Cahen v. Toyota Motor Corporation

Whether drivers can sue for privacy and security vulnerabilities in connected cars

Summary

Cahen v. Toyota Motor Corp., currently before the U.S. Court of Appeals for the Ninth Circuit, concerns a class action challenge brought by drivers of Toyota and General Motors cars. Modern cars are "connected" -- they contain hundreds of computer systems that are connected to the internet and control almost everything in the car, including the engine, braking, airbags, door locks, seats, and infotainment systems. The plaintiffs allege that Toyota and GM violated California law by selling cars that are susceptible to hacking and collecting private driver data. The lower court dismissed the plaintiffs claims for lack of standing and for failure to state a claim.

Top News

  • Bipartisan Internet of Things Security Bill Passes Congress: Both branches of Congress have now passed a bill governing the security of the Internet of Things. The "Internet of Things Cybersecurity Improvement Act of 2019" sets baseline cybersecurity standards for IoT devices purchased by the federal government. The bipartisan measure is sponsored by Rep. Will Hurd (R-Texas) and Rep. Robin Kelly (D-Ill.) in the House and Sens. Mark Warner (D-VA) and Cory Gardner (R-CO) in the Senate. "While more and more products and even household appliances today have software functionality and internet connectivity, too few incorporate even basic safeguards and protections, posing a real risk to individual and national security," said Sen. Warner. The bill now heads to the President's desk for signature. EPIC recently told Congress that "the IoT network is the weak link in consumer products" and urged the establishment of of mandatory privacy and security standards. (Nov. 20, 2020)
  • IoT Security Bill Passed in House of Representatives: The House of Representatives has passed a bill governing the security of the Internet of Things. The "Internet of Things Cybersecurity Improvement Act of 2019" sets baseline cybersecurity standards for IoT devices purchased by the federal government. The bipartisan measure is sponsored by Rep. Will Hurd (R-Texas) and Rep. Robin Kelly (D-Ill.) “The Internet of Things grows every single day, and, by the end of next year, it will include more than 20 billion devices. The result is an astounding, unimaginable amount of data—90% of the data in the entire world was created in the last two years. America needs to keep up with this incredible trend, and that means ensuring proper security and protections—the IoT Cybersecurity Improvement Act is a step in that direction,” said Hurd. The Senate Homeland Security Committee advanced a similar bill last year. EPIC recently told Congress that "the IoT network is the weak link in consumer products" and urged the establishment of of mandatory privacy and security standards. (Sep. 15, 2020)
  • More top news »
  • Department of Transportation Releases Voluntary Guidelines for Driverless Vehicles » (Jan. 10, 2020)
    The Department of Transportation announced AV 4.0, voluntary guidelines for driverless vehicles. The guidelines "use a holistic, risk-based approach to protect the security of data and the public's privacy as AV technologies are designed and integrated." EPIC commented on an earlier version of the guidelines, saying the agency "should promulgate mandatory rather than voluntary cybersecurity guidelines." EPIC warned that "the very real possibility of remote car hacking poses substantial risks to driver safety and security." EPIC also testified before Congress in 2015, explaining that "current approaches, based on industry self-regulation, are inadequate and fail to protect driver privacy and safety."
  • Senators Press NHTSA on Dangers of Internet-Connected Cars » (Aug. 22, 2019)
    Senators Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) sent a letter to the National Highway Traffic Safety Administration to ask about the steps taken to protect consumers from the security vulnerabilities of internet-connected cars. The senators wrote: "We are concerned by the lack of publicly-available information about the occurrence and handling of cyber vulnerabilities in internet-connected cars, and believe that NHTSA should be aware of these dangers in order to take possible regulatory action." In comments to NHTSA, EPIC called for national safety standards for connected cars. EPIC also underscored the privacy risks of modern vehicles in a recent amicus brief to the Supreme Court.
  • IoT Security Bill Moves Forward in Senate » (Jun. 19, 2019)
    The Senate Homeland Security Committee has advanced a bill governing the security of the Internet of Things. The "Internet of Things Cybersecurity Improvement Act of 2019" sets baseline cybersecurity standards for IoT devices purchased by the federal government. "This legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices," said sponsor Senator Mark Warner (D-VA). EPIC recently told Congress that "the IoT network is the weak link in consumer products" and urged the establishment of of mandatory privacy and security standards. The Committee also advanced a bill by Senators Gary Peters (D-MI) and Rob Portman (R-OH) that would promote coordination between the Department of Homeland Security and state and local governments in protecting against cyber threats.
  • EPIC Tells Senate Consumer Safety Commission Responsible for IoT Safety » (Jun. 19, 2019)
    In advance of an oversight hearing for the Consumer Product Safety Commission, EPIC wrote to the Senate Commerce Committee to say that the CPSC must do more to protect consumers and ensure security of IoT devices. EPIC advised the Commission to require manufacturers to (1) minimize data collection, (2) conduct privacy impact assessments, and (3) implement Privacy Enhancing Techniques. EPIC told the Senate committee that "CPSC should establish mandatory privacy and security standards, and require certification to these standards before IoT devices are allowed into the market stream." In 2017, EPIC and other consumer privacy groups petitioned the CPSC to recall Google Home Mini after it became known that a defect in the product set record to always on. In recent comments to the CPSC, EPIC urged the agency to regulate Internet of Things devices.
  • EPIC to Congress: Safety Commission Must Regulate Internet-connected Devices » (Apr. 5, 2019)
    In advance of a hearing on “Protecting Americans from Dangerous Products," EPIC wrote to the House Commerce Committee that the Consumer Product and Safety Commission must do more to protect consumers and ensure security of IoT devices. In recent comments to the CPSC, EPIC urged the agency to regulate Internet of Things devices, pointing to weak privacy and security safeguards. EPIC advised the Commission to require manufacturers to (1) minimize data collection, (2) conduct privacy impact assessments, and (3) implement Privacy Enhancing Techniques. EPIC told the House committee that “CPSC should establish mandatory privacy and security standards, and require certification to these standards before IoT devices are allowed into the market stream.”
  • Supreme Court Won’t Disturb Data Breach Decision » (Mar. 25, 2019)
    The Supreme Court today declined to review Zappos.com, v. Stevens, a decision that allowed consumers to sue the online retailer following a breach of their personal data. More than 24 million Zappos customers were affected by the breach, which included account numbers and passwords. Zappos tried to block the lawsuit, claiming that consumers had to show additional damages. The Ninth Circuit rejected that argument, and the Supreme Court left the decision of the appeals court in place. EPIC has filed amicus briefs in similar data breach cases, including Attias v. Carefirst, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches.” EPIC regularly files amicus briefs defending consumer privacy and addressing emerging privacy challenges.
  • Internet of Things Legislation Introduced in Senate, House » (Mar. 14, 2019)
    Bipartisan legislation governing the Internet of Things was introduced this week in the Senate and House of Representatives. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO) along with Sens. Maggie Hassan (D-NH) and Steve Daines (R-MT) introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 in the Senate, and Reps. Robin Kelly (D-IL) and Will Hurd (R-TX) filed the bill in the House. The legislation would require the National Institute of Standards and Technology to set baseline security standards for Internet-connected devices. EPIC has diligently advocated for stronger regulation of IoT, and called attention to the privacy and security risks of connected cars in comments to NTHSA, complaints to the CFPB, congressional testimony, FTC workshops, petitions to NHTSA and an amicus brief to Ninth Circuit.
  • EPIC Urges European Commission to Regulate Connected Toys » (Dec. 11, 2018)
    In comments to the European Commission, EPIC highlighted the safety and security risks of IoT toys and wrote "There should be 'smart' regulations for 'smart' toys." The European Commission sought public comment on the EU Toy Directive, which establishes toy safety guidelines to protect children's health and safety but ignores connected toys. EPIC has repeatedly demonstrated the risks of IoT and smart toys before Congress, the Federal Trade Commission, and the Consumer Product Safety Commission in testimony, agency comments, petitions, and investigative complaints.
  • EPIC Urges Department of Transportation to Improve Framework on Connected Car Safety » (Dec. 10, 2018)
    In detailed comments to the Department of Transportation EPIC urged the agency to establish national privacy and safety standards for connected cars. The agency requested comment on its revised framework that establishes "voluntary guidance" for the development of autonomous vehicles. "A connected car is the ultimate Internet of Things device," EPIC explained, highlighting the risks of autonomous vehicles. EPIC has diligently advocated for stronger regulation of IoT. EPIC has called attention to the privacy and security risks of connected cars in comments to NTHSA, complaints to the CFPB, congressional testimony, FTC workshops, petitions to NHTSA and an amicus brief to Ninth Circuit.
  • Senator Markey Insists on Privacy, Safety for Self-Driving Vehicles » (Dec. 6, 2018)
