EPIC Policy Project
EPIC provides expertise to shape strong privacy and open government laws at both the state and federal level. EPIC has testified in Congress, submitted statements to Congressional committees, and participated in hearings before the state legislatures on topics ranging from student privacy to drone surveillance.
Top News
- California Enacts Genetic Information Privacy Act: This week, Governor Gavin Newsom signed the California Genetic Information Privacy Act, which had been passed unanimously by the California Senate and Assembly in September. The Act requires direct-to-consumer genetic testing companies to provide consumers with certain information regarding the company’s policies and procedures for the collection, use, maintenance, and disclosure of genetic data, and to obtain a consumer’s express consent for collection, use, or disclosure of the consumer’s genetic data. The law imposes civil penalties for violations, enforced by the Attorney General, a district attorney, county counsel, city attorney, or city prosecutor. EPIC tracks state genetic privacy laws through its State Policy Project. (Oct. 8, 2021)
- House Committee Approves $1B to Create New Privacy Bureau at FTC: The House Energy and Commerce Committee today approved a $1 billion appropriation for the Federal Trade Commission to create and operate a new bureau focused on privacy, data security, identity theft, data abuses, and related matters. EPIC strongly supports the appropriation, but urges Congress to follow up this budget measure with comprehensive privacy legislation and create an independent data protection agency. "This increased funding for enforcement is a step in the right direction, but the increasing pervasiveness of technology in our lives and our economy necessitates an update to our privacy laws and a dedicated agency," said Caitriona Fitzgerald, EPIC's Deputy Director. "While the FTC helps to safeguard consumers and promote competition, it is not a data protection agency. Congress must follow up this budget measure with comprehensive baseline privacy legislation and the creation of an independent data protection agency. And the FTC should use these funds to promptly initiate a privacy rulemaking and go after unfair data practices and biased AI systems." EPIC has long advocated for the creation of a U.S. Data Protection Agency. (Sep. 14, 2021)
- Rep. Castor Introduces KIDS PRIVCY Act to Protect Children, Teens (Jul. 29, 2021)
Today, U.S. Rep. Kathy Castor (FL14) introduced an updated “Protecting the Information of our Vulnerable Children and Youth Act” or the “Kids PRIVCY Act” to strengthen the Children’s Online Privacy Protection Act (COPPA). "Representative Castor’s bill makes critical updates to our children's privacy laws to address the dangers of today’s technologies," said Caitriona Fitzgerald, Deputy Director, Electronic Privacy Information Center (EPIC). "Everyone deserves strong privacy protections online, but children and teens especially need to be protected from corporate surveillance and manipulative targeted advertising. The Kids PRIVCY Act prohibits behavioral ad targeting to children and teens and includes strong enforcement mechanisms to ensure that companies comply with the law. EPIC is proud to support this bill and encourages Congress to move this legislation forward in order to protect children and teens online."
- House Judiciary Considering Antitrust Reform Bills (Jun. 23, 2021)
The House Judiciary Committee is today holding a markup session on six bills aimed at disrupting the monopoly power of Big Tech. EPIC has long argued that market consolidation among online platforms threatens privacy. More than a decade ago, EPIC urged the FTC to block Google’s proposed acquisition of DoubleClick. EPIC said that the acquisition would enable Google to collect the personal information of billions of users and track their browsing activities across the web. EPIC correctly warned that this acquisition would accelerate Google’s dominance of the online advertising industry and diminish competition. The FTC ultimately allowed the merger to go forward. EPIC has since repeatedly warned the FTC that other mergers posed similar risks to consumer privacy and competition, including Facebook's acquisition of WhatsApp.
- BREAKING: Sen. Gillibrand Introduces U.S. Data Protection Agency Bill (Jun. 17, 2021)
Senator Kirsten Gillibrand (D-NY) has introduced the Data Protection Act of 2021 which would create an independent Data Protection Agency in the United States to safeguard the personal data of Americans. EPIC, many leading consumer and civil rights organizations, privacy experts, and scholars support Senator Gillibrand's non-partisan bill. "It’s time for America to catch up with the rest of the world and create a Data Protection Agency," said Caitriona Fitzgerald, EPIC Deputy Director. "Congress’ ongoing failure to modernize our privacy laws imposes enormous costs on individuals, communities, and American businesses alike. We need a new approach. Senator Gillibrand’s Data Protection Act creates an agency dedicated to safeguarding the personal data of individuals and ensuring that data practices are fair and non-discriminatory. The Data Protection Act is the game-changing proposal we need in order to ensure adequate oversight over what has become a massive sector of our economy and affects the daily lives of all Americans. EPIC urges Congress to enact the Data Protection Act." EPIC has long advocated for the creation of a U.S. Data Protection Agency, arguing that the Federal Trade Commission is an ineffective agency, lacking basic competence for privacy protection. [Bill text] [Sen. Gillibrand Press Release]
- Senator Markey Introduces Bill to Ban Face Surveillance (Jun. 15, 2021)
Senator Edward J. Markey (D-Mass.), along with Senators Merkley, Sanders, Warren, and Wyden, as well as Congresswomen Jayapal, Pressley, and Tlaib today introduced legislation to stop government use of biometric surveillance, including facial recognition tools. The Facial Recognition and Biometric Technology Moratorium Act prohibits the use of facial recognition and other biometric technologies by federal agencies, including Customs and Border Protection. "Facial recognition poses a significant threat to our democracy and privacy," said Caitriona Fitzgerald, Deputy Director, Electronic Privacy Information Center (EPIC). "Facial recognition technology has been shown time and time again to be biased, inaccurate, and disproportionately harmful to people of color. The Facial Recognition and Biometric Technology Moratorium Act of 2021 would effectively ban law enforcement use of this dangerous technology. EPIC is proud to support it.” EPIC leads a campaign to Ban Face Surveillance and through the Public Voice Coalition has gathered support from over 100 organizations and experts from more than 30 countries. Recently, in an open letter EPIC and a coalition of more than 175 civil society organizations and prominent individuals called for "an outright ban on uses of facial recognition and remote biometric recognition technologies that enable mass surveillance and discriminatory targeted surveillance."
