Previous Top News: 2016
- EPIC Urges Wisconsin Legislature to Safeguard Student Privacy. In testimony for the Wisconsin legislature, EPIC urged state lawmakers to protect student privacy. EPIC's testimony: (1) explained how the U.S. Education Department weakened key safeguards for student records, (2) described the privacy risks that students today face, (3) underscored the need for data security safeguards for student information, and (4) recommended that Wisconsin adopt EPIC's Student Privacy Bill of Rights. EPIC has previously urged Congress, the Education Department, and the Federal Trade Commission to strengthen student privacy. EPIC's State Policy Project is monitoring privacy bills nationwide. (Aug. 17, 2016)
- EPIC and Coalition Recommend Improvements to Health Agency’s Open Government Rules. In comments to the Department of Health and Human Services, EPIC and a coalition of open government advocates urged the agency to update its FOIA rules to keep in line with the FOIA Improvement Act of 2016. The coalition pressed the agency to “go further to ensure greater access to public interest information.” Signed into law by President Obama on the FOIA’s 50th anniversary, the FOIA Improvement Act creates a new portal for requesters, requires the proactive disclosure of frequently requested records, strengthens the FOIA ombudsman, and codifies the presumption of openness. (Aug. 17, 2016)
- Data Protection 2016: Nationwide Hotel Data Breach. Sheraton, Hyatt, Westin, and Marriott hotels in 10 states and Washington, D.C. have announced that hotel payment records were breached beginning as early as March 2015. Malware discovered in at least 20 hotels across the country collected customers’ names and payment card numbers, card expiration dates, and verification codes. Surprisingly, the hotels said that they will not notify individual customers of the breach. Almost every state in the country has a mandatory breach notification law. Hyatt announced another payment card breach earlier this year at 250 hotels in approximately 50 countries. EPIC launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election, calling it “the most important, least well understood issue” of this election. (Aug. 15, 2016)
- EPIC’s Rotenberg Debates FBI Director at ABA Conference. EPIC President Marc Rotenberg and FBI Director James Comey debated "Emerging Issues in National Security and Law Enforcement" at a plenary session of the ABA annual conference in San Francisco. Comey stated that Americans have "never had absolute privacy." Rotenberg replied that the Fifth Amendment grants absolute privacy as a Constitutional right. In response to the Director's comments that the FBI has 650 phones it cannot decrypt, Rotenberg pointed out that in 2013, more than 3.1 million cell phones were stolen. "Crime would be much higher in United States if cell phone users did not have strong encryption," said Rotenberg. The EPIC amicus brief in Apple v. FBI highlighted the risk of weak encryption, and noted that stolen cell phones are tied to identity theft and financial fraud. (Aug. 7, 2016)
- Appeals Court Affirms Consumers May Sue for Violations of Federal Law. A federal appeals court has held that consumers can sue when companies fail to comply with legal obligations established by Congress. The case concerned a hospital that sent debt collection letters to consumers without disclosures required by the Fair Debt Collection Practices Act. The court concluded that “Congress has created a new right—the right to receive the required disclosures.” As a result, the consumer can bring a lawsuit when a company fails to comply with the law. EPIC has filed several amicus briefs defending the right of consumers to sue for violations of federal privacy laws. (Aug. 5, 2016)
- EPIC Defends Drivers’ Right to Sue for Safety, Privacy Risks As Congress Warns of Risks to Public. EPIC has filed an amicus brief in a case concerning the privacy and public safety risks of “connected” cars. EPIC warned that connected cars "expose American drivers to the risks of data breach, auto theft, and physical injury." EPIC said a lower court was wrong to dismiss the case. EPIC urged a federal appeals court to allow consumers "the opportunity to present legal claims stemming from the defendants’ sale of vehicles that place them at risk." This week researchers at Black Hat revealed new vulnerabilities in networked vehicles as Senators Blumenthal and Markey urged the FCC to establish “robust safety, cybersecurity, and privacy protections before automakers deploy vehicle-2-vehicle . . . communication technologies.” EPIC has filed several amicus briefs defending consumers' rights to enforce their privacy rights. (Aug. 5, 2016)
- White House Hosts Drone Workshop, FAA OKs Commercial Use, Ignores Privacy. The White House hosted “Drones and the Future of Aviation.” The FAA Administrator announced that the FAA will approve drone operations over people before the end of the year. The FAA also announced an industry-led task force that will promote voluntary privacy best practices. In EPIC v. FAA, EPIC challenged the FAA's failure to establish drone privacy regulations following a petition endorsed by more than 100 experts and organizations. The FAA has repeatedly acknowledged the privacy risks of drones, but has refused to establish privacy safeguards. (Aug. 4, 2016)
- FTC Finds Unauthorized Data Disclosure is "Substantial Injury" to Consumers. The Federal Trade Commission unanimously reversed an administrative law judge's dismissal of the FTC's complaint against LabMD, finding that LabMD's poor data security practices are "unfair" under the FTC Act. The Commission concluded that the judge had "applied the wrong legal standard for unfairness." The FTC's opinion explained that "the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury." The FTC's authority to enforce data security standards was upheld last year in FTC v. Wyndham. EPIC filed an amicus brief in Wyndham, defending the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." (Aug. 2, 2016)
- Data Protection Experts Recommend New Protections for Internet Communications. The International Working Group on Data Protection in Telecommunications adopted new recommendations to improve the privacy and security of Internet Telephony technologies. The Berlin-based Working Group includes Data Protection Authorities and experts who work together to address emerging privacy challenges. "Privacy and Security Issues in Internet Telephony (VoIP)" focuses on the gap in "the legal protection and confidentiality of communications." The experts urge service providers to adopt "similar privacy and data protection" safeguards to all services. EPIC presented a comprehensive country report at the last meeting of the Working Group outlining recent developments in the United States. EPIC will host the 60th meeting of the International Working Group in Washington DC in April 2017. (Aug. 2, 2016)
- Privacy Shield Sign-ons Begin. The European Commission announced that the EU-U.S. Privacy Shield data transfer arrangement is "fully operational" and U.S. "companies are able to sign up with the Department of Commerce." The framework was adopted by the European Commission over objection by European data protection authorities, the European Data Protection Supervisor, the European Parliament, and EU and US NGOs. The deal will be subject to future legal scrutiny and experts predict that the "Privacy Shield will share the history of the previous Safe Harbor and be invalidated by the European Court of Justice." EPIC has urged the EU and US to strengthen safeguards for transborder data flows including redress mechanisms. (Aug. 2, 2016)
- European Data Protection Supervisor Calls for Stronger Protections for Electronic Communications. The top European data protection official, the European Data Protection Supervisor, has called for strong privacy protections in the "ePrivacy Directive", an updated framework to safeguard personal information. "The scope of new ePrivacy rules needs to be broad enough to cover all forms of electronic communications irrespective of network or service used." The Data Protection Supervisor also said the legislation should "allow users to use end-to-end encryption without back doors". NGOs and data protection officials have also called for the reform of the European legislation after the adoption of the General Data Protection Regulation. EPIC has urged the FCC to establish a comprehensive framework for communications privacy, noting the work now underway in Europe to update privacy laws. (Jul. 27, 2016)
- EPIC, Consumer Coalition Oppose Robocalls by Government Contractors. EPIC and a coalition of consumer groups have petitioned the FCC to reverse its recent decision to exempt federal contractors from restrictions on telemarketing and robocalls. The FCC incorrectly determined that the Telephone Consumer Protection Act (TCPA) “does not apply to calls made by or on behalf of the federal government in the conduct of official government business.” The petition, led by the National Consumer Law Center, warns of significant increases in unwanted robocalls from government contractors that consumers would be powerless to stop. EPIC supports robust telephone privacy protections and filed an amicus brief in support of the FCC’s 2015 order that strengthened consumer protections under the TCPA. (Jul. 26, 2016)
- EPIC Explains to Federal Appeals Court that Mobile App Users Protected by Video Privacy Law. EPIC has filed an amicus brief defending the privacy rights of users of video apps. In the case, a CNN mobile app user challenged the disclosure of his video viewing history and personal information as a violation of federal privacy law. In the brief for the federal appeals court, EPIC explained that the privacy protections in the Video Privacy Protection Act apply to mobile apps that provide video service. EPIC said that the video privacy law covers the personal information collected by mobile apps, including the unique identifiers of the user’s device, and also that the privacy obligations apply to all companies that collect the viewing records of Internet users. EPIC previously filed a brief in a similar case concerning the collection of video viewing records. (Jul. 26, 2016)
- EPIC Asks FTC to Investigate Privacy Risks of Pokemon GO. EPIC has urged the FTC to launch an investigation of Pokemon GO and the app's developer Niantic. When the augmented-reality app was first released, Niantic granted itself "full access" to users' Google accounts in violation of federal privacy law. Even after recent changes, the company continues to collect detailed location history and has access to smartphone cameras. Pokemon GO "raises complex and novel privacy issues that require close FTC scrutiny," EPIC told the Commission. Senator Al Franken recently sent a letter to the company asking for clarification on the scope and purpose of its data collection. Niantic has close ties to Google and its CEO oversaw Google's controversial Street View project, which was found to collect private wifi data transmissions. (Jul. 22, 2016)
- EPIC Defends Right of Data Breach Victims to Seek Legal Relief. EPIC has filed an amicus brief urging a federal appeals court to protect a consumer’s ability to sue companies that fail to protect their personal information. A group of consumers sued a grocery chain after faulty security practices left their credit card information exposed to hackers. A lower court dismissed the privacy case because consumers had not yet suffered from fraudulent transactions. In its brief, EPIC explained that the court misunderstood the relevant law, confusing the legal obligations of companies to maintain good security with the harm that consumers eventually suffer. For the purposes of filing a lawsuit, EPIC said courts should focus on whether companies have violated a legal obligation such as safeguarding personal data, including credit card information. EPIC regularly files briefs defending consumer privacy. (Jul. 20, 2016)
- Federal Appeals Court Strikes Down Texas Voter ID Law. A federal appeals court has ruled that a Texas voter ID law violates the Voting Rights Act. In a fractured opinion, the court held that Senate Bill 14 had a “discriminatory effect” on minorities’ voting rights, and remanded the case to the lower court. The appeals court instructed the district court to provide interim relief for individuals, which could include suspending the voter ID requirement, ahead of the November 2016 election. EPIC filed an amicus brief in the case, arguing that SB 14 also places an unconstitutional burden on voters’ rights to informational privacy because of the excessive collection of personal data. (Jul. 20, 2016)
- Irish Court Approves EPIC as Amicus in Schrems Case. The Irish High Court has accepted EPIC's application to participate in a case about data protection rights and Facebook's contractual clauses. The case follows Max Schrems' complaint to the Irish Data Protection Commissioner after the European Court of Justice's decision to strike down the Safe Harbor arrangement. EPIC will provide the Irish Court, and perhaps also the Court of Justice, expert opinion on U.S. surveillance law. EPIC recently joined a case before the European Court of Human Rights concerning the activities of British and U.S. intelligence organizations. EPIC has appeared as a "friend of the court" in almost 100 cases in the United States concerning emerging privacy and civil liberties issues. (Jul. 19, 2016)
- Wisconsin Supreme Court Upholds Use of Sentencing Algorithms, But Recognizes Risks. The Wisconsin Supreme Court this week rejected a challenge to the use of a risk-assessment algorithm in a sentencing proceeding. These algorithms score an individual's risk of committing future crime. The Court sanctioned the use of such algorithms, provided they are not the exclusive determining factor of a sentence, and judges receive written warnings about the algorithm's shortcomings. Professor Danielle Citron warned that the court's faith in the secret techniques is "unwarranted" particularly because "human beings have a tendency to rely on automated decisions even when they suspect system malfunction." EPIC has advocated for algorithmic transparency and maintains a website describing the use of algorithms in the criminal justice system. (Jul. 16, 2016)
- US Government Loses on Overseas Data Searches. A federal appeals court has ruled that the U.S. government cannot seize user data in foreign data centers under the Stored Communications Act. The decision reverses a lower court opinion that would have required Microsoft to hand over the contents of an email account stored in Ireland. The appeals court concluded that the purpose of the Act was to protect “users’ privacy interests in stored communications” not the creation of law enforcement powers that could reach overseas. The decision will likely bolster efforts to keep data in jurisdictions with stronger privacy safeguards. EPIC has recommended US ratification of the International Privacy Convention to preserve transborder data flows. (Jul. 14, 2016)
- EPIC FOIA: Transportation Department Releases New Drone Meeting Documents. In response to an EPIC Freedom of Information Act lawsuit, the Department of Transportation has released to EPIC another set of documents from the agency's secret meetings with industry groups about drone policy. The newly released documents, which summarize an extensive three-day meeting between the FAA and industry groups, are conspicuously silent on privacy, despite public comments urging the agency to address privacy concerns. In a related development, the FAA final rule on commercial drones failed to address the privacy risks of deploying drones in the United States. (Jul. 14, 2016)
- FAA Reauthorization Grounds Drone Privacy Safeguards. Shortly before adjourning, Congress passed the FAA Extension, Safety and Security Act of 2016 without drone privacy provisions authored by Senator Markey, included in the original legislation. Senator Markey said "Now is the time to prevent these eyes in the skies from becoming spies in the skies." EPIC urged Congress and the FAA to establish limits on drone surveillance. In EPIC v. FAA, EPIC challenged the FAA's failure to establish drone privacy regulations following a petition endorsed by more than 100 experts and organizations. EPIC's proposal to require remote identification of drones was incorporated in the legislation enacted by Congress. (Jul. 13, 2016)
