EPIC v. ODNI (Russian Hacking)
- EPIC to Maryland Legislators: Security Questions Need Upgrade: EPIC Interim Associate Director and Policy DIrector Caitriona Fitzgerald will testify today before the Maryland Senate Committee on Finance in support of stronger authentication methods to protect consumers. Senate Bill 185 requires financial institutions who choose to use security questions as a authentication method to provide customers with more than one security question option. EPIC noted that there are plenty of alternative authentication methods available today and that financial institutions truly should no longer be using basic security questions. "The requirement that your password contain one uppercase letter, one lowercase letter, one symbol, and one number is meaningless if all that is required to bypass that password is your pet’s name," EPIC told the Committee. But, EPIC said, if security questions are going to be used, institutions should ensure that multiple question options are given, and that users are permitted to answer the questions with randomly-generated password-like answers rather than factual, semantic answers. (Feb. 9, 2021)
- Documents Obtained by EPIC Reveal DHS’s Slow Response to Election Cybersecurity Threats, Underscore Risks Posed by New Voting Technologies: EPIC has obtained additional documents related to federal efforts to respond to election cybersecurity threats in its suit against the Department of Homeland Security. The documents include summaries of: the DHS's contacts with election officials, state reports of election security incidents going back to 2016, meeting minutes from the DHS Election Task Force in 2017, and a September 2016 Election Infrastructure Cyber Risk Characterization Report. The incident logs reveal difficulties contacting campaign officials in the lead up to the 2016 Election and concern voiced within the agency about "unbalanced" outreach. And DHS contacts with state election officials were somewhat limited as some were wary that the critical infrastructure designation "would at a later time lead to regulation on states." In the September 2016 Election Infrastructure Cyber Risk Characterization Report, the DHS Office of Cyber and Infrastructure Analysis found that compromises in voter registration databases resulted in the potential release of personally identifiable information but not the modification of the underlying records. The DHS determined that exposure of this information could undermine public confidence in election systems. The DHS also counseled strongly against untested voting technologies, finding that the "introduction of new technologies in the voting system will increase vulnerabilities to the election system in the future," particularly the implementation of internet-connected voting systems. The case is EPIC v. DHS, 17-2047 (D.D.C.). (Aug. 19, 2020) More top news »
- EPIC to Congress: Strong Encryption Keeps Our Nation Secure » (Dec. 10, 2019) In advance of a hearing on "Encryption on Lawful Access," EPIC wrote to the Senate Judiciary Committee "now is not the time to undermine the systems that we all rely upon to secure our data and communications." EPIC cited growing problems of data breach and cyber attack. Leading computer scientists and security experts, including members of the EPIC Advisory Board, have found that proposals to add "backdoors" for law enforcement are "unworkable in practice, raise enormous legal and ethical questions, and would undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm." EPIC previously filed an amicus brief in Apple v. FBI in support of robust security safeguards for cellphone users. EPIC argued that the "security features in dispute in this case were adopted to protect consumers from crime." EPIC explained that an order to compel Apple to take extraordinary measures to undo these features places at risk millions of cell phone users across the United States. EPIC President Marc Rotenberg warned of the risk of NSA-mandated backdoors in a 1990 article, "The Only Locksmith in Town."
- Report: FBI Victim Notification Procedures ‘Unreliable’ and ‘Incomplete’ » (Apr. 1, 2019) The FBI’s system for notifying victims of cyberattacks is “unreliable” and “incomplete,” according to a report by the Inspector General for the Department of Justice. The IG report found that “not all victims were informed of their rights as required by” DOJ guidelines, which are “outdated since they do not consider the needs of victims of cybercrime.” In 2017, EPIC obtained through EPIC v. FBI, a FOIA lawsuit, the FBI Victim Notification Procedures that should have applied to Russian cyberattacks during the 2016 Presidential election. The FBI Notification Procedures made clear that notification should occur “even when it may interfere with another investigation or (intelligence) operation.” The records obtained by EPIC led to Associated Press investigation ("FBI gave heads-up to fraction of Russian hackers’ US targets”), which found that the FBI did not follow the Procedures and failed to notify U.S. officials that their email accounts were compromised. The EPIC Democracy and Cybersecurity Project has pursued multiple FOIA cases concerning Russian interference with the 2016 election, including EPIC v. DOJ (the Mueller Report), EPIC v. ODNI (Russian hacking), EPIC v. IRS I release of Trump's tax returns), EPIC v. IRS II (release of Trump business tax records), and EPIC v. DHS (election cybersecurity).
- EPIC Files Brief on Government Hacking With Court of Human Rights » (Feb. 28, 2019) EPIC has filed a brief with the European Court of Human Rights detailing the public safety and privacy risks of government hacking. Privacy International v. United Kingdom asks whether remote hacking by UK intelligence services violates the European Charter of Fundamental Rights. The Court recently granted EPIC's request to intervene in the case. "Hacking tools stockpiled by governments could be used by criminals to mount cyberattacks," EPIC's brief states. EPIC also explained that "Government hacking weakens security safeguards." EPIC has long advocated for strong cybersecurity policies.
- EPIC, Coalition Ask Australia to Amend "Assistance and Access" Law » (Feb. 25, 2019) EPIC and a coalition of civil society organizations told the Australian Parliament that a law allowing police to require weak security for tech products should be amended. The Parliament reopened debate over the "Assistance and Access" law, broadly denounced as a threat to security and freedom of expression. Following earlier comments, the coalition has now called on the Australian Parliament to narrow the law. EPIC has long advocated for strong encryption, led the campaign against the Clipper Chip, and published the first global survey on Cryptography and Liberty. And when the FBI sued Apple in 2016 for refusing to allow law enforcement access to iPhones, EPIC filed an amicus brief in support of Apple arguing the FBI's demand "places at risk millions of cell phone users across the United States."
- EPIC Commends FAA Comment Opportunity on Aircraft Security, Urges More Public Reporting » (Jan. 8, 2019) In comments to the Federal Aviation Administration, EPIC praised the agency for inviting public input on technology that exposes aircraft control networks to remote hacking. EPIC previously warned the FAA that, "hackers can exploit weaknesses in drone software to gain control of a drone's movement and other features." EPIC has also called attention to the potential for connected cars and Internet of Things devices to be hacked. EPIC recommended that the FAA routinely report on the growing risks of cyber attack.
- EPIC, Coalition Call for Investigation into FBI's Inflated Encryption Statistic » (Jun. 5, 2018) EPIC and a coalition of twenty organizations called for the Department of Justice Inspector General to investigate the FBI's "grossly inflated" statistic of encrypted devices inaccessible to law enforcement in 2017. The Washington Post reported that the FBI repeatedly stated it was locked out of 7,800 devices, but subsequent review suggested the actual number is about 1,200. The coalition wrote to the IG asking him to investigate the error, why DOJ officials used the data point after it was discovered to be incorrect, and what measures were taken to inform Congress and the public of the FBI's miscalculation. EPIC President Marc Rotenberg previously told POLITICO that the revelation was "a very serious matter" that "calls into question" the FBI's other statements about "the scope of electronic surveillance in the United States."
- EPIC to Senate: Weaknesses in Cybersecurity Threaten Both Consumers and Democratic Institutions » (Apr. 24, 2018) EPIC submitted a statement to the Senate Homeland Security Committee in advance of a hearing on "Cyber Threats Facing America." Last year, the White House National Security Strategy report set out the administration's goals for global policy. EPIC supports several of the goals in the National Strategy report, including enhanced cybersecurity, support for democratic institutions, and protection of human rights. EPIC wrote to the Senate Committee to seek assurances that those goals will remain priorities for this administration. Quoting former world chess champion Garry Kasparov, EPIC also said "perhaps it is a firewall and not a border wall that the United States needs to safeguard our national interests at this moment in time."
- FEC Proposes Regulation of Internet Political Ads » (Mar. 14, 2018) Today the Federal Election Commission voted unanimously, at a public meeting, to publish a proposed rule concerning transparency requirements for online political ads. The FEC noted EPIC's comments—arguing that internet companies should be held to the same standard as broadcast companies—in its proposal. The FEC will publish the proposal in the Federal Register, accept comments from the public, and then hold a public hearing on June 27, 2018. After Russian interference in the 2016 election, EPIC launched the Democracy and Cybersecurity Project to preserve the integrity of elections and democratic institutions. In comments to the FEC in November 2017, EPIC explained the "need to protect democratic institutions from foreign adversaries has never been greater...To help ensure the integrity of U.S. elections, the Federal Election Commission should not exempt technology companies from notification requirements for Internet communications."
- Senators Ask Director of National Intelligence About Russian Meddling » (Mar. 6, 2018) Today the Senate Armed Services Committee held a hearing that addressed concerns about Russian interference in upcoming elections. In his opening statement, the Director of National Intelligence Daniel Coats stated that Russia views its influence on the 2016 election as successful and emphasized the threat that Russian cyberattacks pose to U.S. democracy. Coats testified that the U.S.'s response has not been sufficient to deter Russia from interfering in the 2018 midterm elections, agreeing with testimony of Admiral Michael Rogers, the Commander of U.S. Cyber Command, in a hearing last week. Coats called the U.S.'s strategy to combat Russian interference a "whole government approach," but it concerned some Senators that there was no lead agency in charge of this effort, including Senator Mazie Hirono (D-HI) who said that it caused her to conclude that it is "not a top priority" for the President. EPIC launched a project on Democracy and Cybersecurity in response to Russian interference in the 2016 presidential election.
- SEC Issues Guidance on Cybersecurity Disclosures » (Mar. 5, 2018) The Securities and Exchange Commission has released guidance for cybersecurity risks and incidents. The SEC stated that "in light of the increasing significance of cybersecurity incidents," it is "critical" for companies to routinely report cybersecurity threats. The Commission also emphasized that corporate officers must not trade on nonpublic information. Equifax waited six weeks to notify the public of its data breach, and its executives were accused of insider trading after it was revealed that they sold Equifax stock prior to informing the public of the breach. EPIC has long advocated for mandatory breach notification. EPIC President Marc Rotenberg recently testified on data security and breach notification before the House and Senate, explaining that companies' failure to protect data threatens not only consumers but also national security.
- Senate Holds Hearing on National Security Strategy » (Jan. 24, 2018) EPIC submitted a statement to the Senate Armed Services Committee in advance of a hearing on "Global Challenges and U.S. National Security Strategy." Last year, the White House released a National Security Strategy report that laid out the administration's goals. EPIC supports many of the goals stated in the report, including enhanced cybersecurity, support for democratic institutions, and protection of human rights. EPIC wrote to the committee to seek assurances that those goals will remain priorities for this administration. EPIC also said "perhaps it is a firewall and not a border wall that the United States needs to safeguard our national interests at this moment in time."
- National Security Strategy Acknowledges Importance of Democratic Institutions, Privacy » (Dec. 21, 2017) The White House has released the 2017 National Security Strategy. The report underscores the importance of democratic institutions and the rule of law. The report states the “government must do a better job of protecting data to safeguard information and the privacy of the American people,” and calls out "actors such as Russia [who] are using information tools in an attempt to undermine the legitimacy of democracies.” The report also cautions that cyber policy must be pursued "In accordance with the protection of civil liberties and privacy.” EPIC is currently pursuing several related FOIA cases about Russian interference in the 2016 Presidential election, including EPIC v. FBI (cyberattack victim notification), EPIC v. ODNI (Russian hacking), EPIC v. IRS (Release of Trump Tax Returns), and EPIC v. DHS (election cybersecurity).
- D.C. Circuit Sets Schedule for EPIC Case to Obtain Trump Tax Returns » (Dec. 19, 2017) The D.C. Circuit Court of Appeals has set a schedule in EPIC’s case to obtain President Trump’s tax returns. EPIC previously argued that the IRS has the authority to release the records to correct numerous misstatements of fact concerning financial ties to Russia, such as President Trump’s tweet "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING." The IRS recently admitted to EPIC that it has used this authority at least 10 times in one year. The schedule for the appeal was announced the same week that Congress considers sweeping tax legislation, but Congress and the public remain in the dark about the consequences of the legislation on the President’s personal finances. According to CNN, 73% of Americans favor release of the President’s tax returns. EPIC v. IRS is one of several FOIA cases concerning Russian interference in the 2016 Presidential election, including EPIC v. ODNI (scope of Russian interference), EPIC v. FBI (response to Russian cyber attack), and EPIC v. DHS (election cybersecurity). EPIC’s opening brief in EPIC v. IRS is due January 24, 2018.