    In a statement this week, Senator Markey said he would not permit legislation on self-driving cars to proceed until the bill created meaningful "safety, cybersecurity, and privacy protections" for consumers. In January, EPIC wrote to the Senate that industry self-regulation has not been effective and that "national minimum standards for safety and privacy are needed to ensure the safe deployment of connected vehicles." EPIC has long supported baseline protections in self-driving vehicles. EPIC has appeared before Congress, written to federal agencies, and provided amicus briefs about the privacy and security risk of autonomous vehicles. In comments to the European Commission this week, EPIC identified several key concerns related to connected cars.
  • EPIC Urges European Commission to Address Security Risks of Connected Cars » (Dec. 5, 2018)
    In comments to the European Commission, EPIC identified several key privacy and security concerns related to the development of connected cars. EPIC emphasized the need for comprehensive regulation to ensure the safety of connected vehicles and encouraged the Commission to require developers to build in safety measures, and not place new burdens on drivers. "Safety features should be under the hood, not on the dash board," EPIC wrote. EPIC has diligently advocated for stronger regulation of the Internet of Things , including connected vehicles. EPIC has highlighted the risks of connected cars in testimony before Congress, at the Federal Trade Commission, in comments to federal agencies, and in amicus briefs.
  • California Bans Anonymous Bots, Regulates Internet of Things » (Oct. 2, 2018)
    California Governor Jerry Brown recently signed two modern privacy laws, including a first in the nation law governing the security of the Internet of Things. SB327 sets baseline security standards for IoT devices. EPIC recently submitted comments to the Consumer Product Safety Commission recommending similar action. Governor Brown also signed a bill banning anonymous bots. The law makes it illegal to use a bot, or automated account, to mislead California residents or communicate without disclosing the identity of the actual operator. EPIC President Marc Rotenberg had earlier proposed that Asimov's Laws of Robotics be updated to require that robots reveal the basis of their decisions (Algorithmic Transparency) and that robots reveal their actual identity.
  • EPIC Urges Safety Commission to Regulate Privacy and Security of IoT Device » (Jun. 15, 2018)
    EPIC submitted comments to the Consumer Product Safety Commission, urging the agency to regulate the privacy and security of Internet of Things devices. EPIC advised the Commission to require IoT manufacturers to (1) minimize data collection, (2) conduct privacy impact assessments, and (3) implement Privacy Enhancing Techniques (“PETs”). EPIC recently told Congress that “CPSC should establish mandatory privacy and security standards, and require certification to these standards before IoT devices are allowed into the market stream.” EPIC has also called out the CPSC for its reluctance to address the privacy and security challenges of IoT. In the statement to Congress, EPIC described the increasing risks to American consumers.
  • EPIC to Senate Commerce: Work with NTIA to Update U.S. Privacy Laws » (Jun. 12, 2018)
    EPIC sent a statement to the Senate Commerce Committee in advance of a hearing on the NTIA, a key technology policy agency. EPIC warned that "American consumers face unprecedented privacy and security threats," citing both data breaches and "always on" devices that record users' private conversations. EPIC said that Congress and the NTIA should establish protections that minimize the collection of personal data and promote security for Internet-connected devices. EPIC urged Congress and the NTIA to work together to update U.S. privacy laws and establish a data protection agency. EPIC has testified before Congress, litigated cases, and filed complaints with the FTC regarding connected cars, "smart homes," consumer products, and "always on" devices.
  • Amazon Echo Secretly Recorded And Disclosed User's Private Conversation » (May. 24, 2018)
    "Alexa" secretly recorded the private conversation of a Portland woman and sent it to one of her contacts, according to a news report. The Federal Wiretap Act makes it a crime to intentionally intercept a private communication. In 2015, EPIC urged the Federal Trade Commission and the Department of Justice to investigate whether "always on" smart home devices violated federal wiretap law. EPIC recently warned the Consumer Product Safety Commission that the Google Home Mini continuously record users' private conversations because of a product defect. And EPIC recently testified before the CPSC on the need to regulate privacy and security hazards posed by Internet of Things devices.
  • EPIC Urges Congress to Regulate the Internet of Things » (May. 22, 2018)
    In advance of a hearing on the Internet of Things (IoT), EPIC wrote to Congress on the need for privacy and security regulations for IoT consumer products. EPIC explained that regulation is necessary "because neither the manufacturers nor the owners of those devices have incentive to fix weak security." EPIC has called upon the Consumer Product Safety Commission to regulate IoT products, saying that the privacy and security of IoT devices, such as Internet-connected door locks and thermostats, are critical concerns for American consumers. Last week, EPIC testified before the Safety Commission on IoT hazards and promoted baseline standards to protect consumer safety. EPIC previously testified before Congress on the "Internet of Cars."
  • EPIC Testifies Before Safety Commission on IoT Privacy Hazards » (May. 17, 2018)
    EPIC testified before the Consumer Product Safety Commission at the hearing on "The Internet of Things and Consumer Product Hazards." EPIC International Law Counsel Sunny Kang urged the Commission to focus on privacy and security. EPIC's Kang told the Commission that "IoT is the weakest link to privacy and security vulnerabilities in consumer products." EPIC recommended baseline rules for IoT device manufacturers adopted by the UK government in a recent report on privacy and security for IoT devices. EPIC and a coalition of consumer groups previously urged the Commission to recall the Google Home Mini device which was designed to always record conversations.
  • Safety Groups Urge Congress to Regulate "Autonomous Vehicles" » (May. 6, 2018)
    A coalition of consumer safety groups wrote to senators asking them to delay passing the AV START Act (S. 1885) until the National Transportation Safety Board finished its investigation of two recent crashes involving autonomous vehicles. The groups said: "we are very concerned that provisions in the bill put others sharing the road with AVs at unnecessary and unacceptable risk." EPIC has called for national safety standards for connected cars in comments to NHTSA. In a recent amicus brief to the Supreme Court, EPIC also underscored the privacy risks of rental cars, which collect vast troves of personal data.
  • EPIC Advises Safety Commission on Dangers of IoT » (May. 2, 2018)
    EPIC submitted comments to the Consumer Product Safety Commission for an upcoming hearing on "The Internet of Things and Consumer Product Hazards." EPIC urged the Commission to focus on privacy and security issues, which the Commission claims are outside its scope. EPIC told the Consumer Product Safety Commission that "Holding a hearing in the year 2018 to discuss IoT without addressing privacy and security is akin to holding a hearing in the last century about kitchen appliances without addressing the risk that a toaster might catch fire because of bad wiring." EPIC recommended that the Commission implement thirteen rules for manufacturers of IoT devices that were laid out by the UK government in a recent report on privacy and security for IoT devices. EPIC and a coalition of consumer groups preciously urged the Commission to order the recall of the Google Home Mini "smart speaker" and received a response saying that it does not pursue privacy or data security issues.
  • Safety Commission Responds to EPIC's Google Home Mini Complaint » (Apr. 2, 2018)
    The Consumer Product Safety Commission responded to a complaint from EPIC and a coalition of consumer groups, urging the Commission to order the recall of the Google Home Mini "smart speaker." The touchpad on the device was permanently set to "on" so that Google recorded all conversations without a consumer's knowledge or consent. The groups wrote "this is a classic manufacturing defect that places consumers at risk. The defect in Google Home Mini is well within the purview of the Consumer Product Safety Commission." In the response, the Commission claimed that it monitors the hazards of IoT but said that it does not pursue privacy or data security issues. IoT devices are frequently the target of botnet attacks. According to Hacker News, "the DDoS threat landscape is skyrocketing" and the UK National Cyber Security Centre's report has called for comprehensive safeguards for IoT devices. EPIC Senior Counsel Alan Butler has written about products liability for IoT manufacturers.
  • EPIC to Congress: Examine "Connected Devices," Safeguard Consumer Privacy » (Mar. 6, 2018)
    EPIC sent a statement to a House Committee on Energy and Commerce in advance of a hearing on the NTIA, a key technology policy agency. EPIC warned that "American consumers face unprecedented privacy and security threats," citing both data breaches and "always on" devices that record users' private conversations. EPIC said that Congress and the NTIA should establish protections that minimize the collection of personal data and promote security for Internet-connected devices. EPIC warned of growing risks to consumer safety and public safety. EPIC has testified before Congress, litigated cases, and filed complaints with the FTC regarding connected cars, "smart homes," consumer products, and "always on" devices.
  • EPIC Warns Senate of Dangers of Connected Cars » (Jan. 24, 2018)
    In advance of a hearing on self-driving cars, EPIC submitted a statement to the Senate on the privacy and security risks of autonomous vehicles. Researchers have been able to hack connected cars, and the vehicles have caused several accidents. EPIC told the Senate that industry self-regulation has not been effective and that "national minimum standards for safety and privacy are needed to ensure the safe deployment of connected vehicles." EPIC has worked extensively on the privacy and data security implications of connected cars, having testified on "The Internet of Cars" and submitted numerous comments to the National Highway and Transportation Safety Agency. In a recent amicus brief to the Supreme Court, EPIC underscored the privacy risks of modern vehicles, which collect vast troves of personal data.