- Florida House of Representatives Passes Florida Privacy Protection Act (Apr. 21, 2021)
The Florida House of Representatives today passed the Florida Privacy Protection Act, HB 969, on a 118-1 vote. The bill gives Floridians the right to know what information companies have collected about them, the right to delete and correct that information, the right to opt-out of the sale or sharing of their personal information, strong limits on the retention of their data, and additional protections for their children’s privacy. Critically, the bill would create robust enforcement mechanisms, including a private right of action, to ensure companies do not flout the law. EPIC and a coalition of privacy and consumer organizations had previously sent letters to Florida Governor Ron DeSantis, the Florida House Commerce Committee, and Florida's Senate Rules Committee urging them to preserve private rights of action in the bill. "The inclusion of a private right of action in HB 969 and SB 1734 is the most important tool the Legislature can give to Floridians to protect their privacy," the groups wrote. "The statutory damages set in privacy laws are not large in an individual case, but they can provide a powerful incentive in large cases and are necessary to ensure that privacy rights will be taken seriously and violations not tolerated. In the absence of a private right of action, there is a very real risk that companies will not comply with the law because they think it is unlikely that they would get caught or fined." The Senate Rules Committee removed the private right of action provisions from the Senate bill, but the Senate could restore the crucial enforcement provision on the floor this week.
- EPIC Urges Florida Lawmakers to Pass Strong Privacy Law (Apr. 14, 2021)
As the Florida Legislature considers pending privacy bills, HB 969 and SB 1734, EPIC is urging lawmakers to enact strong privacy protections for all Floridians. The House Commerce Committee is today hearing HB 969, which would give Floridians the right to know what information companies have collected about them, the right to delete and correct that information, the right to opt-out of the sale or sharing of their personal information, strong limits on the retention of their data, and additional protections for their children’s privacy. Critically, the bill would create robust enforcement mechanisms, including a private right of action, to ensure companies do not flout the law. In written testimony, EPIC urged committee members to further strengthen the bill to prohibit discriminatory uses of data, remove the "right to cure" provision, require data minimization, support global opt-out mechanisms, ban pay-for-privacy schemes, and provide enhanced safeguards for sensitive uses of data. EPIC had previously led a coalition of groups urging Florida lawmakers to preserve the private right of action in the bills.
- EPIC, Coalition Urge Florida Lawmakers to Preserve Private Right of Action (Apr. 5, 2021)
EPIC and a coalition of privacy and consumer organizations today sent letters to Florida Governor Ron DeSantis, the Florida House Commerce Committee, and Florida's Senate Rules Committee urging them to preserve private rights of action in two pending privacy bills, SB 1734 and HB 969. "The inclusion of a private right of action in HB 969 and SB 1734 is the most important tool the Legislature can give to Floridians to protect their privacy," the groups wrote. "The statutory damages set in privacy laws are not large in an individual case, but they can provide a powerful incentive in large cases and are necessary to ensure that privacy rights will be taken seriously and violations not tolerated. In the absence of a private right of action, there is a very real risk that companies will not comply with the law because they think it is unlikely that they would get caught or fined."
- California Bans "Dark Patterns" That Subvert CCPA's Opt-out Rights (Mar. 16, 2021)
California Attorney General Xavier Becerra has announced updated regulations under the California Consumer Privacy Act (CCPA) that ban so-called “dark patterns” that delay or obscure the process for opting out of the sale of personal information. Specifically, the regulations prohibit companies from burdening consumers with confusing language or unnecessary steps such as forcing them to click through multiple screens or listen to reasons why they shouldn’t opt out. "These protections ensure that consumers will not be confused or misled when seeking to exercise their data privacy rights," said Attorney General Becerra. Dark patterns "are design features used to deceive, steer, or manipulate users into behavior that is profitable for an online service, but often harmful to users or contrary to their intent." Last month, EPIC filed a complaint with the D.C. Attorney General alleging that Amazon unlawfully employs manipulative "dark patterns" in the Amazon Prime subscription cancellation process. Next month, the FTC plans a workshop on "Bringing Dark Patterns to Light."
- Virginia Governor Signs Consumer Data Protection Act (Mar. 3, 2021)
Virginia Governor Ralph Northam has signed the Virginia Consumer Data Protection Act into law. "It is good to see Virginia and other states taking action to protect the privacy of their residents. States have always played a key role in establishing privacy protections," EPIC Policy Director Caitriona Fitzgerald said. "But in 2021 we need a more comprehensive and proactive approach to privacy than what Virginia adopted. We need privacy laws in the United States that address current business practices and protect individuals from all forms of corporate surveillance, algorithmic unfairness, manipulative design, and discrimination. We need privacy laws that minimize the data collected about us and encourage innovation in privacy enhancing technologies. And we need robust enforcement of these rules to make sure that the underlying business practices actually change."
- EPIC to Maryland Legislators: Security Questions Need Upgrade (Feb. 9, 2021)
EPIC Interim Associate Director and Policy Director Caitriona Fitzgerald will testify today before the Maryland Senate Committee on Finance in support of stronger authentication methods to protect consumers. Senate Bill 185 requires financial institutions that choose to use security questions as an authentication method to provide customers with more than one security question option. EPIC noted that there are plenty of alternative authentication methods available today and that financial institutions truly should no longer be using basic security questions. "The requirement that your password contain one uppercase letter, one lowercase letter, one symbol, and one number is meaningless if all that is required to bypass that password is your pet’s name," EPIC told the Committee. But, EPIC said, if security questions are going to be used, institutions should ensure that multiple question options are given, and that users are permitted to answer the questions with randomly-generated password-like answers rather than factual, semantic answers.