- EPIC Urges House Judiciary to Examine FBI Response to Russian Cyber Attacks » (Dec. 12, 2017) EPIC has sent a statement to the House Judiciary Committee ahead of Wednesday's DOJ Oversight hearing. EPIC urged the Committee to question Deputy Attorney General Rosenstein about the FBI's ability to respond to future cyberattacks concerning the 2018 elections. A recent Associated Press investigation found that the FBI, the lead agency for cyber response, did not notify U.S. officials that their email accounts were compromised during the 2016 election. According to documents obtained by EPIC, the FBI is to notify victims of cyberattacks "even when it may interfere with another investigation or (intelligence) operation." EPIC obtained the FBI's Victim Notification Procedures through a Freedom of Information Act lawsuit, EPIC v. FBI, filed earlier this year. EPIC is currently pursuing several related FOIA cases about Russian interference in the 2016 Presidential election, including EPIC v. ODNI (Russian hacking), EPIC v. IRS (Release of Trump Tax Returns), and EPIC v. DHS (election cybersecurity).
- EPIC to House Committee: Privacy Safeguards Apply to Personal Data Sent to Government » (Nov. 15, 2017) In advance of a hearing on "Cyber Threat Information Sharing," EPIC has sent a statement to the House Homeland Security Committee. EPIC urged the Committee to determine whether there are sufficient protections for personal data sent to government agencies. Private companies now have legal authority to transfer data to government agencies outside traditional privacy procedures following passage of the Cybersecurity Information Sharing Act. EPIC and a broad coalition warned that the law will increase monitoring of Internet users and government secrecy. EPIC urged the Congressional committee to carefully examine the "scrubbing" techniques that are intended to remove personally identifiable information before data is transferred to federal agencies.
- White House Vulnerability Review Charter Provides Process for Disclosing Tech Flaws » (Nov. 15, 2017) The White House has released the "Vulnerabilities Equities Policy and Process," describing how the U.S. Government will make decisions regarding disclosure of "Zero-day vulnerabilities." At issue are vulnerabilities in software and consumer products that can be exploited by intelligence agencies and malicious hackers. If the VEP review board — comprised of agency representatives such as the DHS, ODNI, CIA, FBI, OMB, Commerce Department, and NSA — votes for disclosure, the tech company will be notified "when possible" within 7 business days. The charter requires the NSA, serving as the board's secretariat, to produce an annual public report on VEP decisions. In extensive comments on surveillance reform, EPIC supported the recommendations of the Obama Review Group, which included a recommendation for an interagency process to review "Zero-day vulnerabilities." In a letter to the Senate Committee on Homeland Security earlier this year, EPIC stated that "data protection and privacy should remain a central focus of the cyber security policy of the United States."
- Senators Urge FEC to Promote Transparency in Online Ads » (Nov. 13, 2017) A group of 15 Senators led by Mark Warner (D-VA), Amy Klobuchar, (D-MN) and Claire McCaskell, (D-MO) have urged the Federal Election Commission to improve transparency for online political ads. The Senators stated that, "the FEC can and should take immediate and decisive action to ensure parity between ads seen on the internet and those on television and radio." The Senators emphasized how "Russian operatives used advertisements on social media platforms to sow division and discord" during the 2016 election. EPIC provided comments to the FEC calling for "algorithmic transparency" and the disclosure of who paid for online ads. Senators Klobuchar, Warner, and McCain (R-AZ) have also introduced a bipartisan bill that would require the same disclosures for online political advertisements as for those on television and radio. EPIC's Project on Democracy and Cybersecurity, established after the 2016 presidential election, seeks to promote election integrity and safeguard democratic institutions from various forms of cyber attack.
- EPIC Sues Department of Homeland Security for Release of Russian Interference Records » (Oct. 4, 2017) EPIC has filed a Freedom of Information Act lawsuit against the Department of Homeland Security to obtain records related to Russian interference in the 2016 U.S. Presidential Election. Earlier this year, the DHS has designated state election systems as critical infrastructure and published a Joint Analysis Report acknowledging Russian interference with U.S. election systems. However, DHS has not provided any significant new information to the American public about the extent of the Russian interference. EPIC now seeks disclosure of the agency's "research, integration, analysis" related to the scope of Russian interference. EPIC's FOIA lawsuit follows H.Res. 235, a bill sponsored by Rep. Thompson (D-MS) that would have directed the DHS to provide this information to Congress, but was blocked by the House Homeland Security Committee. EPIC has filed several FOIA lawsuits to determine the scope of Russian interference. The cases include: EPIC v. FBI (Russian Hacking), EPIC v. ODNI (Russian Hacking), and EPIC v. IRS (Donald Trump's Tax Records).
- EPIC Obtains Documents about DARPA's "Brandeis" Program » (Oct. 2, 2017) EPIC has received documents about the Defense Advanced Research Projects Agency's (DARPA) Brandeis Program, following a 2015 FOIA request. According to the agency, the program is intended to "research and develop tools for online privacy." EPIC obtained over 1,100 pages of documents about the Program. The documents include email communications (parts 1, 2, 3), budget appropriation justifications for fiscal year’s 2015 (parts 1, 2) and 2016 (parts 1, 2), as well as the names of contract awardees. According to the documents obtained by EPIC, the $75 million program provided $75 million over 4.5 years. Contract recipients include UC Berkley, UC Irvine, MIT, Carnegie Mellon University, Raytheon, SRI International, Stealth Software Technologies, and Galois.
- EPIC Awarded Nearly $100,000 in Internet Surveillance Case » (Jun. 5, 2017) A federal judge in Washington, DC has issued a final order granting EPIC substantial attorney's fees in a long-running case against the Department of Homeland Security. EPIC sued the DHS in 2012 for information about a secret program to monitor Internet traffic. The "Cyber Pilot" program applied originally to defense contractors, but an executive order dramatically expanded the program, raising concerns about violations of federal wiretap law. EPIC's lawsuit produced the release of several thousand pages on the program. EPIC sought attorneys fees for the successful litigation, which the DHS opposed. In November, Judge Gladys Kessler ruled that EPIC was entitled to attorney's fees because it "substantially prevailed in [the] litigation" and added "to the fund of information that citizens may use in making vital political choices." On Monday, Judge Kessler confirmed that decision and awarded EPIC nearly $100,000 in fees—the largest such award in EPIC's history.
- Executive Order on Cybersecurity Finally Released » (May. 12, 2017) A long delayed Executive Order on cybersecurity was released this week. The Order continues many of the cybersecurity policies of the Obama and Bush administrations. The Executive Order requires agency heads to use the NIST Framework to manage cybersecurity risk, and to provide a risk management report. The Order also requires Cabinet officials to devise a strategy for international cooperation in cybersecurity. However, the Order does not address Russia's cyber interference with the 2016 Presidential Election. EPIC, and a group of forty leading experts in law and technology, had urged the White House to strengthen privacy and data protection, and support strong encryption. The EPIC Cybersecurity and Democracy Project focuses on US cyber policies, threats to election systems and foreign attempts to influence American policymaking.
- On Cyber Policy, EPIC Urges Senate to Protect Consumers, Democratic Institutions » (May. 8, 2017) In advance of a hearing on "Cyber Threats Facing America: An Overview of the Cybersecurity Threat Landscape," EPIC has sent a statement to a Senate Committee urging Congress to protect democratic institutions, following the Russian interference with the 2016 presidential election. EPIC explained that "data protection and privacy should remain a central focus" of cyber security policy. EPIC also recommended that Congress strengthen the federal Privacy Act and establish a U.S. data protection agency. EPIC recently launched the EPIC Cybersecurity and Democracy Project that will focus on US cyber policies, threats to election systems and foreign attempts to influence American policymaking.
- EPIC To Senate Judiciary - "Public Has Right to Know About Russia Ties" » (May. 5, 2017) EPIC has sent a statement to the Senate Judiciary Committee for a hearing on "Russian Interference in the 2016 United States Election." EPIC described its Freedom of Information Act cases against the FBI and the ODNI to obtain records about activities aimed at undermining democratic institutions. EPIC is also pursuing the release of any FISA orders for Trump Tower, as well as Donald Trump's tax returns. EPIC wrote the "need to understand Russian efforts to influence democratic elections cannot be overstated.”
- Intelligence Agency Provides Non-Responsive Response in EPIC Lawsuit for Russia Report » (May. 3, 2017) The Director of National Intelligence has failed to provide a sufficient response in EPIC v. ODNI, concerning release of the report on the Russian interference in the 2016 Presidential election. The intelligence agency was required to release all “non-exempt portions" of the report to EPIC on May 3, 2017. However the agency withheld the entire document, refusing to provide even partial information that should have been released to EPIC under the Freedom of Information Act. As EPIC made clear in the complaint, “There is an urgent need to make available to the public the Complete ODNI Assessment to fully assess the Russian interference with the 2016 Presidential election and to prevent future attacks on democratic institutions.” EPIC will challenge the agency’s response as the litigation continues in federal district court in Washington, DC. EPIC v. ODNI is a part of the EPIC Cybersecurity and Democracy Project, which focuses on US cyber policies, threats to election systems and foreign attempts to influence American policymaking.
- Pew Survey Finds Varying Cybersecurity Knowledge Among the Public » (Mar. 22, 2017) The Pew Research Center has released a report on "What the Public Knows About Cybersecurity." According to the Pew survey, 75% of respondents could identify the strongest password out of four options. About half of the people who took the survey could identify a phishing attack; a similar number knew what ransomware is. Only 16% answered that "a group of computers that is networked together and used by hackers to steal information" is called a "botnet." EPIC maintains an Online Guide to Practical Privacy Tools and resources on Public Opinion and Privacy.
- EPIC Urges House Committee to Protect Consumers, Democratic Institutions with Strong Cyber Security Measures » (Feb. 28, 2017) In advance of a hearing on "Cyber Warfare in the 21st Century: Threats, Challenges, and Opportunities," EPIC has sent a letter to the House Armed Services Committee urging Congress to protect democratic institutions, following the Russian interference with the 2016 presidential election. EPIC explained that "data protection and privacy should remain a central focus" of cyber security policy. EPIC also recommended that Congress strengthen the federal Privacy Act and establish a U.S. data protection agency. EPIC recently launched the EPIC Cybersecurity and Democracy Project, which will focus on US cyber policies, threats to election systems and foreign attempts to influence American policymaking.
- FBI Responds to EPIC FOIA Suit for Details of Russian Interference with 2016 Election » (Feb. 23, 2017) The FBI has filed an answer to EPIC's Freedom of Information Act lawsuit for records pertaining to the Russian interference with the 2016 Presidential election. In the answer, the FBI acknowledged receipt of EPIC's FOIA request. EPIC filed suit against the FBI in federal district court after the agency failed to make a timely decision concerning EPIC's request for expedited processing of the FOIA request. The parties will next confer to set a schedule for production of documents and briefing, if necessary. EPIC has also filed suit against the ODNI for public release of the Complete ODNI Assessment of the Russian interference in the 2016 election. EPIC recently launched the EPIC Cybersecurity and Democracy Project, which will focus on US cyber policies, threats to election systems and foreign attempts to influence American policymaking.
- EPIC Seeks Public Release of Secret Directive on Cybersecurity » (Jan. 28, 2017) EPIC has filed an urgent FOIA request with the DHS, the Department of Justice, and the NSA, seeking the expedited release of NSPD-1. The National Security Presidential Directive sets out procedures for cybersecurity "policy coordination, guidance, dispute resolution, and periodic in-progress review." EPIC has previously litigated, and successfully obtained, NSPD-54, a Presidential Directive concerning the NSA's authority to conduct surveillance within the United States.