  • EPIC Warns Congress of Risks of "Internet of Things" » (Jan. 18, 2018)
    In advance of a hearing on Internet of Things, EPIC urged Congress to consider the privacy and safety risks of internet-connected devices. EPIC told Congress that the Internet of Things "poses risks to physical security and personal property" because data "flows over networks that are not always secure, leaving consumers vulnerable to malicious hackers." EPIC said that Congress should protect consumers. EPIC is a leader in the field of the Internet of Things and consumer protection. EPIC has advocated for strong standards to safeguard American consumers and testified before Congress on the "Internet of Cars."
  • FTC Report on Connected Cars Lacks Privacy Recommendations » (Jan. 9, 2018)
    The Federal Trade Commission released a brief report summarizing a June 2017 workshop, co-hosted with the National Highway Traffic Safety Administration, on connected vehicles. While the report acknowledges consumer privacy interests, the report offers no concrete proposals for how the FTC will address the privacy and safety risks of connected cars. EPIC submitted comments to the FTC and NHTSA and gave a presentation at the FTC workshop, calling for national safety standards for connected cars. In a recent amicus brief to the Supreme Court, EPIC also underscored the privacy risks of rental cars, which collect vast troves of personal data. The Senate is currently considering a bill on connected cars and the NHTSA recently released revised guidance for connected cars, but both lack mandatory safety standards and encourage industry self-regulation.
  • Federal Appeals Court Dismisses Privacy Case Against Connected Car Makers » (Dec. 21, 2017)
    A federal appeals court has ruled that consumers don't have the right to seek legal relief from automakers whose connected cars endanger their privacy because the risk of remote hacking is "speculative." EPIC filed an amicus brief in the case warning that connected cars "expose American drivers to the risks of data breach, auto theft, and physical injury." EPIC urged the court to allow consumers to "the opportunity to present legal claims stemming from the defendants' sale of vehicles that place them at risk." But the court wrongly downplayed the consumers' privacy injuries and dismissed the case. EPIC recently urged the Supreme Court to reject warrantless searches of rental cars, which today collect vast troves of personal data. EPIC has filed numerous other amicus briefs defending consumer privacy rights, and EPIC has repeatedly warned the National Highway Traffic Safety Administration, the Federal Trade Commission, and the U.S. Congress about the privacy and consumer safety risks posed by connected vehicles.
  • EPIC, Coalition Urge Action on Toys that Spy » (Dec. 19, 2017)
    EPIC and a coalition of consumer privacy groups have asked the Federal Trade Commission to crack down on companies that sell internet-connected toys and smartwatches. The statement highlights an FTC complaint concerning My Friend Cayla and I-Que Intelligent Robot, toys that recorded and analyzed children's conversations filed more than a year ago. Many retailers worldwide have pulled these toys from their shelves, but the FTC has yet to take action on the complaint. "Connected toys raise serious privacy concerns," said EPIC President Marc Rotenberg. "Kids should play with their toys and their friends, and not with surveillance devices dressed as dolls." EPIC has backed many efforts to limit the risks of internet-connected toys. Recently, EPIC joined consumer groups in asking Mattel to cancel plans to sell Aristotle, an "always on" device that records the private conversations of young children. EPIC also supported a coalition letter asking the FTC to investigate smartwatches that track the location of children. The Norwegian Consumer Council has uncovered similar problems with Cayla and i-Que, and recently released a report on toys that track children.
  • White House Cancels Safety Rule for Connected Vehicles » (Nov. 1, 2017)
    The Trump administration has set aside a proposed rule by the National Highway Transit Safety Association to regulate vehicle-to-vehicle (V2V) technology for all new cars and light trucks. V2V technology transmits data between vehicles to "facilitate warnings to drivers concerning impending crashes." NHTSA and safety advocates have touted V2V technology as life-saving, noting that traffic fatalities have surged over the past two years with the increased use of cellphones. The rule was also supported by automakers to establish baseline safety standards. EPIC commented on the proposed rule and urged NHTSA to adopt stronger privacy protections. EPIC also submitted comments to the FTC and NHTSA for a workshop on connected vehicles, recommending that the agencies do more to protect consumer data. Security researchers have provided numerous examples of remote hacking of vehicles. The administration has denied that it has made any final decision on the rule, but it was removed from an OMB list of upcoming regulatory actions.
  • Consumer Groups Ask Safety Commission to Recall Google Home » (Oct. 13, 2017)
    EPIC and a coalition of leading consumer groups have asked the Consumer Product Safety Commission to recall the Google Home Mini "smart speaker." The touchpad on the Google device is permanently set to "on" so that it records all conversations without a consumer's knowledge or consent. The consumer groups said that "as new risks to consumers arise in consumer products, it is the responsibility of the Consumer Product Safety Commission to respond." The groups also urged the Safety Commission to enforce the Duty to Report to CPSC against manufacturers of "IoT" devices. Last year, a coalition of consumer groups pursued a complaint about My Friend Cayla, an Internet connected toy that recorded the private conversations of young children. The Cayla complaint spurred a Congressional investigation and toy stores across Europe removed the doll from their shelves.
  • Mattel Cancels "Aristotle," an Internet Device that Targeted Children » (Oct. 5, 2017)
    Mattel will scrap its plans to sell Aristotle, an Amazon Echo-type device that collects and stores data from young children. The Campaign for a Commercial-Free Childhood sent a letter and 15,000 petition signatures to the toymaker, warning of privacy and childhood development concerns. CFCC said that "young children shouldn't be encouraged to form bonds and friendships with data-collecting devices." Senator Markey (D-MA) and Representative Barton (R-TX) also chimed in, demanding to know how Mattel would protect families' privacy. EPIC backed the CFCC campaign and urged the FTC in 2015 to regulate "always-on" Internet devices. A pending EPIC complaint at the FTC concerns the secret scoring of young athletes.
  • Connected Vehicles Bill Moves Forward in Senate, Privacy Reporting Added » (Oct. 4, 2017)
    Today the Senate Commerce Committee favorably reported the "AV START Act," a bill that aims to facilitate the deployment of connected vehicles. The Committee adopted Senator Edward Markey's (D-MA) amendment that directs the National Highway Traffic Safety Administration to create a publicly accessible database to determine the personal data collected by connected cars, how that information is used, data minimization and retention practices, security measures, and privacy policies of car manufacturers. EPIC has long supported privacy protections for automated vehicles.
  • Privacy Officials from Around the World Adopt Resolutions on Connected Vehicles, Collaboration, and Enforcement » (Sep. 28, 2017)
    The International Conference of Data Protection and Privacy Commissioners, meeting in Hong Kong, has adopted three resolutions on emerging privacy issues. The resolution on Data Protection in Automated and Connected Vehicles urges all parties to "fully respect the users' rights to the protection of their personal data and privacy." The resolution on Collaboration between Data Protection and Consumer Protection Authorities calls for joint efforts at the international level to "protect citizens and consumers in the digital economy." And the resolution on "Future Options for International Enforcement" builds on the OECD Recommendations for Cross-Border Cooperation. EPIC and other NGOs convened a Public Voice event in Hong Kong to promote a dialogue on emerging privacy issues with data protection officials and seek progress on the Madrid Privacy Declaration.
  • Houses Automated Vehicle Bill Lacks Privacy Standards, Would Preempt State Safeguards » (Sep. 7, 2017)
    The House of Representatives has passed the "SELF DRIVE Act" to encourage the deployment of "automated vehicles" in the United States. Responding to widespread privacy concerns, the bill requires manufacturers to create "privacy plans" and asks the FTC to prepare a privacy study on the automated vehicle industry. The bill supports the development of "Privacy Enhancing Techniques," such as anonymization. But the SELF DRIVE Act lacks essential privacy and safety standards and would preempt stronger state laws. EPIC has repeatedly urged Congress and federal agencies to establish strong public safety standards for automated vehicles. EPIC also backs state efforts to develop privacy and safety safeguards.
  • Pew Survey Explores the Future of Online Trust » (Aug. 14, 2017)
    The Pew Research Center has released a report of its survey of experts on "The Fate of Online Trust in the Next Decade." Although nearly half (48%) of the over 1,000 respondents said that they expected trust to increase, 24% predicted that trust would decrease. "Technology is far outpacing security, privacy and reliability," said EPIC President Marc Rotenberg in the survey. "The problem will intensify with the Internet of Things, as the internet connects more machines in the physical world." EPIC has been at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices.
  • House Releases Text of Automated Vehicle Bill, Preempts State Action » (Aug. 10, 2017)