- Trade Agreements Undermine Data Protection, New Study Shows. A new report "Trade and Privacy" argues that trade agreements are at odds with EU laws that protect privacy and data protection. The study concludes "current measures used by the EU to safeguard its data protection laws in trade agreements are not sufficient." The report recommends a comprehensive exemption for data protection rules in all trade agreements, based on GATS Article XIV. EU NGOs previously recommended that consumer privacy and data policy be excluded from the Transatlantic Trade and Investment Partnership negotiations. The study was authored by scholars at the Institute for Information Law at the University of Amsterdam and commissioned by BEUC, TACD, EDRi and CDD. EPIC's Marc Rotenberg will speak about trade agreements, privacy and the internet at IGF USA 2016. (Jul. 13, 2016)
- European Commission Signs Off on Flawed "Privacy Shield". The European Commission has approved the "Privacy Shield" which will allow companies to transfer personal data of Europeans to the U.S. without legal protections. European data protection authorities, the European Data Protection Supervisor, and EU and US NGOs identified flaws with the non-binding framework. Citing a judgement of the European high court which struck down a similar framework, Max Schrems and Jan-Philipp Albrecht predicted that the "Privacy Shield will share the history of the previous Safe Harbor and be invalidated by the European Court of Justice." EPIC and other consumer organizations urged the EU and US to strengthen safeguards for transborder data flows. According to the Federal Trade Commission, identity theft complaints in the US increased by 47% between 2014 and 2015. (Jul. 12, 2016)
- EPIC Scrutinizes FBI's Massive Biometric Database. In comments to the FBI, EPIC criticized the Bureau’s proposal to remove Privacy Act safeguards from a database containing biometric data on millions of citizens, much of it unrelated to law enforcement. Through a FOIA lawsuit, EPIC obtained documents about the “Next Generation Identification” database that revealed an error rate up to 20% for face recognition searches. EPIC warned the FBI of the privacy and civil liberties risks as well as the potential for data breaches. EPIC urged the FBI to limit the scope of data collection, reduce the retention of data, and maintain the protections of the Privacy Act. (Jul. 7, 2016)
- EPIC Tells FCC to Reject "Notice and Choice" Approach to Privacy. EPIC has filed reply comments with the Federal Communications Commission on the proposed broadband privacy rules. EPIC said that the proposed rules are a modest first step and that the FCC has legal authority to do more to safeguard American consumers. EPIC also responded to erroneous statements from industry groups that the FTC's "notice and choice" framework safeguards consumer privacy. EPIC described numerous shortcomings, including lack of enforcement, frequent changes in privacy policies, and data breaches. "Notice and choice" is “directly at odds with baseline privacy standards,” EPIC said. EPIC previously urged the Commission to "address the full range of communications privacy issues facing US consumers" and to apply the Consumer Privacy Bill of Rights to communications data. (Jul. 7, 2016)
- Coalition Urges President to Nominate New Member for Oversight Board. EPIC and many privacy and civil liberties organizations have urged President Obama to promptly nominate a new member to the Privacy and Civil Liberties Oversight Board with a strong civil liberties background. The coalition argued that the Oversight Board’s “role is too important to allow it to slip back into dormancy, even for a few months.” The previous Chair David Medine recently stepped down, leaving a vacancy on the five-member panel, responsible for overseeing privacy protection. EPIC has urged the Board to review surveillance under Executive Order 12333 and recommended the Board ensure Privacy Act compliance across the federal government. (Jul. 6, 2016)
- EPIC Sues for Release of Government Oversight Reports. EPIC has filed a FOIA lawsuit against the Department of Justice to obtain the agency’s secret watchdog reports. The mission of the Office of the Inspector General is “to detect and deter waste, fraud, abuse, and misconduct.” However, many of the reports are kept secret. Those reports, EPIC explained in the complaint, "are critical for the public to understand the measures taken to increase the efficiency and effectiveness of the DOJ, and as a mechanism to hold the agency accountable." EPIC previously obtained oversight reports on the CIA surveillance of Muslims in New York, and CIA spying on Senate staff. (Jul. 5, 2016)
- U.N. Passes Resolution Condemning Internet Shutdowns. The United Nations Human Rights Council passed a resolution to support human rights online. The resolution condemns internet shutdowns that have become more common around the world. In accordance with the Universal Declaration of Human Rights, the resolution reaffirms the U.N.'s stance that "the same rights people have offline must also be protected online." EPIC joined an international coalition of civil society organizations to reject disruption of Internet access. EPIC previously sued the Department of Homeland Security to obtain public release of the US shutdown policy following the suspension of cell phone service during a peaceful protest at a BART transit station in San Francisco. Portions of the government policy "Standard Operating Procedure 303" were eventually released to EPIC. (Jul. 5, 2016)
- White House Releases Flawed Privacy Research Agenda. The White House has announced the National Privacy Research Strategy, which the authors state "will enable the U.S. to benefit from innovative data use while protecting privacy." The National Strategy focuses on measuring the "privacy desires" of users rather than the extent of the problem or goals to safeguard privacy, such as coding Fair Information Practices, developing genuine Privacy Enhancing Techniques, or complying with Privacy Act obligations. The "National Strategy" follows from a similar report in 2014 that embraced big data without considering actual privacy risks in data collection. In 2015, the federal government lost 21.5 million records of federal employees and their families. A recent book from EPIC "Privacy in the Modern Age: The Search for Solutions" outlines several new approaches for privacy protection, and builds on earlier work by members of the EPIC Advisory Board. (Jul. 5, 2016)
- Wiretaps Increase Sharply in 2015, No Evidence of Government Surveillance "Going Dark". In 2015, combined state and federal wiretap applications increased 16% from 3,555 to 4,148. But while government surveillance applications went up dramatically, the number of cases where investigators encountered encryption dropped significantly. Encryption was encountered in only 13 cases in 2015. The number of state wiretaps in which encryption was encountered decreased from 22 in 2014 to 7 in 2015. Law enforcement claims of "going dark" continue to be undermined by surveillance reports. EPIC has repeatedly cited the Wiretap Reports as a model of transparency for government surveillance activities and maintains comprehensive charts about the reports. The reports reveal, for example, that drug offenses were the most prevalent type of criminal offense investigated using wiretaps: 79 percent of all applications for intercepts (3,292 wiretaps) in 2015 cited illegal drugs as the most serious offense under investigation. (Jul. 1, 2016)
- President Obama Signs FOIA Reform Bill Into Law. Celebrating 50 years since enactment of the Freedom of Information Act, the Congress has passed, and the President has signed, the FOIA Improvement Act of 2016. The Act creates a new portal for requesters, requires the proactive disclosure of frequently requested records, strengthens the Office of Government Information Services, and codifies the "Presumption of Openness" in the processing of requests for information about government. Senator Patrick Leahy (D-Vt.), a champion of open government, stated "Our founders had the revolutionary vision to create a government of, by, and for the people. Today we have helped strengthen that ideal." EPIC and many open government advocates urged the President to support these reforms. EPIC also established the website FOIA.ROCKS. (Jul. 1, 2016)
- Privacy Shield Revisions Fail to Satisfy Legal Requirements. A revised draft of the Privacy Shield included some modifications on the scope of US bulk data collection, the role of the "ombudsperson," and data erasure but fails to resolve flaws previously identified by European data protection authorities and the European Data Protection Supervisor. EPIC and an international coalition of NGOs previously called for substantial changes in the Privacy Shield to respect the fundamental rights to privacy and data protection. (Jun. 29, 2016)
- In EPIC FOIA Case, Court Orders DEA to Explain Secrecy about Massive Telephone Data Program. A federal court in Washington, DC ruled today that the DEA’s explanation for withholding from EPIC certain information about "Hemisphere," a massive telephone record collection program, was legally insufficient. The Court ordered the DEA to release the information requested to EPIC or provide specific reasons for the withholding. EPIC filed the FOIA lawsuit after press reports about Hemisphere, which is broader in scope than the NSA’s bulk data program. DEA continues to keep secret the names of the companies involved and the federal agencies given access to the telephone records of American consumers. (Jun. 27, 2016)
- Court Misunderstands Internet Tracking in Video Privacy Case. The Third Circuit today rejected claims brought against Nickelodeon under the Video Privacy Protection Act, holding that IP and MAC addresses are not “personally identifiable information.” The opinion contradicts a First Circuit decision from earlier this year, which found that a unique Android ID and GPS coordinates constituted PII under the VPPA. The circuit split increases the possibility of U.S. Supreme Court review. The Court did find that plaintiffs could sue under state privacy law. EPIC filed an amicus brief, arguing that Congress defined PII as “purposefully broad to ensure that the underlying intent of the Act—to safeguard personal information against unlawful disclosure—is preserved as technology evolves.” (Jun. 27, 2016)
- High Court Extends Fourth Amendment Protections to DUI Blood Tests. In Birchfield v. North Dakota, the U.S. Supreme Court today held that states cannot criminalize an individual’s refusal to submit to a warrantless blood test. The Court also found that the Fourth Amendment does not allow warrantless blood tests incident to arrest, but does permit warrantless breath tests. In the 2013 case Maryland v. King, EPIC urged the Supreme Court to protect genetic privacy by extending Fourth Amendment protections to the collection of DNA from arrestees. In that case, the Supreme Court held that a cheek swab incident to an arrest was permissible. (Jun. 23, 2016)
- EPIC, Coalition Demand Congressional Oversight of FBI's Vast Biometric Database. Today EPIC and a coalition of 45 organizations urged Congress to hold a hearing on the FBI’s massive biometric database and the risks of facial recognition technology. The letter follows the FBI’s recent proposal to exempt the “Next Generation Identification” database from Privacy Act safeguards—including requirements for accuracy, relevancy, and transparency. The civil liberties organizations said that “the FBI is retaining vast amounts of personal information and exposing millions of people to a potential data breach.” In the EPIC v. FBI FOIA case, EPIC obtained documents which revealed high error levels in the biometric database. (Jun. 23, 2016)
- EPIC Promotes Privacy, Data Protection at OECD Ministerial. Speaking at the OECD Ministerial Conference on the Digital Economy, EPIC President Marc Rotenberg emphasized that there cannot be trade-offs between innovation and human rights. Citing widespread public concerns, Rotenberg urged the OECD member countries to address the challenge of privacy and security. "We cannot have a sustainable, inclusive economy if we cannot solve the problem of trust." EPIC collaborated with civil society groups to host the forum "Toward an Inclusive, Equitable, and Accountable Digital Economy." (Jun. 22, 2016)
- FOIA Ombudsman Recommends Changes to Use of "Still Interested" Letters. The FOIA ombudsman has issued the third part of a report on the use of "still interested" letters (part 1, part 2). Such letters are used by federal agencies to prematurely terminate FOIA requests. In 2014, an EPIC-led coalition urged the Office of Government Information Services to investigate the pervasive use of such letters. Today’s report recognizes that this agency practice is "not addressed in the FOIA statute or in agency regulations," and that reporting on the practice is inconsistent. The FOIA ombudsman urged agencies to provide additional guidance on the use of such letters, and to document the practice in annual reporting. Congress recently passed legislation to strengthen the FOIA, which the President is expected to sign. (Jun. 21, 2016)
- FAA Approves Commercial Drones Without Privacy Safeguards. The FAA released the final rule on commercial drones today. Despite nearly 180 comments regarding the privacy risks of drones, the FAA failed to address the privacy risks of deploying commercial drones into the national airspace. EPIC previously filed suit against the FAA after more than 100 groups and experts petitioned the agency to conduct a rulemaking on drone privacy. EPIC also recommended the FAA implement a national database detailing the surveillance capabilities of commercial drones. The FAA has repeatedly acknowledged the privacy risks of drone deployment, but has so far refused to adopt any privacy safeguards. (Jun. 21, 2016)
- States Adopt New Student Privacy Safeguards. Several states have recently enacted new student privacy laws. Colorado and Connecticut’s laws impose strict requirements on those who collect student data. Connecticut also requires that parents are notified each time a school district enters into a contract that involves student data. North Carolina enacted a student privacy law modeled after California's Student Online Personal Information Protection Act. The National Association of State Boards of Education reported that 38 states considered student privacy legislation in 2016. Ten of those states passed student privacy laws. EPIC has urged the enactment of a comprehensive student privacy bill of rights. EPIC's State Policy Project is monitoring privacy bills nationwide. (Jun. 21, 2016)
- EPIC Scrutinizes DoD “Insider Threat” Database. In comments to the Department of Defense, EPIC criticized a proposed “Insider Threat” database that would gather virtually unlimited amounts of personal data on individuals based on broad and ambiguous standards. EPIC urged DoD to limit the scope of data collection and drop proposed Privacy Act exemptions. Citing the recent surge in government data breaches, including the breach of 21.5 m records at OPM, EPIC warned that DoD data practices pose a risk to federal employees. EPIC has consistently warned against inaccurate, insecure, and overbroad government databases, and recently filed comments on a similarly flawed DHS database. (Jun. 20, 2016)
- EPIC, NGOs Host Civil Society Forum at OECD Ministerial. EPIC, in coalition with civil society organizations from around the world, is hosting "Toward an Inclusive, Equitable, and Accountable Digital Economy." The forum is organized under the auspices of the Civil Society Information Society Advisory Council (CSISAC), "the voice of civil society at the OECD," in conjunction with the OECD Ministerial on the Digital Economy. The CSISAC Forum features NGO leaders, technology experts and government decision makers. The Forum is an outgrowth of the Public Voice campaign to promote civil society participation in decisions concerning the future of the Internet. Similar NGO meetings were held in Ottawa in 1998 and Seoul in 2008. (Jun. 20, 2016)
- Supreme Court Weakens Fourth Amendment Protections During Police Stops. In Utah v. Strieff, the U.S. Supreme Court held today that an outstanding arrest warrant can attenuate “the connection between an unlawful stop and the evidence seized incident to arrest.” The holding reverses the Utah Supreme Court, which had suppressed evidence obtained by an officer who stopped Strieff illegally and ran his ID to look for outstanding warrants. EPIC and 22 technical experts filed an amicus brief, warning the Court that reversing the Utah court would allow vast amounts of personal data stored in government databases—much of it inaccurate—to provide post hoc justification for unlawful seizures. (Jun. 20, 2016)