- EPIC Sues for Release of Complete Report on Russian Interference with 2016 Election » (Jan. 26, 2017) EPIC has filed a Freedom of Information Act lawsuit against the Office of the Director of National Intelligence in federal district court in Washington, DC. The case is designated EPIC v. ODNI, No. 17-163 (D.D.C. filed Jan. 25, 2017). As EPIC makes clear in the complaint, "there is an urgent need to make available to the public the Complete ODNI Assessment to fully assess the Russian interference with the 2016 Presidential election and to prevent future attacks in democratic institutions." More details in the press release. Last week EPIC sued the FBI to uncover details of the Bureau's response to Russian interference.
- NEWS UPDATE - EPIC Sues FBI for Details of Russian Interference with 2016 Election » (Jan. 18, 2017) EPIC today filed a Freedom of Information Act lawsuit against the Federal Bureau of Investigation in federal district court in Washington, DC. The case is designated EPIC v. FBI, No. 17-127 (D.D.C. filed Jan. 18, 2017). The complaint states “EPIC challenges the FBI’s failure to make a timely decision concerning EPIC’s request for expedited processing of the FOIA request for records about the Russian interference with the 2016 Presidential Election.” A press conference will be held at the Fund for Constitutional Government on Capitol Hill on Thursday, January 19, 2017 at 1 pm. Media Advisory
- Senate Intelligence Committee Presses FBI to Reveal Russia Investigation » (Jan. 16, 2017) Senator Richard Burr (R-NC) and Senator Mark Warner (D-VA), the Chairman and Ranking Member of the Senate Intelligence Committee, have announced a bipartisan inquiry into the Russian interference with the 2016 Presidential Election. Democratic members of the House Judiciary Committee have also pressed the FBI to confirm its investigation of President-elect Trump's ties to Russia. In a letter to FBI Director James Comey, Committee Members requested "all documentation relevant to this investigation" be provided to the Committee "as soon as possible." EPIC has filed two urgent Freedom of Information Act requests concerning Russian interference: one for records about the FBI's lax response to the foreign cyber threat, the other for the report "Russian Activities and Intentions in Recent US Elections". This week EPIC also urged the Senate Armed Services Committee to pursue an investigation.
- EPIC, Technology Experts Urge Senate Committee to Monitor President’s Homeland Security Advisor » (Jan. 10, 2017) In a letter to the Senate Committee on Homeland Security, EPIC and leading experts urged Congress to keep a close eye on the White House Homeland Security Advisor. EPIC explained that the position, equal in power to the National Security Advisor, carries "significant implications for the safety and security of the American people." EPIC said that the Homeland Security Advisor should ensure "the Russian government poses no further threats to the United States electoral system or to other democratic governments." EPIC also said that "data protection and privacy should remain a central focus" of U.S. cyber security policy. The EPIC letter was signed by distinguished experts in cyber security, information technology, encryption, and human rights law.
- EPIC Seeks Expedited Release of Report on Russian Interference in 2016 Election » (Jan. 10, 2017) EPIC has submitted an urgent Freedom of Information Act request to the Office of the Director of National Intelligence (ODNI) seeking the complete report on the Russian interference in the 2016 Presidential Election. On January 6, the ODNI released a public summary on the Russian interference, but withheld important information. EPIC is seeking expedited release of the complete, unreacted report. EPIC is also seeking records from the FBI about the agency's lax response to the foreign cyber threat. EPIC submitted a statement to the Senate Armed Services Committee hearing on Russian interference. Congress will hold a second hearing today, and a bill initiating new sanctions against Russia is expected this week. EPIC will continue to press the ODNI for prompt release of the report.
- Senate Armed Services Committee to Examine Foreign Cyber Threats » (Jan. 4, 2017) The Senate Armed Services Committee will hold a hearing on "Foreign Cyber Threats to the United States" on January 5, 2016. EPIC submitted a statement to the Committee to alert Senators about a pending Freedom of Information Act request. The EPIC FOIA request concerns the lax response of the FBI to the Russian interference with the 2016 Presidential election. EPIC wrote “we believe that the information that we are seeking from the FBI will also be helpful to the Senate Armed Services Committee as you investigate foreign cyber threats to the United States.”“Director of National Intelligence James Clapper, National Security Agency and Cyber Command Chief Adm. Mike Rogers and Undersecretary of Defense for Intelligence Marcel Lettre are scheduled to testify.
- Obama Orders Review of Hacking During 2016 Election » (Dec. 9, 2016) President Obama's top homeland security advisor Lisa Monaco announced today that the Administration has asked the intelligence community to conduct a "full review" of cyber activity during the 2016 election. In 2016, EPIC urged candidates for office to focus on data protection, calling it "the most important, least well understood issue" of the 2016 election. EPIC also published a report on the importance of the secret ballot for democratic decision making. EPIC's Freedom of Information Act litigation uncovered flaws in online voting reported by the Department of Defense just prior to the 2012 election.
- EPIC Prevails in Internet Surveillance Case » (Nov. 21, 2016) A federal judge in Washington, DC has granted EPIC attorney's fees in a long-running case against the Department of Homeland Security. In 2012 EPIC sued the DHS for information about a secret program to monitor Internet traffic. The "Cyber Pilot" program applied originally to defense contractors, but a 2012 Executive Order dramatically expanded the program, raising concerns about violations of federal wiretap law. EPICs lawsuit produced the release of several thousand pages on the program. In today's extensive opinion, Judge Gladys Kessler concluded that EPIC "substantially prevailed in this litigation" and that EPIC had added "to the fund of information that citizens may use in making vital political choices." The Court awarded EPIC substantial attorneys fees for its work in the case.
- EPIC Defends Drivers’ Right to Sue for Safety, Privacy Risks As Congress Warns of Risks to Public » (Aug. 5, 2016) EPIC has filed an amicus brief in a case concerning the privacy and public safety risks of “connected” cars. EPIC warned that connected cars "expose American drivers to the risks of data breach, auto theft, and physical injury.” EPIC said a lower court was wrong to dismiss the case. EPIC urged a federal appeals court to allow consumers to "the opportunity to present legal claims stemming from the defendants’ sale of vehicles that place them at risk." This week researchers at Black Hat revealed new vulnerabilities in networked vehicles as Senators Blumenthal and Markey urged the FCC to establish “robust safety, cybersecurity, and privacy protections before automakers deploy vehicle-2-vehicle . . . communication technologies.” EPIC has filed several amicus briefs defending consumers' rights to enforce their privacy rights.
- EPIC Presses House Leaders on "Data Protection" » (Jun. 10, 2016) At a symposium organized by the Council on Foreign Relations, EPIC President Marc Rotenberg asked Republican leaders in the U.S. Congress whether "data protection" should be a campaign issue in 2016. Rep. Goodlatte, who chairs the House Judiciary Committee, responded "I very much believe it should be and is an issue in this election." He pointed to his own work to update the Electronic Communication Privacy Act (ECPA), "because that is an enhancement of the protection of people's privacy that I think they want and expect." Rep. McCaul, who chairs the House Homeland Security Committee, noted "in the cybersecurity bill we passed we met very closely with the privacy advocates. That was very important to me that we protect personally identifying information as we try to share these malicious codes." EPIC has launched a non-partisan campaign to make Data Protection a campaign issue in 2016.
- New Congressional Report Explores Legal Issues Regarding Compelled Decryption » (Mar. 8, 2016) "Encryption: Selected Legal Issues," a new report from the Congressional Research Service, explores two important legal questions that arise from government requests for compelled decryption: the Fifth Amendment right agains self-incrimination and the scope of the All Writs Act, the federal statute at issue in Apple v. FBI. EPIC filed a "friend of the court" brief, joined by eight other consumer privacy organizations, in support of Apple's challenge in the FBI iPhone case, pointing to the increased risk of cell phone theft and financial fraud that would result from compelled encryption.
- EPIC Files Brief in Support of Apple and Consumers in FBI iPhone Case » (Mar. 3, 2016) Today EPIC filed a "friend of the court" brief, joined by eight other consumer privacy organizations, in support of Apple's challenge in the FBI iPhone case. In Apple v. FBI, EPIC argued that the "security features in dispute in this case were adopted to protect consumers from crime." EPIC explained that an order to compel Apple to take extraordinary measures to undo these features places at risk millions of cell phone users across the United States. EPIC routinely files amicus briefs in cases that raise novel privacy and civil liberties issues. EPIC has filed two briefs in the United States Supreme Court in the past year in cases concerning consumer privacy and also the Fourth Amendment.
- Bill to Establish Digital Security Commission Introduced in House » (Mar. 2, 2016) Rep. Lieu (D-CA) has cosponsored bipartisan legislation to create a Digital Security Commission that will explore how law enforcement should pursue investigations without undermining constitutional privacy protections or American competitiveness. Rep. Lieu emphasized, "strong national security and a strong economy requires strong encryption." The legislation comes as Apple opposes a court order to compromise iPhone security to allow government access. Congressman Lieu called upon "the FBI and DOJ to withdraw their coercive demands of Apple and allow the democratic process to work." In 2015, EPIC gave the Champion of Freedom Award to Apple CEO, Tim Cook, for his work protecting privacy and promoting encryption.
- Apple Opposes FBI Decryption Order » (Feb. 25, 2016) Today Apple filed a "motion to vacate" a court order that would require the company to make changes to the iPhone to enable law enforcement access to personal information. In its brief, Apple asserts that this case is about "the ability to force companies like Apple to undermine the basic security and privacy interests of hundreds of millions of individuals around the globe." Apple argued that the FBI's requested court order violates the First and Fifth Amendments. Consumer Reports found that more than 3.1 million cellphones were stolen in 2013, and noted that "efforts by the telecom industry to reduce thefts don't seem to be helping matters." In 2015, EPIC gave the Champion of Freedom Award to Apple CEO, Tim Cook, for his work protecting privacy and promoting encryption.
- Writers Side with Apple in Encryption Fight with FBI » (Feb. 24, 2016) In a letter to the Attorney General, leading writers and artists protested the FBI's "efforts to force Apple to create software that could effectively enable the U.S. government to unlock any iPhone." The letter from the PEN America Center highlights how "intrusions on privacy damage creative expression and free speech." EPIC has long supported strong encryption as key to the future of privacy and security. EPIC recently gave the 2015 Champion of Freedom Award to Apple CEO Tim Cook for his work in promoting encryption and protecting privacy and security. The 2016 EPIC Awards dinner will be held on June 6th in Washington, DC.
- President Announces $19 billion Cybersecurity Plan » (Feb. 23, 2016) President Obama has proposed a $19 billion Cybersecurity National Action Plan that aims to modernize government IT and improve Americans' cybersecurity. The government will reduce reliance on social security numbers and promote increased use of multi-factor authentication. The plan will also establish a Commission on Enhancing National Cybersecurity. A Federal Privacy Council will coordinate federal privacy guidelines but lacks authority to enforce Privacy Act obligations. EPIC has repeatedly urged federal agencies to uphold Privacy Act protections.
- Apple Opposes FBI Decryption Order » (Feb. 17, 2016) Apple has opposed a court order that would require the company to make changes to the iPhone to enable law enforcement access to personal information. The order followed an FBI application under the All Writs Act, a law from 1789. Apple CEO Tim Cook wrote in response that the government's action "would undermine the very freedoms and liberty our government is meant to protect." In 2015, EPIC gave the Champion of Freedom Award to Mr. Cook for his work protecting privacy and promoting encryption. The EPIC 2016 Awards dinner will be held June 6 in Washington, DC.
- House Adds Cyber Surveillance to Budget Bill » (Dec. 16, 2015) Today, the House added the Cybersecurity Act of 2015 to an expansive appropriations bill. The Cybersecurity Act was negotiated behind closed doors and represents a new version of the Cybersecurity Information Sharing Act (CISA). Previous versions of CISA have been opposed by a broad coalition of organizations. The current bill, like previous ones, would allow the government to obtain personal information from private companies without judicial oversight. The Act would also expand government secrecy. EPIC previously won a five-year court battle to obtain NSPD 54, a foundational legal document for U.S. cybersecurity policies that revealed the government's interest in enlisting the private sector to monitor user activity.