    The House Committee on Energy & Commerce recently approved text for a bill on automated vehicles. The bill prevents the states from issuing any rule or regulation that is not identical to a Federal Motor Vehicle Safety Standard, preventing states from issuing their own safety and privacy regulations to safeguard consumers. The bill also calls for automated vehicle manufacturers to have cybersecurity and privacy plans, however it does not address who owns the data collected by automated vehicles or how consumers can access or delete their data. EPIC has opposed federal preemption for automated vehicle regulation and has repeatedly urged federal agencies and Congress to allow states to craft their own privacy and security regulations to protect public safety. EPIC has also recommended that consumers control the personal information that is created and stored by the vehicles they operate, rent, and own.
  • Senators Introduce Legislation to Strengthen Cybersecurity for Internet of Things » (Aug. 1, 2017)
    A bipartisan group of Senators, including Senators Mark R. Warner (D-VA), Cory Gardner (R-CO), Ron Wyden (D-WA) and Steve Daines (R-MT), have introduced legislation to improve security of Internet-connected devices. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would require "Internet of Things" devices purchased by the U.S. government to meet minimum security standards. IoT device manufacturers who sell products to the federal government must commit that their IoT devices: (1) are patchable; (2) do not contain known vulnerabilities; (3) rely on standard protocols; and (4) do not contain hard-coded passwords. "The proliferation of insecure Internet-connected devices presents an enormous security challenge," said EPIC Advisory Board member Bruce Schneier, "The risks are no longer solely about data; they affect flesh and steel." EPIC has been at the forefront of policy efforts to establish safeguards for IoT devices, connected cars, "smart homes," consumer products, and "always on" devices. A 2015 report from the Aspen Institute also explores "Policies for the Internet of Things."
  • EPIC Provides Suggestions for "Self-Driving" Vehicle Legislation » (Jul. 5, 2017)
    EPIC has sent a statement to Congress ahead of a hearing to discuss proposed self-driving vehicle legislation. The House Energy & Commerce Committee drafted several bills related to the development and deployment of "self-driving" vehicles. EPIC urged the Committee not to pre-empt states from issuing their own self-driving vehicle regulations, to encourage developers to be transparent in the development of autonomous vehicles, and to urge that advocacy groups be included in connected car advisory councils. EPIC has been a leading advocate for privacy and safety in the development of connected and autonomous vehicle and has participated in workshops, written to NHTSA, and actively informed Congress of privacy and safety related developments in connected and autonomous vehicles.
  • EPIC Recommends National Safety Standard for "Self-Driving" Vehicles » (Jun. 28, 2017)
    In remarks today to a joint workshop of the FTC and NHTSA, EPIC President Marc Rotenberg called for the establishment of national safety standards prior to the deployment of "self-driving" vehicles on the nation's highways. "Given the current vulnerabilities of networked communications, self-driving vehicles are simply unsafe at any speed," said Mr. Rotenberg. EPIC has participate in numerous NHTSA rule makings on auto safety, proposed stronger data protection standards for connected vehicles, and sided with consumers in a case concerning the risks of autonomous vehicles. In extensive comments for the FTC/NHTSA workshop, EPIC pointed to known vulnerabilities with bluetooth communications, auto hacking, "level 3" control, malware and ransomware, auto repossession remote deactivation, and safety defects. EPIC urged the FTC and NHTSA to focus on "data protection, vehicle safety, consumer protection, and privacy." EPIC also said that the ability of states to develop safety standards must be maintained. EPIC warned that the failure to establish robust safety standards could be "catastrophic."
  • FTC Updates Guidance on Children's Privacy Law, Includes Connected Toys » (Jun. 27, 2017)
    The Federal Trade Commission has updated its guidance for businesses on complying with the Children's Online Privacy Protection Act. The new guidance clarifies that connected toys, Internet of Things devices, and other products intended for children must comply with the Act. "When companies surreptitiously collect and share children's information, the risk of harm is very real," FTC acting Chair Maureen Ohlhausen recently wrote. An EPIC-led coalition filed a complaint with the FTC in 2016 alleging that Intenet-connected dolls violate U.S. privacy law. EPIC's complaint spurred a congressional investigation and toy stores across Europe have removed Cayla from their shelves. The FTC acknowledged EPIC's complaint but has yet to act on it.
  • EPIC Recommendations for Tech Week Meeting: Protect U.S. Consumers » (Jun. 20, 2017)
    In advance of a White House / OSTP meeting on "emerging technologies," EPIC has sent a statement to the Office of Science and Technology Policy. EPIC urged the Administration to focus on consumer protection and address the numerous privacy and security risks related to the "Internet of Broken Things." EPIC recommended recommended Privacy Enhancing Technologies, data minimization, and security measures for Internet-connected devices. EPIC also urged the Administration to issue regulations on drone privacy as mandated by Congress and to establish minimum safety standards for connected cars. EPIC warned that "The unregulated collection of personal data and the growth of the Internet of Things has led to staggering increases in identity theft, security breaches, and financial fraud in the United States."
  • EPIC Urges House Committee to Back Consumer Safeguards for Internet of Things » (Jun. 13, 2017)
    EPIC has sent a statement to the House Energy and Commerce Committee in advance of a hearing on "IOT Opportunities and Challenges." EPIC raised the "significant privacy and security risks" of the Internet of Things. A recent report from the Pew Research Center on the Internet of Things underscores the need to develop new safeguards for what some call "The Internet of Broken Things." EPIC has been at the forefront of policy efforts to establish safeguards for connected cars, "smart homes," consumer products, and "always on" devices.
  • EPIC to Congress: Data Protection Needed for Financial Technologies » (Jun. 9, 2017)
    EPIC submitted a statement to a House Committee hearing on financial technologies on the risks with new financial services. Companies now use social media data and secret algorithms to make determinations about consumers. They are also reaching out, through the "Internet of Things," to control consumers. EPIC's recently filed a complaint with the CFPB about "starter interrupt devices," deployed by auto lenders to remotely disable cars when individuals are late on their payments.
  • Pew Survey Explores Internet of Things » (Jun. 6, 2017)
    The Pew Research Center has released a report surveying experts about the security implications of the Internet of Things. The survey found a broad consensus that growth in the IoT will bring with it an increased risk of real-world physical harm. "The essential problem is that it will be impractical for people to disconnect," said EPIC President Marc Rotenberg in the survey. "Cars and homes will become increasingly dependent on internet connectivity. The likely consequence will be more catastrophic events." The ACM recently released a Statement of IoT Privacy and Security, which lists principles for protecting privacy and security in IoT devices. EPIC has been at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices.
  • Senators Introduce Bill to Remove Personal Data from Cargo Manifests » (May. 4, 2017)
    Senators Steve Daines (R-MT) and Gary Peters (D-MI) have introduced a bill that would remove personally identifiable information from shipping manifest sheets that are released to the public. According to the bill's sponsors, the Moving Americans Privacy Protection Act seeks to protect people who make international moves from "identity theft, credit card fraud and unwanted solicitations." EPIC maintains a page on identity theft and launched "Data Protection 2016," a non-partisan campaign to make data protection an issue in the 2016 election.
  • EPIC Renews Call for Connected Cars Safeguards » (May. 2, 2017)
    In comments to the FTC and NHTSA ahead of a June workshop, EPIC underscored the need to safeguard consumers and improve vehicle security. EPIC also defended the role of states that are developing new safeguards for connected vehicles. For more than a decade, EPIC has been a leading advocate for privacy and security measure for connected vehicles. EPIC routinely submits comments to federal agencies regarding the unique challenges that these vehicles present. EPIC has also testified before Congress, filed amicus briefs, and submitted statements on the risks of autonomous vehicles.
  • EPIC Recommends Privacy Safeguards for Vehicle Networks » (Apr. 14, 2017)
    In comments to the National Highway Traffic Safety Administration, EPIC recommended stronger privacy protections for vehicle-to-vehicle communications. EPIC urged the agency to allow consumers to turn off pre-installed V2V communications and to required automobile manufacturers to be transparent about the collection of personal data. EPIC also urged that agency to establish basic cybersecurity safeguards and require encryption for all vehicle networks and ensure data minimization techniques. EPIC has previously submitted comments to NHTSA on connected cars and has submitted several statements to Congress.
  • EPIC Seeks Information on Sessions-Jourova Encryption Discussion » (Apr. 3, 2017)
    EPIC has filed an urgent Freedom of Information Act request for documents concerning a recent meeting between Attorney General Jeff Sessions and EU Commissioner Věra Jourová. The two reportedly discussed "a proposal [on] how to 'solve this problem'" of encryption. EPIC said in the FOIA request that "strong encryption is the cornerstone of the modern internet economy" and that encryption "is critical to preserving human rights and information security around the world." A proposal on encryption policy may be taken up at a June 2017 meeting between the United States and the European Union. EPIC has advocated for strong encryption since its founding and published the first comprehensive survey of encryption use around the world. In the FOIA request, EPIC also noted the growing risk to users of Internet-connected devices.
