Ethical Use of Facial Recognition Act, which would ban the federal government's use of facial recognition until Congress passes legislation regulating the technology. The bill also prevents state and local government from using federal funds for facial recognition systems and creates a commission to develop guidelines for the use of facial recognition. EPIC has launched a campaign to Ban Face Surveillance and through the Public Voice coalition gathered the support of over 100 organizations and many leading experts across 30 plus countries. An EPIC-led coalition has also called on the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government. (Feb. 12, 2020)

  • Today EPIC has launched "Mandate Drone ID" to encourage the public to submit comments to the FAA regarding the agency's proposed rule for a drone ID requirement. EPIC recommends that the FAA modify the draft rule to require public access to drone ID information, including the operator identity, the purpose, and the surveillance capabilities. In 2015, EPIC wrote "Drones should be required to broadcast their registration information to allow members of the public" to easily identify the operator and responsible party. EPIC has recommended that the FAA follow the model for vessels and planes, which requires operators to broadcast location, course, and operator identity, The European Union has established real-time broadcasting requirement similar to the one EPIC has previously encouraged the FAA to implement. Comments on the FAA proposed rule are due March 2, 2020. (Feb. 12, 2020)

  • EPIC has joined 44 civil liberties organizations in endorsing the Safeguarding Americans' Private Records Act of 2020 (S. 3242 / H.R. 5675), sponsored By Senator Wyden [D-OR] and, in the House, Rep. Lofgren [D-CA]. The bills would repeal the NSA's bulk telephone surveillance program, establish a warrant requirement for location data and internet browsing history, increase transparency, and strengthen the Privacy and Civil Liberties Oversight Board. EPIC recently advised Congress to reform Section 702 of FISA and to sunset Section 215 of the Patriot Act. (Feb. 12, 2020)

  • The FTC announced plans to review acquisitions by Google, Amazon, Apple, Facebook, and Microsoft between 2010-2019. The FTC will review those acquisitions that the companies were not required by law to report at the time of acquisition. FTC Chairman Joe Simons said the initiative would "evaluate whether the federal agencies are getting adequate notice of transactions that might harm competition." In a joint statement, Commissioner Wilson and Commissioner Chopra said, "While we commend the FTC for exploring this timely and important topic, we reiterate our call for the Commission to prioritize 6(b) studies that explore consumer protection issues arising from the privacy and data security practices of technology companies, including social media platforms." EPIC filed a complaint with the FTC in 2014 opposing Facebook's acquisition of WhatsApp. EPIC is presently in federal court seeking to improve the FTC's proposed settlement with Facebook and to unwind the merger. (Feb. 12, 2020)

  • The European Parliament has passed a resolution urging the European Commission to adopt strong rules for industrial policy on artificial intelligence and robotics. The Resolution emphasizes safety, transparency, explainability, and data quality. The Resolution also seeks to "ensure that automatic decision-making is not being used to discriminate against consumers based on their nationality, place of residence or temporary location." The Resolution also supports the free flow of non-personal data to promote innovation. The European Commission is expected to announce how it will proceed with AI regulation next week. Last week, a Dutch Court ruled that an AI system to detect welfare fraud violated human rights. EPIC has promoted Algorithmic Transparency and the Universal Guidelines for AI, and also published the AI Policy Sourcebook, the first reference book on AI policy. (Feb. 12, 2020)

  • The California Attorney General has released the final draft of the regulations implementing the California Consumer Privacy Act. The draft updates key definitions, recommends an opt-out button image, and clarifies how businesses should respond to consumer access and deletion requests. The public has until February 25 to provide comments on the proposed regulation. Enforcement of the law will begin on July 1, 2020. In previous comments, EPIC urged strong enforcement of the state privacy law. The complete text of the California privacy law is available in the EPIC 2020 Privacy Law Sourcebook. EPIC has published a resource to help California residents exercise their rights under the CCPA. (Feb. 11, 2020)