- EPIC's Rotenberg Outlines Need for International Privacy Framework. Speaking at the Council of Europe in Strasbourg, EPIC President Marc Rotenberg outlined the need for the US to ratify the International Privacy Convention. Rotenberg said it was "unlikely that the Privacy Shield will survive another trip to Luxembourg." The Privacy Shield is a proposed arrangement for EU-US data transfers that has come under criticism from European consumer groups, NGOs, privacy officials, and the EU Data Protection Supervisor. In 2009, more than 100 privacy groups and experts endorsed the Council of Europe Privacy Convention. In 2010, members of the EPIC Advisory Board urged then Secretary of State Hillary Clinton to seek US ratification of the Privacy Convention. (Jun. 17, 2016)
- GAO Report: FBI’s Use of Face Recognition Fails on Privacy and Accuracy. The Government Accountability Office released a report today detailing the FBI’s failure to conduct a privacy audit of the agency’s use of facial recognition or adequately test the accuracy of the technology. EPIC and a coalition of public interest groups recently urged the Justice Department to extend the public comment period for the FBI’s Next Generation Identification database, which includes facial recognition capabilities. Previous Freedom of Information Act requests by EPIC showed that the agency had numerous agreements with states to access driver license photos for facial recognition searches and that technical specifications allowed for a 20% search error rate. (Jun. 15, 2016)
- EPIC Tells Congress FCC is "Under Reaching" on Privacy. EPIC has sent a letter to the House Energy and Commerce Committee in advance of a hearing on “FCC Overreach: Examining the Proposed Privacy Rules.” EPIC described the shortcomings of the “notice and choice” privacy framework and pointed to growing levels of public concern in the United States about Internet privacy. EPIC said that the FCC’s proposed privacy rules are a modest first step and that the Communications Commission has legal authority to go much further to safeguard American consumers. EPIC has repeatedly urged the Commission to broaden the scope of the proposed privacy rules. (Jun. 13, 2016)
- House to Consider Overdue FOIA Reform Bill. Congress is poised to take up a FOIA reform bill next Monday. The bill would require federal agencies to operate under a "presumption of openness" and place time limits on agency responses, improvements that EPIC has long supported. EPIC routinely uses the Freedom of Information Act to promote government oversight and agency accountability. July 4, 2016 will mark the 50th anniversary of the enactment of the FOIA. (Jun. 10, 2016)
- EPIC Presses House Leaders on "Data Protection". At a symposium organized by the Council on Foreign Relations, EPIC President Marc Rotenberg asked Republican leaders in the U.S. Congress whether "data protection" should be a campaign issue in 2016. Rep. Goodlatte, who chairs the House Judiciary Committee, responded "I very much believe it should be and is an issue in this election." He pointed to his own work to update the Electronic Communications Privacy Act (ECPA), "because that is an enhancement of the protection of people's privacy that I think they want and expect." Rep. McCaul, who chairs the House Homeland Security Committee, noted "in the cybersecurity bill we passed we met very closely with the privacy advocates. That was very important to me that we protect personally identifying information as we try to share these malicious codes." EPIC has launched a non-partisan campaign to make Data Protection a campaign issue in 2016. (Jun. 10, 2016)
- EPIC Hosts Policy Forum at National Press Club. EPIC brought together privacy, security, and policy experts for a panel discussion at the National Press Club around the theme “Data Protection 2016.” Panelists explored voter privacy issues, including voter ID and online voting, and also privacy issues that could arise in the 2016 election cycle. Participants included members of the EPIC Advisory Board, representatives of the Brennan Center and Verified Voting, and the UN Rapporteur on the Right to Privacy. (Jun. 10, 2016)
- EPIC FOIA: Secret Drone Task Force Ignored Privacy Concerns. A second batch of previously secret documents shows that the government’s secret drone task force ignored public concerns about drone surveillance. Included in the documents are opening remarks by FAA Administrator Michael Huerta, who urged the task force to take into consideration “the interests of all stakeholders,” but who declined to invite any privacy or consumer advocates to the closed door meetings. The newly released records stem from EPIC v. DOT, a lawsuit filed to uncover records relating to the private meetings held last November in Washington, DC between agency officials and industry representatives. EPIC expects to obtain more documents from the agency. (Jun. 9, 2016)
- EPIC Gives Awards to Gertner, Soltani, and Wolf. At the National Press Club in Washington, DC, EPIC presented the 2016 EPIC Lifetime Achievement Award to lawyer Chris Wolf, the 2016 EPIC Privacy Champion Award to technologist Ashkan Soltani, and the 2016 EPIC Champion of Freedom Award to judge and law professor Nancy Gertner. The EPIC awards are presented annually to those who protect privacy, open government, and democratic institutions with courage and integrity. Manoush Zomorodi, podcaster of Note to Self, and Bruce Schneier, security technologist, cohosted. (Jun. 7, 2016)
- EPIC, Coalition Petitions Education Department for Data Security Rules for Student Records. EPIC, legal scholars, technical experts, and many leading privacy organizations have petitioned the Education Department to establish a data security rule to protect student records. The experts and groups explained that data breaches now plague schools and colleges across the country, following recent changes to the Family Educational Rights and Privacy Act. The petition calls for the establishment of rules for encryption, privacy enhancing techniques, and breach notification. (Jun. 6, 2016)
- EPIC Proposes Privacy, Security Protections for “Internet of Things.” EPIC has recommended new safeguards for the “Internet of Things.” EPIC proposed laws requiring companies to adopt Privacy Enhancing Technologies, promote data minimization, and ensure security for IoT devices. EPIC also recommended a prohibition on tracking, profiling, and monitoring of consumers using IoT services. As EPIC explained, “Protecting consumer privacy will become increasingly difficult as the Internet of Things becomes increasingly prevalent.” EPIC has worked extensively on the risks of the Internet of Things, including connected cars and “smart homes.” An EPIC complaint concerning “always on” devices, such as “smart TVs,” is pending at the Federal Trade Commission. (Jun. 4, 2016)
- EPIC, Coalition Seeks Time to Review FBI Biometric Database. EPIC and a coalition of civil rights, privacy, and transparency groups urged the Department of Justice to extend the public comment period for the FBI’s Next Generation Identification database. The FBI database contains biometric data, such as fingerprint and retinal scans, on millions of Americans and raises significant privacy risks. The FBI is proposing to exempt the database from Privacy Act obligations, including legal requirements to maintain accurate records, permit individual access, and provide civil remedies. Errors plague the NGI database. In a FOIA case, EPIC v. FBI, EPIC obtained documents, which showed that the FBI accepted a 20% error rate for facial recognition matches. (Jun. 1, 2016)
- Top European Privacy Official Rejects EU-US "Privacy Shield". The European Data Protection Supervisor has determined that "Privacy Shield is not robust enough to withstand future legal scrutiny." He called for changes in the draft arrangement to permit data transfers to the United States. "Significant improvements are needed," said Giovanni Buttarelli. The Article 29 Working Party, the European Parliament, and a coalition of EU and U.S. consumer organizations have also opposed the data transfer proposal. Citing rampant data breaches in the United States, NGOs have urged strong safeguards for privacy and data protection. (May. 31, 2016)
- EPIC Calls for Strong Communications Privacy Rules. EPIC has urged the Federal Communications Commission “to fully apply" the Consumer Privacy Bill of Rights to all communications services. The FCC's proposed privacy rules would regulate only broadband services and are based on the weak "notice and choice" framework. EPIC said the agency should endorse data minimization requirements, promote Privacy-Enhancing Technologies, and require opt-in consent. EPIC also urged the Commission to regulate all companies that gather consumer data for communications services. (May. 27, 2016)
- Federal Court Leaves Digital Search Law Unresolved. A federal appeals court ruled today that the government did not violate the Fourth Amendment by keeping a copy of files for more than two years after an investigation because it acted in "good faith." EPIC argued that the government must adopt data minimization practices and that the use of evidence was unlawful. In a dissenting opinion, Judge Chin wrote that the search violated the Fourth Amendment. (May. 27, 2016)
- Amendment Would Overturn Model Facial Recognition Privacy Law. The Illinois Biometric Information Privacy Act is one of the strongest facial recognition laws in the country. Enacted in 2008, the law prohibits the use of biometric recognition technologies without consent and provides for meaningful enforcement. But a proposed amendment would undercut legal protections, exempting facial recognition software from the law. A pending lawsuit against Facebook alleges that the company violates the law by amassing a database of users’ faceprints “without even informing its users — let alone obtaining their informed written consent.” EPIC has urged a moratorium for such surveillance techniques, pending the enactment of strong privacy laws such as those in Illinois. In much of the world, facial recognition software is illegal. (May. 27, 2016)
- European Parliament Requires Changes to Privacy Shield. The European Parliament called for changes in the draft arrangement to permit data transfers to the United States. The Parliament said that officials must "fully implement" privacy recommendations and negotiate further changes to the "Privacy Shield." The European Data Protection Supervisor is expected to issue an opinion on the data transfer arrangement next week. EPIC and other consumer and privacy organizations have said that the Privacy Shield fails to provide adequate safeguards for consumers. (May. 26, 2016)
- EPIC to OPM: "If You Can't Protect It, Don't Collect It". In comments to the Office of Personnel Management, EPIC urged the federal agency to limit the personal data it collects from job applicants. OPM currently gathers detailed personal information, including biometric data, Social Security numbers, educational history, medical records, foreign travel, drug use, and financial records. In 2015, OPM lost the personal data of 21.5 million people in a massive data breach. The OPM Director and CIO were forced to resign. OPM now proposes to collect even more personal data on more people, including distant relatives of job applicants. EPIC has previously urged the Supreme Court to recognize a right of "information privacy" that would limit the ability of the federal government to collect personal information. (May. 25, 2016)
- EPIC, Coalition Recommend Improvements to U.S. Open Government Plan. EPIC and a coalition of open government groups have urged the country’s trade agency to improve the open government plan for the United States. The coalition called on the United States Trade Representative to (1) make public the rules for trade negotiations, (2) publish comprehensive updates after each round of negotiation, and (3) appoint an independent transparency officer. EPIC and others also developed model Freedom of Information Act Regulations that would apply across the government. (May. 23, 2016)
- Federal Court Strikes Down Obstacle to Student FOIA Requests. A federal appeals court has ruled that government agencies must give students who pursue Freedom of Information Act requests favorable fee treatment. The case involved a Ph.D. student who was charged $900 to process a FOIA request. The Department of Defense contended that students are not entitled to the favorable fee standards of “educational institutions." The D.C. Circuit disagreed and ruled today that “[s]tudents who make FOIA requests to further their coursework or other school-sponsored activities are eligible for reduced fees under FOIA because students, like teachers, are part of an educational institution.” In 2011, EPIC criticized the practice of charging students extra fees for FOIA requests, calling the government’s position “absurd.” (May. 20, 2016)
- Senate Examines "Do Not Call" Law. The Senate Commerce Committee held a hearing yesterday on the Telephone Consumer Protection Act. The "TCPA" bars telemarketers and robocallers from contacting consumers by phone or fax without prior express consent. In January, EPIC filed an amicus brief to provide greater TCPA protections for consumers. EPIC said that widespread use of cellphones “has amplified the nuisance and privacy invasion caused by unwanted calls and text messages.” EPIC has testified before Congress about the TCPA and submitted many comments concerning the implementation of the consumer privacy law. (May. 19, 2016)
- Senators Introduce Bill to Block Broad Remote Hacking Rules. Senators Wyden, Paul, Baldwin, Daines, and Tester have introduced the Stop Mass Hacking Act of 2016. The law would block amendments to Rule 41 of the Federal Rules of Criminal Procedure that were recently issued by the Supreme Court. The amendments authorized judges to issue "remote access" warrants to search computers even when the targets are outside the jurisdiction of the court. EPIC criticized the Rule 41 change in a statement last year. Unless Congress takes action to block the Rule 41 amendments by December 1, the government’s surveillance authority will be expanded significantly. (May. 19, 2016)
- Justice Department Releases 2016 FOIA Reports. The Justice Department has released an assessment of the 2016 FOIA compliance reports. Every year, federal agencies prepare reports describing steps taken to implement President Obama's Memo and former AG Eric Holder's Guidelines. The DOJ grades FOIA compliance in five areas: applying the presumption of openness, effective and responsive systems, proactively releasing information, utilizing technology, and reducing backlogs and improving response times. The Senate recently passed by unanimous consent the Freedom of Information Improvement Act of 2015; the bill is now in the House. EPIC and other open government organizations have called on President Obama to strengthen the FOIA. (May. 19, 2016)
- EPIC Urges Appeals Court to Strike Down Voter ID Law. EPIC has urged a federal appellate court to find unconstitutional a Texas law that requires voters to obtain photo IDs. A lower court held that Senate Bill 14 violates the Voting Rights Act and burdens the constitutional right to vote. Texas appealed. In response, EPIC argued that the ID requirement also burdens the constitutional right of informational privacy. “Individuals should not be subject to excessive identification requirements to exercise fundamental democratic rights,” EPIC stated. EPIC has previously filed amicus briefs defending the right to informational privacy. (May. 17, 2016)
- Lack of Privacy Impacts Internet Use, Economy, Says NTIA Survey. A recent study by the National Telecommunications and Information Administration found that nearly half of Internet users in the US refrained from online activities due to privacy and security concerns. Identity theft was the top concern, cited by 63 percent of respondents, followed by financial fraud, noted by 45 percent. Nearly a quarter of Americans cited concerns about online tracking. “In addition to being a problem of great concern to many Americans, privacy and security issues may reduce economic activity and hamper the free exchange of ideas online,” NTIA concluded. EPIC has supported enactment of the Consumer Privacy Bill of Rights and recently launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election. (May. 16, 2016)