- EPIC to Maryland Legislators: Enact Biometric Privacy Law (Jan. 27, 2021)
EPIC Senior Counsel Jeramie Scott testified today to Senate and House Committees of the Maryland General Assembly in support of legislation protecting biometric information privacy. HB218 and SB16 are modeled after the Illinois Biometric Information Privacy Act (BIPA). Passed in 2008, BIPA has been referred to as one of the most effective and important privacy laws in America. "Unlike a password or account number, a person’s biometrics cannot be changed if they are compromised," EPIC told the Committees. EPIC stressed the importance of strong enforcement measures in privacy laws, particularly a private right of action. EPIC also submitted a recent case study on the Illinois law written by EPIC Advisory Board member Woody Hartzog. EPIC previously filed an amicus brief in Rosenbach v. Six Flags, where the Illinois Supreme Court unanimously decided that consumers can sue companies that violate the state's biometric privacy law. [Watch the hearing]
- EPIC to Washington Legislature: Pass Commonsense AI Regulation (Jan. 20, 2021)
EPIC Equal Justice Works Fellow Ben Winters testified today before the Washington Legislature in support of a bill to establish transparency and accountability around state automated decision-making and ban certain dangerous applications of AI. Under SB5116, public and regularly updated algorithmic accountability reports of state uses of automated decision-making systems will be completed, AI-enabled profiling that produces significant legal effects will be prohibited, and other baseline protections will be enacted. EPIC has advocated for algorithmic transparency for several years, has issued calls to ban face surveillance, and tracks use of AI in the Criminal Justice System.
- Bipartisan Internet of Things Security Bill Passes Congress (Nov. 20, 2020)
Both branches of Congress have now passed a bill governing the security of the Internet of Things. The "Internet of Things Cybersecurity Improvement Act of 2019" sets baseline cybersecurity standards for IoT devices purchased by the federal government. The bipartisan measure is sponsored by Rep. Will Hurd (R-Texas) and Rep. Robin Kelly (D-Ill.) in the House and Sens. Mark Warner (D-VA) and Cory Gardner (R-CO) in the Senate. "While more and more products and even household appliances today have software functionality and internet connectivity, too few incorporate even basic safeguards and protections, posing a real risk to individual and national security," said Sen. Warner. The bill now heads to the President's desk for signature. EPIC recently told Congress that "the IoT network is the weak link in consumer products" and urged the establishment of mandatory privacy and security standards.
- EPIC, Coalition Release Data Protection Plan for Biden Administration (Nov. 10, 2020)
EPIC and a coalition of privacy, civil rights, and consumer organizations have released a policy framework for the Biden Administration to protect privacy and digital rights for all Americans. "Without laws that limit how companies can collect, use, and share personal data, we end up with an information and power asymmetry that harms consumers and society at large," the groups said. "Individual, group and societal interests are diminished, and our privacy and other basic rights and freedoms are at risk." The ten recommendations include: 1) recognizing privacy and surveillance as racial justice issues; 2) establishing algorithmic governance and accountability to advance fair and just data practices; 3) encouraging enactment of a baseline comprehensive federal privacy law; 4) establishing a U.S. Data Protection Agency; and 5) bringing consumer, privacy, and civil rights experts into key government positions.
- EPIC Publishes Analysis of California's Proposition 24 (Oct. 15, 2020)
EPIC has published an analysis of Proposition 24 in California, the California Privacy Rights Act. In 2018, the State of California enacted the California Consumer Privacy Act of 2018 ("CCPA"), the first comprehensive consumer privacy law enacted in the United States. This year, Californians will once again play a role in determining the direction of privacy law in the United States. A new ballot initiative, California Proposition 24: The California Privacy Rights Act of 2020, which will be on the November election ballot, would significantly change the CCPA. EPIC is not taking a position for or against Proposition 24, but provides this resource to help voters understand the initiative. EPIC has also published a resource to help California residents exercise their rights under the CCPA.
- House Judiciary Committee Reports on Competition in Digital Markets (Oct. 6, 2020)
The House Judiciary Committee has released its report following a years-long investigation of competition in digital markets. "[O]nline platforms’ dominance carries significant costs. It has diminished consumer choice, eroded innovation and entrepreneurship in the U.S. economy, weakened the vibrancy of the free and diverse press, and undermined Americans’ privacy," the Majority Staff report states. The Committee also found that the Federal Trade Commission had neglected to use the antitrust authorities granted to the agency by Congress. "In its first hundred years, the FTC promulgated only one rule defining an 'unfair method of competition,'" the report notes. EPIC had previously told the Committee that merger review must consider data protection. "The United States stands virtually alone in its unwillingness to address privacy as an increasingly important dimension of competition in the digital marketplace," EPIC said. The Committee report makes numerous recommendations, including "structural separations and prohibitions of certain dominant platforms from operating in adjacent lines of business."
- Facebook Integrates Instagram and Messenger (Oct. 1, 2020)
Facebook has announced the integration of Facebook Messenger and Instagram. Early last year, Facebook had released plans to integrate WhatsApp, Messenger, and Instagram, breaking the promises Facebook made when it acquired WhatsApp. After yesterday's announcement, Facebook declined to give a timeline for when WhatsApp integration would occur. In 2014, EPIC and the Center for Digital Democracy warned the FTC that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition. The FTC responded to EPIC and CDD and told Facebook and WhatsApp that "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the FTC Act and potentially the FTC's order against Facebook." The FTC letter noted that "hundreds of millions of users have entrusted their personal information to WhatsApp. The FTC staff continue to monitor the companies' practices to ensure that Facebook and WhatsApp honor the promises they have made to those users." Today, the House Judiciary Committee will hold a hearing on proposals to strengthen antitrust laws and restore competition. EPIC has told the Committee that merger review must consider data protection.