  • The Technical Guidelines Development Committee has approved the Voluntary Voting System Guidelines 2.0. The Committee provides technical recommendations to the Election Assistance Commission regarding voting systems in the United States. EPIC, along with the Association for Computing Machinery, previously recommended strong principles for voter privacy, ballot secrecy, and data protection. The groups also urged the Commission to ban internet-connected voting machinery, citing the risks to voting integrity and democratic institutions. The Technical Committee recommended banning internet-connected voting systems, as well as strong provisions on voter privacy, ballot secrecy, and data protection. Though states are not mandated to comply with the Voting System Guidelines, the Guidelines shape the election security market. EPIC has a long history of working to protect voter privacy and election integrity. (Feb. 11, 2020)

  • The House passed H.R. 4357, which bans the use or purchase of foreign-made drones by the Department of Homeland Security. Last month, the Interior Department banned the use of foreign-made drones for non-emergency operations. The US government actions respond to growing concern that Chinese-made drones collect sensitive information in the United States. In 2012, EPIC and more than 100 experts petitioned the FAA to establish a rule to limit drones surveillance, but the agency failed to act. In recent comments to the FAA, EPIC warned the agency that regulating drone surveillance was essential to privacy and security. Last year, EPIC's Marc Rotenberg and Len Kennedy cited the FAA's failure to develop appropriate regulations in a commentary for the New York Times, and also warned that China's surveillance model requires "comprehensive privacy legislation to safeguard the personal data of Americans." (Feb. 11, 2020)

  • The Justice Department has confirmed to EPIC that Special Counsel Mueller did not draft any reports for Congress during the investigation into Russian interference in the 2016 election. In a filing from EPIC v. DOJ the Justice Department stated that it found no "reports, recommendations, and other compilations of information prepared for the eventual consideration of one or more members of Congress." Last year, EPIC's open government lawsuit revealed records of a previously-undisclosed Special Counsel investigation into a suspected "unregistered agent of a foreign government." EPIC is also seeking disclosure of the complete, unredacted Mueller Report. The book EPIC v. DOJ: The Mueller Report is available for purchase at the EPIC Bookstore. (Feb. 10, 2020)

  • The U.S. government has indicted four members of China's military on charges of hacking Equifax to exploit the personal data of 150 million Americans. They allegedly conspired to hack into Equifax's computer networks, maintain unauthorized access to those computers, and steal sensitive, personally identifiable information of nearly half of all American citizens. EPIC President Marc Rotenberg testified before the House in 2018 and the Senate in 2017 about the Equifax breach. Rotenberg warned lawmakers and regulators that the failure of the U.S. government to safeguard the personal data of Americans has placed American consumers at risk from foreign adversaries. And in the Harvard Business Review, Rotenberg explained that "consumer privacy is not a goal achieved by markets. It must be mandated by Congress." EPIC has called for passage of the Online Privacy Act, H.R. 4978, and the creation of a U.S. data protection agency. (Feb. 10, 2020)

  • In advance of a hearing on the Department of Homeland Security's use of facial recognition technology. EPIC urged Congress to suspend the use of facial recognition for mass surveillance. EPIC explained that an individual's ability to control disclosure of identity "is an essential aspect of personal security and privacy." EPIC provided to the House Committee the Public Voice Declaration, supported by more than 100 organizations and leading experts from around the world, calling for a moratorium on face surveillance. The Declaration calls on countries to (1) suspend deployment of facial recognition; (2) review systems to determine whether personal data was obtained lawfully; (3) undertake research to assess bias and risk; and (4) establish legal rules, technical standards, and ethical guidelines before further deployment occurs. EPIC recently launched a campaign and resource page to ban face surveillance globally. (Feb. 6, 2020)

  • A Dutch Court ruled that an algorithmic risk assessment technique that ostensibly detects fraud violates human rights and privacy laws. The SyRi system processed massive amounts of personal data held in a government agencies with an opaque algorithm. The Dutch court ruled "there is a risk that the use of SyRI will inadvertently make connections based on bias." EPIC tracks and publicizes the use of risk assessments in the US Criminal Justice System as well as advocates for the Universal Guidelines for AI to ensure Algorithmic Transparency in automated decision making, EPIC published the AI Policy Sourcebook, the first reference book on AI policy. (Feb. 5, 2020)