- Senator Leahy Opposes FOIA Exemptions in Cyber Security Bill » (Oct. 27, 2015) Senator Patrick Leahy (D-VT) urged fellow Senators to remove a proposed open government exemption in a pending cybersecurity bill. The Cybersecurity Information Sharing Act (CISA), said Sen. Leahy, "contains an overly broad new FOIA exemption that is both unnecessary and harmful." Sen. Leahy called the FOIA "our nation's premier transparency law," and said that any modifications must go through the Senate Judiciary Committee. "The Senate must have an open and honest debate about the Senate Intelligence Committee's bill and its implications for Americans' privacy and government transparency," remarked the Senator. Last year, EPIC won a five-year court battle against the NSA for NSPD 54, the foundational legal document for U.S. cybersecurity policies. EPIC has also set out recommendations for FOIA reform.
- Obama Drops Plan to Regulate Crypto » (Oct. 11, 2015) According to the New York Times, President Obama has concluded that "it is not possible to give American law enforcement and intelligence agencies access to that information without also creating an opening that China, Russia, cybercriminals and terrorists could exploit." Earlier this year Apple CEO Tim Cook said at the EPIC Champions of Freedom dinner, "Criminals are using every technology tool at their disposal to hack into people's accounts. If they know there's a key hidden somewhere, they won't stop until they find it." EPIC launched the public campaign for the freedom to use encryption in 1994 and several of the world's leading cryptographers are members of the EPIC Advisory Board. Tim Cook received the 2015 EPIC Champion of Freedom Award. Past recipients include Max Schrems and Edward Snowden.
- California Rejects Warrantless Surveillance, Enacts "CalECPA" » (Oct. 9, 2015) California Governor Jerry Brown has signed the California Electronic Communications Privacy Act (CalECPA). CalECPA requires law enforcement to obtain a warrant before accessing digital data including metadata, location data, emails, and text messages. The warrant requirement applies to searches of electronic devices themselves and to content stored by an online service provider. In response to requests from the US Congress, EPIC has made several recommendations regarding updates to the federal ECPA. EPIC has also obtained documents from the FBI concerning Stingray surveillance technology, which is now prohibited under the California bill.
- OECD Finalizes Risk Management Guidelines » (Oct. 9, 2015) The OECD has published the new Recommendation on Digital Security Risk Management a revision of the 2002 OECD Security Guidelines. Science, Technology and Innovation Director Andrew Wyckoff said that "a totally secure digital environment is impossible". EPIC supports the Recommendations which emphasize digital security risk management "in a transparent manner and consistently with human rights and fundamental values." EPIC has long been engaged with the work of OECD and supports civil society participation at the 2016 OECD Ministerial Meeting on the Digital Economy.
- Federal Appeals Court Recognizes "Substantial Risk of Future Harm" » (Jul. 29, 2015) In a landmark opinion, the Seventh Circuit Court of Appeals has ruled that a class action lawsuit against Neiman Marcus may continue because of the ongoing risk to customers whose personal information was compromised in a data breach. The case stems from a breach of the Neiman Marcus customer database that led to the release of 350,000 credit cards and exposed more than 9,200 customers to fraud. A lower court ruled that since the identified fraud victims had been reimbursed, Neiman Marcus was off the hook for future claims. However, the Seventh Circuit ruled that the plaintiffs, customers who were not yet aware of fraud, faced a "substantial risk of future harm," and that risk was enough to allow the class action to continue. According to the Federal Trade Commission, identity theft remains the top concern of American consumers.
- Congress to Hold Hearing on Encryption and Privacy » (Jul. 8, 2015) Today the Senate is holding a hearing on "Going Dark: Encryption, Technology, and the Balance Between Public Safety and Privacy." FBI Director Comey, testifying today, has advocated for broken encryption to enable law enforcement access to private communications. Despite claims of "going dark" because of new encryption technologies, law enforcement encountered encryption in only 25 wiretap cases in 2014. Of those cases, non-encrypted text was obtained in all but four cases. EPIC has advocated for strong encryption and urged President Obama to reject proposals to weaken encryption. EPIC published the first comprehensive survey of encryption use around the world. And earlier this year, EPIC gave a Champion of Freedom Award to Apple CEO Tim Cook, who warned that "Criminals are using every technology tool at their disposal to hack into people's accounts. If they know there's a key hidden somewhere, they won't stop until they find it."
- Leading Security Experts Oppose Government Encryption Plan » (Jul. 7, 2015) Several members of the EPIC Advisory Board, leading experts in security technology, have warned that a government plan to weaken encryption threatens the nation's critical infrastructure and puts at risk confidential personal information. Recalling a similar report from 1997, the researchers concluded that "the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago. Recent reports from the US courts, available from EPIC, show that encryption has not been an obstacle to law enforcement investigations. A 1994 Internet petition led to the demise of "Clipper," the original government plan for escrowed encryption.
- Massive Government Data Breach Even Worse than Reported » (Jun. 25, 2015) A Congressional hearing on the Office of Personnel Management data breach has now revealed one of the worst data breaches in US history. The agency initially reported that the personal information of 4 million government employees was obtained, but news reports suggest the breach was much larger--exposing the social security numbers of more than 18 million people. EPIC has urged the White House and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. EPIC has also testified in Congress and the Senate in support of stronger security measures to protect personal data.
- Senate Rejects User Surveillance Proposal » (Jun. 17, 2015) The Senate has rejected an amendment to the National Defense Authorization Act for 2016 that would transfer user data from private companies to government agencies without judicial oversight. Senator Patrick Leahy (D-Vt) urged Senators to oppose the amendment, stating "we need a cyber-security bill, not a cyber-surveillance bill." Last year, EPIC won a five-year court battle against the NSA for NSPD 54-the foundational legal document for U.S. cybersecurity policies. The Directive reveals the NSA's interest in enlisting companies to monitor user activity in the United States.
- Massive Breach Impacts Millions of Government Employees » (Jun. 10, 2015) The Office of Personnel Management has announced a massive data breach in the federal government's employee database. According to the agency, the breach exposed the sensitive personal information - including home addresses, SSNs, and financial information - of 4 million government employees. Although 432 million online accounts were hacked in 2014, Congress has failed to update US privacy laws or pass cybersecurity legislation. EPIC has urged the White House and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information.
- EPIC, Coalition to President: No Encryption Backdoors » (May. 20, 2015) EPIC and a coalition of civil society organizations and security experts urged President Obama to reject proposal to weaken encryption used in U.S. products. Administration officials, including FBI Director Comey, have advocated for broken encryption to enable law enforcement access to private communications. The letter details how weakened encryption undermines cybersecurity and economic security. EPIC previously led the effort to oppose the "Clipper Chip," the NSA's proposal for key escrow encryption that would have severely crippled the privacy and security of online communication. EPIC also recently expressed support for encryption and anonymity in a letter to a UN Rapporteur.
- Senate Committee Approves Cyber Surveillance Bill » (Mar. 14, 2015) In a closed-door meeting, the Senate Select Committee on Intelligence approved the "Cyber Information Sharing Act of 2015". The bill would allow the government to obtain user information from private companies without judicial oversight. Companies would receive immunity for their disregard of existing privacy law. Senator Wyden, who opposed the measure, stated, "If information-sharing legislation does not include adequate privacy protections then that's not a cybersecurity bill - it's a surveillance bill by another name." Last year, EPIC won a five-year court battle against the NSA for NSPD 54—the foundational legal document for U.S. cybersecurity policies. The Directive reveals the government's long-standing interest in enlisting private sector companies to monitor user activity.
- Executive Order Calls for More Cybersecurity Info "Sharing" » (Feb. 13, 2015) President Obama announced today an Executive Order to promote collaboration between the private sector and the government to counter cyber threats. The Order encourages the companies to disclose user data to the federal government outside any judicial process. The Order also promotes compliance with Fair Information Practices and adoption of such Privacy Enhancing Techniques as data minimization. The Executive Order is one of several cybersecurity initiatives announced by the President. In EPIC v. NSA, after a five-year court battle, EPIC obtained National Security Presidential Directive 54 which revealed the NSA's role in domestic cyber security.
- President Obama Announces New Cybersecurity Initiatives » (Jan. 13, 2015) Today the President announced several cybersecurity initiatives, including a proposal to facilitate private sector threat information disclosures. The White House proposal requires the removal of personal information prior to data transfers but privacy concerns remain. The President threatened to veto a previous bill that lacked privacy and civil liberties safeguards. A 2013 expert report set out 46 proposals for strengthening cyber security that the White House said it would adopt. EPIC supported these recommendations and has also recommended civilian leadership on cybersecurity.
- Senate Cybersecurity Information Sharing Bill Proposed » (Jun. 20, 2014) Senators Dianne Feinstein and Saxby Chambliss have proposed the Cybersecurity Information Sharing Act of 2014. The Senate bill is similar to the House Cyber Intelligence Sharing and Protection Act (CISPA), which was opposed by civil liberties organizations and would have been vetoed by the White House if enacted. Like CISPA, the Senate bill allows companies to monitor private communications on their networks and to disclose user activity to the government. The bill would also exempt companies from liability for monitoring communications or disclosing user information. However, the Senate bill makes some attempt to limit the collection of personally identifiable information. EPIC recently won a five-year court battle with the NSA and obtained National Security Presidential Directive 54. The directive was issued by President Bush in 2008 and is the foundational legal document for U.S. cybersecurity policies. The Presidential Directive reveals the government’s long-standing interest in enlisting private sector companies to monitor user activity. For more information, see EPIC: Cybersecurity.
- EPIC v. NSA: EPIC Obtains Presidential Directive for Cybersecurity » (Jun. 6, 2014) After almost five years, EPIC has obtained National Security Presidential Directive 54. The previously classified Presidential Directive contains the full text of the Comprehensive National Cybersecurity Initiative and "establishes United States policy, strategy, guidelines, and implementation actions to secure cyberspace." This Directive, which is the foundational legal document for all cybersecurity policies in the United States, evidences government efforts to enlist private sector companies, more broadly monitor Internet activity, and develop offensive cybersecurity capability. EPIC first sought public release of NSPD-54 with a Freedom of Information Act request, submitted to NSA in June 2009. After the agency failed to disclose the document, EPIC filed suit. When a federal district court ruled in 2013 that the Presidential Directive was not subject to the Freedom of Information Act, EPIC then filed an appeal with the DC Circuit Court of Appeals. The document has now been disclosed to EPIC. The case is EPIC v. NSA, a Freedom of Information Act lawsuit in D.C. Circuit Court. EPIC has several related FOIA cases with the NSA pending in federal court. For more information see EPIC - EPIC v. NSA (Cybersecurity Authority).
- New Documents Reveal Close Ties Between NSA and Tech Companies, PBS Special to Air » (May. 12, 2014) New e-mails obtained under the Freedom of Information Act reveal former NSA Director Keith Alexander's close communication with technology companies regarding emerging cybersecurity threats. The CEOs of Google, Apple, Microsoft, and other technology companies were invited to classified briefings as part of the "Enduring Security Framework," a government initiative focused on sharing "cyber threat information with the private sector." EPIC previously sued the NSA to obtain records about the agency's collaboration with Google on cybersecurity, following the China hack in January 2010. In that case, the NSA refused to confirm or deny the existence of any records responsive to EPIC's request. EPIC had previously urged Google to routinely encrypt cloud-based services. PBS Frontline begins a two-part special this week that explores NSA surveillance and the role of tech companies. For more information, see EPIC v. NSA: Google/NSA Relationship and EPIC: Cybersecurity.
- DHS Releases Cybersecurity Report, NSA Role Remains Murky » (Apr. 25, 2014) The Department of Homeland Security had published the first Privacy and Civil Liberties Assessment Report. The report examined several federal agencies, including the Department of Defense and the Office of the Director of National Intelligence, regarding cybersecurity activities. Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," requires the reports as well as the creation of a cybersecurity framework. Last year, EPIC recommended civilian control of domestic Cybersecurity and clarification of the NSA's involvement. The Privacy and Civil Liberties Assessment Report and the cybersecurity framework both fail to clarify the NSA's role in cybersecurity. For more information, see EPIC: Cybersecurity Privacy Practical Implications.