- EPIC to Senate Commerce: the U.S. Needs a Data Protection Agency (Sep. 22, 2020)
In a statement to the Senate Commerce Committee before a hearing on the need for federal privacy legislation, EPIC urged lawmakers to establish an independent U.S. Data Protection Agency. EPIC laid out the FTC's typical privacy playbook: consent decrees, infrequent penalties, and no meaningful changes in business practices. "The FTC does not have the motivation or the tools necessary to enforce meaningful privacy and data protection rights in 2020," EPIC said, pointing to settlements the FTC had reached with Facebook, Google, YouTube, Uber, and Equifax. EPIC also noted the FTC's failure to use its existing authority to regulate privacy, including its rulemaking authority under Section 5 to establish stronger data security standards. "If the FTC fails to use these authorities, then the Commission is not capable of protecting Americans’ privacy, and the Commission should no longer be trusted to do so," EPIC stated. EPIC urged the Committee to hold a hearing on and give a favorable report to S. 3300, the Data Protection Act filed by Senator Gillibrand, which creates an independent U.S. Data Protection Agency.
- Senate Republicans Introduce Weak 'SAFE DATA Act' (Sep. 18, 2020)
Senators Roger Wicker, John Thune, Marsha Blackburn, and Deb Fischer have introduced the “SAFE DATA Act,” which relies on an outdated notice-and-choice model that allows companies to diminish the rights of consumers and use personal data to benefit the company but not the individual. "Senator Wicker’s SAFE DATA Act allows companies to collect any personal data it pleases as long as it discloses it in its privacy policy,” said EPIC Policy Director Caitriona Fitzgerald. "And it prohibits states from adopting or enforcing any data privacy or data security laws. The SAFE DATA Act is very weak compared to Senator Gillibrand’s Data Protection Act, Senator Brown’s discussion draft, and the Online Privacy Act introduced in the House.” EPIC's recent report on federal privacy legislation, Grading on a Curve: Privacy Legislation in the 116th Congress, evaluates federal privacy bills. EPIC has called for comprehensive baseline federal legislation and the creation of a data protection agency.
- IoT Security Bill Passed in House of Representatives (Sep. 15, 2020)
The House of Representatives has passed a bill governing the security of the Internet of Things. The "Internet of Things Cybersecurity Improvement Act of 2019" sets baseline cybersecurity standards for IoT devices purchased by the federal government. The bipartisan measure is sponsored by Rep. Will Hurd (R-Texas) and Rep. Robin Kelly (D-Ill.). “The Internet of Things grows every single day, and, by the end of next year, it will include more than 20 billion devices. The result is an astounding, unimaginable amount of data—90% of the data in the entire world was created in the last two years. America needs to keep up with this incredible trend, and that means ensuring proper security and protections—the IoT Cybersecurity Improvement Act is a step in that direction,” said Hurd. The Senate Homeland Security Committee advanced a similar bill last year. EPIC recently told Congress that "the IoT network is the weak link in consumer products" and urged the establishment of mandatory privacy and security standards.
- Brazil's General Data Protection Law To Take Effect This Month (Sep. 1, 2020)
Brazil’s Lei Geral de Proteção de Dados (or LGPD), enacted in 2018, will go into effect this month. The LGPD is similar to the EU's General Data Protection Regulation, granting individual rights and placing obligations on companies processing personal data. The Brazilian law also creates a National Data Protection Authority. EPIC has long advocated for the enactment of comprehensive privacy legislation and the creation of a data protection agency. EPIC’s report Grading on a Curve: Privacy Legislation in the 116th Congress sets out the key elements of a modern privacy law.
- EPIC to Senate Commerce: Hold Hearing on Data Protection Agency Legislation (Aug. 4, 2020)
In a statement to the Senate Commerce Committee before a Federal Trade Commission oversight hearing, EPIC urged lawmakers to establish an independent U.S. Data Protection Agency. "When it comes to data protection, the FTC is not up to the task. It is time to establish an independent federal data protection agency in the United States," EPIC wrote. EPIC pointed to the FTC's failure to both stop mergers that threaten consumer privacy and enforce its own consent orders. EPIC urged the Committee to hold a hearing on and give a favorable report to S. 3300, the Data Protection Act filed by Senator Gillibrand, which creates an independent U.S. Data Protection Agency.
- Lawful Access to Encrypted Data Act Weakens Encryption, Undermines Public Safety (Jun. 24, 2020)
Senators Lindsey Graham, Tom Cotton, and Marsha Blackburn introduced the “Lawful Access to Encrypted Data Act” yesterday. The bill would make it illegal for manufacturers to build systems that cannot be accessed by law enforcement. EPIC strongly opposes this measure. “The Lawful Access To Encrypted Data Act will make it easier for bad actors to access people’s communications. You cannot build a backdoor that only law enforcement can access. That’s not how encryption works,” said Alan Butler, EPIC Interim Executive Director. EPIC recently told the Senate Judiciary Committee that "now is not the time to undermine the systems that we all rely upon to secure our data and communications." EPIC cited growing problems of data breach and cyber attack. EPIC led the effort in the United States in the 1990s to support strong encryption tools and played a key role in the development of the international framework for cryptography policy that favored the deployment of strong security measures to safeguard personal information. EPIC also filed an amicus brief in Apple v. FBI in support of encryption.