  • EPIC Urges Senate Commerce Committee to Back Algorithmic Transparency, Safeguards for Internet of Things » (Mar. 22, 2017)
    EPIC has sent a letter to the Senate Commerce Committee concerning "The Promises and Perils of Emerging Technologies for Cybersecurity." EPIC urged the Committee to support "Algorithmic Transparency," an essential strategy to make accountable automated decisions. EPIC also pointed out the "significant privacy and security risks" of the Internet of Things. EPIC has been at the forefront of policy work on the Internet of Things and Artificial Intelligence, opposing government use of "risk-based" profiling, and recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices.
  • Senators Markey and Blumenthal Introduce Bill to Protect Driver Privacy in Connected Cars » (Mar. 22, 2017)
    Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) have introduced the "Security and Privacy in Your Car Act of 2017." The SPY Car Act would establish cybersecurity and privacy standards for new passenger vehicles, and establish a privacy rating system. A 2014 report from Senator Markey "detailed major gaps in how auto companies are securing connected features in cars against hackers." The bill would also prevent the use of driver data for marketing purposes without consent. In 2015 EPIC testified before Congress on the need for privacy and safety safeguards for connected vehicles. In 2016 EPIC filed an amicus brief in federal appeals court to protect consumers in cases involving connect vehicles.
  • EPIC Urges Congress to Examine "Connected Devices," Safeguard Consumer Privacy and Protect Public Safety » (Feb. 2, 2017)
    EPIC sent a letter to a House Subcommittee on Communications and Technology in advance of a hearing on the NTIA, a key technology policy agency. EPIC warned that "American consumers face unprecedented privacy and security threats," citing recent examples of hacks of devices, including home locks and cars, connected to the internet. EPIC said that Congress and the NTIA should establish protections that minimize the collection of personal data and promote security for Internet-connected devices. EPIC warned of growing risks to consumer safety and public safety. EPIC has testified before Congress, litigated cases, and filed complaints with the FTC regarding connected cars, "smart homes," consumer products, and "always on" devices.
  • Trump Order Threatens Consumer Protection, Public Safety » (Jan. 31, 2017)
    The President has issued an executive order requiring every new regulation to be offset by the repeal of at least two existing regulations. The Order could directly impact rules that safeguard consumers against data breach, financial fraud, and identity theft. EPIC has also recommended new public safety regulations concerning aerial drones, connected vehicles, and the Internet of Things. In EPIC v. FAA, EPIC is challenging the failure of the agency to protect the public from aerial surveillance.
  • Aspen Institute Report Explores Artificial Intelligence » (Jan. 30, 2017)
    The Aspen institute released a report on the Artificial Intelligence workshop on connected cars, healthcare, and journalism. "Artificial Intelligence Comes of Age" explored issues at "the intersection of AI technologies, society, economy, ethics and regulation." The Aspen report notes that "malicious hacks are likely to be an ongoing risk of self-driving cars" and that "because self-driving cars will generate and store vast quantities of data about driving behavior, control over this data will become a major issue." The Aspen report discusses the tension between privacy and diagnostic benefits in healthcare AI and describes "some of the alarming possible uses of AI in news media." EPIC has promoted Algorithmic Transparency and has been at the forefront of vehicle privacy through testimony before Congress, amicus briefs, and comments to the NHTSA.
  • EPIC Urges Senate Committee to Safeguard Consumer Privacy in Internet of Things and Telemarketing Bills » (Jan. 24, 2017)
    EPIC sent a letter to the Senate Commerce Committee on Monday about privacy and security concerns in two pending bills. The DIGIT Act would "encourage the growth" of the Internet of Things and "help identify barriers to its advancement." The Spoofing Prevention Act would extend the laws prohibiting Caller ID spoofing to text messages, international calls, and Voice-over-IP calls. EPIC pointed out the "significant privacy and security risks" to American consumers of the Internet of Things. EPIC also argued for "a requirement that any automated calls reveal (1) the actual identity of the caller and (2) the purpose of the call." EPIC has been at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices. EPIC also supports robust telephone privacy protections and recently advised Congress on modernizing telemarketing rules.
  • EPIC Urges Senate Committee to Press Transportation Nominee on Drones, Connected Cars » (Jan. 12, 2017)
    EPIC has sent a statement to the Senate Commerce Committee, highlighting two significant privacy issues: drones and autonomous vehicles. The Senate Committee met this week to consider the nomination of Elaine Chao for Secretary of Transportation. EPIC sued the FAA, an agency subject to the Committee's oversight, for its failure to establish drone privacy rules, as required by Congress. EPIC also testified last year before the Committee on the risks of connected cars, EPIC has recently submitted comments on federal automated vehicles policy and filed an amicus brief in federal appeals court on the risks to consumers of connected vehicles.
  • FTC Sues D-Link Over Poor Security in Internet Routers and Cameras » (Jan. 12, 2017)
    The Federal Trade Commission has filed a lawsuit against Internet of Things device maker D-Link. The complaint alleges that D-Link failed to use adequate security in its internet cameras and routers despite promises that the devices were "easy to secure" and used "advanced network security." The poor security practices alleged by the FTC include using easily-guessed default passwords, mishandling code-signing keys, and storing usernames and passwords in plaintext. EPIC has worked extensively on the risks of the Internet of Things, recommending safeguards for connected cars, "smart homes," and "always on" devices. In 2013, EPIC submitted comments to the FTC addressing the security and privacy risks of IoT devices.
  • Senate Explores Security of Ground Transportation, Witnesses Express Privacy Concerns » (Dec. 9, 2016)
    The Senate Commerce Committee examined security issues in road and railroad transportation. Witnesses expressed concerns about the cybersecurity of commercial trucking networks, customer data, and hacking of a truck's braking systems. Witnesses also proposed a credentialing system for access port facilities. EPIC has submitted comments to NHTSA and testified before Congress on the safety and privacy risks of automated vehicles.
  • Congress to Examine Artificial Intelligence » (Nov. 30, 2016)
    Today the Senate Commerce Committee will hold a hearing on "The Dawn of Artificial Intelligence." Experts from industry and academia will provide "a broad overview of the state of artificial intelligence, including policy implications and effects on commerce." In a prepared statement, EPIC urged the Committee to support "Algorithmic Transparency," an essential public policy strategy to make AI accountable. The hearing follows two White House reports -Preparing for the Future of Artificial Intelligence and the National Artificial Intelligence Research and Development Strategic Plan. EPIC is currently litigating several "AI" cases including EPIC v. FAA (drone surveillance), Cahen v. Toyota (autonomous vehicles), EPIC v. CPB (U.S. traveler "risk assessments"), and Secret DNA Forensic Source Code.
  • EPIC Recommends Privacy and Safety Standards for Autonomous Vehicles » (Nov. 23, 2016)
    In comments to the National Highway Traffic Safety Administration, EPIC has backed strong privacy and safety standards. Responding to the "Federal Automated Vehicles Policy," EPIC said self-regulation would not be enough to protect drivers in the United States. EPIC urged the safety agency to mandate the Consumer Privacy Bill of Rights, establish new oversight authority, and protect state privacy rules for autonomous vehicles. EPIC is on the front lines of vehicle privacy as well as efforts to regulate the "Internet of Things." EPIC also defends the right of states to develop strong privacy laws.
  • European Parliament Explores Algorithmic Transparency » (Nov. 7, 2016)
    A hearing today in the European Parliament brought together technologists, ethicists, and policymakers to examine "Algorithmic Accountability and Transparency in the Digital Economy." Recently German Chancellor Angela Merkel spoke against secret algorithms, warning that that there must be more transparency and accountability. EPIC has promoted Algorithmic Transparency for many years and is currently litigating several cases on the front lines of AI, including EPIC v. FAA (drones), Cahen v. Toyota (autonomous vehicles), and algorithms in criminal justice. EPIC has also proposed two amendments to Asimov's Rules of Robotics, requiring autonomous devices to reveal the basis of their decisions and to reveal their actual identity.
  • House Members Urge FTC to Examine Internet-of-Things » (Nov. 4, 2016)
    In the wake of October's massive distributed denial of service attack, two members of Congress have sent a letter to Federal Trade Commission Chairwoman Edith Ramirez urging the FTC to protect consumers from insecure Internet of Things devices. Rep. Frank Pallone, Jr. and Rep. Jan Schakowsky, senior members of the House Energy and Commerce Committee, wrote that the FTC should "immediately use all the tools at its disposal to ensure that manufacturers of IoT devices implement strong security measures." EPIC is at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," 'consumer products, and "always on" devices. EPIC recently urged the federal government to establish legal requirements to promote Privacy Enhancing Technologies, limit user tracking, minimize data collection, and "ensure security in both design and operation of Internet-connected devices."
  • White House Releases Reports on Future of Artificial Intelligence » (Oct. 13, 2016)