  • Today EPIC filed a petition with the Federal Trade Commission for a rulemaking "concerning the use of artificial intelligence in commerce." The EPIC petition follows two recent EPIC complaints to the FTC about the use of AI for employment screening and the secret scoring of young athletes. EPIC noted that several FTC Commissioners have called for updated regulations to address the challenges of Artificial Intelligence. EPIC pointed to the recent OMB Guidance for Regulation of Artificial Intelligence in support of the FTC rulemaking. EPIC also publishes the AI Policy Sourcebook, the first reference book on AI policy. (Feb. 3, 2020)

  • FCC Chairman Pai has announced upcoming enforcement actions against wireless carriers that disclosed subscribers' location data. Last year Members of Congress called an emergency briefing with the FCC and urged the agency to investigate companies that were selling subscribers' location data. EPIC has long advocated for protection of location data. EPIC pursued a lawsuit against a mobile app company that led to greater protection of users' location data. EPIC also successfully petitioned the FCC to safeguard sensitive data collected by phone companies. And EPIC filed a amicus brief in Carpenter v. US. The Supreme Court held in that case that the Fourth Amendment protects cell site location information. EPIC maintains detailed webpages on location privacy. (Jan. 31, 2020)

  • Sen. Michael Bennet (D-CO) has criticized the White House Guidance on Artificial Intelligence as "insufficient" and "little more than gauzy generalities." In a letter to US Chief Technology Officer Michael Kratsios, Bennet said the "principles male only passing referrence to privacy protections" and "just a cursory discussion of Americans' civil rights." Bennet said also that the White House "has failed to set spending targets, establish metrics, or allocate additional funding." EPIC published the AI Policy Sourcebook, the first reference book on AI policy. The AI Sourcebook includes the Universal Guidelines for AI, an influential human rights framework for AI policy. (Jan. 31, 2020)

  • EPIC has settled a Freedom of Information Act lawsuit against Immigration and Customs Enforcement. EPIC sought records about the agency's use of Palantir's technology for mass surveillance. The documents obtained by EPIC revealed the vast capabilities of agency program to link phone numbers, GPS data, and social network data. The FALCON database, developed by Palantir, also includes sensitive data such as social security numbers, financial records, call records, ISP records. In previous comments, EPIC urged the agency to limit the data gathered, narrow the exemptions to the Privacy Act, and remove the routine use disclosures. As a consequence of the successful litigation, EPIC will receive attorneys fees. (Jan. 31, 2020)

  • This week Facebook agreed to pay $550 million to settle a lawsuit about the use of facial recognition technology. The New York Times called the settlement "A Big Victory for Privacy Groups." In 2010, EPIC objected to Facebook's collection of biometric data and urged the FTC to modify a proposed settlement to limit Facebook's use of facial recognition. EPIC filed similar complaints about facial recognition with the FTC in 2016 and 2018. EPIC also filed several amicus briefs stating that the violation of a federal privacy law is sufficient to confer "standing," the right of consumers to bring lawsuits. In response to Facebook's challenge to the Illinois Biometric Privacy Act, EPIC wrote, "Judicial second-guessing of statutory protections for biometric data established by the state legislature, following a careful weighing of the public safety concerns, will come at an enormous cost to the privacy of Illinois residents." EPIC's views were adopted by a federal court in this case, which led to the recent settlement with Facebook. The text of the Illinois privacy law is available in the 2020 EPIC Privacy Law Sourcebook at the EPIC Bookstore. And EPIC's objections to the current FTC settlement with Facebook are now pending in federal court. (Jan. 30, 2020)

  • The Interior Department announced today it will ban Chinese-made drones for non-emergency use. The Secretary's Order responds to growing concerns that information collected by aerial drones could be "valuable to foreign entities, organizations and governments." In 2012, EPIC and more than 100 experts petitioned the FAA to establish a privacy rule for drones, but the agency failed to act. Last year EPIC's Marc Rotenberg and Len Kennedy cited the FAA's failure, and also warned that China's surveillance model requires "comprehensive privacy legislation to safeguard the personal data of Americans." Senator Chris Murphy [D-CT] and Senator Rick Scott [R-FL] have introduced S. 2502, the American Security Drone Act of 2019 that would prevent federal agencies from purchasing drones manufactured in China. (Jan. 29, 2020)