- Senate Amends FISA Reauthorization Bill, Sends Back to the House (May. 15, 2020)
The Senate voted today to pass an amended version of the USA FREEDOM Reauthorization Act of 2020, which was passed by the House in March. The bill would end the NSA’s bulk telephone metadata program and make further reforms to the Foreign Intelligence Surveillance Act. The Senate agreed this week to further amendments by Senators Lee and Leahy that expand FISA protections, but rejected amendments proposed by Senators Wyden and Daines that would have protected Americans’ internet browsing and search histories. The adopted Leahy/Lee amendment strengthens the role of “amici curiae,” who are independent, expert advisors to the Foreign Intelligence Surveillance Court, by increasing their access to information, their power to raise issues with the Court, and the number of cases they are appointed in. Since amendments were adopted, the bill now returns to the House of Representatives for consideration. Members of both parties have expressed support for reform of the controversial NSA surveillance program. EPIC closely tracks the use of FISA authority. EPIC has advocated for significant FISA reforms, and recently advised Congress to limit Section 702 surveillance and to allow Section 215 to expire.
- Public Health Emergency Privacy Act Introduced (May. 14, 2020)
Representatives Anna G. Eshoo (CA-18), Jan Schakowsky (IL-09), Suzan DelBene (WA-01), and U.S. Senators Richard Blumenthal (D-CT) and Mark Warner (D-VA) today introduced the Public Health Emergency Privacy Act. The bill would protect personal data collected in connection with COVID-19 from being used for non-public health purposes, and provides for both public and private enforcement. “The Public Health Emergency Privacy Act shows that privacy and public health are complementary goals. The bill requires companies to limit the collection of health data to only what is necessary for public health purposes, and crucially, holds companies accountable if they fail to do so,” said Caitriona Fitzgerald, EPIC Interim Associate Director and Policy Director.
- Senator Markey Says Contact Tracing Plans Must Protect Privacy (Apr. 22, 2020)
Senator Edward Markey [D-MA] has outlined nine key principles to guide federal leadership on coronavirus contact tracing in the United States. In a letter sent today to the White House Coronavirus Task Force, Senator Markey urged the administration to design and implement a comprehensive coronavirus contact tracing plan with key privacy safeguards. In a statement to the Senate and House Commerce Committees last week, EPIC said it is "essential that government agencies and private companies implement standards that safeguard privacy." EPIC's letter followed a proposal from Apple and Google for a contact tracing app to "combat the spread of the novel coronavirus." EPIC cited public health officials in support of data protection and human rights. For digital contact tracing techniques, EPIC recommended that "(1) participation should be lawful and voluntary; (2) there should be minimal collection of personally identifiable information; (3) the system should be robust, scalable, and provable; and (4) the system should only be operated during the pandemic emergency."
- Tech Companies Block Washington State Privacy Law (Mar. 13, 2020)
Last-minute lobbying by big tech companies blocked passage of the Washington Privacy Act. The state privacy law would have given consumers the right to access, correct and delete their personal data held by tech firms. EPIC and a broad coalition of privacy groups backed a comprehensive bill that would include, as privacy laws typically do, the right of consumers to bring legal action, but that was opposed by industry groups. The Washington legislature did pass a modest bill limiting the government use of facial recognition technology. EPIC has long supported federal baseline legislation and the creation of a data protection agency. EPIC has also called for a moratorium on face surveillance. The EPIC State Policy Project monitors privacy bills nationwide.
- EPIC, Coalition Recommend Changes to Pending Washington Privacy Law (Mar. 5, 2020)
EPIC along with a coalition of groups proposed changes to the Washington Privacy Act, a bill now pending in the Washington legislature. The Washington Privacy Act would give consumers the right to access, correct and delete personal data held by companies, and it would require companies to uphold privacy obligations, including transparency, purpose specification, data minimization, security, and nondiscrimination. But the bill lacks an effective mechanism for enforcement, permits the deployment of facial recognition, and contains many loopholes. EPIC and the coalition urged the Washington legislature to establish a private right of action, narrow the exemptions, make risk assessments publicly accessible, and remove the provisions permitting facial recognition. At the federal level, EPIC supports H.R. 4978, the Online Privacy Act, and S. 3300, to establish a US Data Protection Agency. EPIC has also called for a moratorium on face surveillance. The EPIC State Policy Project monitors privacy bills nationwide.
- BREAKING - Sen. Gillibrand Introduces U.S. Data Protection Agency Bill (Feb. 13, 2020)
Senator Kirsten Gillibrand (D-NY) has introduced S. 3300, The Data Protection Act of 2020 which would create an independent Data Protection Agency in the United States to safeguard the personal data of Americans. EPIC, many leading consumer and civil rights organizations, privacy experts, and scholars support Senator Gillibrand's non-partisan bill. "The US confronts a privacy crisis. Our personal data is under assault. Congress must establish a data protection agency. Senator Gillibrand has put forward a bold, ambitious proposal to safeguard the privacy of Americans," said Caitriona Fitzgerald, EPIC Policy Director. EPIC has long advocated for the creation of a U.S. Data Protection Agency, arguing that the Federal Trade Commission is an ineffective agency, lacking basic competence for privacy protection. EPIC's recent report, Grading on a Curve: Privacy Legislation in the 116th Congress sets out the key elements of a modern privacy law, including the creation of a Data Protection Agency. [Bill text] [EPIC PRESS RELEASE]
- EPIC to Maryland State Senate: Protect Drivers License Data (Jan. 28, 2020)
EPIC has written in support of Maryland Senate Bill 34, which would prohibit the scanning or swiping of identification cards and driver’s licenses. "The best defense against data breaches is not collecting and retaining personal data in the first place,” EPIC said in testimony to the Maryland State Senate Finance Committee. The bill is sponsored by Senator Cheryl Kagan and it passed the State Senate unanimously last session. EPIC previously warned of the risks of swiping identity documents in a report on the controversial REAL ID proposal - “REAL ID Implementation Review: Few Benefits, Staggering Costs." EPIC's State Policy Project tracks privacy developments at the state level.