    The White House has released two new reports on the impact of Artificial Intelligence on the US economy and related policy concerns. Preparing for the Future of Artificial Intelligence surveys the current state of AI, applications, and emerging challenges for society and public policy. The report concludes "practitioners must ensure that AI-enabled systems are governable; that they are open, transparent, and understandable; that they can work effectively with people; and that their operation will remain consistent with human values and aspirations." A companion report National Artificial Intelligence Research and Development Strategic Plan proposes a strategic plan for Federally-funded research and development in AI. President Obama will discuss these issues on October 13 at the White House Frontiers Conference in Pittsburgh. #FutureofAI EPIC has promoted Algorithmic Transparency for many years and is currently litigating several cases on the front lines of AI, including EPIC v. FAA (drones), and Cahen v. Toyota (autonomous vehicles).
  • U.S. Proposes Voluntary Guidelines for "Automated Vehicles," Privacy and Safety Issues Remain a Challenge » (Sep. 20, 2016)
    The Department of Transportation has released federal guidelines for the automated vehicle industry. The Federal Automated Vehicles Policy backs the deployment of self-driving cars in the United States. The agency acknowledges privacy concerns and endorses the Consumer Privacy Bill of Rights, which EPIC supports, however the framework lacks compliance obligations and  enforcement mechanisms.  The agency also proposes to preempt existing state regulations that may provide stronger protections. Last year in testimony before Congress, EPIC warned of public safety risks associated with automated vehicles. And yesterday Secretary of Commerce Penny Pritzker warned the Commission on Enhancing National Cybersecurity that "as cars go driverless . . . the cyberthreats we face will only grow more widespread." The Transportation Department seeks public comments on the Guidelines for Automated Vehicles. The deadline is November 22, 2016.
  • EPIC, Consumer Coalition Tells FCC to Protect Privacy, Security in Connected Cars » (Aug. 30, 2016)
    EPIC has joined a coalition of consumer groups in a letter to the FCC supporting safety rules for connected cars. The consumer groups endorsed a petition for rulemaking, filed earlier this year, that would establish safeguards for car communications networks. EPIC has testified before Congress on the risks of connected cars and recently filed an amicus brief in federal appeals court on vehicle-to-vehicle communications.
  • EPIC Defends Drivers’ Right to Sue for Safety, Privacy Risks As Congress Warns of Risks to Public » (Aug. 5, 2016)
    EPIC has filed an amicus brief in a case concerning the privacy and public safety risks of “connected” cars. EPIC warned that connected cars "expose American drivers to the risks of data breach, auto theft, and physical injury.” EPIC said a lower court was wrong to dismiss the case. EPIC urged a federal appeals court to allow consumers to "the opportunity to present legal claims stemming from the defendants’ sale of vehicles that place them at risk." This week researchers at Black Hat revealed new vulnerabilities in networked vehicles as Senators Blumenthal and Markey urged the FCC to establish “robust safety, cybersecurity, and privacy protections  before automakers deploy vehicle-2-vehicle . . . communication technologies.” EPIC has filed several amicus briefs defending consumers' rights to enforce their privacy rights.
  • Court Misunderstands Internet Tracking in Video Privacy Case » (Jun. 27, 2016)
    The Third Circuit today rejected claims brought against Nickelodeon under the Video Privacy Protection Act, holding that IP and MAC addresses are not “personally identifiable information.” The opinion contradicts a First Circuit decision from earlier this year, which found that a unique Android ID and GPS coordinates constituted PII under the VPPA. The circuit split increases the possibility of U.S. Supreme Court review. The Court did find that plaintiffs could sue under state privacy law. EPIC filed an amicus brief, arguing that Congress defined PII as “purposefully broad to ensure that the underlying intent of the Act—to safeguard personal information against unlawful disclosure—is preserved as technology evolves.”
  • EPIC Propose Privacy, Security Protections for "Internet of Things" » (Jun. 4, 2016)
    EPIC has recommended new safeguard for the “Internet of Things.” EPIC proposed laws requiring companies to adopt Privacy Enhancing Technologies, promote data minimization, and ensure security for IoT devices. EPIC also recommend a prohibition on tracking, profiling, and monitoring of consumers using IoT services. As EPIC explained, “Protecting consumer privacy will become increasingly difficult as the Internet of Things becomes increasingly prevalent.” EPIC has worked extensively on the risks of the Internet of Things, including connected cars and “smart homes.”  An EPIC complaint concerning “always on” devices, such as “smart TVs,” is pending at the Federal Trade Commission.
  • EPIC to OPM: "If You Can't Protect It, Don't Collect It" » (May. 25, 2016)
    In comments to the Office of Personnel Management, EPIC urged the federal agency to limit the personal data it collects from job applicants. OPM currently gathers detailed personal information, including biometric data, Social Security numbers, educational history, medical records, foreign travel, drug use, and financial records. In 2015, OPM lost the personal data of 21.5 million people in a massive data breach. The OPM Director and CIO were forced to resign. OPM now proposes to collect even more personal data on more people, including distant relatives of job applicants. EPIC has previously urged the Supreme Court to recognize a right of "information privacy" that would limit the ability of the federal government to collect personal information.
  • Senators Introduce Bill to Block Broad Remote Hacking Rules » (May. 19, 2016)
    Senators Wyden, Paul, Baldwin, Daines, and Tester have introduced the Stop Mass Hacking Act of 2016.  The law would block amendments to Rule 41 of the Federal Rules of Criminal Procedure that were recently issued by the Supreme Court. The amendments authorized judges to issue "remote access" warrants to search computers even when the targets are outside the jurisdiction of the court. EPIC criticized the Rule 41 change in a statement last year. Unless Congress takes action to block the Rule 41 amendments by December 1, the government’s surveillance authority will be expanded significantly.
  • EPIC to Defend Privacy Statute in Federal Appellate Case » (Dec. 8, 2015)
    EPIC appears in court today in In re Nickelodeon, a case concerning the Video Privacy Protection Act. The privacy law bars companies from disclosing personally identifiable information about users of Internet video services. Children who watch videos on Nick.com believe that Viacom disclosed their viewing records to Google for adverting purposes. The companies dispute this, claiming that cookies and IP addresses are not personally identifiable. EPIC's "friend of the court" brief argues that the definition of personal information in the privacy law is "purposefully broad to ensure that the underlying intent of the Act--to safeguard personal information against unlawful disclosure--is preserved as technology evolves." EPIC Senior Counsel Alan Butler will represent EPIC before the court.
  • EPIC to Testify on Car Privacy and Data Security » (Nov. 17, 2015)
    EPIC Associate Director Khaliah Barnes will testify at a hearing on "The Internet of Cars" before the House Oversight and Government Reform on Wednesday, November 18, 2015. The hearing will address the safety and privacy issues confronting drivers in vehicles connected to the Internet. EPIC's prepared statement urges Congress to pass legislation establishing privacy and cybersecurity rules to protect driver data and prohibit malicious hacking of connected cars. EPIC states, "New vehicle technologies raise serious safety and privacy concerns that Congress needs to address." EPIC has previously examined the privacy and data security implications of the Internet of Things and the "Internet of Cars", and recommended strong safeguards for consumers.
  • EPIC Defends Privacy Laws in Supreme Court Brief » (Sep. 8, 2015)
    In an amicus brief for the Supreme Court EPIC defended Congress's authority to enact laws that safeguard the privacy of American consumers. EPIC explained that "Congress enacted laws that establish rights for individuals and imposed obligations on the companies that profit from the collection and use of this data." Spokeo v. Robins arises from a data broker's publication of inaccurate, personal information in violation of the Fair Credit Reporting Act. The data broker charged that, in addition to the violation of federal law, Mr. Robbins must also show that he was specifically harmed. Citing the current epidemic of privacy risks in the United States, including data breaches, identity theft, and financial fraud, EPIC wrote in the brief that this is "not the time for the Supreme Court to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress." The EPIC amicus brief in Spokeo was endorsed by thirty-one technical experts and legal scholars, members of the EPIC Advisory Board.
  • New OECD Report Finds Increased Privacy Concern, Lagging National Policies » (Jul. 28, 2015)
    The OECD Digital Economy Outlook 2015 explores recent developments in the digital economy. The OECD report finds that Internet "users are increasingly concerned, 64% of respondents are more concerned about privacy than they were a year ago" even as few countries include online privacy in national digital strategies.The OECD also warns that the "Internet of Things" will lead to the rise of autonomous machines. Civil society groups are planning to report to the OECD at the 2016 Ministerial Meeting on the Digital Economy.
  • Senators Markey and Blumenthal Introduce Bill to Protect Drivers from Remote Hacking » (Jul. 21, 2015)
    Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) have introduced the "Security and Privacy in Your Car Act of 2015." The SPY Car Act would establish cybersecurity and privacy requirements for new passenger vehicles, and inform consumers about the risks of remote hacking. The SPY Car Act follows a report from Senator Markey, which "detailed major gaps in how auto companies are securing connected features in cars against hackers." The bill would also prohibit manufacturers from using consumer driver data for marketing purposes without consumer consent. EPIC has urged the Transportation Department to protect driver privacy. EPIC has written extensively on interconnected devices, including cars, known as the "Internet of Things" and has also said that "cars should not spy on drivers."