- EPIC v. NSA: EPIC Appeals Lower Court Decision on Presidential Directive » (Apr. 1, 2014) EPIC has filed its opening brief in EPIC v. NSA. EPIC is seeking to obtain NSPD-54, a Presidential Directive on cyber security that was widely circulated to federal agencies and senior policy advisors. EPIC submitted a Freedom of Information Act request to the NSA for NSPD-54 and several related documents. The NSA turned over some of the materials to EPIC but withheld the Directive. EPIC then sued the agency to force disclosure of the document but a court ruled sue sponte that the NSA did not have control over NSPD-54, and thus it was not an "agency record" subject to release. It was the first time a federal court had ruled that a Presidential Directive was not subject to FOIA. In the appeal, EPIC argued that the agency has the document and therefore bears the burden of proving it is not an "agency record." EPIC also pointed out that the lower court failed to apply the control test followed by other courts, and that the NSA itself never claimed that NSPD-54 was not an agency record. For more information, see EPIC: Presidential Directives and Cybersecurity and EPIC v. NSA: NSPD-54 Appeal.
- EPIC Accepts NSA's Settlement Offer, Receives Attorneys Fees » (Feb. 11, 2014) EPIC has accepted the NSA's offer to settle a Freedom of Information Act case EPIC v. NSA. EPIC sought both National Security Presidential Directive 54, a Presidential Directive setting out the scope of the NSA's authority over computer networks in the United States, as well as documents related to NSPD 54. EPIC received some of the documents as a result of the lawsuit, "substantially prevailing" under the FOIA, and prompting the NSA to make a settlement offer to EPIC. As a consequence, EPIC will receive attorneys fees from the NSA. EPIC is simultaneously appealing the lower court's determination that NSPD-54 is not an "agency record" subject to the FOIA. It was the first time a federal court has ruled that a Presidential Directive is not subject to the Freedom of Information Act. For the appeal, EPIC has already filed a Statement of the Issue, and the parties are waiting for the D.C. Circuit Court of Appeals to set a briefing schedule. For more information, see EPIC v. NSA - Cybersecurity Authority.
- EPIC Files Appeal, Challenging Secrecy of Presidential Directives » (Jan. 22, 2014) EPIC has filed a Statement of the Issue Presented with the D.C. Circuit Court of Appeals. EPIC is appealing a lower court decision that NSPD 54 -- a Presidential Directive setting out the scope of the NSA's authority over computer networks in the United States -- is not subject to disclosure under the Freedom of Information Act. EPIC sought the Presidential Directive, signed by President Bush in January 2008, from the National Security Agency after the White House disclosed the existence of the Directive but not the substance. After the agency failed to respond to EPIC's FOIA request, EPIC filed an administrative appeal, and then a lawsuit. The lower court ruled in EPIC v. NSA that the Presidential Directive is not subject to the FOIA because it was not under "the control" of the NSA. It was the first time a federal court has ruled that an Presidential Directive is not subject to the Freedom of Information Act. EPIC is now asking the Court of Appeals to determine, "Whether the district court erred in holding that a Presidential Directive in the possession of a federal agency is not an agency record subject to the FOIA." For more information, see EPIC v. NSA: Cybersecurity Authority.
- Federal Appeals Court Rules that Legal Policy Memos Can Be Withheld From the Public » (Jan. 3, 2014) The Court of Appeals for the D.C. Circuit has ruled that the FBI may withhold a memo prepared by the Office of Legal Counsel concerning the law governing "exigent letter" requests to telephone companies for call records. The decision affirmed an earlier opinion that the memo was privileged advice, and exempt from disclosure under the Freedom information Act. The Electronic Frontier Foundation argued that the memo was "working law" and not simply advice from government lawyers. However, the Court of Appeals found that the FBI had not itself adopted the advice of government lawyers. In a different case where the Department of State followed the guidance of Justice Department lawyers, EPIC filed a "friend" of the court brief in support of the New York Times and the ACLU and argued for the release of opinions of the Office of Legal Counsel. For more information, see EPIC v. NSA: Cybersecurity Authority and EPIC: New York Times v. DOJ.
- EPIC Appeals Secrecy of Presidential Cybersecurity Directive » (Dec. 17, 2013) EPIC has filed a notice of appeal with the D.C. Circuit Court of Appeals in EPIC v. NSA. In that case, EPIC sought NSPD 54, a presidential policy directive outlining the scope of the NSA's authority over computer networks in the United States. A federal district court ruled that the directive is not subject to the Freedom of Information Act because it was not under "the control" of the federal agencies and officials who received it. It is the only time a federal court has ruled that presidential directives in the possession of federal agencies are not subject to the FOIA. EPIC is appealing the decision. For more information, see EPIC v. NSA: Cybersecurity Authority
- EPIC Urges Clarification of NSA's Role in Cybersecurity » (Dec. 13, 2013) EPIC has submitted comments on the National Institute of Standards and Technology's cybersecurity policy proposal. Pursuant to an Executive Order, the federal agency is charged with defining a "cybersecurity framework" for the federal government. EPIC reiterated previous comments that emphasized civilian control, adherence to the Fair Information Practices, and compliance with the Privacy Act and Freedom of Information Act. In light of revelations that the National Security Agency's has weakened key security standards, EPIC urged NIST to clarify the NSA's involvement in the development of the federal policy. For more information, see EPIC: Cybersecurity Practical Implications and EPIC: EPIC v. NSA (Cybersecurity Authority).
- NIST Releases Cybersecurity Framework, Silent on NSA's Role » (Nov. 1, 2013) The National Institute for Standards and Technologies has released the Preliminary Cybersecurity Framework. Earlier this year, President Obama directed NIST to develop a Framework for Cybersecurity. In Executive Order 13636, the President said the NIST Framework should protect individual privacy and civil liberties. EPIC submitted comments to the NIST supporting the protections for civil liberties, recommending separate treatment for computer crimes and "cyberterrorism" and official acknowledgement of the 1992 OECD Security Guidelines. In September 2013, the Guardian, the New York Times, and ProPublica reported that the National Security Agency directed NIST to reduce a key security standard. NIST has not commented on any involvement that NSA had in the development of the Framework. For more information see EPIC: Cybersecurity Privacy Practical Implications.
- Classified NSA Cybersecurity Directive Sought by EPIC Establishes NSA Cyberattack Authority » (Jun. 8, 2013) Presidential Policy Directive 20 orders the creation of potential targets for Offensive Cyber Effects Operations by the NSA. According to the classified document, the "Government shall identify potential targets of national importance where [cyberattacks] can offer a favorable balance of effectiveness and risk . . ." The Directive was signed last October and EPIC immediately filed a Freedom of Information request seeking public release of the policy as it implicates the privacy of domestic communications. The NSA refused to release the Directive. The White House released a summary of the Directive, but failed to disclose information about the NSA's proposed cyberattacks. PPD-20 was made available to the public in a post to the Guardian by Glenn Greenwald. For more information, see EPIC: Presidential Directives and Cybersecurity, EPIC: EPIC v. NSA - Cybersecurity Authority and EPIC: Cybersecurity Privacy Practical Implications.
- DHS Releases Revised Privacy Impact Assessment on Internet Monitoring Program » (Apr. 24, 2013) The Department of Homeland Security has released a Privacy Impact Assessment for Einstein 3 - Accelerated. Einstein 3 is a government cybersecurity program that monitors Internet traffic. The monitoring includes scanning email destined for .gov networks for malicious attachments and URLs. According to DHS, the basis of the government’s authority to perform the monitoring is National Security Presidential Directive 54. EPIC is pursuing FOIA litigation to force the government to release the Directive to the public. For more information, see EPIC v. NSA - Cybersecurity Authority.
- EPIC FOIA Request Reveals Details About Government Cybersecurity Program » (Apr. 24, 2013) New documents obtained by EPIC in a Freedom of Information Act lawsuit reveal that the Department of Defense advised private industry on how to best circumvent federal wiretap law. The documents concern a collaboration between the Defense Department, the Department of Homeland Security, and private companies to allow government monitoring of private Internet networks. Though the program initially only applied to defense contractors, an Executive Order issued by the Obama administration earlier this year expanded it to include other "critical infrastructure" industries. The documents obtained by EPIC also cited NSPD 54 as one source of authority for the program. NSPD 54 is a presidential directive issued under President Bush that EPIC is pursuing in separate FOIA litigation. For more information, see EPIC: EPIC v. DHS (Defense Contractor Monitoring), and EPIC: EPIC v. NSA - Cybersecurity Authority.
- White House Releases Unclassified Summary of Presidential Cybersecurity Directive » (Apr. 19, 2013) The White House has released an unclassified summary of Presidential Policy Directive 20. The Policy Directive sets out the cybersecurity authority of the National Security Agency in the United States and has raised concerns about government surveillance of the Internet. The existence of the Directive was detailed in a story in the Washington Post in 2012, and EPIC immediately pursued the public release of the document. According to the White House, PPD-20 "established principles and processes for the use of cyber operations so that cyber tools are integrated with the full array of national security tools." EPIC is still pursuing the release of the full document. For more information see EPIC: Cybersecurity Privacy Practical Implications and EPIC: EPIC v. NSA (NSPD 54).
- White House Threatens to Veto CISPA Unless Privacy Protections Improved » (Apr. 16, 2013) In a Statement of Administration Policy, the White House threaten to veto the controversial Cyber Intelligence Sharing and Protection Act (CISPA) unless more robust privacy and civil liberties protections are added and newly authorized information sharing goes through a civilian agency. EPIC joined a letter signed by a coalition of privacy and civil liberty organizations to urge the House Permanent Select Committee on Intelligence to open the markup process for CISPA. The markup for CISPA remained closed, and currently as drafted, CISPA would allow companies to disclose vast amounts of customer and client information to other companies and the government, including the National Security Agency, for "cybersecurity purposes." EPIC favors government transparency and is currently pursuing a lawsuit against the NSA stemming from a FOIA request for National Security Presidential Directive 54, which grants the NSA broad authority over computer networks in the United States. For more information, see EPIC: EPIC v. NSA - Cybersecurity Authority.
- EPIC Comments on Federal Cybersecurity Framework » (Apr. 12, 2013) In response to a request for comments, EPIC submitted comments on the National Institute of Standards and Technology’s review to develop a cybersecurity framework. Pursuant to Executive Order 13636, the agency is charged with defining a cybersecurity framework for the federal government. EPIC supports civilian control of cybersecurity and privacy protections based on the Fair Information Practices. In the comments to NIST, EPIC emphasized the need for all federal agencies to comply with the Privacy Act and the Freedom of Information Act. For more information, see EPIC: Cybersecurity Practical Implications and EPIC: EPIC v. NSA (Cybersecurity Authority).
- EPIC Supports Public Mark Up for Controversial Cyber Security Bill » (Apr. 4, 2013) EPIC joined a letter signed by a coalition of privacy and civil liberty organizations to urge the House Permanent Select Committee on Intelligence to open the markup process of the Cyber Intelligence Sharing and Protection Act (CISPA) to the public. CISPA suspends privacy safeguards so that companies can disclose vast amounts of customer and client information to the government, including the National Security Agency, for "cybersecurity purposes." Some in Congress believe that the proposal should be adopted in a secret committee meeting. EPIC favors government transparency and is currently pursuing a lawsuit against the NSA stemming from a FOIA request for National Security Presidential Directive 54, which grants the NSA broad authority over computer networks in the United States. For more information, see EPIC: EPIC v. NSA - Cybersecurity Authority.
- White House Issues New Executive Order, Presidential Directive on Cybersecurity » (Feb. 13, 2013) In conjunction with the 2013 State of the Union, President Obama has signed a public Executive Order on cybersecurity and "critical infrastructure." The Order grants new powers to federal agencies to share cybersecurity information with private companies. Affected federal agencies will "conduct regular assessments of privacy and civil liberties impacts." The President also issued Presidential Policy Directive 21, which directs the Secretary of the Department of Homeland Security to take specific, discrete actions regarding cybersecurity practices. EPIC is currently pursuing a Freedom of Information Act request with the National Security Agency for Presidential Policy Directive 20, a secret directive that grants cybersecurity authority to the National Security Agency. For more information, see EPIC: Cybersecurity Privacy Practical Implications and EPIC: EPIC v. NSA (Cybersecurity Authority).