  • The Banisar index has found that as of 2019, 130 countries have adopted comprehensive data protection laws to protect personal data held by private companies and government entities. In almost all of the countries, an independent data protection agency or information commission oversees and enforces the laws. EPIC's recent report on U.S. federal privacy legislation Grading on a Curve: Privacy Legislation in the 116th Congress evaluates federal privacy bills. EPIC has called for comprehensive baseline legislation and the creation of a data protection agency. EPIC also makes available The 2020 Privacy Law Sourcebook at the EPIC Bookstore. (Jan. 29, 2020)

  • In comments on an FCC proposed rule, EPIC said that the agency should not track the Internet use of Lifeline subscribers. Lifeline is a federal program that provides broadband service to economically disadvantaged Americans. The FCC is proposing that Lifeline subscribers install apps to track their data usage and that companies retain detailed records about Internet use by Lifeline subscribers. EPIC said: "Americans should not be required to sacrifice their privacy to access the Internet." EPIC led a campaign and petition opposing the FCC's requirement that telephone carriers retain detailed records of American telephone customers. (Jan. 28, 2020)

  • On January 28, EPIC celebrates International Privacy Day, which commemorates Council of Europe Convention 108, the first international privacy convention. Today EPIC urged Congress to take three steps to safeguard the personal data of Americans: (1) enact comprehensive baseline legislation, (2) establish a data protection agency, and (3) ratify the International Privacy Convention. EPIC and consumer organizations have long urged the United States to endorse the Privacy Convention, which establishes a global framework for the free flow of personal data. The complete text of the Privacy Convention is in the EPIC Privacy Law Sourcebook, available at the EPIC Bookstore. Follow #DataProtectionDay. (Jan. 28, 2020)

  • EPIC has written in support of Maryland Senate Bill 34, which would prohibit the scanning or swiping of identification cards and driver’s licenses. "The best defense against data breaches is not collecting and retaining personal data in the first place,” EPIC said in testimony to the Maryland State Senate Finance Committee. The bill is sponsored by Senator Cheryl Kagan and it passed the State Senate unanimously last session. EPIC previously warned of the risks of swiping identity documents in a report on the controversial REAL ID proposal - “REAL ID Implementation Review: Few Benefits, Staggering Costs." EPIC's State Policy Project tracks privacy developments at the state level. (Jan. 28, 2020)

  • A new Pew Research survey found that 74% of U.S. adults say it is more important to keep things about themselves from being searchable online than it is to discover potentially useful information about others. And 85% say that all Americans should have the right to have potentially embarrassing photos and videos removed from online search results. EPIC advocates for the "right to be forgotten" and maintains a webpage on U.S. state laws that allow individuals to remove records containing disparaging information. EPIC publication "The Right to be Forgotten on the Internet: Google v. Spain," an account of the original case written by former Spanish Privacy Commissioner Artemi Rallo, is available in the EPIC bookstore. (Jan. 27, 2020)

  • EPIC and over 40 organizations have urged the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government. The Board advises the government on new threats to privacy. The groups said “the rapid and unregulated deployment of facial recognition poses a direct threat to ‘the precious liberties that are vital to our way of life.’” Last year, the Public Voice coalition called for a global moratorium on face surveillance. The Declaration was endorsed by over 100 organizations and several hundred experts in over 40 countries. EPIC previously called for DHS to suspend the use of facial recognition technology. EU leaders are now considering a ban on the use of facial recognition in public spaces, “for up to five years until safeguards to mitigate the technology’s risk are in place.” (Jan. 27, 2020)

  • A new European Parliament Resolution advises the European Commission to establish strong oversight of artificial intelligence. The Resolution emphasizes safe and compliant products, human responsibility, safety, transparency, explainability, and data quality. The Resolution also supports the free flow of non-personal data to promote innovation. Several of these principles are put forward in the Universal Guidelines for AI, which EPIC recommends as the baseline for AI Policy. On February 19, the European Commission is expected to announce how it will proceed with AI regulation. EPIC has promoted Algorithmic Transparency and published the AI Policy Sourcebook, the first reference book on AI policy. (Jan. 23, 2020)