- Supreme Court Remands Consumer Privacy Case for Further Consideration. The Supreme Court has ruled in Spokeo v. Robins, a case brought under the Fair Credit Reporting Act concerning the sale of inaccurate personal data. The Court said it was necessary to determine whether the plaintiff's injuries were sufficiently "concrete." Justice Ginsburg, in a dissenting opinion, wrote that remand was unnecessary, "Spokeo's misinformation 'cause[s] actual harm to [his] employment prospects.'" EPIC filed an amicus brief, joined by thirty-one technical experts and legal scholars, citing the national epidemic of data breaches. EPIC wrote this is "not the time for the Supreme Court to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress." (May. 16, 2016)
- FTC Issues Guidelines for Employment Background Screening. The Federal Trade Commission has issued new guidelines for companies that sell employment background checks. Under the Fair Credit Reporting Act, companies must ensure “maximum possible accuracy” in reports about job applicants. The FTC warns that a background report incorrectly listing a criminal conviction based on a bad records match—for instance, a person with a different middle name than the applicant—could violate FCRA. EPIC recently filed an amicus brief in a case brought by David A. Smith, who was denied employment after a background report incorrectly included the criminal records of David O. Smith. (May. 15, 2016)
- Senator Leahy Calls for FISA Reforms. The Senate Judiciary Committee held a hearing on the FISA Amendments Act, a law that grants the government broad surveillance powers over Internet communications. The Act, commonly referred to as "Section 702," is the basis for the NSA’s “PRISM” program. EPIC testified before the House Judiciary Committee in 2012 on the need to limit the scope of Section 702 surveillance and to improve transparency of the Foreign Intelligence Surveillance Court. US and EU NGOs have since called for the end of Section 702. This week Senator Patrick Leahy (D-VT) stated that "additional reforms are needed to protect Americans’ privacy, and restore global trust in the U.S. technology industry." (May. 13, 2016)
- Top EU Legal Advisor Says IP Addresses are PII. The Advocate General, top advisor to the European Court of Justice, has issued an opinion today about Internet anonymity. He found that dynamic IP addresses are personal data subject to data protection law. The opinion concerns the case of German Pirate Party politician and privacy activist Patrick Breyer, who is suing the German government over logging visits to government websites. "Generation Internet has a right to access information on-line just as unmonitored and without inhibition as our parents read the paper," says Breyer. The opinion is not legally binding but "is usually a good indication of how the court will eventually rule". EPIC has supported Internet anonymity since the 1990s and brought a similar challenge to the US government tracking of users of government websites. (May. 12, 2016)
- EPIC Urges Senate to Back Comprehensive Communications Privacy Protection. EPIC has sent a letter to the Senate Judiciary Committee in advance of a hearing on "Examining the Proposed FCC Privacy Rules." EPIC pointed to growing public concerns about the loss of privacy and the need to update federal privacy laws. EPIC explained that neither the Federal Communications Commission nor the Federal Trade Commission has done enough to safeguard consumer privacy. EPIC warned that the "failure to modernize our privacy law is imposing an enormous cost on American consumers and businesses." (May. 10, 2016)
- Court Rules EPIC Must Wait to Challenge Missing Drone Privacy Rules. The federal appeals court in Washington, DC ruled today that EPIC’s suit against the Federal Aviation Administration must be set aside because the agency has not yet finalized the rules for drone operations in the United States. EPIC previously filed suit against the FAA after more than 100 groups and experts petitioned the agency to conduct a rulemaking on drone privacy. The FAA has repeatedly acknowledged the need to address privacy in drone operations, but has so far refused to adopt any privacy rules. In a related case, EPIC recently uncovered the minutes of a secret FAA drone task force. According to one of the participants, the “Current state of non-regulation negatively affects the public perception of drones. There is no regulatory recourse for anyone who is negatively affected by a small UAV [drones]." (May. 10, 2016)
- EPIC FOIA - Secret Drone Task Force Records Disclosed. In response to EPIC's FOIA lawsuit, the Department of Transportation has released the minutes of a secret meeting of the FAA drone task force. The task force included industry groups such as GoogleX, Amazon, and DJI, but consumer groups and privacy advocates were excluded from the hastily created advisory committee. The documents shed light on the secret meetings held last November. Several participants warned about privacy risks in drone deployment. The minutes also stated, "Current state of non-regulation negatively affects the public perception of drones. There is no regulatory recourse for anyone who is negatively affected by a small UAV [drones]." EPIC has urged the agency to do more to safeguard the public, and in EPIC v. FAA, challenged the FAA's failure to establish privacy regulations for drones. (May. 9, 2016)
- Federal Court Upholds Photo Tagging Suit Against Facebook. A federal judge has rejected Facebook's argument that the company did not violate an Illinois law that requires companies to obtain consent from consumers before collecting biometric data such as a "faceprint." Describing the biometric privacy law, the court said that Facebook's position was "antithetical to its broad purpose of protecting privacy in the face of emerging biometric technology." In 2011, EPIC filed a complaint with the Federal Trade Commission, arguing that the facial identification of users was an unfair and deceptive trade practice. In 2012, EPIC urged the FTC to suspend facial recognition "until adequate safeguards and privacy standards are established." Canada and Europe have since required Facebook to suspend the use of photo tagging. (May. 8, 2016)
- EPIC Urges California Supreme Court to Protect Open Records Law. EPIC has urged the California Supreme Court to reverse a lower court decision that blocked public release of records about "automated license plate readers" operated by the state police. The lower court held that information about the public surveillance system was an “investigative record” under California law. EPIC’s amicus brief stated, "Public scrutiny is essential to counter the unique threats posed by these programs of broad-scale surveillance." EPIC had obtained documents about the FBI’s license plate reader program under the FOI law. Those records revealed that the FBI failed to address the system's privacy implications. (May. 6, 2016)
- White House Report Points to Risks with Big Data. A new White House report "Big Data: A Report on Algorithmic Systems, Opportunity, and Civil Rights" points to risks with big data analytics. According to the authors, "[t]he algorithmic systems that turn data into information are not infallible--they rely on the imperfect inputs, logic, probability, and people who design them." An earlier White House report warned of "the potential of encoding discrimination in automated decisions." EPIC launched a campaign on "Algorithmic Transparency" after warning about the risks of secretive decision making coupled with "big data." (May. 5, 2016)
- FAA Announces Drone "Advisory Committee". Yesterday FAA Administrator Michael Huerta announced that the FAA will establish a Drone Advisory Committee. According to Administrator Huerta, the committee "will help identify and prioritize integration challenges and improvements." Intel CEO Brian Krzanich will chair the committee. The Federal Advisory Committee Act requires federal agencies to ensure that advisory committees are “objective and accessible to the public.” EPIC previously criticized the FAA Drone Registration Task Force, which met in secret and included no consumer groups. EPIC is currently suing the FAA for the secret meeting records of the Registration Task Force. EPIC previously sued the FAA for failing to establish privacy rules for commercial drones. EPIC v. FAA is pending before the D.C. Circuit Court of Appeals. (May. 5, 2016)
- NY Attorney General Reports 40% Increase in Data Breaches. New York Attorney General Eric Schneiderman announced that his office has received 459 notices of data breaches impacting New Yorkers so far in 2016, representing a 40 percent increase over the same period last year. The office expects to receive a record-setting thousand notices or more this year. "Data breaches are an escalating threat to our personal and national security, and companies need to do more to ensure reasonable security practices and best standards are in place to protect our most sensitive information," said Schneiderman. EPIC recently launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election. (May. 5, 2016)
- Intelligence Court Skeptical of Some FISA Applications. The Department of Justice has published the 2015 FISA report, which summarizes the use of the Foreign Intelligence Surveillance Act. The report also details the number of applications rejected or modified by the FISA Court (FISC). Overall, the Government’s applications for FISA warrants have declined since 2003, but there was a slight uptick this year with 1,456 orders granted. A significant number of orders were modified by the FISC. The FISC modified 80 orders and the Government even withdrew one application. Prior to the USA FREEDOM Act, which limited bulk collection under section 215, the FISC modified many of those orders. (May. 3, 2016)
- EPIC Sues TSA to Block Mandatory Body Scanners at US Airports. EPIC has filed a lawsuit challenging the Transportation Security Administration's regulation for airport body scanners. The TSA announcement came nearly five years after a federal appeals court ordered the agency to "promptly" solicit public comments on the controversial screening procedure. Public comments overwhelmingly favored less invasive security screenings. But the TSA decided it may now mandate body scanners at US airports. In 2011, EPIC challenged the intrusive and ineffective TSA screening procedure. EPIC's new lawsuit challenges the regulation because it "denies passengers the right to opt out" of body scanner screening. EPIC also challenged the effectiveness of airport body scanners and the TSA's failure to recommend less invasive security screening. (May. 2, 2016)
- Supreme Court Approves Remote Computer Hacking by Police. The U.S. Supreme Court has voted to approve changes to Rule 41 of the Federal Rules of Criminal Procedure, which will allow judges to issue "remote access" warrants. These warrants authorize mass computer searches, even when the targets are outside the jurisdiction of the court. EPIC criticized the proposal in a statement last year, arguing that the procedure enables searches outside traditional Fourth Amendment requirements and would not provide adequate notice to those subject to search. Congress can amend or reject the proposal. Senator Ron Wyden said today he would introduce legislation to reverse the proposal. (Apr. 28, 2016)
- FTC Increases Scrutiny of Google's Practices, Implicating Antitrust and Privacy Interests. The FTC has reportedly expanded its investigation into Google's use of the Android operating system to exclude or demote competing services. The Commission’s increased scrutiny comes shortly after the European Commission filed formal antitrust charges against Google. Last fall, the FTC began looking at whether Google unfairly prioritizes its own products, after ending an earlier, similar investigation in 2012 even though staff recommended litigation. EPIC previously urged the Senate and the FTC to investigate Google's dominance of essential Internet services, warning that monopoly practices implicate privacy interests. EPIC had opposed Google's acquisition of online advertiser DoubleClick, which the FTC approved over the objection of Commissioner Pamela Harbour, who cited the connection between monopoly practices and privacy violations. (Apr. 27, 2016)
- House Passes Narrow ECPA Update. The Email Privacy Act of 2016 has passed the House 419-0. The Act amends the Electronic Communications Privacy Act of 1986 to extend the warrant requirement to communications stored for more than 180 days. An earlier version of the Act would have required notice of email searches to the user, with some exceptions. Senator Leahy tweeted that "Long past time to protect American people's emails & info stored in the cloud from warrantless searches." EPIC has recommended several other ECPA updates, including protections for location data, data minimization requirements, and end-to-end encryption for commercial e-mail services. (Apr. 27, 2016)
- FOIA Ombudsman Releases First Part of "Still Interested" Report. In response to a letter from EPIC and open government advocates, the FOIA ombudsman has issued the first part of a report on the use of "still interested" letters by federal agencies. The DHS and other agencies have sent these letters to prematurely terminate FOIA requests. In 2014, an EPIC-led coalition urged the Office of Government Information Services to investigate the pervasive use of such letters. In today's report, OGIS found that there is no "guidance or standard for reporting requests that agencies close" through "still interested" letters, and that it does not yet understand the impact such letters have on FOIA requesters. (Apr. 27, 2016)
- Google Wants User Data, Opposes FCC Privacy Rules. Google has opposed new privacy rules for consumer data even as it backed the FCC's proposal to open up the set-top box. Google described new privacy safeguards as “unnecessary.” The FCC’s proposal would allow Google to gain access to the TV market and consumer viewing data. EPIC has urged the FCC to enforce strong privacy rules for all companies seeking access to user data. (Apr. 27, 2016)
- TSA Releases New Body Scanner Document to EPIC. In response to an EPIC FOIA request, the Transportation Security Administration has released a document describing the technical capabilities of the airport body scanners. EPIC previously obtained documents from TSA revealing that body scanners can record, store, and transmit digital strip search images of airline passengers. Last month, the TSA issued a regulation on airport body scanners, nearly five years after a federal appeals court ordered the agency to “promptly” undertake a rule making. In 2011, EPIC successfully challenged the TSA's unlawful deployment of airport body scanners. Despite public comments that overwhelmingly favor less invasive security screenings, the TSA plans to use invasive body scanners at US airports. The TSA also said it may mandate airport body scanners, even though the agency previously told the D.C. Circuit that the body scanner program was optional and the federal appeals court upheld the program, relying on the agency’s statements. (Apr. 25, 2016)
- EPIC Urges FCC to Fully Enforce Cable Privacy, Extend Rules to All Set-Top Boxes. In comments filed with the FCC on a proposal to unlock the set-top box market to retail manufacturers, EPIC urged the Commission to apply the Cable Act's privacy rules directly to all companies with access to cable subscriber data. EPIC explained that the Cable Subscriber Privacy Rules are "an effective model for privacy rules in the commercial sector, particularly concerning the collection of data about cable programming." However, the FCC must clarify and enhance enforcement of these rules to address current business practices. EPIC has defended consumer privacy at the FCC for almost 20 years. (Apr. 25, 2016)
- Intelligence Court Orders Government to Report on PRISM Collection. Three decisions by the Foreign Intelligence Surveillance Court (FISC) were made public this week. The Court identified serious “compliance and implementation issues” related to the Section 702 ("PRISM") surveillance program. The FISC found that the NSA did not purge personal data as required by minimization procedures, and also that the FBI failed to exclude attorney-client communications. In 2012, EPIC testified before Congress and recommended the publication of FISC opinions to facilitate public oversight. (Apr. 20, 2016)
- EPIC Defends Right of Data Breach Victims to Bring Suit. EPIC has filed an amicus brief urging a federal appeals court to overturn a decision that limits the ability of data breach victims to sue. The plaintiffs sued a payroll company after their Social Security Numbers and other identifying information were exposed. A lower court dismissed the case because fraudulent transactions had not yet occurred. EPIC argued that data breach victims can sue without having to wait for specific damages. EPIC cataloged the epidemic of data breaches in the US, and explained why companies should be liable when they fail to protect the consumer data they collect. EPIC regularly files briefs defending consumer privacy. (Apr. 19, 2016)