  • EPIC Urges Investigation of "Always On" Consumer Devices » (Jul. 9, 2015)
    EPIC has asked the Federal Trade Commission and the Department of Justice to conduct a workshop on 'Always-On' Consumer Devices. EPIC described the increasing presence of internet-connected devices in consumer's homes, such as TVs, toys, and thermostats, that routinely record and store private communications. EPIC urged the agencies to conduct a comprehensive investigation to determine whether "always on" devices violate the Wiretap Act, state privacy laws, or the FTC Act. Earlier this year, EPIC filed a formal complaint with the FTC concerning Samsung TV, arguing that the recording of private communications in the home is an unfair and deceptive trade practice.
  • Massive Breach Impacts Millions of Government Employees » (Jun. 10, 2015)
    The Office of Personnel Management has announced a massive data breach in the federal government's employee database. According to the agency, the breach exposed the sensitive personal information - including home addresses, SSNs, and financial information - of 4 million government employees. Although 432 million online accounts were hacked in 2014, Congress has failed to update US privacy laws or pass cybersecurity legislation. EPIC has urged the White House and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information.
  • Pew Survey: Vast Majority of Americans Feel Strongly About Privacy, Want Control Over Personal Information » (May. 20, 2015)
    The Pew Research Center has published a new privacy poll on Americans' Views About Data Collection and Security. According to the Pew survey, 74% of Americans believe control over personal information is "very important," yet only 9% believe they have such control.Americans also value having the ability to share confidential matters with another trusted person. The vast majority of Americans want limits on how long companies retain records about their activities. And 65% of American adults believe there are not adequate limits on the telephone and internet data that the government collects.
  • EPIC Defends Privacy of Nickelodeon Viewers » (May. 5, 2015)
    EPIC has filed an amicus brief in In re Nickelodeon, a case involving the Video Privacy Protection Act. The Act protects the privacy of a consumer's personally identifiable information ("PII"). Viacom, which offers Nickelodeon and other cable channels, claimed that personal identifiers such as IP addresses and unique device IDs are not PII and could be routinely disclosed to Google for commercial purposes without any restriction. EPIC filed in opposition to Google/Viacom and explained that the definition of PII in the Act is "purposefully broad to ensure that the underlying intent of the Act– to safeguard personal information against unlawful disclosure– is preserved as technology evolves."
  • NIST Seeks Comments on De-identification Report » (Apr. 20, 2015)
    The National Institute of Standards and Technology has released a draft report on "De-Identification of Personally Identifiable Information." The agency is requesting comments by May 15. The NIST report reviews de-identification techniques and research, including work by EPIC Advisory Board members Cynthia Dwork and Latanya Sweeney. Last year, in response to a similar request for comments, EPIC recommended Privacy Enhancing Technologies that "minimize or eliminate the collection of personally identifiable information." EPIC also expressed support for Fair Information Practices and the Consumer Privacy Bill of Rights.
  • Senator Markey Report Warns of Risks with "Connected Cars" » (Feb. 10, 2015)
    A report from Senator Edward Markey (D-MA) finds lax privacy practices at leading auto manufacturers. The Senator said the safeguards in the auto industry for data collection are "inconsistent" and "haphazard." The investigation also revealed, "automobile manufacturers collect large amounts of data on driving history and vehicle performance." Senator Markey has called on the Department of Transportation and the Federal Trade Commission to issue rules to protect driver privacy and security. EPIC has urged the Department of Transportation to protect driver privacy. EPIC has written extensively on interconnected devices, including cars, known as the "Internet of Things" and said also that "cars should not spy on drivers."
  • FTC Chair Warns About Risks of Connected Devices » (Jan. 7, 2015)
    In a speech at the CES conference this week, FTC Chair Edith Ramirez warned of the privacy risks of connected home devices. "In the not-too-distant future, many, if not most, aspects of our everyday lives will be digitally observed and stored," Ramirez said. EPIC has written extensively on interconnected devices, known as the "Internet of Things." In comments to the FTC, EPIC described several risks, including the hidden collection of sensitive data. EPIC recommended that companies adopt Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. For more information, see EPIC: FTC and EPIC: Big Data.
  • EPIC Urges Department of Transportation to Protect Driver Privacy » (Oct. 21, 2014)
    EPIC has submitted detailed comments to the National Highway Traffic Safety Administration, urging the agency to protect driver privacy for "vehicle-to-vehicle" (V2V) technology. The technology transmits data between vehicles to "facilitate warnings to drivers concerning impending crashes." NHTSA is in the initial stages of mandating vehicle-to-vehicle technology. EPIC's comments pointed to several privacy and security risks with V2V techniques. EPIC urged NHTSA to "complete a more detailed privacy and security assessment of V2V communications" and to: "(1) not collect PII without the express, written authorization of the vehicle owner; (2) ensure that no data will be stored either locally or remotely; (3) require end-to-end encryption of V2V communications; (4) require end-to-end anonymity; and (5) require auto manufacturers to adhere to the Consumer Privacy Bill of Rights." Last year EPIC, joined by a coalition of consumer privacy organizations and members of the public, urged NHTSA to protect driver privacy and establish privacy safeguards for car "black boxes." For more information, see EPIC: Event Data Recorders and EPIC: Internet of Things.
  • Data Protection Commissioners Urge Limits on "Big Data" » (Oct. 17, 2014)
    The International Data Protection Commissioners have adopted a resolution on Big Data. The resolution endorses several privacy safeguards, including purpose specification, data minimization, individual data access, anonymization, and meaningful consent when personal data is used for big data analysis. The data protection commissioners also passed a resolution supporting the UN High Commissioner's report on Privacy in the Digital Age and the Mauritius Declaration on the Internet of Things. Earlier this year, EPIC joined by 24 organizations petitioned the White House to accept public comments on its review of Big Data and the Future of Privacy. EPIC also submitted extensive comments detailing the privacy risks of big data and calling for the swift enactment of the Consumer Privacy Bill of Rights and the end of opaque algorithmic profiling. For more information, see EPIC: Big Data and EPIC: Internet of Things.
  • Department of Transportation Seeks Public Comment on Connected Cars » (Aug. 21, 2014)
    The National Highway Traffic Safety Administration, at the Department of Transportation, is soliciting public comments on the privacy and security implications of connected "vehicle-to-vehicle" technology. According to the agency, the technology transmits data between vehicles to "facilitate warnings to drivers concerning impending crashes." The agency plans to mandate vehicle-to-vehicle technology. NHTSA is also soliciting comments on a connected car research report. Comments on both are due October 20, 2014. Last year EPIC, joined by a coalition of privacy and consumer rights organizations and members of the public, urged NHTSA to protect driver privacy and establish privacy safeguards for car "black boxes." For more information, see EPIC: Event Data Recorders and EPIC: Comments on the Privacy and Security Implications of the Internet of Things.
  • Senator Schumer Calls On Regulators to Make Fitness Data Private » (Aug. 14, 2014)
    Senator Charles Schumer has denounced the data collection practices of "activity trackers" such as FitBit. "Activity trackers" are mobile devices that record highly personal information about the wearer and constantly analyze the wearer's activities, including their diet, exercise, sleep, and even sexual habits. However, it is not clear whether federal privacy law protects this personal data from disclosure to third parties. EPIC has commented extensively on the privacy protections that are necessary in the "internet of things." EPIC has frequently pointed out the potential for misuse when companies collect data about sensitive consumer behavior. EPIC has made several recommendations to improve the privacy protections on devices such as "activity trackers," including requiring companies to adopt Privacy Enhancing Techniques, respect a consumer’s choice not to tracked, profiled, or monitored, minimize data collection, and ensure transparency in both design and operation of Internet-connected devices. For more information, see EPIC: FTC and EPIC: Practical Privacy Tools.
  • EPIC Submits Comments on the "Internet of Things" » (Jun. 3, 2013)
    EPIC has submitted comments to the Federal Trade Commission in advance of a workshop on the Internet of Things. The "Internet of Things" refers to the growing capacity of devices to communicate via the Internet. EPIC’s comments listed several privacy and security risks posed by the Internet of Things, such as the collection of data about sensitive behavior patterns and an increase in the power imbalance between consumers and service providers. EPIC then made several recommendations, such as requiring companies to adopt Privacy Enhancing Techniques, respect a consumer’s choice not to tracked, profiled, or monitored, minimize data collection, and ensure transparency in both design and operation of Internet-connected devices. For more information see EPIC: Federal Trade Commission.