- EPIC Backs Strong Implementation of California Privacy Law (Dec. 6, 2019)
In comments to the California Attorney General on proposed regulations to the California Consumer Privacy Act, EPIC backed provisions that would strengthen consumer protections and identified topics for future action, such as the creation of a data protection agency. EPIC's comments followed from its recent report on federal privacy legislation, Grading on a Curve: Privacy Legislation in the 116th Congress. EPIC has long supported state efforts to establish strong privacy safeguards, and opposed federal preemption. EPIC's State Policy Project provides expertise to the states to help shape effective privacy laws.
- Robust Privacy Bill Introduced in the Senate (Nov. 26, 2019)
Ranking Member Cantwell, and Senators Schatz, Klobuchar, and Markey have introduced the Consumer Online Privacy Rights Act, a strong framework for data protection. The bill is based on Fair Information Practices and includes a private right of action so individuals can enforce their rights. The Act would also establish new standards for algorithmic accountability. The bill follows a framework recently announced by Senate Democrats for data protection and privacy. "The Consumer Online Privacy Rights Act is outstanding. The bill gives consumers meaningful rights, holds companies accountable, and protects stronger state safeguards. With the addition of a data protection agency, the bill would establish a comprehensive approach for privacy protection for the U.S.,” EPIC Policy Director Caitriona Fitzgerald said in a statement. EPIC's legislative report graded the Consumer Online Privacy Rights Act an A-. The Senate Commerce Committee will hold a hearing on privacy legislation on December 4.
- EPIC Advises New York Senate on Privacy Legislation (Nov. 21, 2019)
EPIC has sent a statement to the New York State Senate recommending passage of legislation modeled on Fair Information Practices and creation of a Data Protection Agency. The NY Senate will hold a hearing this week on Senate Bill 5642, concerning oversight of personal data. EPIC's recent report, Grading on a Curve: Privacy Legislation in the 116th Congress sets out the key elements of a privacy law. "A strong state privacy law would establish an independent state-level Data Protection Agency with resources, technical expertise, rulemaking authority and effective enforcement powers," EPIC told the New York Senate. EPIC's State Policy Project tracks privacy developments at the state level.
- Senate Democrats Set Out Comprehensive Data Protection Framework (Nov. 18, 2019)
Top Senate Democrats today unveiled key goals for comprehensive federal data privacy legislation. The Democratic Senators' proposal calls for strong consumer rights, corporate accountability, effective enforcement, data minimization, and accountability for algorithmic decision making. The proposal would not preempt stronger state privacy laws. The proposal is backed by Senators Maria Cantwell, Dianne Feinstein, Sherrod Brown, and Patty Murray, and endorsed by Senators Ron Wyden, Richard Blumenthal, Brian Schatz, and Ed Markey, as well as Minority Leader Chuck Schumer. EPIC Policy Director Caitriona Fitzgerald called the new Senate proposal a game changer. "We are now on track for the adoption of comprehensive privacy legislation in the United States," she said. "The Senate should move forward this excellent proposal."
- Bill to Establish Data Protection Agency Introduced in Congress (Nov. 5, 2019)
Representatives Eshoo and Lofgren have introduced the Online Privacy Act, a comprehensive framework for data protection in the United States. The bill would establish a data protection agency, create meaningful privacy safeguards for consumers, and hold companies accountable for the collection and use of personal data. The bill is based on Fair Information Practices and includes a provision on algorithmic accountability. "The Online Privacy Act sets out strong rights for Internet users, promotes innovation, and establishes a data protection agency. This is the bill that Congress should enact,” EPIC Policy Director Caitriona Fitzgerald said in a statement. EPIC's legislative report graded the Online Privacy Act the #1 privacy bill in Congress.
- Senator Booker Introduces Legislation Banning Face Surveillance in Public Housing (Nov. 4, 2019)
Presidential Candidate Cory Booker has introduced the No Biometric Barriers to Housing Act, a bill to ban the use of facial recognition technology in public housing. “Facial recognition technology has been repeatedly shown to be incomplete and inaccurate, regularly targeting and misidentifying women and people of color. We need better safeguards and more research before we test this emerging technology on those who live in public housing and risk their privacy, safety, and peace of mind,” Senator Booker said. Congresswoman Yvette Clarke (D-NY) introduced similar legislation in the House in July. The House bill now has 10 cosponsors. EPIC recently testified before the Massachusetts Legislature in support of a moratorium on face surveillance. EPIC also organized a civil society declaration endorsed by over 80 organizations and 650 individuals to suspend the deployment of facial surveillance technology.
- EPIC to Massachusetts Legislature: Ban Facial Recognition (Oct. 22, 2019)
EPIC Policy Director Caitriona Fitzgerald will testify today before the Massachusetts Legislature in support of a bill to establish a moratorium on the use of facial recognition by state agencies. Under S. 1385 and H. 1538 the use of facial recognition technology by the state would be banned until privacy and security safeguards are in place. EPIC recommended eight principles that must be adhered to prior to deployment of facial recognition technology: 1) prohibition on mass surveillance; 2) provably non-discriminatory; 3) minimal retention; 4) transparency; 5) security; 6) monitoring for inappropriate uses; 7) accountability; and 8) independent auditing. EPIC noted the growing use of facial recognition technology in China and Hong Kong, as well as the bipartisan support for a facial recognition moratorium in Congress.