- Obama Talks Cybersecurity at 2013 State of the Union » (Feb. 13, 2013) At the 2013 State of the Union, President Obama announced an Executive Order that grants new authority to federal agencies to share information with private companies. President Obama further urged Congress to act to "pass legislation to give our government a greater capacity to secure our networks and deter attacks." A new Presidential Directive was also published today, directing the Secretary of the Department of Homeland Security to take specific, discrete actions regarding cybersecurity practices. EPIC is currently pursuing a Freedom of Information Act request with the National Security Agency for Presidential Policy Directive 20, a prior directive that grants additional, secret cybersecurity authority to the National Security Agency. For more information, see EPIC: Cybersecurity Privacy Practical Implications and EPIC: EPIC v. NSA (Cybersecurity Authority).
- EPIC Comments on Federal Cybersecurity Plan » (Dec. 20, 2012) In response to a request for comments, EPIC submitted comments on the Federal Cybersecurity Research and Development Strategic Plan. The cybersecurity strategic plan calls for a coordinated research strategy across federal agencies including the Department of Homeland Security and the National Security Agency. EPIC supported the call for privacy safeguards and anonymous web access, and recommended the further integration of genuine privacy-enhancing techniques. EPIC also emphasized the need for all federal agencies to comply with the Privacy Act and the Freedom of Information Act as the plan progresses. EPIC previously submitted comments to the Department of Defense regarding Cyber Security and Information Assurance Activities. For more information, see EPIC: Cybersecurity Privacy Practical Implications and EPIC: EPIC v. NSA - Cybersecurity Authority.
- UPDATED: EPIC Appeals NSA's Withholding of Cybersecurity Directive » (Nov. 27, 2012) EPIC has appealed a decision by the National Security Agency to deny EPIC's Freedom of Information Act Request for the public release of Presidential Policy Directive 20. The Policy Directive expands the NSA's cybersecurity authority and has raised concerns about government surveillance of the Internet. EPIC's FOIA appeal points to numerous substantive and procedural defects in the NSA's response, and highlights the importance of public discussion of cyber security authority. The NSA has ten days to respond to EPIC's appeal. For more information, see EPIC: Cybersecurity Privacy Practical Implications, EPIC: EPIC v. NSA - Cybersecurity Authority.
- NSA Withholds Cybersecurity Directive, EPIC to Appeal » (Nov. 20, 2012) The National Security Agency has responded to a Freedom of Information Act Request from EPIC, seeking the public release of Presidential Policy Directive 20. The Directive, first reported by the Washington Post, is believed to expand the NSA's cybersecurity authority. In response to EPIC, the NSA argued that the Agency does not have to release the document because it is a confidential presidential communication and it is classified by the NSA. EPIC is litigating similar claims against the NSA, including the release of NSPD 54, a 2008 presidential directive setting out the NSA’s cybersecurity authority. In an official statement to Congress earlier this year, EPIC explained that the NSA was a “black hole for public information about cybersecurity.” EPIC plans to appeal the NSA's determination. For more information, see EPIC: Cybersecurity Privacy Practical Implications, EPIC: EPIC v. NSA - Cybersecurity Authority.
- President Issues Secret Cybersecurity Directive, EPIC Seeks Public Release » (Nov. 14, 2012) Following a Washington Post report of a new cyber security directive, EPIC has filed a Freedom of Information Act request for the release of Presidential Policy Directive 20. The Directive is believed to expand cyber security authority for the National Security Agency. EPIC is pursuing several FOIA cases, including the release of NSPD-54, an earlier Directive that gave NSA authority to conduct surveillance within the United States. EPIC has also sought public release of the technical arrangement between the NSA and Google that was adopted in January 2010. Federal law prevents the National Security Agency, a component of the Department of Defense, from conducting operations within the United States. For more information, see EPIC: Cybersecurity Privacy Practical Implications, EPIC: EPIC v. NSA - Cybersecurity Authority, and EPIC v. NSA: Google / NSA Relationship.
- 2012 Democrat Platform Endorses Internet Privacy » (Sep. 4, 2012) The 2012 Democratic National Platform supports the administration’s Internet Privacy Bill of Rights to protect consumer privacy. Separate provisions in the platform call for privacy protections for broadband deployment, intellectual property enforcement, and cybersecurity laws; the Democratic platform opposes voter identification laws. However, the platform is silent on the Fourth Amendment, and retreats from the 2008 Democratic platform that opposed surveillance of individuals that were not suspected of a crime. In 2008, Candidate Obama promised to "strengthen the privacy protections for the digital age and to harness the power of technology to hold government and business accountable for violations of personal privacy.” The 2012 Republican Platform was released last week. The Libertarian and Green Party platforms are also available. For more information, see EPIC: Privacy and Consumer Profiling, EPIC: Voter Photo ID and Privacy, EPIC: National Security Letters, and EPIC: Cybersecurity Privacy Practical Implications.
- 2012 Republican Platform Addresses Privacy and Government Surveillance » (Aug. 29, 2012) The 2012 Republican Party Platform calls for strong Constitutional protections for privacy and new safeguards for personal data held by businesses. "We will ensure that personal data receives full constitutional protection from government overreach and that individuals retain the right to control the use of their data by third parties," the platform states. The platform also criticizes TSA screening procedures and calls for warrant requirements for most law enforcement-operated drones. However, other provisions endorse voter identification laws and increased disclosure of personal information to the government for cyber security. For more information, see EPIC: Privacy and Consumer Profiling, EPIC: Whole Body Imaging Technology and Body Scanners, EPIC: Unmanned Aerial Vehicles (UAVs) and Drones, EPIC: Voter Photo ID and Privacy, and EPIC: Cybersecurity Privacy Practical Implications.
- Franken Amendment Seeks to Protect Cybersecurity Privacy » (Jul. 30, 2012) The Senate is expected to consider the Cybersecurity Act of 2012 prior to the August recess. Unlike the Secure IT Act, the Cybersecurity Act would avoid the NSA takeover of the Internet. However, privacy concerns remain about the broad authority of Internet companies to monitoring Internet users and turn information to the government. An amendment sponsored by Senator Al Franken (D-Minn) would limit this surveillance. A provision that limits the disclosure of cybersecurity threat information remains in the Act. Earlier this year, EPIC recommended to the Senate that the Freedom of Information Act limitation be removed. For more information, see EPIC: Cybersecurity Privacy Practical Implications.
- EPIC Urges Privacy Safeguards for Defense Department Cybersecurity Program » (Jul. 11, 2012) EPIC has submitted comments to the Department of Defense, urging the agency to protect individual privacy when it obtains detailed information about Internet users from the private sector. Under current Department regulations, companies are encouraged to provide information about Internet users that may relate to "cyber incidents" and cyber "threats."This is similar to a controversial provision in Cyber Intelligence Information Protection Act ("CISPA"). EPIC recommended that the agency revise the regulations for the "Cyber Security and Information Assurance" program so that: (1) the program remain voluntary, (2) "cyber incident" and "threat" are narrowly defined, (3) liability is imposed on private companies for disclosing excess user information, (4) the Attorney General conduct annual audits, and (5) the agency adheres to federal privacy laws. EPIC also warned the agency to fully comply with the Freedom of Information Act, which has provided the public with important information about network security. For more information, see EPIC: Cybersecurity and EPIC: EPIC v. NSA (FOIA for NSA Cybersecurity Authority), and EPIC: EPIC v. NSA (FOIA for Google/NSA Relationship).
- Executive Order Grants Authority to Seize Private Communications Facilities » (Jul. 9, 2012) The White House has released a new Executive Order seeking to ensure the continuity of government communications during a national emergency. The Executive Order grants new powers to the Department of Homeland Security, including the ability to collect certain public communications information. Under the Executive Order the White House has also granted the Department the authority to seize private facilities when necessary, effectively shutting down or limiting civilian communications. In 2011, Congress considered similar provisions in cybersecurity legislation, which would have allowed the government to disconnect communications traffic in times of national security. Following public protest, congress abandoned the proposal. For more information, see EPIC: Cybersecurity Privacy Practical Implications.
- LinkedIn Breach Leads to 6.5 Million Stolen Passwords » (Jun. 7, 2012) The professional social network LinkedIn suffered a security breach that exposed the passwords of over 6 million users. A user on a Russian Web forum reported downloading 6 million LinkedIn passwords. LinkedIn later confirmed that some of the passwords corresponded to LinkedIn accounts, deactivated those passwords, and advised all users to update their passwords. EPIC testified about the growing problem of data breaches in 2011 before the House Financial Services Committee and the Senate Banking Committee. For more information, see EPIC: Cybersecurity and Privacy.
- Privacy Board Approved by Judiciary Committee, Vote Moves to Senate » (May. 17, 2012) The Senate Committee on the Judiciary has approved President Obama's five nominees for the Privacy and Civil Liberties Oversight Board. The Board is an independent entity charged with ensuring that fundamental rights are protected in the implementation of government programs, including cybersecurity. Originally convened in 2004, the five seats on the Board have remained vacant for the past five years. Senator Leahy, the Chairman of the Judiciary Committee, said, "When we worked to create this board, we did so to ensure that our fundamental rights and liberties would be preserved…The Senate should move quickly to confirm the nominees to the board so that they can get to their important work." For more information, see EPIC: 9/11 Commission Report and "The Sui Generis Privacy Agency: How the United States Institutionalized Privacy Oversight After 9-11."
- Flawed Cybersecurity Bill Passes House, Headed for Senate without Privacy, FOIA Safeguards » (Apr. 27, 2012) The House of Representatives passed the Cyber Intelligence Information Protection Act ("CISPA"), a cybersecurity bill that allows the government to obtain detailed information about Internet users from the private sector. The bill preempts established privacy protections in other federal laws and opens the door for increased surveillance of individuals in the United States. The bill also creates a new Freedom of Information Act exemption, which will reduce government transparency and accountability. Earlier this year, EPIC said in a statement to the Senate that the Freedom of Information Act provides the public important information about network security, and warned that the National Security Agency has become a “black hole” for public information about cybersecurity. For more information, see EPIC: Cybersecurity and EPIC: EPIC v. NSA (FOIA for NSA Cybersecurity Authority), and EPIC: EPIC v. NSA (FOIA for Google/NSA Relatioship).
- Coalition Urges Congress to Remove Cybersecurity FOIA Limitations » (Apr. 18, 2012) An open government coalition has asked House lawmakers to oppose provisions in "CISPA" that would cut off public access to information held by federal agencies. The Cyber Intelligence Sharing and Protection Act would allow the government to refuse to disclose broad swaths of information, otherwise subject to FOIA, that companies provide to the government. More than three dozen groups have signed the petition - including Openthegovernment.org, the Sunlight Foundation, Project On Government Oversight, and EFF. The groups have asserted that the legislation "constitutes a wholesale attack on public access to information under the Freedom of Information Act" and would impede the public's ability to evaluate whether the government is adequately combating cybersecurity threats. In a statement for a hearing on the FOIA and critical infrastructure information, EPIC also warned against new FOIA exemptions and said that the National Security Agency has become a "black hole" for public information about cybersecurity. For more information see EPIC: Cybersecurity, EPIC: EPIC v. NSA, Litigation Under the Federal Open Government Laws 2010.
- Open Government Groups Oppose Cyber Security FOIA Exemption » (Mar. 14, 2012) Open government organizations have sent a letter to Senator John McCain, opposing specific provisions in a cybersecurity bill he introduced. The SECURE IT Act would create a new Freedom of Information Act exemptions for "cyber threat information" as well as for all information shared with a cybersecurity center. FOIA exemptions limit public access to government information. The organizations stated, "Unnecessarily wide-ranging exemptions of this type have the potential to harm public safety and the national defense more than they enhance those interests." In a statement for a hearing on the FOIA and critical infrastructure information, EPIC also warned against new FOIA exemptions and said that the National Security Agency has become a "black hole" for public information about cybersecurity. For more information, see EPIC: Cybersecurity.