Questions Presented

  • Do the plaintiffs have standing to challenge Toyota and GM for selling cars susceptible to hacking
  • Do the plaintiffs have standing to challenge Toyota and GM for selling cars that collect and disclose personal driving information?
  • Have the plaintiffs stated a claim for invasion of privacy under the California Constitution?

Background

Factual & Procedural Background

Named plaintiffs Helene Cahen and Merrill Nisam, both California residents, represent a class of California consumers who purchased cars from Toyota and General Motors. Cahen purchased a Lexus RX 400 H in September 2008, while Nisam purchased a Chevrolet Volt in March 2013.

The California class brought eight causes of action against GM and Toyota:

  1. Violation of the California’s Unfair Competition Law (“UCL”), Cal. Bus. Prof. Code § 17200, et seq.;
  2. Violation of California’s Consumers Legal Remedies Act (“CLRA”), Cal. Civ. Cod § 1250, et seq.;
  3. Violation of California’s False Advertising Law (“FAL”), Cal. Bus. Prof. Code § 17500, et seq.;
  4. Breach of California’s Implied Warranty of Merchantability, Cal. Com. Code § 2314;
  5. Breach of contract at California common law;
  6. Fraud by concealment at California common law;
  7. Violation of California’s Song-Beverly Consumer Warranty Act, Cal. Civ. Code §§ 1791.1 & 1792; and
  8. Invasion of privacy under the California Constitution, Cal. Const. art. I, § 1. FAC ¶¶ 62-138.

These causes of action reduce down to two complaints:

  1. The “cars’ computer systems lack security,” and consequentially “basic vehicle functions can be controlled by individuals outside the car, endangering the safety of vehicle occupants.” Despite “defendants’ knowledge of significant security vulnerabilities, they market their vehicles as safe,” and
  2. “[D]efendants collect owner data, specifically geographic location, driving history, and vehicle performance, from the vehicle computers and then share that data with third parties without securing the transmission.”

Lower Court Opinion

The lower court dismissed plaintiffs’ claims on a combination of lack of Article III standing and (FRCP 12(b)(1)) and failure to state a claim (FRCP 12(b)(6)).

To assert standing, plaintiffs claimed injury caused by the defendants’ misrepresentations about safety and data collection. Plaintiffs argue that they wouldn’t have purchased the cars or paid as much to purchase them had they known of the safety and privacy risks, and alleged that they paid inflated prices. Plaintiffs also claimed injury because defendants collect large amounts of driving data, including location data, and transmit the data to third party data centers without effectively securing it.

The court first considered whether the plaintiffs had standing based on the future risk of hacking. Relying on Clapper v. Amnesty Int’l USA, U.S. Hotel and Resort Management, Inc. v. Onity, Inc., and Birdsong v. Apple, Inc, the lower court concluded that a future risk of hacking did not provide injury-in-fact. The court was unable to determine “whether plaintiffs’ vehicles might be hacked at some point in the future, especially in light of the fact that plaintiffs do not allege that anybody outside of a controlled environment has ever been hacked.” As a result, plaintiffs had failed to allege actual or “certainly” impending harm, which the court confused with injury-in-fact: “[W]hile it is possible that a potential hacker would in fact attempt to gain control of a vehicle, allegations of possible future injury are not sufficient.” In addition, because the risk of hacking was “speculative,” the court found that the plaintiffs had failed to allege “that any future risk of harm is concrete and particularized as to themselves.” Drawing from products liability cases in the Northern District of California, the court found persuasive that many of these cases denied standing “where there has been no actual injury and the injury in fact theory rests only on an unproven risk of future harm.”

Second, the court rejected plaintiffs’ allegations of economic loss flowing from the risk of future hacking. Economic injury sufficient to provide Article III standing arises when plaintiffs pay “more for a product than they otherwise would have paid, or bought it when they otherwise would not have done so.” But here, the court found that the plaintiffs could not “obscure that the alleged economic injury rests solely upon the existence of a speculative risk of future harm.” Plaintiffs had also failed to make specific allegations of “diminution in value.” As a result, the “unmanifested and widespread” harm could not clearly translate into economic injury. In addition, the market effect was “hypothetical” because “potentially all post-2008 cars vehicles on the American market, and not just defendants’ vehicles, lack the allegedly necessary security protections and firewalls.”

Third, the court rejected standing based on invasion of privacy because the plaintiffs had not “identified a concrete harm from the alleged collection and tracking of their personal information sufficient to create injury in fact.” Again confusing harm for injury-in-fact, the court faulted plaintiffs for failing to “allege the kind of theft, malicious breach, or widespread accidental publication of sensitive personally identify information such as social security numbers or credit card information” that other courts had found sufficiently dangerous to pose a credible risk of future identity theft. Moreover, the plaintiffs’ claims were not particularized because they had not specifically alleged that they themselves were harmed by the defendants’ data collection.

Finally, the court held in the alternative that the plaintiffs had not stated a claim of invasion of privacy. A claim of invasion of privacy under the California Constitution requires a plaintiff to plead “(1) a legally protected privacy interest; (2) a reasonable expectation of privacy in the circumstances; and (3) conduct by defendant constituting a serious invasion of privacy.” The court found that “defendants’ tracking of a vehicle’s driving history, performance, or location at various times, is not categorically the type of sensitive and confidential information the constitution aims to protect.” The court criticized the plaintiffs’ allegations for leaning heavily on a report prepared by Senator Edward Markey instead of identifying “which car manufactures are collecting data, the frequency of which the data is being tracked, or the type of data is being collected.”

The court granted defendant’s motion to dismiss, and appellants appealed.

Legal Background

Article III of the U.S. Constitution grants the federal courts judicial power over “cases” and “controversies.” In order to show standing, plaintiffs must establish that they have (1) suffered an injury-in-fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) is likely to be redressed by a favorable judicial decision. Injury-in-fact itself requires the plaintiff suffer an invasion of a legally protected interest that is (1) concrete, (2) particularized, and (3) actual or imminent, not conjectural or hypothetical.

EPIC's Interest

EPIC has a long and substantial interest in building privacy protections into the Internet of Things generally and connected cars specifically. EPIC has also filed two recent amicus briefs in cases involving Article III standing.

In November 2015, former EPIC Associate Director Khaliah Barnes testified before Congress about the Internet of Cars. EPIC’s testimony urged Congress to pass legislation establishing privacy and cybersecurity rules to protect driver data and prohibit malicious hacking of connected cars. In June 2016, EPIC submitted comments to the National Telecommunications and Information Administration about the Internet of Things. EPIC recommended that legal requirements ensure that companies providing IoT services adopt Privacy Enhancing Technologies; do not track, profile, or monitor users; minimize data collection; and ensure security in both design and operation of Internet-connected devices. EPIC has also submitted comments to the Federal Trade Commission describing several of the most common IoT devices, including some in connected cars, and outlined the main privacy and security concerns associated with these devices.

In 2013, EPIC and a coalition of privacy advocates submitted comments the National Highway Traffic Safety Administration’s (“NHTSA”) 2012 proposal to mandate Event Data Recorders (“EDRs”) in vehicles manufactured after September 2014. Event Data Recorders are devices that can internally record, retain, and report data related to the drivers’ operation of an automobile. The comments recommend that NHTSA protect driver privacy and limit the collection and use of EDR data. EPIC also commented on NHTSA’s 2014 advanced notice of proposed rulemaking requiring vehicle-to-vehicle communications. There, EPIC urged NHTSA to complete a more detailed privacy and security assessment of V2V communications. Additionally, EPIC recommend that NHTSA should: (1) not collect PII without the express, written authorization of the vehicle owner; (2) ensure that no data will be stored either locally or remotely; (3) require end-to-end encryption of V2V communications, including the basic safety messages (“BSMs”); (4) require end-to-end anonymity; and (5) require auto manufacturers to adhere to the Consumer Privacy Bill of Rights. EPIC commented on the privacy implications of EDRs to NHTSA in 2003 and 2004.

Finally, EPIC has filed several amicus briefs recently that defend plaintiffs’ ability to bring lawsuits for privacy violations. In In re SuperValu Customer Data Security Breach Litigation, EPIC presented a comprehensive framework of Article III standing, and urged a federal appeals court to protect consumers' ability to sue companies for inadequate data security. Early in 2016, EPIC argued in Storm v. Paytime that data breach victims have standing to sue without needing to wait for consequential harms. EPIC also catalogued the epidemic of data breaches in the U.S., and explained why companies should be liable when they fail to protect the consumer data they collect. In Spokeo v. Robins, EPIC defended Congress’s authority to enact laws that safeguard the privacy of American consumers.

Legal Documents

U.S. Court of Appeals for the Ninth Circuit, No. 16-15496

U.S. District Court for the Northern District of California, No. 15-01104

News

Resources

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security