- European Parliament Adopts Comprehensive Data Protection Regulation. The European Parliament finalized a historic reform of EU data protection legislation, which will have legal force in July 2018. "The new General Data Protection Regulation will enable people to regain control of their personal data in the digital age," said Parliament Member Jan Philipp Albrecht. The rules include data breach notification, coordinated enforcement, enhanced penalties, strengthened consent, and new measures to promote privacy innovation. EPIC and EU and US consumer groups have supported the European law, stating that it provides "important new protections for the privacy and security of consumers." (Apr. 14, 2016)
- U.S. Government Sued Over Refusal to Notify Users of E-mail Searches. Microsoft has sued the Department of Justice, arguing that orders which prevent the company from notifying users about surveillance are unconstitutional. These secrecy orders, issued in connection with orders to disclose users’ private information, arise in thousands of cases each year. EPIC has supported similar challenges to “gag orders” and has opposed the expansion of “no notice” searches. EPIC has also recommended notice requirements for e-mail searches. (Apr. 14, 2016)
- House Moves Forward on Modest ECPA Updates. The House Judiciary Committee has voted 28-0 in favor of the Email Privacy Act, H.R. 699, a bill that would establish a warrant requirement for the disclosure of all electronic communications. The law would also require notice to customers whose communications have been collected. With 314 members of the House cosponsoring, the bill is slated to be considered by the House on April 25th. Senator Leahy, who has sponsored an identical bill in the Senate, said that "Congress has waited far too long to enact these reforms." But the bill stops short of several updates recommended by EPIC, including protections for location data, data minimization requirements, and end-to-end encryption for commercial e-mail services. (Apr. 14, 2016)
- EU Officials Call for Changes in Privacy Agreement. European privacy officials announced today that there must be changes in the draft proposal for EU-US data transfers. The Article 29 Working Party has "strong concerns" that the current text fails to provide adequate protection against commercial misuse and bulk surveillance. The Working Party cited the complexity of the redress mechanism, the lack of independence of the ombudsman, as well as the broad uses of personal data that would be permitted under the agreement. Privacy and consumer organizations have urged the EU to oppose the Privacy Shield proposal. (Apr. 13, 2016)
- Senate Examines FTC's Antitrust Enforcement. The Senate Judiciary Committee recently examined the scope and application of the FTC's Section 5 antitrust enforcement authority at the hearing "Section 5 and 'Unfair Methods of Competition': Protecting Competition or Increasing Uncertainty?" EPIC Advisory Board member Tim Wu testified in support of the agency's approach, which he called "an important protection for competition." EPIC has urged the FTC to use Section 5 authority to protect consumers, arguing against Google's acquisition of DoubleClick and Facebook's acquisition of WhatsApp. EPIC has also recommended a transparent process for evaluation of substantial changes in business practices by companies subject to FTC consent orders. (Apr. 13, 2016)
- EPIC Advises HHS to Safeguard Substance Abuse Patient Records. In comments to the Department of Health and Human Services, EPIC criticized the agency's proposed revisions to confidentiality rules for substance abuse patient records. The proposal would weaken consent requirements for disclosing patient records and allow linkage of substance abuse records to other databases. EPIC explained that patient privacy and public health policy require strong confidentiality protections. EPIC warned that the changes proposed by HHS would compromise record confidentiality and reduce the effectiveness of public health programs. EPIC consistently advocates for strong confidentiality protections for medical records. (Apr. 12, 2016)
- President Obama: In Digital Age, People Have New Set of Privacy Expectations. In remarks at the University of Chicago Law School yesterday, President Obama named privacy as one of the constitutional issues that will be increasingly salient in the years to come. "In a society in which so much of your life is digitized, people have a whole new set of privacy expectations that are understandable,” said the President. Obama said the encryption debate was “just the tip of the iceberg of what we’re going to have to figure out.” In its brief in Apple v. FBI, EPIC recently argued that cell phone encryption was adopted to protect consumers from crime. EPIC routinely files amicus briefs in cases that raise novel privacy and civil liberties issues. (Apr. 8, 2016)
- EPIC, Coalition Oppose NSA Data Transfer Plan. EPIC and over 30 organizations have urged the Obama Administration to halt proposed changes to Executive Order 12333 that would permit the NSA to transfer raw data collected to law enforcement agencies. The NSA’s vast data collection activities are traditionally limited to intelligence purposes. The proposal will permit use of NSA data by law enforcement and make personal data more widely available across the federal government. Last year, EPIC urged the Privacy and Civil Liberties Oversight Board to increase oversight of 12333. EPIC called for: (1) new limits on data collection and disclosure; (2) audit trails for surveillance activities; and (3) published legal justifications for surveillance programs. The Board is currently reviewing surveillance under EO 12333. (Apr. 8, 2016)
- FAA Considers Removing Safety Rules for Small Drones, Also Ignores Privacy Concerns. The report of a secret FAA committee would relax safety rules for drones operating over populated areas. The report also makes no mention of the privacy risks of aerial surveillance by small drones. Like the FAA registration task force, the FAA small drones committee was composed of mostly industry members and did not include any privacy or consumer protection groups. The report recommends allowing drones to fly within 20' above a person or within 10' next to a person. EPIC previously sued the FAA for failing to establish privacy rules for commercial drones. EPIC v. FAA is pending before the D.C. Circuit. EPIC also filed a FOIA lawsuit against the FAA for the records of the secret drone task force meetings. (Apr. 8, 2016)
- TACD Opposes "Privacy Shield," Urges Rejection by EU. The Transatlantic Consumer Dialogue has urged the European Commission to reject the "Privacy Shield," a proposal to continue the transatlantic transfer of personal data from Europe to the United States. TACD warned that Privacy Shield "does not adequately protect consumers' fundamental rights to privacy" and that it does not provide "effective and meaningful data protection." European officials are carefully reviewing the proposal. EPIC and a coalition of NGOs have urged the US to adopt a robust data protection law and end 702 surveillance. The TACD is a forum of more than 70 consumer organizations in Europe and the United States. (Apr. 7, 2016)
- DHS, Federal Agencies Publish 2016 FOIA Reports. Most federal agencies, including the Department of Homeland Security, have now published the 2016 FOIA Reports. These annual reports, required by former Attorney General Holder's 2009 FOIA Memo, describe each agency's compliance with the FOIA, including steps taken to improve processing and promote openness. The federal FOIA ombudsman is currently investigating the practices of six DHS component agencies in response to a 2015 letter from EPIC and open government advocates. EPIC and others have recently urged the President to support bipartisan legislation aimed at improving the FOIA. (Apr. 6, 2016)
- EPIC Sues Agency for Drone Task Force Meeting Records. EPIC has filed a FOIA lawsuit against the Department of Transportation for records of the closed-door meetings of the "Drone Registration Task Force". The agency created the Task Force late last year to develop recommendations for registering commercial drones. The Task Force--whose membership included no civil liberties organizations or privacy advocates--met in secret last November before releasing a report. EPIC submitted extensive comments to the Task Force. EPIC's lawsuit was filed just after the FAA's Aviation Rulemaking Committee of industry groups and agency officials recommended easing restrictions that prohibit businesses from flying unmanned aerial vehicles. In EPIC v. FAA, EPIC has also challenged the FAA's failure to establish privacy rules for drones. (Apr. 4, 2016)
- EPIC to FTC: Google's April Fool's Disaster Likely Violates Consent Order. Google's April Fool's joke — a change in the operation of Gmail without user consent — has backfired, spectacularly. Many Gmail users inadvertently enabled the "Mic Drop" button on important emails, allowing Google to insert a GIF into their reply and then irreversibly mute the conversation. Users were outraged and Google reversed the change. EPIC informed the FTC that Google's prank also likely violates the FTC's 2011 consent order with the company following the rollout of Google Buzz. EPIC has repeatedly urged the FTC to enforce this consent order against Google, which requires the company to obtain "express affirmative consent" before changing its business practices. (Apr. 1, 2016)
- FCC Moves Forward With Narrow Privacy Rules. The Federal Communications Commission has voted to adopt a Notice of Proposed Rulemaking on consumer privacy regulations. The proposal follows Chairman Wheeler's earlier draft proposal, which EPIC explained was too limited to safeguard online privacy. During the vote, Commissioner Ajit Pai echoed EPIC's view that the rulemaking should not focus solely on ISPs. EPIC has argued that the FCC proposal ignores invasive practices by Internet firms, including search companies and social media firms that track and profile Internet users. EPIC previously urged the Commission to "address the full range of communications privacy issues facing US consumers" and to apply the Consumer Privacy Bill of Rights to communications data. (Mar. 31, 2016)
- EPIC Scrutinizes DHS "Insider Threat" Database. In comments to DHS, EPIC criticized a proposed "Insider Threat" database that would gather vast amounts of personal data on individuals outside the federal agency. EPIC urged DHS to limit the scope of data collection and drop proposed Privacy Act exemptions. Citing the recent surge in government data breaches, including the breach of 21.5 m records at OPM, EPIC warned that DHS data practices pose a risk to federal employees. EPIC has previously advocated for privacy protections in background checks and consistently warned against inaccurate, insecure, and overbroad government databases. (Mar. 29, 2016)
- EPIC Names New Advisory Board Members. EPIC has announced the 2016 members of the EPIC Advisory Board. They are Malavika Jayaram, Max Schrems, Katie Shilton, Stephen Vladeck, Anne L. Washington, and Shoshana Zuboff. The EPIC Advisory Board is a distinguished group of experts in law, technology, and public policy, who contribute to EPIC's work on privacy and human rights issues. Joining the Board of Directors of EPIC in 2016 are Danielle Citron, author of "Hate Crimes in Cyberspace," and Frank Pasquale, author of "The Black Box Society: The Secret Algorithms that Control Money and Society." (Mar. 28, 2016)
- EPIC Successfully Obtains Boater Tracking Documents, Settles Case with Homeland Security. After successfully obtaining nearly 2,500 pages of documents concerning a controversial boater tracking program, EPIC has settled a Freedom of Information Act lawsuit with the Department of Homeland Security about the "Nationwide Automatic Identification Systems." According to the documents released to EPIC, the DHS believes that boaters have "no expectation of privacy with regard to any information transmitted" about the location of their boats. The documents also reveal that the agency fuses tracking data with other government data to develop detailed profiles on boaters. EPIC did not object to the use of NAIS for marine safety; the concern is government surveillance. EPIC has also opposed a DHS plan to collect and maintain records on sea travelers. (Mar. 28, 2016)
- Ninth Circuit Sends NSA Surveillance Case Back to Lower Court. A Federal Appeals court has remanded a case challenging the NSA's bulk collection of telephone records. In Smith v. Obama, the Ninth Circuit Court of Appeals instructed the lower court to consider the impact of the USA Freedom Act, which ended the bulk data collection program. EPIC, joined by thirty-three technical experts and legal scholars, filed an amicus brief in the case, arguing that modern communications systems are "entirely unlike the telephone network of the 1970s" and that a 1977 case concerning "pen registers" no longer applied. EPIC also challenged the NSA bulk collection program in a petition to the Supreme Court. (Mar. 24, 2016)
- FTC Issues Warning on Cross-Device Tracking and Surveillance Apps. The Federal Trade Commission has issued warnings to 12 Android app developers that use audio beacons to track consumers across their devices and monitor TV viewing habits. The smartphone apps contain Silverpush software that constantly listens for inaudible signals emitted by TV commercials and secretly collects and transmits viewing data. The announcement appears to be a response to two earlier complaints filed by EPIC with the Commission. EPIC previously urged the FTC to limit "cross-device tracking" technology that links consumers' smartphone activity with what they see on their laptop or television. EPIC also urged the FTC and the Department of Justice to investigate "always-on" consumer devices for possible violations of the Wiretap Act, state privacy laws, or the FTC Act. (Mar. 22, 2016)
- EPIC Urges FCC to Broaden Scope, Substance of Draft Privacy Rules. EPIC has released a memo on the FCC's draft broadband privacy rules, urging the Commission to broaden its scope and strengthen its substantive data protections. The draft rules, previewed in a fact sheet on March 10, 2016, would apply to Internet service providers (ISPs) but not to email, search, or social media services. EPIC explained that the proposal's "framing of the communications privacy challenges facing US consumers is incomplete and fails to address the full range of activities that threaten online privacy." EPIC further explained that the proposal's focus on "choice, transparency and security" will fail to safeguard consumer privacy. EPIC has urged the Commission to apply the Consumer Privacy Bill of Rights to communications data. (Mar. 20, 2016)
- EPIC Intervenes in Privacy Case before European Court of Human Rights. Today EPIC filed a brief in a case before the European Court of Human Rights. The case involves a challenge brought by 10 human rights organizations arguing that surveillance by British and U.S. intelligence organizations violated their fundamental rights. In its brief, EPIC explained that the NSA's "technological capacities" enable "wide scale surveillance" and that U.S. statutes do not restrict surveillance of non-U.S. persons abroad. "The NSA collects personal data from around the world and transfer that data without adequate legal protections." EPIC routinely files amicus briefs in federal and state cases that raise novel privacy issues. This is EPIC's first brief for the Court of Human Rights in Strasbourg. (Mar. 18, 2016)
- EPIC's Rotenberg Urges European Parliament to Condition "Privacy Shield" on End of 702 Surveillance. Speaking before the European Parliament on "Privacy Shield," Marc Rotenberg outlined several flaws in the proposed EU-US data transfer agreement, including a weak privacy framework, lack of enforcement, and a cumbersome redress mechanism. In the short term, Rotenberg recommended that the EU condition acceptance of the Privacy Shield on the end of the "702 program," which permits bulk surveillance on Europeans by the US. EPIC along with other NGOs has urged the European Commission to rewrite the Privacy Shield, saying it fails to safeguard human rights and does not reflect changes in US law as required by the Schrems decision. (Mar. 17, 2016)