- EPIC Urges Senate to Safeguard FOIA for Cybersecurity » (Mar. 12, 2012) In a detailed statement to the Senate for a hearing on the "Freedom of Information Act: Safeguarding Critical Infrastructure and the Public's Right to Know," EPIC said that safeguarding FOIA was critical to ensure government oversight and accountability. EPIC described how the FOIA provides the public important information about safety and security, but also warned that the National Security Agency has become a "black hole" for public information about cyber security. EPIC described several NSA programs, including "Perfect Citizen," Internet wiretapping, and even the NSA's own legal authority which the agency has refused to release to the public. EPIC v. NSA, a challenge to the agency's "neither confirm nor deny" response to an EPIC FOIA request will be heard next week by the DC Circuit Court of Appeals. For more information, see EPIC: Cybersecurity.
- EPIC Warns Congress of Cybersecurity Risks to Consumers » (Sep. 14, 2011) EPIC Executive Director Marc Rotenberg testified today before the House Subcommittee on Financial Institutions and Consumer Credit. EPIC highlighted several recent high-profile data breaches, including those involving the digital security certificates used to authenticate websites, that have compromised the private data of thousands of consumers. Citing reports from the Privacy Rights Clearinghouse, EPIC's Rotenberg said "These attacks on financial institutions produce both direct and indirect costs for consumers who must contend with the risk of identity theft and financial fraud." EPIC previously testified before the Senate Banking Committee on cybersecurity in the financial sector and the growing threat to consumer data. For more information, see EPIC: Cybersecurity and Privacy. Webcast.
- Commerce Department Releases Cybersecurity Report, Seeks Comments » (Jun. 8, 2011) The U.S. Department of Commerce has released a green paper on "Cybersecurity, Innovation, and the Internet Economy." The paper is the latest deliverable published by Secretary Locke's Internet Policy Task Force, established in April 2010 as collaboration between technical, policy, trade, and legal experts. The Department’s goal is to provide voluntary standards and incentives for Internet stakeholders who fall outside of the scope of "critical infrastructure." The White House released draft cybersecurity legislation in May 2011 that would designate the Department of Homeland Security as the lead administrative agency for critical infrastructures. The Department of Commerce poses several questions in the green paper, and is encouraging stakeholders to submit comments, which are due in 45 days. For more information, see EPIC: Cybersecurity and Privacy.
- House Examines White House Cybersecurity Proposal » (May. 26, 2011) The House of Representatives has held two hearings on the White House legislative plan for cybersecurity. The House Oversight and House Judiciary Committees questioned government officials and members of private industry on the proposal. Committee members showed particular interest in provisions that pre-empted stronger state laws and those that offered immunity to private industry for complying with government requests for information on data breaches. Rep. Watt (D-NC) asked how the proposal was unlike the controversial telecom immunity contained in the Patriot Act. The White House proposal is part of a series of initiatives driven by the 2009 Cyberspace Policy Review. EPIC has called for cybersecurity legislation that strengthens security standards, requires encryption, promotes agency accountability, and safeguards personal data and privacy. For more information, see EPIC: Cybersecurity and Privacy and EPIC: National Strategy for Trusted Identities in Cyberspace.
- White Houses Releases International Cyberspace Plan » (May. 17, 2011) Following the release of proposed cyber security legislation last week, the White House today unveiled "International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World." The Strategy is ambitious and far-reaching, covering economic policy, foreign affairs, homeland security, and defense. The Strategy also emphasizes the need to safeguard fundamental freedom and privacy rights. To address growing concerns about online privacy, EPIC has recommended that the United States begin the process of ratifying the International Privacy Convention, which has been adopted by more than 40 countries. For more information see, EPIC - Privacy Convention.
- White House Sets Out Cyber Security Plan » (May. 13, 2011) The White House has announced a far-reaching legislative proposal for cyber security. The plan proposal would standardize data breach reporting requirements, clarify penalties for computer crime, and create a regulatory framework for critical infrastructure. However, the plan also enables greater data collection across the federal government and expanded electronic surveillance. EPIC has previously called for cyber security legislation that strengthens security standards, requires encryption, promotes agency accountability, and safeguards personal data and privacy. EPIC has several pending FOIA lawsuits concerning the Administration's cyber security programs, including the Google/NSA collaboration. For more information, see EPIC: Cybersecurity and Privacy.
- Senate Commerce Committee to Explore Internet Privacy, Airport Screening, Cybersecurity » (Jan. 21, 2011) Chairman Rockefeller's (D-WV) priorities for the Senate Commerce Committee in the new Congress will include consumer privacy, oversight of the Federal Trade Commission, airport screening, and cybersecurity, according a recent statement. Senator Rockefeller has specifically called for strong Internet privacy laws. "There are no baseline privacy protections for most consumer online activity," he stated. "Industry self-regulation has largely failed, and I hope that the Department of Commerce . . .will reach the conclusion that legislation is necessary to protect consumers." EPIC has testified previously before the Committee on the Childrens' Online Privacy Protection Act (COPPA), protecting consumers' phone records, and spam e-mail. For more information, see EPIC: Online Tracking and Behavioral Profiling and EPIC: Cybersecurity Privacy Practical Implications.
- EPIC, Joined by 13 Organizations, Sends Statement on NSTIC » (Oct. 1, 2010) EPIC, joined by the American Library Association, Liberty Coalition, Bill of Rights Defense Committee, and the Center for Media and Democracy, among others, sent a statement to the Department of Homeland Security responding to the Administration's call for comments regarding its National Strategy for Trusted Identities in Cyberspace Creating Options for Enhanced Online Security and Privacy (NSTIC) draft policy. The coalition's comments press the Administration for a clearer definition of the problems that the policy intends to solve. The coalition further advocates for the maintenance of a free and open Internet that protects the creative content of users, assures privacy, and creates accountability and oversight of government activity, especially as it relates to law enforcement and surveillance. For more, see EPIC's Cybersecurity and Privacy.
- EPIC Seeks Details on New Government Crypto Regulations » (Sep. 29, 2010) EPIC has sent Freedom of Information Act (FOIA) requests to the Department of Justice, the Federal Bureau of Investigation, and the National Security Agency for information about a proposal to expand Internet surveillance and deploy weakened security standards. The proposal would require Internet companies to develop network services to enable government access to private communications, including those on peer-to-peer networks. In 1996, the National Resource Council concluded that such technical standards make network communications more vulnerable to cyber attack. For more information, see EPIC: Cryptography Policy.
- DHS Privacy Office Releases 2010 Annual Report » (Sep. 24, 2010) The Department of Homeland Security has released the Privacy Office 2010 Annual Report. The Agency's Chief Privacy Officer must prepare an annual report to Congress that details activities of the Department that affect privacy, including complaints of privacy violations, and DHS compliance with the Privacy Act of 1974. This year’s report details the establishment of privacy officers within each component of the Agency. The report also provides updates on Fusion Centers, Cybersecurity, and Cloud Computing activities of the agency. For more information, see EPIC: DHS Privacy Office.
- EPIC FOIAs NSA for Details of "Perfect Citizen" » (Jul. 16, 2010) EPIC has filed a Freedom of Information Act request with the National Security Agency regarding the new secret cybersecurity program known as "Perfect Citizen." According to the Wall Street Journal, the program "would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack," although the agency has claimed that there "is no monitoring activity involved, and no sensors are employed in this endeavor" but has refused to release the details of the program. In its request, EPIC has sought contracts, memoranda, and other records relating to "Perfect Citizen." For more information, see EPIC Cybersecurity and Privacy.
- EPIC Testifies in Congress on Cybersecurity and Privacy » (Jul. 15, 2010) EPIC Executive Director Marc Rotenberg testified today before the House Committee on Science and Technology regarding Planning for the Future of Cyber Attack Attribution. In his prepared statement, Mr. Rotenberg discussed "the risks and limitations of a mandatory Internet ID that may be favored by some as a way to address the risk of cyber attack." He explained how such a proposal would implicate human rights and online freedom, and questioned the constitutionality of such a measure. EPIC recommended that efforts continue to focus on improving security standards, deploying encryption, and requiring federal agencies to remain transparent as they develop cyber security policies. For more information, see EPIC Cybersecurity and Privacy.
- Cybersecurity Legislation Moves Forward in Congress » (Jun. 25, 2010) The Senate Homeland Security Committee voted unanimously to report favorably the Protecting Cyberspace as a National Asset Act of 2010 to the Senate at a markup session (video) on June 24th. An earlier version of the bill was introduced on June 10th and a hearing (video) was held on June 15th. The bill would establish a National Center for Cybersecurity and Communications at the Department of Homeland Security. Critics' had said that the bill would also give the President an "internet kill switch" to take over private networks. Before committee passage, the bill was amended to include limitations on the proposed Presidential powers to declare a "cybersecurity emergency" and to better define what parts of critical infrastructure are covered by the bill. For more information, see EPIC Cybersecurity and Privacy.
- EPIC's Coney Leads Cybersecurity Panel at Computers, Freedom, Privacy Conference » (Jun. 18, 2010) EPIC Associate Director Lillie Coney leads a panel discussion today on "Cybersecurity Policy and the Role of .Orgs" at the annual conference on Computers, Freedom, and Privacy. The panel features top government decision makers and leading experts in cybersecurity. The panel will be cybercast June 18 at 2 pm ET. The discussion builds on a letter to White House Cyber Security Director Howard Schmidt, organized by EPIC and endorsed by 30 organizations, which states that US cybersecurity policy "must incorporate protections of our basic freedoms and constitutional rights." Ms. Coney will co-chair the 2011 CFP Conference, which will be held in Washington DC. For more information, see EPIC-Cybersecurity Privacy Practical Implications.
- Senate Committee Holds Hearing on Cybersecurity Bill » (Jun. 16, 2010) The Senate Homeland Security Committee held a first hearing on the recently introduced cybersecurity bill, the Protecting Cyberspace as a National Asset Act of 2010. The hearing (video) featured testimony from Philip Reitinger at the Department of Homeland Security, as well as several industry representatives. Many of the committee's questions focused on whether authority over civilian cybersecurity should be concentrated in the Department of Homeland Security or in the Department of Defense, a question on which EPIC has repeatedly sought information. For more information, see EPIC Cybersecurity and Privacy.
- New Cybersecurity Legislation Introduced » (Jun. 11, 2010) Senators Lieberman, Collins, and Carper of the Senate Homeland Security & Governmental Affairs Committee have introduced the Protecting Cyberspace as a National Asset Act of 2010. The bill would establish a White House Office of Cyberspace Policy and a National Center for Cybersecurity and Communications. The bill would allow the President to declare a "national cyber emergency" and implement emergency measures, although it would not allow these measures to set aside requirements of the Wiretap Act, the Electronic Communications Privacy Act, or the Foreign Intelligence Surveillance Act. The bill would also make certain changes to the Federal Information Security Management Act. The Committee released a summary of the bill. EPIC is currently seeking to make public the NSA's authority for cyber security. For more information, see EPIC Cybersecurity and Privacy.
- Coalition Letter Results in Meeting with White House Cybersecurity Coordinator » (May. 12, 2010) EPIC, joined by over 30 organizations, launched a campaign to obtain a meeting with Howard Schmidt, the White House Cybersecurity Coordinator. Groups joining the letter included the ACLU, American Library Association, Bill of Rights Defense Committee, Liberty Coalition, NAACP, OpenTheGovernment.org, and the Lawyers Committee for Civil Rights Under Law. The White House has agreed to the meeting, which follows Senate confirmation of Keith B. Alexander, director of the National Security Agency, to lead the U.S Cyber Command. Civil society organizations have expressed concern about the growing role of the NSA in cyber security. EPIC is currently in litigation with the NSA to obtain the secret policy for NSA surveillance authority. For more information, see EPIC Sues NSA to Force Disclosure of Cybersecurity Authority, and EPIC - Cybersecurity Privacy: Practical Implications.