- EPIC Asks Senate Rules Committee to Investigate Tech Task Force’s Closed-Door Meetings (Aug. 1, 2019)
EPIC, the Center for Digital Democracy, and the Consumer Federation of America have written to the Senate Rules Committee regarding a closed-door meeting of a Senate “Tech Task Force.” The groups allege that the meeting violated the Senate Rules of Procedure for open meetings, public notice, and recording of Committee meetings. As EPIC and the groups explained, "the Senate Rules of Procedure establish a strong presumption that meetings of the Senate shall be open to the public." There are six narrow exceptions to this rule, none of which apply to the meeting of the “Judiciary Committee Tech Task Force” held on July 18, 2019 in the hearing room of the Senate Judiciary Committee. The meeting included four industry lobbyists, members of the Senate and their staff. The public and the press were not notified of the meeting, nor were they invited, nor was a record of the meeting created. EPIC, CDD, and CFA asked the Rules Committee to open an investigation and make a determination, and then instruct the Member to conduct meetings in accordance with the Senate Rules and Regulations. The groups said "Open meetings, public notice, and hearing records are central to the integrity of the United States Senate.” The groups wrote earlier to the Senator who organized the Tech Task Force, expressing support for the initiative but also urging her to establish a more "open, inclusive process."
- Voter Privacy Act Would Limit Targeting (Aug. 1, 2019)
Senator Dianne Feinstein (D-CA) has introduced the Voter Privacy Act, S. 2398, a bill to ensure privacy with respect to voter information. The Act would give voters basic rights regarding their personal data: right of access, right of notice, right of deletion, right to prohibit transfer, and the right to prohibit targeting. The Federal Election Commission would oversee enforcement of the Act. “Political candidates and campaigns shouldn’t be able to use private data to manipulate and mislead voters. This bill would help put an end to such actions,” Senator Feinstein said. The bill cites EPIC Advisory Board member Julie E. Cohen's forthcoming publication “Between Truth and Power,” quoting "today's networked information flows are optimized to produce what social psychologist Shoshana Zuboff calls instrumentarian power: They employ a radical behaviorist approach to human psychology to mobilize and reinforce patterns of motivation, cognition, and behavior that operate on automatic, near-instinctual levels and that may be manipulated instrumentally.” The Voter Privacy Act was referred to the Senate Rules Committee.
- Pew: States Battle Big Tech Over Data Privacy Laws (Jul. 31, 2019)
The Pew Charitable Trusts reports that of the 24 state legislatures that considered data privacy legislation in 2019, only a few have passed new laws. Last year, California passed the California Consumer Privacy Act of 2018, the most comprehensive consumer privacy state law ever enacted in the United States. This month, New York state passed the Stop Hacks and Improve Electronic Data Security, which imposes new obligations on businesses collecting personal data on New York residents. According to the National Conference on State Legislatures, more than 100 privacy bills are currently pending in the states. The EPIC State Policy Project monitors privacy bills nationwide.
- EPIC to Congress: Safety Commission Must Regulate Internet-connected Devices (Apr. 5, 2019)
In advance of a hearing on “Protecting Americans from Dangerous Products," EPIC wrote to the House Commerce Committee that the Consumer Product and Safety Commission must do more to protect consumers and ensure security of IoT devices. In recent comments to the CPSC, EPIC urged the agency to regulate Internet of Things devices, pointing to weak privacy and security safeguards. EPIC advised the Commission to require manufacturers to (1) minimize data collection, (2) conduct privacy impact assessments, and (3) implement Privacy Enhancing Techniques. EPIC told the House committee that “CPSC should establish mandatory privacy and security standards, and require certification to these standards before IoT devices are allowed into the market stream.”
- Utah Becomes First State to Require Warrant for Data Held by Third-parties (Apr. 1, 2019)
The State of Utah has become the first state in the nation to require law enforcement to obtain a warrant to obtain electronic data held by third parties such as wireless providers, email providers, search engines, or social media companies. House Bill 57, sponsored by State Representative Craig Hall (R) was signed by Governor Gary Herbert last week. Last year, the Supreme Court ruled in Carpenter v. United States that the Fourth Amendment protects location records generated by mobile phones. Recognizing that other types of data were in equal need of protections, Chief Justice John Roberts, writing for the Court, said "legislation is much preferable to the development of an entirely new body of Fourth Amendment case law." Utah took that advice and passed broad protections for essentially all data held by third-parties, with exceptions in emergency circumstances. EPIC filed an amicus brief in the Carpenter case, has recommended updates to the Electronic Communications Privacy Act, and recently proposed a comprehensive strategy for Congress to update federal law after the Carpenter decision.
- Idaho Enacts Law Requiring Transparency in Pre-Trial Risk Assessments (Mar. 28, 2019)
Idaho became the first state to pass a law specifically promoting transparency, accountability, and explainability in pre-trial risk assessment tools. Pre-trial risk assessments are algorithms that help inform sentencing and bail decisions for defendants. The law prevents a trade secrecy or IP defense, requires public availability of “all documents, data, records, and information used by the builder to build or validate the pretrial risk assessment tool,” and empowers defendants to review all calculations and data that went into their risk score. The law became effective on July 1, 2019. EPIC has consistently advocated for Algorithmic Transparency and urges jurisdictions to use the Universal Guidelines for Artificial Intelligence as a guideline for AI policy.
- EPIC Urges Senate to Strengthen US Privacy Laws for Cross Border Data Flows (Mar. 26, 2019)
EPIC sent a statement to a Senate committee on Foreign Relations regarding the nomination of Keith Krach to Under Secretary of State. Krach would serve as the US Privacy Shield Ombudsperson, a pivotal role concerning the transfer of personal data between the EU and the US. EPIC took no position on the nominee, but wrote to underscore the urgency of Congressional action to safeguard the privacy interests of Americans. EPIC explained that foreign governments are reluctant to permit the transfer of the personal data of their citizens to the U.S. due to the U.S.'s lax privacy laws. EPIC recommended Congress take three steps to update U.S. privacy law: (1) enact the comprehensive baseline privacy legislation, (2) establish an independent data protection agency, and (3) ratify the International Privacy Convention.