- President Obama Nominates Merrick Garland for Supreme Court. The President has nominated D.C. Circuit Chief Judge Merrick Garland for the United States Supreme Court. Garland, a former prosecutor and head of the Department of Justice's Criminal Division, has served on the D.C. Circuit for 15 years. EPIC has previously urged the Senate to hold hearings and explore the views of earlier Supreme Court nominees, including Justice Kagan, Justice Sotomayor, and Chief Justice Roberts. EPIC frequently files amicus briefs in the US Supreme Court, including Spokeo v. Robins and Utah v. Strieff in the current term. (Mar. 16, 2016)
- Drone Privacy Safeguards Move Forward in Senate. A Senate committee has adopted several key privacy amendments concerning drone operations in the US. The amendments, sponsored by Senator Markey (D-Mass), limit the scope of drone surveillance and require more accountability for drone operators. Markey stated, "As more and more drones take flight in our skies, the need to protect Americans' privacy is paramount." EPIC urged Congress and the FAA to establish limits on drone surveillance and recommended the FAA establish a database detailing drone surveillance capabilities. EPIC has sued the FAA for its failure to establish commercial drone privacy rules. (Mar. 16, 2016)
- NGOs - "Privacy Shield" is Failed Approach for EU-US Data Protection. More than twenty civil society groups have urged European leaders to oppose adoption of the "Privacy Shield" for EU-US data flows. The NGOs state that the political agreement fails to provide sufficient data protection and does not respect the decision of the European Court of Justice in the Schrems case. The groups said the US must make changes in domestic laws and international commitments to comply with the decision and permit transfers of personal data. EPIC has launched "Data Protection 2016" to support stronger privacy safeguards in the US. (Mar. 16, 2016)
- Senate Passes FOIA Reform Bill. The Senate has passed by unanimous consent the Freedom of Information Improvement Act of 2015. The bill, cosponsored by Senator Patrick Leahy (D-VT) and Senator John Cornyn (R-TX), requires federal agencies to operate under a "presumption of openness," and places time limits on the FOIA's Exemption 5. Senator Leahy said that the bill "will help open the government to the 300 million Americans it serves and ensure that future administrations place an emphasis on openness and transparency." The House passed a similar bill in January 2016. Differences between the two versions must now be reconciled before President Obama can sign the bill into law. EPIC and a coalition of open government advocates urged the President to support the bipartisan legislation. (Mar. 16, 2016)
- Senate to Consider FAA Funding but Drone Privacy Safeguards Missing. On March 16, 2016 the Senate will consider the FAA Reauthorization bill. Senator John Thune introduced the legislation to fund the operations of the federal agency responsible for aviation safety. The bill requires drone operators to post privacy policies, but provides no meaningful privacy safeguards that would limit surveillance by drone operators. EPIC has urged Congress and the FAA to establish real limits on surveillance by drones. EPIC also recommended that the FAA establish a national database detailing the surveillance capabilities of commercial drones. And after the agency failed to establish privacy rules mandated by Congress, EPIC filed a lawsuit, EPIC v. FAA, that is now pending before the DC Circuit Court of Appeals. (Mar. 14, 2016)
- EPIC to Testify before Pennsylvania Senate on Domestic Drone Surveillance. EPIC Domestic Surveillance Project Director Jeramie Scott will testify at a hearing before the Pennsylvania Senate Majority on "Unmanned Aerial Vehicles." The hearing will address the private and public sector use of drones. In a prepared statement, EPIC’s Scott urges the Pennsylvania Senate to enact legislation to limit both law enforcement and commercial drone surveillance. EPIC states, “The increased use of drones to conduct various forms of surveillance must be accompanied by increased privacy protections.” EPIC previously sued the FAA for failing to establish federal privacy rules for commercial drones. EPIC v. FAA is pending before the D.C. Circuit. (Mar. 14, 2016)
- EPIC Publishes 2016 FOIA Gallery. In celebration of Sunshine Week, a national recognition of public access to information, EPIC has unveiled the 2016 FOIA Gallery. Since 2001, EPIC has released annual highlights of EPIC's most significant open government cases. In 2015, EPIC obtained records on e-voting tests from the Department of Defense, a secret EU-US data transfer agreement, and a massive boater tracking program operated by the DHS. In the latest FOIA Gallery, EPIC also highlights the victory in EPIC v. DOJ, a FOIA case concerning electronic surveillance reports, EPIC v. NSA about cyber surveillance, and EPIC's role as "friend of the court" in an open government case before the California Supreme Court. (Mar. 11, 2016)
- FCC to Consider Privacy Rules for ISPs. The FCC will consider a proposal for consumer privacy regulations on March 31st. According to a fact sheet, the rulemaking will "apply the privacy requirements of the Communications Act" to broadband internet access services (ISPs) but not Internet websites, search services, and social media platforms. While ISPs are engaged in invasive consumer tracking and profiling practices, focusing only on these providers misses a vast amount of data collection activities by other service providers. In a previous letter to the FCC, EPIC urged the Commission to establish a broad framework for communications privacy, based on Fair Information Practices. Separately, EPIC filed a petition with the FCC, joined by 29 organizations, to end the mandatory retention of consumer data. (Mar. 10, 2016)
- FCC Reaches Settlement with Verizon over Hidden "Super Cookies". The Federal Communications Commission reached a settlement with Verizon Wireless for its practice of placing hidden, undeletable "super cookies" on customers' smartphones without their knowledge or consent. The settlement requires Verizon to notify its customers of its targeted advertising practices and to obtain opt-in consent before sharing consumer data with third parties. Verizon must also pay a $1.35 million fine. EPIC has recently urged the FCC to undertake a broad rulemaking on communications privacy issues facing consumers, including the invasive and ubiquitous tracking practices of ISPs. EPIC has also urged the Federal Trade Commission to limit the use of persistent identifiers. (Mar. 10, 2016)
- New Congressional Report Explores Legal Issues Regarding Compelled Decryption. "Encryption: Selected Legal Issues," a new report from the Congressional Research Service, explores two important legal questions that arise from government requests for compelled decryption: the Fifth Amendment right against self-incrimination and the scope of the All Writs Act, the federal statute at issue in Apple v. FBI. EPIC filed a "friend of the court" brief, joined by eight other consumer privacy organizations, in support of Apple's challenge in the FBI iPhone case, pointing to the increased risk of cell phone theft and financial fraud that would result from compelled encryption. (Mar. 8, 2016)
- EPIC, Consumer Privacy Groups Urge FCC to Protect Consumer Privacy. EPIC, joined by nearly a dozen consumer privacy groups, submitted a letter to the FCC reviewing the invasive consumer tracking and consumer profiling practices of Internet service providers (ISPs), which "underscore the imperative for the FCC to exercise the full extent of its rulemaking authority to protect consumer privacy." The letter explained why encryption and virtual private networks ("VPNs") are insufficient to protect consumers from ISP surveillance. The letter described how the Federal Trade Commission's reactive, "notice and choice" approach to privacy fails to provide meaningful protections for consumers. EPIC previously urged the FCC to undertake a broad rulemaking on "the full range of communications privacy issues facing US consumers." EPIC has worked with the FCC to promote consumer privacy in the communications field for more than 20 years. (Mar. 7, 2016)
- DHS Privacy Office Releases 2015 Data Mining Report. The Department of Homeland Security has released the 2015 Annual Data Mining Report. The report describes several of the Agency's profiling systems that assign secret "risk assessments" to U.S. citizens. EPIC recently prevailed in a FOIA case involving a controversial DHS passenger screening program, the "Analytic Framework for Intelligence." In EPIC v. USCG, another case concerning a DHS profiling program, EPIC uncovered records about a program to track boaters operating in US waters in which DHS stated that boaters "have no expectation of privacy." The 2015 DHS report indicates expansion of agency profiling programs, including the "Automated Targeting System." (Mar. 4, 2016)
- EPIC Files Brief in Support of Apple and Consumers in FBI iPhone Case. Today EPIC filed a "friend of the court" brief, joined by eight other consumer privacy organizations, in support of Apple's challenge in the FBI iPhone case. In Apple v. FBI, EPIC argued that the "security features in dispute in this case were adopted to protect consumers from crime." EPIC explained that an order to compel Apple to take extraordinary measures to undo these features places at risk millions of cell phone users across the United States. EPIC routinely files amicus briefs in cases that raise novel privacy and civil liberties issues. EPIC has filed two briefs in the United States Supreme Court in the past year in cases concerning consumer privacy and also the Fourth Amendment. (Mar. 3, 2016)
- Bill to Establish Digital Security Commission Introduced in House. Rep. Lieu (D-CA) has cosponsored bipartisan legislation to create a Digital Security Commission that will explore how law enforcement should pursue investigations without undermining constitutional privacy protections or American competitiveness. Rep. Lieu emphasized, "strong national security and a strong economy requires strong encryption." The legislation comes as Apple opposes a court order to compromise iPhone security to allow government access. Congressman Lieu called upon "the FBI and DOJ to withdraw their coercive demands of Apple and allow the democratic process to work." In 2015, EPIC gave the Champion of Freedom Award to Apple CEO, Tim Cook, for his work protecting privacy and promoting encryption. (Mar. 2, 2016)
- TSA Ignores Federal Court, Public Comments and Mandates Airport Body Scanners. The Transportation Security Administration has issued a final rule on airport body scanners, nearly five years after the D.C. Circuit Court of Appeals ordered the agency to "promptly" solicit public comments on the controversial scanners. In 2011, EPIC successfully challenged the TSA's unlawful deployment of airport body scanners. Despite public comments that overwhelmingly favor less invasive security screenings, the agency will continue to use invasive body scanners at airports. The agency also states that it may mandate airport body scanners. EPIC and 25 organizations have urged Congress to hold a hearing on TSA's decision to end the opt-out for airport body scanners. The agency previously informed the D.C. Circuit that the body scanner program was optional. The Court concluded because "any passenger may opt-out of AIT screening in favor of a patdown" there was no violation of the Fourth Amendment. (Mar. 2, 2016)
- Diffie, Hellman Win Turing Award for Public Key Encryption. Whitfield Diffie and Martin Hellman have received the 2016 Turing Award for the discovery of public key encryption, the cornerstone of network security. The award is named for Alan Turing, a computer scientist who helped pioneer modern computing and broke the German Enigma code, hastening the end of the Second World War. The Turing Award is considered the Nobel Prize of computer science and is given for major contributions of lasting importance by the Association for Computing Machinery. Diffie, a member of the EPIC Advisory Board, was one of the founders of the Electronic Privacy Information Center and received the EPIC Lifetime Achievement Award in 2012. (Mar. 1, 2016)
- EPIC Files Brief in Suit Over Faulty Background Checks. EPIC has filed an amicus brief in Smith v. LexisNexis Screening Solutions. The case was brought by a job applicant who was denied employment after a background report incorrectly stated that he had a criminal record. A court found that LexisNexis had violated the Fair Credit Reporting Act by failing to take reasonable steps to ensure "maximum possible accuracy" in the report. LexisNexis appealed. In the amicus brief, EPIC highlighted the industry practice of selling background reports with inaccurate information. EPIC argued that companies should be strictly liable when they fail to maintain accuracy in these reports. In 2005, EPIC filed a famous FTC complaint about the data broker ChoicePoint, which ultimately led to a $10 million settlement. (Mar. 1, 2016)
- NY District Court Denies Government Demand to Unlock iPhone. Magistrate Judge Orenstein denied a government request under the All Writs Act to force Apple to unlock an iPhone. Judge Orenstein stated "the government's construction of the [All Writs Act] produces absurd results in application." The ruling comes the day before a Congressional hearing to address recent efforts to force Apple to decrypt iPhones. Apple is opposing a court order in another case that would require the company to make changes to the iPhone to enable government access. In 2015, EPIC gave the Champion of Freedom Award to Apple CEO, Tim Cook, for his work protecting privacy and promoting encryption. (Feb. 29, 2016)
- "Privacy Shield" Released, New Questions Raised. The text of the "Privacy Shield" was released today by the European Commission and the US Department of Commerce. The arrangement was intended to bring EU-US data transfers in line with the recent decision of the European Court of Justice in the Schrems case. But the framework appears to provide less protection than the Safe Harbor arrangement it replaces. New exceptions take broad categories of personal data entirely outside the scope of the agreement. Max Schrems said "this is far from what the Court required and does not seem like a stable solution." Privacy experts will now assess the text and determine whether it provides an adequate basis for the transfer of personal data. EU and US NGOs have urged the US to update its privacy laws. (Feb. 29, 2016)
- NSA to Disclose Agency Records to Other Federal Agencies, Implicating Federal Privacy Act. According to the New York Times, the NSA plans to disclose intercepted private communications to other federal agencies, including records of communications concerning US persons. The substantial change in agency practices "would relax longstanding restrictions on access to the contents of the phone calls and email." In 2013, EPIC and a group of legal scholars and technical experts petitioned the NSA to undertake a public rulemaking on "the agency's monitoring and collection of communications traffic within the United States." EPIC has previously urged the Department of Defense to ensure that the NSA complies with the federal Privacy Act and has opposed expansion of the "Operations Records" database. (Feb. 26, 2016)
- European Commission Wrongly Denies EPIC's Request For "Privacy Shield". The European Commission has wrongly denied EPIC's Freedom of Information request for the text of the "Privacy Shield." The Commission said the adequacy decision about Safe Harbor is "in preparation" and "negotiations with the U.S. are still ongoing." The Commission confused the text of the political agreement, known as "the Privacy Shield," with a legal determination about whether the agreement meets EU data protection law. EPIC will pursue public release of the Privacy Shield, which was previously announced, and then the release of the adequacy determination when it is final. EU and US consumer and privacy organizations have opposed the agreement because it fails to provide adequate privacy protections. (Feb. 26, 2016)
- Apple Opposes FBI Decryption Order. Today Apple filed a "motion to vacate" a court order that would require the company to make changes to the iPhone to enable law enforcement access to personal information. In its brief, Apple asserts that this case is about "the ability to force companies like Apple to undermine the basic security and privacy interests of hundreds of millions of individuals around the globe." Apple argued that the FBI's requested court order violates the First and Fifth Amendments. Consumer Reports found that more than 3.1 million cellphones were stolen in 2013, and noted that "efforts by the telecom industry to reduce thefts don't seem to be helping matters." In 2015, EPIC gave the Champion of Freedom Award to Apple CEO, Tim Cook, for his work protecting privacy and promoting encryption. (Feb. 25, 2016)