  • EPIC presented the 2020 International Privacy Champion Awards to Isabelle Falque-Pierrotin, former President of the French Data Protection Agency (the "CNIL") and British journalist Carole Cadwalladr. EPIC President Marc Rotenberg drew attention to Falque-Pierrotin's "dedication and determination" which have "given force to the right to privacy." Rotenberg cited Cadwalladr's reporting on the Cambridge Analytica data breach, which has made clear "the deep connection between data protection and the protection of democratic institutions." The ceremony took place at the annual conference on Computers, Privacy, and Data Protection in Brussels, Belgium. The 2020 EPIC Champion of Freedom Awards will be held at the National Press Club in Washington, DC on June 3, 2020. PRESS RELEASE (Jan. 22, 2020)

  • None of Your Business, the privacy NGO established by Max Schrems, has launched a new resource for those following European privacy law. GDPRhub provides summaries of decisions by national Data Protection Agencies and courts concerning the GDPR. This database offers insight into key debates on the interpretation of contentious GDPR issues. A second database, "GDPR Knowledge," offers commentaries on GDPR and DPA profiles across the EU. NOYB is also publishing GDPRtoday, which provides a "quick overview of all national decisions of the past days from all across Europe." EPIC provides the text of the GDPR in the 2020 Privacy Law Sourcebook available at the EPIC Bookstore. (Jan. 22, 2020)

  • A new Pew Research poll finds that 41% of Americans say it is acceptable for makers of fitness trackers to disclose users' data to medical researchers, while 35% believe this is an unacceptable practice and 22% are unsure. The study also found that white adults (39%) are more likely than those who are black (31%) or Hispanic (26%) to see disclosure of this data as unacceptable. EPIC told Congress that the Federal Trade Commission must block Google's plan to acquire Fitbit and that merger review must consider data protection. EPIC maintains an extensive page on Privacy and Public Opinion which shows consistent support among Americans for stronger privacy laws. EPIC advocates for comprehensive privacy legislation and the establishment of a U.S. data protection agency. (Jan. 22, 2020)

  • EPIC will present argument today in State v. Andrews, a New Jersey Supreme Court case about the compelled disclosure of a cell phone passcode. In its amicus brief, EPIC argued that the Fifth Amendment limits the ability of the government to obtain cellphone passcodes. Citing Riley v. California and Carpenter v. United States, EPIC said the U.S. Supreme Court has held that the vast troves of personal data stored in cell phones "justifies strong constitutional protections." EPIC also explained that limited exceptions to Fifth Amendment safeguards were adopted before personal information was "consolidated in one place." EPIC routinely files amicus briefs arguing that constitutional protections should keep pace with advances in technology. EPIC filed amicus briefs in Carpenter and Riley, which both involved the searches of cellphones. The Supreme Court cited EPIC's amicus brief in the Riley opinion. (Jan. 21, 2020)

  • The U.S. Supreme Court will leave in place a decision that allows lawsuits against Facebook for the unlawful collection of facial images. In Patel v. Facebook, the Ninth Circuit held that that an Illinois biometrics law protects "concrete privacy interests" and that violations of the law "pose a material risk of harm to those privacy interests." EPIC filed an amicus brief in the case, arguing that users can sue companies that violate rights protected by privacy laws. EPIC has long advocated for limits on the use of biometric data and has opposed Facebook's use of facial recognition software. EPIC and others recently called for a global moratorium on facial recognition. EPIC recently launched a campaign and resource page to ban face surveillance. (Jan. 21, 2020)

  • Facebook reversed the controversial decision to sell ads in WhatsApp. Before WhatsApp was acquired by Facebook, the company promised users it would not sell ads. But Facebook did not honor that promise to users, causing the WhatsApp founders to resign. When Facebook proposed to acquire WhatsApp in 2014, EPIC filed a complaint with the FTC advising the agency to block the sale unless adequate privacy safeguards were established for WhatsApp user data.The FTC wrote in response "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the Federal Trade Commission (FTC) Act and, potentially, the FTC's order against Facebook." EPIC has challenged the proposed FTC settlement with Facebook, arguing that it is procedurally unfair and that the FTC failed to address growing concerns about the use of WhatsApp user data. The FTC is now considering blocking the integration of Facebook and WhatsApp user data. (Jan. 21, 2020)