- White House Issues Rules for Security Reporting » (Apr. 26, 2010) A new White House memo sets out the Federal Information Security Management Act of 2002 (FISMA) standards for federal agencies. All agencies must comply with the FISMA standard and report security practices for information under agency control. The standard also extends obligations to agency contractors. By November 15, 2010, all agencies must be capable of monitoring all information traffic on their networks; and make reports to CyberScope, a platform launched last year to provide a single government-wide security management tool for FISMA reports. The Memorandum included requirements to respond to breaches of personal information. Agency Inspectors General will provide oversight of agency FISMA compliance. For more information, see EPIC's Cybersecurity page.
- EPIC Demands Release of Classified Answers on Privacy and Internet Standards from Cyber Command Nominee » (Apr. 19, 2010) EPIC has filed a Freedom of Information Act (FOIA) request with the National Security Agency (NSA) seeking the "classified supplement" that Director Lt. Gen. Keith Alexander filed with his answers to questions from the Senate Armed Services Committee regarding his nomination to be the Commander of the newly formed United States Cyber Command. Several of Lt. Gen. Alexander's classified responses were to questions regarding the privacy of Americans' communications, and EPIC's request urges the Agency to make the full responses public. EPIC is currently in litigation with the NSA to obtain the secret policy for NSA surveillance authority. For more information, see EPIC Sues NSA to Force Disclosure of Cybersecurity Authority.
- Congress Considers Nomination of NSA Director to US Cyber Command, Concerns Remain » (Apr. 15, 2010) The Senate Armed Services Committee will hold a hearing on April 15, to consider the nomination NSA Director Lt. Gen Keith B. Alexander to be the Commander of the US Cyber Command. EPIC has expressed concern about the expanded authority of the NSA within the United States and has specifically requested the public release of NSPD-54, the secret Presidential Directive that allows the NSA to conduct electronic surveillance against US citizens within the United States, prior to the confirmation of Lt. Gen. Alexander. EPIC is seeking this and related document in a Freedom of Information Act lawsuit. For more information, see EPIC Sues NSA to Force Disclosure of Cyber Security Authority.
- Congressional Leaders Press Obama on Privacy Board » (Mar. 30, 2010) Chairman Bennie Thompson and twenty members of the House of Representatives sent a letter to President Obama seeking the immediate nomination of members to the Privacy and Civil Liberties Oversight Board. The Privacy Board was active during the Bush Administration, but the Obama administration has moved slowly to reconstitute the advisory body. No hearings have been held and no reports have been issued. The board is intended to provide advice on the civil liberty implications of programs that effect the rights of citizens, such as the use of Whole Body Scanners by the TSA, biometic identifiers, and cyber security policy.
- White House Publishes Outline of Cyber Security Policies » (Mar. 2, 2010) The White House announced today that it has made a description of the Comprehensive National Cybersecurity Initiative (CNCI) available online for public viewing. The12 CNCI initiatives cover a wide range of government activity, from cyber education to intrusion detection. However, the text of the underlying legal authority for cybersecurity still remains secret. EPIC has been involved in ongoing litigation regarding a Freedom of Information Act request for the text of the critical cybersecurity document NSPD 54 that President Bush signed in 2008. For more information, see EPIC: EPIC Sues NSA to Force Disclosure of Cyber Security Authority and EPIC: EPIC Seeks Records on Google-NSA Relationship.
- EPIC Statement to Congress on Google, NSA, and Cybersecurity » (Feb. 9, 2010) EPIC has submitted a statement for the record for a House Foreign Affairs Committee hearing on Google and U.S. Cyberspace Policy. EPIC's statement recommends investigation into the newly-announced partnership between Google and the National Security Agency and the public release of the secret document that grants the NSA broad surveillance authority in cyberspace. The EPIC statement also urges the Congressional Committee to support US ratification of the Council of Europe privacy convention. For more information, see EPIC Critical Infrastructure Protection, Experts' Letter to Secretary Clinton on the Council of Europe Convention.
- FCC Commits to Protecting Consumers in FY 2011 Performance Plan » (Feb. 4, 2010) The Federal Communications Commission (FCC) released its FY 2011 budget request and performance plan. The FCC requests funding for furthering cybersecurity, implementing the National Broadband Plan, revamping the FCC's data systems and processes, and modernizing the agency's communications tools and expertise. The FCC prioritizes implementation of the National Broadband Plan and protection of consumers in the agency's performance goals. Objectives with respect to consumers include addressing 100% of complaints filed with the Commission alleging violations of the Communications Act and taking appropriate action within 15 months, rigorously enforcing the Telephone Consumer Protection Act, and ensuring "through litigation where necessary, that consumers are protected from anticompetitive practices."
- EPIC Sues NSA to Force Disclosure of Cyber Security Authority » (Feb. 4, 2010) EPIC has filed a lawsuit against the National Security Agency and the National Security Council, seeking a key document governing national cybersecurity policy. The document, National Security Presidential Directive 54 grants the NSA broad authority over the security of American computer networks. The agencies violated the Freedom of Information Act by failing to make public the Directive and related records in response to EPIC's request. EPIC's suit asks a federal judge to require the release of the documents. Congress is currently debating cyber security policy. For more information, see EPIC FOIA Litigation, EPIC Critical Infrastructure Protection.
- New Cybersecurity Legislation Introduced in Congress » (Jul. 23, 2009) Senator Patrick Leahy (D-Vt) introduced The Personal Data Privacy and Security Act of 2009. The statute requires data brokers, business entities and federal agencies to create and implement data privacy and security practices. The bill requires data breach notification, enforces disclosure and accuracy requirements, and establishes an Office of Federal Identity Protection within the FTC. However, the bill preemepts stronger state privacy laws and fails to provide a right of private action for consumers. For more information, see EPIC Identity Theft, EPIC Personal Data and Privacy Protection, and EPIC Preemption Page.
EPIC is seeking the release of the “Complete ODNI Assessment” of the Russian interference with the 2016 U.S. Presidential election, a record in possession of the Office of the Director of National Intelligence (ODNI). The suit follows ODNI’s failure to make a timely decision regarding expedited processing EPIC’s FOIA request. This interference, by a foreign government in the democratic processes of the United States, is under investigation by the U.S. Intelligence community and is of widespread concern to the American public. The activities of the Russian government also pose a risk to democratic institutions in other countries.
During the 2016 election season, there were numerous cyberattacks on both the Democratic National Committee and the Republican National Committee. These cyberattacks resulted in the publication of e-mails from the DNC and fallout from the disclosures mired congressional candidates in accusations of scandal, and led to the resignation of a DNC leader. The New York Times reported that the RNC’s computer systems were also attacked. News outlets report that hackers attempted to penetrate the RNC’s computer network “using the same techniques that allowed them to infiltrate its Democratic counterpart.” “Once inside, [hackers] reportedly were able to access a trove of DNC opposition research on Mr. Trump, then a candidate.”
In October 2016, prior to the outcome of the election, the Obama administration accused the Russian government of perpetrating the attacks on the U.S. election process. “The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of emails from US persons and institutions,” said the Department of Homeland Security and Office of the Director of National Intelligence in a joint statement, which “intended to interfere with the US election process.” The DHS and ODNI concluded “We believe, based on the scope and sensitivity of these efforts, that only Russia's senior-most officials could have authorized these activities.”
The U.S. Intelligence Community recently reaffirmed in a Declassified ODNI Assessment that the Russian government was responsible for interference in the 2016 Presidential elections. In a January hearing before the Senate Armed Services Committee, former Director of National Intelligence James Clapper stated “We stand more resolutely on that statement.” At the same hearing, leaders from the intelligence community repeatedly affirmed their belief that Russians had interfered with the 2016 election and had compromised both major political parties.
Investigations undertaken by private security firms, independent from government agencies, indicate that the attacks on the 2016 U.S. Presidential election also threaten democratic institutions in other countries. The private cybersecurity firm hired by the DNC to investigate the hacks has published evidence pointing to the Russian military’s involvement. CrowdStrike “linked malware used in the DNC intrusion to malware used to hack and track an Android phone app used by the Ukrainian army in its battle against pro-Russia separatists in eastern Ukraine from late 2014 through 2016.” CrowdStrike co-founder Dmitri Alperovitch concluded, “we have high confidence” it was a unit of the GRU, Russia’s military intelligence agency.
President Obama ordered the ODNI in December of 2016 to prepare a a comprehensive intelligence report assessing Russian activities and intentions in recent U.S. elections. Yet, when the report was complete, the ODNI only released a limited, declassified version to the public.
Since the declassified version of the report was released, new facts indicating the depth of the Russian interference continue to emerge. On June 21, 2017, nearly eight months after election day, in an open hearing before the Senate Select Committee on Intelligence, NPPD’s Acting Deputy Under Secretary for Cybersecurity and Communications Jeanette Manfra confirmed for the first time that “election-related systems in 21 states were targeted” by Russian cyber actors during the 2016 election cycle. Nearly half of the United States were targets of Russian activities during the 2016 election cycle. Acting Deputy Under Secretary Manfra did not indicate which states were affected, and, when pressed, would not disclose the states from which data was exfiltrated. On September 13, 2017, Acting Secretary of Homeland Security Elain Duke issued a Binding Operational Directive to Federal Executive Branch departments and agencies to stop using software made by the Russian cybersecurity firm Kaspersky Lab. Facebook was forced to reveal to Congress over 3,000 Russia-linked political ads posted to the social media platform during the election cycle. And, finally, investigative reporting exposed that on social media "Russian trolls and automated bots not only promoted explicitly pro-Donald Trump messaging, but also used social media to sow social divisions in America by stoking disagreement and division around a plethora of controversial topics"
EPIC has filed this lawsuit to gain access to the Complete ODNI Assessment in order to provide as much information as possible to the extent of Russian interference. The Congress is in the midst of a critical debate about Russia and the 2016 Presidential Election. This debate continues to be of interest to the American people who should be concerned, not only about interference with the election, but about continuing interference with democratic institutions in the United States and around the world.
As EPIC notes in the Complaint that “There is an urgent need to make available to the public the Complete ODNI Assessment to fully assess the Russian interference with the 2016 Presidential election and to prevent future attacks on democratic institutions.”
EPIC has filed several Freedom of Information Act requests concerning Russian interference in the 2016 Presidential Election. The first is the request at issue in the case, and the other is a request for the full report on "Russian Activities and Intentions in Recent US Elections."
EPIC has also urged the Senate Armed Services Committee to pursue an investigation.
U.S. District Court for the District of Columbia (No. 17-163)
- Complaint (Feb. 10, 2017)
- Answer (Mar. 17, 2017)
- Briefing Schedule (April 4, 2017)
- Joint Status Report (May 17, 2017)
- Extension of Time (June 21, 2017)
- ODNI Motion for Summary Judgment (June 26, 2017)
- EPIC Cross Motion for Summary Judgment (July 25, 2017)
- Extension of Time (August 21, 2017)
- ODNI Opposition and Reply (August 22, 2017)
- EPIC Reply (Sept. 6, 2017)
- Memorandum Opinion (Dec. 18, 2017)
- EPIC v. FBI (Russian Hacking)
- EPIC Letter to Senate Armed Services Committee (Jan. 4, 2017)
- Honest Ads Act Introduced Oct. 19, 2017
- Summary: Honest Ads Act
- Report: FBI Fails to Promptly Notify Cybercrime Victims, Bank Info Security, April 3, 2019
- Judge Calls Strike One on Heavy FBI Redactions, Courthouse News Service, February 23, 2017
- EPIC notches win over FBI in FOIA fight, POLITICO, February 22, 2017
- Civil liberties group sues FBI to release Russia response, The Hill, January 19, 2017
- EPIC files FOIA suit over records of Russia hacking, Politico Pro, January 19, 2017
- FBI sued to release info on probe of Russia role in election, Washington Times, January 19, 2017
- Privacy Group Presses FBI On Russia's Election Hacking, Law360, January 19, 2017
- Transparency Group Sues for FBI Records on Russian Hacking, NextGov, January 19, 2017
- Federal intelligence agencies sued over Russian Interference in U.S., SC Magazine, December 28, 2016