- House Members Seek Answers on FBI Stingray Agreements. Two leading members of the House Judiciary Committee sent a letter to FBI Director James Comey regarding Stingray surveillance devices, which intercept cellphone communications. Representative Jim Sensenbrenner (R-Wisc) and Representative Sheila Jackson Lee (D-Tx) sharply criticized the FBI's use of "non disclosure agreements" that prohibit local law enforcement agencies from discussing the use of Stingrays, even in court proceedings. The representatives noted that such secrecy "shields the technology from debate." They asked the FBI to answer specific questions about the agreements. In 2013, EPIC first uncovered these secret Stingray agreements in a Freedom of Information Act suit against the FBI. (Feb. 25, 2016)
- Writers Side with Apple in Encryption Fight with FBI. In a letter to the Attorney General, leading writers and artists protested the FBI's "efforts to force Apple to create software that could effectively enable the U.S. government to unlock any iPhone." The letter from the PEN America Center highlights how "intrusions on privacy damage creative expression and free speech." EPIC has long supported strong encryption as key to the future of privacy and security. EPIC recently gave the 2015 Champion of Freedom Award to Apple CEO Tim Cook for his work in promoting encryption and protecting privacy and security. The 2016 EPIC Awards dinner will be held on June 6th in Washington, DC. (Feb. 24, 2016)
- EPIC FOIA - Information about Controversial DNA Forensic Technique Released. In response to EPIC's FOIA request, the California Department of Justice has released records on a controversial forensic technique. The records show that in 2014, the state agency spent more than $300,000 on STRMix, a secret technique for matching DNA. Investigators in Australia subsequently found an error in the STRMix code that produced incorrect results in 60 criminal cases, including a high-profile murder case. STRMix promises prosecutors the ability to "[c]arry out familial searches against a database, searching for close relatives of contributors to mixed DNA profiles" but the algorithm remains secret. EPIC is pursuing FOIA requests on the secret DNA matching algorithms with state agencies across the U.S. (Feb. 23, 2016)
- EPIC Recommends Greater Accountability for Government Screening Database. EPIC submitted comments to DHS urging the agency to improve transparency and privacy protections for the controversial Terrorist Screening Database that is used for Watchlist programs, such as the No Fly List, containing information that is often inaccurate and incomplete. The agency solicited comments on a proposal to remove Privacy Act safeguards while simultaneously expanding data collection and distributing data more widely across the DHS. EPIC and many other organizations opposed the establishment of the Screening Database and called for the suspension pending a full review of the privacy and security implications. EPIC has testified before Congress about the risks of the Watchlist program. (Feb. 23, 2016)
- President Announces $19 billion Cybersecurity Plan. President Obama has proposed a $19 billion Cybersecurity National Action Plan that aims to modernize government IT and improve Americans' cybersecurity. The government will reduce reliance on social security numbers and promote increased use of multi-factor authentication. The plan will also establish a Commission on Enhancing National Cybersecurity. A Federal Privacy Council will coordinate federal privacy guidelines but lacks authority to enforce Privacy Act obligations. EPIC has repeatedly urged federal agencies to uphold Privacy Act protections. (Feb. 23, 2016)
- Supreme Court to Consider Fourth Amendment ID-Check Case. The Supreme Court will hear arguments today in Utah v. Strieff. At issue is the use of evidence obtained from government databases following an illegal police stop. In a brief signed by twenty-one technical experts and legal scholars, EPIC warned about the vast amount of personal data, much of it inaccurate, stored in government databases and pointed to the failure of the Justice Department to enforce Privacy Act safeguards. EPIC argued that "a diminished Fourth Amendment standard coupled with a weakened Privacy Act is truly a recipe for a loss of liberty in America." EPIC had filed amicus briefs in several related Supreme Court cases, including Hiibel v. Sixth Judicial District, Tolentino v. New York, and Herring v. U.S. (Feb. 22, 2016)
- California AG Releases 2016 Data Breach Report, Retail and Financial Sectors Most Vulnerable. A new report from California Attorney General Kamala Harris examines data breaches in California from 2012 to 2015. There were 657 data breaches during the last four years, which compromised over 49 million records. The retail sector experienced the largest share of breaches at 25%, followed by the financial sector at 18%. Among several recommendations, the report recommends that organizations adopt strong encryption. "Government and the private sector have a shared responsibility to safeguard consumers from threats to their privacy, finances, and personal security," Attorney General Harris stated. The Attorney General received a 2015 EPIC Champion of Freedom Award. EPIC recently launched "Data Protection 2016," a non-partisan campaign to make data protection an issue in the 2016 election. (Feb. 18, 2016)
- Apple Opposes FBI Decryption Order. Apple has opposed a court order that would require the company to make changes to the iPhone to enable law enforcement access to personal information. The order followed an FBI application under the All Writs Act, a law from 1789. Apple CEO Tim Cook wrote in response that the government's action "would undermine the very freedoms and liberty our government is meant to protect." In 2015, EPIC gave the Champion of Freedom Award to Mr. Cook for his work protecting privacy and promoting encryption. The EPIC 2016 Awards dinner will be held June 6 in Washington, DC. (Feb. 17, 2016)
- EPIC Prevails in Passenger Screening Lawsuit Against DHS. EPIC has prevailed in EPIC v. DHS, a case involving a controversial passenger screening program operated by Customs and Border Protection. The agency combines detailed personal information with secret algorithms to assign "risk assessments" to travelers, including US citizens. EPIC sued the DHS and argued that the agency unlawfully withheld records under the Freedom of Information Act. Today, a federal judge concluded that EPIC "has the more convincing argument" and that the agency failed to disclose information about the "Analytic Framework for Intelligence" program. (Feb. 17, 2016)
- "Judicial Redress Act" Provides Little Redress. The Judicial Redress Act of 2015, enacted by Congress and now on to the President for signature, fails to extend Privacy Act protections to non-U.S. citizens. EPIC previously recommended changes to protect transborder data flows. The bill, as adopted, coerces European countries to transfer data to the US, even without adequate protection, or be denied legal rights. Congress adopted the narrow amendment to the Privacy Act without any changes to benefit U.S. citizens even after a data breach compromised 21.5 records maintained by the Office of Personnel Management. EPIC explained that the OPM breach made clear the need for updates to the federal privacy law. (Feb. 12, 2016)
- Google Concedes "Right to be Forgotten" Applies Worldwide. After waging an unproductive battle against the privacy rights of Internet users, Google will finally remove links to sensitive personal information. Google had challenged the legal authority of the Spanish people to protect their personal information, but lost the case Google v. Spain before the top court in Europe. Google then claimed that the links to personal data should only be removed in the country where the Internet user resided. Privacy experts said Google's position made no sense for the "global Internet." The French data protection agency threatened Google with sanctions. Google again fought back, claiming it did not need to comply with the decision of the Court of Justice of the European Union. Now the company has decided to comply with the law. (Feb. 11, 2016)
- Department of Commerce: Privacy Shield "does not exist". As a response to EPIC's Freedom of Information request for the "Privacy Shield," the Commerce Department responded that "the record you requested does not exist." EU and US officials celebrated earlier this month that the EU and the US reached an agreement for transatlantic data transfers but they did not make the agreement public. Apparently there was nothing to make public since the agreement does not exist. The EPIC FOIA request is designated DOC-ITA-2016-000577. (Feb. 10, 2016)
- EPIC to Argue before Federal Appeals Court for Drone Privacy Rules. EPIC President Marc Rotenberg will argue EPIC v. FAA before the D.C. Circuit Court of Appeals on February 10, 2016. EPIC, joined by more than 100 groups and experts, petitioned the agency to conduct a public rule-making on the privacy impact of increased drone deployment in the United States. The FAA acknowledged the importance of privacy and responded in November 2014 that it would undertake the rulemaking. But in early 2015, the agency reversed course and announced it would not establish privacy safeguards for commercial drones. As of February 5, 2016, the agency has granted more than 3,300 waivers to drone operators who lack certification to demonstrate airworthiness. (Feb. 9, 2016)
- Hackers Breach US Government Database, No Recourse for Non-Americans. Less than a week after the European and US governments struck a deal for a framework to permit transborder data flows of personal data, hackers breached sensitive personal data at the US Department of Homeland Security. The DHS stores vast amounts of personal information on non-US persons, including detailed travel information. Under current law, non-US persons have no legal rights when federal agencies fail to safeguard their personal data. EPIC is seeking release of the so-called "Privacy Shield" and has launched a new campaign to promote Data Protection in the United States. (Feb. 9, 2016)
- EPIC Launches "Data Protection 2016" to Make Privacy a Campaign Issue. Noting widespread concern about the state of privacy in America, EPIC has launched "Data Protection 2016," a non-partisan campaign to make data protection an issue in the 2016 election. EPIC President Marc Rotenberg said, "Data breaches, identity theft, and government surveillance are critical issues facing American voters, yet the candidates have said hardly a word." Security expert Bruce Schneier said, "Privacy is a critical issue that touches many aspects of Americans' lives. The Presidential candidates need to have a plan to protect our personal information." DataProtection2016 shows widespread support for stronger privacy protections in the United States. Campaign materials, including buttons and stickers, are available. Donations will support the work of EPIC. (Feb. 7, 2016)
- Court Orders DOJ to Justify Withholding of FISA Reports in EPIC FOIA Suit. A federal court in Washington, DC ruled today that the Justice Department's explanation for withholding information about the Foreign Intelligence Surveillance Court was "manifestly insufficient." In EPIC v. Department of Justice, EPIC is seeking release of FISA surveillance reports routinely provided to Congress. The court ordered the government to submit the reports for review, and to provide specific reasons for withholding the material sought by EPIC. For almost 20 years, EPIC has made available information about FISC orders and surveillance reports. As EPIC explained to the court, release of these materials is of the "utmost importance to the public." (Feb. 4, 2016)
- EPIC Seeks Release of "Privacy Shield," Secret Data Transfer Agreement. EPIC has filed emergency Freedom of Information requests with the US and the EU for release of a secret agreement for the transfer of personal data across the Atlantic. A new framework was required by a recent decision of the European Court of Justice. But European and American consumer organizations say the "Privacy Shield" does not provide adequate protection for the transfer of personal data. EPIC stated, “The public has a right to know whether this agreement provides adequate legal protection.” EPIC previously obtained the secret EU-US Umbrella Agreement in FOIA litigation. (Feb. 4, 2016)
- Privacy Commissioners to Review "Privacy Shield". The Article 29 Working Party, the association of European Data Protection Commissioners, has said it will review the adequacy of the "Privacy Shield" proposal for transborder data flows. The Working Party said there must be (1) clear and precise rules, (2) a "necessary and proportionate" standard for data collection and access, (3) independent oversight, and (4) effective remedies for the individual. The Working Party also said it must first receive the relevant documents to assess the legal force of the arrangement and whether it will resolve "wider concerns raised by the Schrems judgement." (Feb. 3, 2016)
- Anticipating Annulment, EU-US Negotiators Sign Off on "Privacy Shield". Disregarding a decision of the European Court of Justice, negotiators for the US Commerce Dept., the FTC, and the European Commission have agreed to allow the continued transfer of consumer data without adequate legal protection. A virtually identical arrangement was recently struck down by the Court in the Schrems case as a violation of multiple rights of Europeans, including rights to privacy, data protection, and effective redress. Consumers in the US have also expressed concern about rising levels of data breach, identity theft, and financial fraud. EPIC and many EU and US consumer organizations urged negotiators to establish strong safeguards for the transfer of personal data. (Feb. 2, 2016)
- EPIC Urges Supreme Court to Uphold Fourth Amendment Safeguards for Police Stops. EPIC has filed a "friend-of-the-court" brief in Utah v. Strieff, a U.S. Supreme Court case about whether the Fourth Amendment allows evidence to be admitted after an illegal stop. Mr. Strieff was unlawfully detained by an officer, who checked his ID and then arrested him on an unrelated outstanding warrant. In a brief, signed by twenty-one technical experts and legal scholars, EPIC detailed a number of sweeping government databases that contain inaccurate and detailed records about Americans' noncriminal activity. EPIC argued that "a diminished Fourth Amendment standard coupled with a weakened Privacy Act is truly a recipe for a loss of liberty in America." EPIC previously argued against compelled identification during police stops in Hiibel v. Sixth Judicial District and Tolentino v. New York. (Jan. 29, 2016)
- Schrems Responds to US Lobby Groups on Safe Harbor. In a brief but clearly argued letter to European data protection authorities, Max Schrems writes that "attempts by lobby groups and the US government to 'reinterpret' or 'overturn' the clear judgement of the Union's highest court are fundamentally flawed." Schrems brought the successful case to the European Court of Justice that struck down the Safe Harbor arrangement. The Schrems letter, released on International Data Protection Day, also states that a new transfer agreement must provide "protection against government surveillance and 'essentially equivalent' protection against the commercial use of data by certified companies." Max Schrems received the 2013 EPIC Champion of Freedom Award. (Jan. 29, 2016)
- "Clock is ticking" on Safe Harbor, says European Consumer Organization. BEUC, the consumer organization of the European Union, has urged European policy makers to accept a revised Safe Harbor arrangement only if it complies with the Schrems decision and "guarantees that EU citizens' fundamental rights are upheld when their data is exported to the United States." Last year, 40 consumer privacy organizations in Europe and the United States urged US Secretary Pritzker and EU Commissioner Jourova to take specific steps to close the widening EU-US data divide. Secretary Pritzker has been unwilling to meet with consumer organizations. (Jan. 29, 2016)