  • POLITICO reports that EU President von der Leyen and Commissioner Vestager are considering a ban on the use of facial recognition in public spaces, "for up to five years until safeguards to mitigate the technology's risks are in place." Last fall, more than 100 organizations, and several hundred experts, from over 40 countries urged data protection officials to adopt a moratorium on facial recognition. The Public Voice petition asked countries to "establish the legal rules, technical standards, and ethical guidelines necessary to safeguard fundamental rights and comply with legal obligations before further deployment of this technology occurs." EPIC is now tracking efforts around the world to Ban Face Surveillance. (Jan. 16, 2020)

  • The EU Advocate General advised the European Court of Justice that "the means and methods of combating terrorism must be compatible with the requirements of the rule of law" in a case concerning the retention of personal data for law enforcement purposes. The AG recommended limiting retention of data to data that are essential for national security and limiting access to that data subject to prior review by courts. The opinion is not binding on the Court of Justice and the Court will issue a judgment at a later date. The AG cited EPIC's expert submissions in "Schrems 2.0," another case concerning Facebook's transfer of personal data to the United States and the adequacy of U.S. privacy law. (Jan. 16, 2020)

  • EPIC has urged Congress to implement the OECD Principles on AI and adopt the Universal Guidelines of AI. In a statement in advance of a hearing on "Industries of the Future," EPIC also highlighted the White Houses's Guidance for AI Regulation, and urged the Senate to prioritize public participation and democratic values. Senator Roger Wicker's (R-MS) bill, the "Industries of the Future Act," would promote government investment in research and development and create a government Council to advise the Office of Science and Technology Policy on future industries, including artificial intelligence. EPIC has long advocated for transparency and public participation in AI policymaking. EPIC successfully sued the National Security Commission on Artificial Intelligence to ensure public access to agency records. EPIC recently filed a complaint with the FTC alleging that recruiting company HireVue fails to comply with baseline standards for AI decision-making. EPIC also sued the DOJ to uncover documents about the use of algorithms in the criminal justice system. (Jan. 15, 2020)

  • EPIC has filed its opening brief urging the D.C. Circuit to reverse a lower court decision that allowed FAA's Drone Advisory Committee to conduct much of its work in secret. "If the decision is allowed to stand, other federal agencies could circumvent the law by creating subcommittees and task forces and developing policy in secretive meetings held by entities that agencies attempt to place beyond the reach of the [Federal Advisory Committee Act]," EPIC told the Court of Appeals. EPIC filed suit in 2018 against the industry-dominated Committee, which consistently ignored the privacy risks posed by the deployment of drones—even after identifying privacy as a top public concern. As a result of EPIC's lawsuit, the Committee was forced to disclose hundreds of pages of records that it previously withheld. The case is EPIC v. Drone Advisory Committee, No. 19-5238 (D.C. Cir.). (Jan. 14, 2020)

  • A new report from Norweigian consumer group Forbrukerradet finds that dating apps transmit personal data to at least 135 different third parties involved in behavioral advertising. The data includes IP address, GPS location, age, gender, sexual orientation, and religious beliefs. EPIC joined coalition letters to Congress, the FTC, and state Attorneys General urging investigation of the business practices detailed in the report. EPIC Consumer Protection Counsel Christine Bannan said: "This report highlights the pervasiveness of corporate surveillance and the failures of the FTC notice-and-choice model for privacy protection. Congress should pass comprehensive data protection legislation and establish a U.S. Data Protection Agency to protect consumers from the privacy violations of the adtech industry." (Jan. 14, 2020)

  • The U.S. Interior Department is permanently grounding its fleet of drones over concerns that the devices will enable aerial surveillance by the Chinese government, according to the Financial Times. The Chinese-manufactured drones, which were used to monitor and map federal land, have been temporarily grounded since October. EPIC, NGOs, and leading experts had long urged the Federal Aviation Administration to regulate the privacy risks of drones. Although the FAA is set to require remote identification of drones—as EPIC first recommended five years ago—the FAA has refused to address drone surveillance. EPIC is currently challenging the FAA's failure to disclose records from the Drone Advisory Committee, which acknowledged the privacy risks posed by drones but failed to propose any privacy safeguards. (Jan. 13, 2020)