- EPIC Celebrates International Privacy Day. EPIC celebrates January 28, International Privacy Day, which commemorates the signing of Convention 108, on January 28, 1981. The Privacy Convention was the first binding international treaty for privacy and data protection. EPIC and consumer organizations have called on the United States to ratify Convention 108. NGOs and privacy experts have also expressed support for the Madrid Declaration, a substantial document that reaffirms international instruments for privacy protection, identifies new challenges, and calls for concrete actions. (Jan. 28, 2016)
- EPIC Gives 2016 Freedom Award to Viviane Reding. EPIC has awarded the 2016 International Champion of Freedom Award to former EU Justice Minister Viviane Reding. Ms. Reding led the effort in the European Commission for adoption of the new European privacy law, the General Data Protection Regulation. The EPIC award was presented at the annual conference on Computers, Privacy and Data Protection in Brussels. The US EPIC Champion of Freedom Awards will be presented on June 6, 2016 in Washington, DC. (Jan. 28, 2016)
- U.S. Law Firm Argues U.S. Privacy Law "Essentially Equivalent". A recent report from a U.S. law firm concludes that the United States offers essentially equivalent privacy protection to Europe. The report also finds that "This body of laws ensures that government access to data for law-enforcement and intelligence purposes is limited to what is necessary and proportionate." Of course, all travel records of Europeans are routinely transferred to the U.S. Department of Homeland Security without any legal protection. Under Section 702 of the Patriot Act, the US government routinely obtains vast amounts of personal data on non-US persons, including communications logs and website activity. Executive Order 12333 provides even broader surveillance authorities. (Jan. 27, 2016)
- Pew Survey: Americans Unhappy with How Personal Data is Used by Companies. According to the recent survey of the Pew Research Center, Americans are cautious about disclosing personal data in commercial settings. They are also frequently unhappy with how companies use their data afterwards. For example, 55% of adults said it would be unacceptable for a "smart thermostat" to track their movements around their home in exchange for a discount on their energy bill. And a majority said it would not be acceptable for a car insurance company to monitor a driver's speed and location in exchange for safe driving discounts. EPIC had urged the Federal Trade Commission to investigate Google's acquisition of Nest and has a complaint pending before the FTC regarding "always on" devices. (Jan. 26, 2016)
- EPIC and Consumer Privacy Groups File Brief Supporting FCC in Telephone Privacy Case. EPIC and six consumer privacy organizations have filed a "friend-of-the-court" brief in support of the Federal Communications Commission in ACA International v. FCC. The case was brought against the FCC by industry groups charged with violating the Telephone Consumer Protection Act. The FCC had made clear that companies cannot make automated or prerecorded calls to consumers without their consent. EPIC argued in its brief that widespread adoption of cell phones "has amplified the nuisance and privacy invasion caused by unwanted calls and text messages." EPIC and the consumer organizations urged the federal court to uphold the FCC order safeguarding consumers. (Jan. 25, 2016)
- EPIC v. DOJ: EPIC Prevails, DOJ Releases Secret EU-US Umbrella Agreement. After months of delay, the Department of Justice has finally released to EPIC the full text of the EU-US Umbrella Agreement. EPIC sued the DOJ last year after the agency failed to act on EPIC's FOIA request for the secret agreement. Today's release comes on the heels of EPIC's opposition to the agency's attempt to further delay the Agreement's release. The Umbrella Agreement outlines data transfers between EU and US law enforcement agencies, and is the basis for the Judicial Redress Act currently before Congress. EPIC has criticized the legislation, and recently urged the Senate to delay action on the bill until the DOJ releases the Umbrella Agreement and the Judiciary Committee holds a hearing on the legislation. (Jan. 25, 2016)
- EPIC Seeks to Intervene in Privacy Case Before European Court of Human Rights. EPIC has asked the European Court of Human Rights for permission to submit an amicus brief in a case concerning mass surveillance. Ten international human rights NGOs brought the case to challenge UK surveillance laws and practices. The case concerns Tempora, PRISM, and Upstream programs, and the interception of communications by UK intelligence services and the National Security Agency. EPIC proposes to assist the Court in understanding U.S. surveillance law, and to provide relevant information EPIC has obtained through freedom of information litigation. EPIC routinely files amicus briefs in cases concerning emerging privacy and civil liberties issues. (Jan. 22, 2016)
- Supreme Court Rules Settlement Offers Can't Moot Consumer Class Actions. The Supreme Court has ruled that a company cannot terminate class action litigation by strategically making a settlement offer of full relief to individual plaintiffs. The case, Campbell-Ewald Co. v. Gomez, involved a consumer who refused to drop his Telephone Consumer Protection Act lawsuit in exchange for such an offer. The defendant company argued that the offer, which exceeded the statutory damages under the TCPA, mooted his case. The Justices disagreed, ruling 6-3 that "an unaccepted settlement offer has no force. Like other unaccepted contract offers, it creates no lasting right or obligation." EPIC routinely works to protect consumer privacy interests in class action settlements. (Jan. 20, 2016)
- EPIC Urges FCC to Establish Communications Privacy Protections for Consumers. EPIC has submitted a letter to the Federal Communications Commission urging the agency to undertake a rulemaking to protect the communications privacy of consumers. EPIC asked the FCC to explore "the full range of communications privacy issues facing US consumers." EPIC proposed that the FCC implement Fair Information Practices and the Consumer Privacy Bill of Rights; adopt data minimization requirements; promote Privacy-Enhancing Technologies; and require opt-in consent for the use or disclosure of consumer data. EPIC suggested that the FCC model its communications privacy rules on the Code of Fair Information Practices for the National Information Infrastructure. EPIC has worked with the FCC to promote consumer privacy in the communications field for more than 20 years. (Jan. 20, 2016)
- Senator Franken Presses Google on Student Privacy. Senator Al Franken (D-MN) asked Google to explain what the company does with student data, including: what types of data Google collects, to whom Google discloses student information, and whether students and schools “have control over what data is being collected and how the data are being used?” Senator Franken stated, “I believe Americans have a fundamental right to privacy, and that right includes a student or parent’s access to information about what data are being collected about them and how the data are being used.” EPIC has called for a Student Privacy Bill of Rights, an enforceable student privacy and data security framework. (Jan. 16, 2016)
- EPIC Urges Senate to Postpone Action on Judicial Redress Act . Today EPIC urged the Senate Judiciary Committee to postpone action on the Judicial Redress Act until the Department of Justice releases a secret data transfer agreement on which the bill is based. The so-called Umbrella Agreement outlines data transfers between law enforcement agencies in Europe and the United States. EPIC has sued the DOJ for release of the document. EPIC also urged the Senate Committee to conduct a public hearing on Privacy Act modernization following the massive data breach at the office of Personnel and Management.EPIC previously wrote to the House Judiciary Committee to recommend updates to the Privacy Act. (Jan. 16, 2016)
- EPIC Urges FAA to Make Drone Surveillance Capabilities Public. In comments to the FAA, EPIC urged the agency to make public the surveillance capabilities of drones operated in the United Staes. EPIC also proposed privacy safeguards for personal information. EPIC stated, "It is not the personal information of the drone registrant that should be readily available to the public, but the technical capabilities of the registered drone." The FAA recently published a rule requiring drone registration, which EPIC supported. EPIC previously sued the FAA for failing to establish privacy rules for commercial drones. EPIC v. FAA is pending before the D.C. Circuit Court of Appeals. (Jan. 15, 2016)
- Court Upholds Facebook Settlement, Allows Continued Use of Kids' Images in Ads . A federal appeals court has upheld a 2013 settlement agreement in Fraley v. Facebook, a consumer privacy class action involving Facebook's use of young children's names and images for advertising without consent. That practice is currently prohibited in seven states. Questions were also raised about the cy pres determinations. In dissent, Judge Bea stated that the "district court abused its discretion in approving the final settlement." In an amicus brief to the Ninth Circuit, EPIC urged the appeals court to overturn the deal, explaining that the settlement is unfair to class members and authorizes continued privacy violations. In 2010, EPIC and a coalition of consumer privacy organizations filed an extensive complaint with the Federal Trade Commission that eventually required Facebook to improve its privacy practices. (Jan. 14, 2016)
- EPIC, Coalition Call for Congressional Hearings on Unlawful TSA Mandate for Body Scanners. EPIC and 25 organizations have urged Congress to hold a hearing on TSA's decision to end the opt-out for airport body scanners. Dozens of organizations petitioned the DHS secretary in 2010 to solicit public comments on the original program. In EPIC v. DHS the lawsuit that followed, the D.C. Circuit ruled that TSA violated federal law when it installed body scanners in airports without public comment. The agency said at the time that the body scanner program was optional. The Court also concluded because "any passenger may opt-out of AIT screening in favor of a patdown" there was no violation of the Fourth Amendment. (Jan. 13, 2016)
- Amid Criticism of Agency Compliance, House Passes Substantial FOIA Reforms. Congress has passed the FOIA Oversight and Implementation Act, H.R. 653, which would limit exemptions that allow agencies to withhold public records, create an online portal for FOIA requests, and require agencies to post frequently requested documents. Open government advocates and members of Congress have criticized federal agencies for lax compliance with the Freedom of Information Act. The House Oversight Committee concluded that "[e]xcessive delays and redactions" have undermined the Act." The FOIA Ombudsman criticized the Transportation Security Administration for its "weak management" and lack of a "FOIA tracking system." EPIC has pursued many FOIA cases. EPIC and a coalition previously urged President Obama to strengthen the FOIA by committing to a "presumption of openness" and narrowing the use of FOIA exemptions. (Jan. 11, 2016)
- Supreme Court Denies EPIC's Petition to Obtain Cellphone Shutdown Policy. Today, the U.S. Supreme Court declined to review EPIC v. DHS, concerning the government's cellphone shutdown policy. EPIC had pursued the secret policy after government officials disabled cellular service at a BART station in San Francisco during a peaceful protest. A district court in Washington, D.C. ruled in EPIC's favor when the DHS sought to withhold the policy, but the court of appeals later overturned the ruling. EPIC urged the Supreme Court to review the case to resolve a conflict between the D.C. Circuit and the Second Circuit Courts of Appeals. EPIC also pointed to competing public safety interests when cell service is disabled, but the Court declined. Despite today's order, EPIC successfully obtained a redacted version of the shutdown policy. (Jan. 11, 2016)
- Uber, New York AG Reach Settlement Over Rider Data Privacy Practices. The New York Attorney General’s office has announced a settlement in its investigation of Uber’s collection and misuse of rider locational data, as well as its failure to provide timely notice of a data breach affecting 50,000 Uber drivers. The investigation was prompted by public outcry over Uber’s “God View” tool that allowed Uber employees to obtain a specific rider’s real-time and historic location data without permission. The settlement requires Uber to encrypt rider locational data and enhance its data security. EPIC previously filed a complaint with the FTC, charging that Uber’s plan to track users and gather contact details is an unlawful and deceptive trade practice. In the Huffington Post, EPIC also recommended privacy law to regulate Uber and other companies in the ride-sharing industry. (Jan. 7, 2016)
- EPIC Urges HHS to Protect Privacy of Human Research Subjects. In comments to the Department of Health and Human Services, EPIC pointed out several flaws in proposed revisions to the "Common Rule," ethical rules regarding biomedical and behavioral research involving human subjects. While EPIC supports the agency's proposals to strengthen requirements for informed consent and to adopt a broad definition of Personally Identifiable Information, many of the proposed changes "place research interests ahead of the privacy interests" and fail to address the risks to human subjects of "Big Data" research. EPIC previously expressed concern about proposed changes to the Common Rule and continually advocates for health privacy rights. (Jan. 7, 2016)
- DHS Releases Drone Privacy Best Practices. The Department of Homeland Security has released a set of drone privacy best practices. The best practices reflect many of the recommendations made by EPIC in testimony to Congress, including limiting data collection, use, dissemination, and retention. The recommendations also propose a redress program so individuals can challenge inappropriate collection. The best practices are only guidelines, but a Presidential Memorandum on drones and privacy requires all federal agencies to establish and publish drone privacy procedures by February 2016. EPIC has sued the Federal Aviation Administration, in EPIC v. FAA, to establish privacy rules for commercial drones. Oral arguments are scheduled before the D.C. Circuit Court of Appeals on February 10. (Jan. 6, 2016)
- EPIC Warns Education Department of Research Database Privacy Risks. In comments to the Education Department, EPIC objected to the Department's recent proposal to gather detailed student information. The Department plans to collect student data, including discipline records, to assess "data-driven instruction professional development." The Department also proposes to disclose the data to private contractors. EPIC suggested that the agency use aggregate data instead of students' personally identifiable information so as to reduce the risk that might result from a data breach. EPIC noted that the agency's Inspector General recently found that "information systems continue to be vulnerable to serious security threats." EPIC has called for a Student Privacy Bill of Rights, an enforceable privacy and data security framework. (Jan. 6, 2016)
- EPIC Seeks Default Judgment in Umbrella Agreement Lawsuit. In its fight to obtain a copy of the EU-US Umbrella Agreement, EPIC asked a federal court in Washington, D.C. today to grant default judgment against the Department of Justice. EPIC sued the agency to obtain the secret agreement, which concerns the transfer of personal information between the EU and US. After the DOJ failed to answer EPIC's complaint, the court entered default against the agency. The Agreement is central to pending legislation, which the Senate Judiciary Committee is set to debate this month, yet the DOJ has not made the document available to the public or to Members of Congress. (Jan. 6, 2016)
- EPIC Opposes Sea Traveller Surveillance Program. In comments to the DHS, EPIC criticized a proposal to collect detailed records on people traveling by boat. The DHS is planning to track people arriving and departing the United States by sea, including between ports within the United States. However, DHS will ignore Privacy Act protections, and make the data collected routinely available to private companies and foreign governments. The proposal, explained EPIC, would "create a massive government database of detailed personal information that lacks accountability." EPIC has opposed other boat surveillance programs. And a FOIA case pursued by EPIC about a controversial boater tracking program revealed that the DHS fuses tracking data with other intelligence data to develop detailed profiles on boaters. (Jan. 4, 2016)