  • The Supreme Court has aqreed to hear a challenge to the constitutionality of the Telephone Consumer Protection Act, a federal law that prohibits unwanted robocalls. The law generally restricts the use of autodialers, but in 2015 Congress created an exception for robocalls to collect debts guaranteed by the federal government. Several groups have since challenged the law on First Amendment grounds, arguing that the TCPA discriminates against particular speakers. The Court will now consider the issue in Barr v. American Association of Political Consultants. EPIC filed an amicus brief in Gallion v. Charter Communications, a related case, arguing that “these challenges represent a systematic effort by companies to undermine the purpose of the TCPA and to inundates consumers with unwanted calls.” EPIC routinely files amicus briefs on consumer privacy issues, including several amicus briefs on the TCPA. (Jan. 11, 2020)

  • The Department of Transportation announced AV 4.0, voluntary guidelines for driverless vehicles. The guidelines "use a holistic, risk-based approach to protect the security of data and the public's privacy as AV technologies are designed and integrated." EPIC commented on an earlier version of the guidelines, saying the agency "should promulgate mandatory rather than voluntary cybersecurity guidelines." EPIC warned that "the very real possibility of remote car hacking poses substantial risks to driver safety and security." EPIC also testified before Congress in 2015, explaining that "current approaches, based on industry self-regulation, are inadequate and fail to protect driver privacy and safety." (Jan. 10, 2020)

  • The White House has published Guidance for Regulation of Artificial Intelligence Applications. In a statement, US Chief Technology Officer Michael Kratsios said "The White House calls on agencies to protect privacy and promote civil rights, civil liberties, and American values in the regulatory approach to AI. Among other important steps, agencies should examine whether the outcomes and decisions of an AI application could result in unlawful discrimination, consider appropriate measures to disclose when AI is in use, and consider what controls are needed to ensure the confidentiality and integrity of the information processed, stored and transmitted in an AI system." The US AI Guidance follows from the OECD AI Principles, which the United States has endorsed, as well as some of the Universal Guidelines for AI, a human rights framework for AI endorsed by more than 250 experts and 60 associations in 40 countries. The Guidance makes clear the importance of public participation in the formulation of AI policy. EPIC successfully sued the National Security Commission on Artificial Intelligence to ensure public access to agency records. (Jan. 9, 2020)

  • Prior to a hearing with voting system vendors, EPIC urged the House Administration Committee to ensure that voting systems must accurately record votes and protect the secret ballot. "The bar for voting technology and election administration should be set high," EPIC said. Earlier this year EPIC asked a federal court to stop Georgia's use of Direct Recording Electronic voting machines in an amicus brief. Experts in election security have shown that DREs are insecure, vulnerable to attack, fail to provide a paper trail, and subject to manipulation by foreign adversaries. DREs also undermine the secret ballot as particular voters could be linked to particular votes. In 2016, EPIC published "The Secret Ballot at Risk: Recommendations for Protecting Democracy," highlighting the importance of the secret ballot for American democracy. (Jan. 9, 2020)

  • In comments submitted to the USPTO's request for information, EPIC recommended limiting trade secret defenses for AI techniques that have a a significant effect on an individual. EPIC also highlighted the US endorsement of the OECD AI principles, the White House's Guidance for Regulation of Artificial Intelligence Applications, and the Universal Guidelines for Artificial Intelligence. EPIC explained that these policy frameworks make clear the importance of transparency in AI policy. In 2019, EPIC successfully sued the National Security Commission on Artificial Intelligence to ensure public access to agency records. (Jan. 9, 2020)

  • In a statement to Congress, EPIC warned that the proposed transfer of DHS data to the Census Bureau would violate the federal Privacy Act. The data include personal information about citizens, immigrants, and foreign nationals. EPIC urged the Committee to "block DHS from carrying out this proposed data transfer pending further review." EPIC previously warned the House Oversight Committee that President Trump's Executive Order on collecting citizenship data could undermine Privacy Act safeguards. EPIC opposed the citizenship question in the 2020 Census, arguing that the Bureau failed to complete required privacy impact assessments. EPIC also filed an amicus brief in the Supreme Court case warning that collecting citizenship information presents "enormous privacy and security concerns." The Supreme Court found the rational for adding the citizen question "contrived" and the question was withdrawn. (Jan. 8, 2020)

  • In a Privacy Impact Assessment, Customs and Border Protection and Immigration and Customs Enforcement announced a plan for the DNA collection of individuals detained at the border, including U.S. citizens. The change comes after a Department of Justice proposed rule that removed the authority of DHS components, including CBP and ICE, to exempt detained individuals from DNA collection. EPIC joined a coalition of civil liberties and immigrant rights organizations in comments to the Justice Department and urged the DOJ to rescind the proposed rule. The coalition stated the proposed rule was an "unacceptable and unnecessary privacy intrusion" that will impact not only the individual's DNA being collected but also family members, including American citizens. In an amicus brief to the Supreme Court, EPIC argued that law enforcement's warrantless collection of DNA is unconstitutional. (Jan. 7, 2020)

  • Facebook has announced its plan to ban "deep fakes" in advance of a House hearing on "Americans at Risk: Manipulation and Deception in the Digital Age" this week. The new policy would ban users from posting deepfakes—computer-generated, highly manipulated videos using technologies like AI—to prevent the spread of disinformation but would allow simpler forms of manipulation. Deepfakes have been used to spread disinformation about politicians, but 96% of "deep fakes" online are videos in which women's faces are superimposed into pornography without their consent. EPIC Board Member Danielle Citron testified before Congress, saying "we need a combination of law, markets, and societal resistance" to combat deepfakes and "the phenomenon is going to be increasingly felt by women and minorities." (Jan. 7, 2020)

  • The Department of Homeland Security has announced a plan to transfer detailed personal data collected from immigrants to the Census Bureau—an apparent violation of the Privacy Act. In a privacy impact assessment, published over the holiday break, the DHS revealed that it would provide names, addresses, social security numbers, and other highly sensitive data to the Census Bureau. Yet the DHS admitted that individuals weren't aware their personal data would be obtained by the Census Bureau, that the data may be inaccurate, or used for purposes unrelated to the census survey. The proposed data transfer follows a July executive order by President Trump, who vowed that the government "will leave no stone unturned" when seeking citizenship information from every person in the United States. EPIC previously warned Congress that the executive order could undermine Privacy Act safeguards. In EPIC v. Commerce, EPIC challenged the failure of the Census Bureau to conduct privacy impact assessments before adding the (later withdrawn) citizenship question to the 2020 Census. (Jan. 7, 2020)

  • The European Data Protection Board will determine whether data brokers and mobile apps comply with the General Data Protection Regulation. The EDPB has commissioned a privacy expert to provide a legal analysis of 25 mobile applications and 10 data brokers. The study is one of several launched by the EDPB to examine the impact of the GDPR. A recent report from the Transatlantic Consumer Dialogue found that Amazon, Netflix, and Spotify do not comply with GDPR and recommended for the United Sates "baseline federal data protection and privacy law that does not pre-empt stronger state privacy protections and that creates an independent data protection agency." EPIC's recent report on federal privacy legislation Grading on a Curve: Privacy Legislation in the 116th Congress evaluates federal privacy bills. EPIC has called for comprehensive baseline, federal legislation and the creation of a data protection agency. (Jan. 6, 2020)

  • The New Year begins with the California Consumer Privacy Act. All Californians now have the right to find out the personal data that companies collect about them, their devices, and their children, the right to opt-out of the sale of personal data, and the right to sue companies for data breaches. Californians can also request that a business delete their personal information. In comments to the California Attorney General, EPIC urged strong enforcement of the privacy law. EPIC's Mary Stone Ross, a coauthor of the law, spoke recently on NPR's All Things Considered about the new law. The complete text of the California Consumer Privacy Act is available in the EPIC 2020 Privacy Law Sourcebook. (Jan. 2, 2020)

  • Congress has passed the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act of 2019. The TRACED Act establishes penalties for certain robocalls and requires voice service provide to develop call authentication technologies. The FCC will develop rules to limit unwanted calls or texts from a caller using an unauthenticated number. EPIC has long advocated for stronger regulations surrounding robocalls. EPIC provided expert analysis to Congress, submitted numerous comments to the FCC, and filed multiple amicus briefs in appellate courts emphasizing the need to limit robocalls. (Jan. 2, 2020)

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security