- EPIC to Senate Committee: Privacy Rules Can Help Level Playing Field for Small Business (Mar. 26, 2019)
In advance of a hearing on "Small Business Perspectives on a Federal Data Privacy Framework," EPIC has sent a statement to the Senate committee on consumer protection. EPIC said that over the last two decades, an absence of privacy regulation has led to a growing concentration of internet services. "Privacy rules could help level the playing field," EPIC said. EPIC also warned against preempting state laws, citing California's data breach legislation as an example. "A federal law that preempted California's ability to respond to new threats would have placed consumers and businesses at risk," EPIC said.
- Senator Blumenthal Calls on FTC to Unwind Big Tech Mergers (Mar. 7, 2019)
In a Senate Judiciary Committee hearing earlier this week, Senator Richard Blumenthal said that antitrust enforcers must consider unwinding anticompetitive mergers. “Over the past decade tech companies have in effect been given a free pass by antitrust regulators,” Senator Blumenthal said. "Facebook perhaps should never been allowed to acquire Instagram, Google to acquire DoubleClick. I have come to the conclusion that maybe post merger, some of these transactions should be challengeable, rarely done, but still challengeable, especially when the merger is approved on conditions that are then violated.” Earlier this year, EPIC joined a coalition of groups urging the FTC to unwind the Facebook-WhatsApp merger, citing promises the companies made at time of the merger.
- California AG Proposes Stronger Enforcement for State Privacy Law (Feb. 28, 2019)
The attorney general of California has unveiled legislation that would strengthen the California Consumer Privacy Act. The new bill would enable consumers to enforce their rights in court. The proposal comes as California seeks to implement the Consumer Privacy Act. In testimony for the US Congress, EPIC has explained that the “most effective way to improve data security is to establish a private right of action.” At present, there are hundreds, perhaps thousands, of substantial privacy complaints pending before the Federal Trade Commission. The EPIC State Policy Project monitors privacy bills nationwide.
- State Consumer Protection Report Highlights Privacy Cases (Feb. 12, 2019)
A recent report by the Center for State Enforcement of Antitrust and Consumer Protection Laws highlighted major privacy actions by state attorneys general, including New York's lawsuit against Apple for the FaceTime bug and California's settlement with Aetna for sending letters that revealed, through an oversized clear window, that the recipient was taking HIV-related medication. Several Attorneys General, including the DC attorney general, have sued Facebook over the Cambridge Analytica scandal. EPIC opposes federal preemption of state law, has defended the enforcement powers of state attorneys general, and established the EPIC State Policy Project to highlight model state privacy law.
- New Hampshire Voters Establish Constitutional Right to Informational Privacy (Nov. 8, 2018)
New Hampshire voters overwhelmingly approved a ballot measure that guarantees a constitutional right to information privacy in the state. The measure, which received 80% of the vote, amends Article 2 in the New Hampshire Bill of Rights providing that "an individual's right to live free from governmental intrusion in private or personal information is natural, essential, and inherent." New Hampshire joins a growing number of states with constitutional privacy protections. EPIC Advisory Board member David Flaherty has written about the development of constitutional privacy protections. EPIC regularly files amicus briefs supporting state privacy rights. In a recent amicus brief concerning the OPM data breach, EPIC argued that the right to information privacy exists in the federal Constitution.
- Consumer and Privacy Organizations Propose Framework for U.S. Data Protection (Oct. 9, 2018)
EPIC joined a group of twelve consumer and privacy organizations that submitted a statement to the Senate Commerce Committee in advance of a consumer privacy hearing. The groups outlined a draft framework for data protection in the U.S., advocating that Congress (1) enact baseline federal data protection legislation; (2) limit government access to personal data; (3) establish algorithmic transparency and end discriminatory profiling; (4) prohibit “take it or leave it” and other unfair terms; (5) ensure robust enforcement; (6) promote privacy innovation; and (7) establish a data protection agency. EPIC also submitted a statement to the Committee that highlighted recent breaches at Google and Facebook and the FTC's failure to enforce its own consent orders.
- California Bans Anonymous Bots, Regulates Internet of Things (Oct. 2, 2018)
California Governor Jerry Brown recently signed two modern privacy laws, including a first in the nation law governing the security of the Internet of Things. SB327 sets baseline security standards for IoT devices. EPIC recently submitted comments to the Consumer Product Safety Commission recommending similar action. Governor Brown also signed a bill banning anonymous bots. The law makes it illegal to use a bot, or automated account, to mislead California residents or communicate without disclosing the identity of the actual operator. EPIC President Marc Rotenberg had earlier proposed that Asimov's Laws of Robotics be updated to require that robots reveal the basis of their decisions (Algorithmic Transparency) and that robots reveal their actual identity.
- For House Hearing, EPIC Urges FTC to Unwind WhatsApp Deal, Enforce Facebook Consent Order (Jul. 17, 2018)
EPIC has sent a statement to the House Energy and Commerce Committee in advance of a hearing on “Oversight of the Federal Trade Commission.” EPIC told the Committee to urge the new FTC leadership to enforce the Facebook Consent Order and unwind the Facebook-WhatsApp merger. As EPIC previously told Congress, the Cambridge Analytica breach could have been avoided if the FTC had enforced its 2011 Consent Order against Facebook. That Order was the result of detailed complaints filed by EPIC and consumer privacy organizations in 2009 and 2010. In 2014, EPIC and the Center for Digital Democracy urged the FTC to block Facebook’s acquisition of WhatsApp unless appropriate privacy safeguards were put in place. In 2016, EPIC and CDD filed a second complaint after Facebook broke its privacy promises and began collecting WhatsApp users' data.
- California Passes Milestone Privacy Law (Jun. 28, 2018)
The State of California has enacted the California Consumer Privacy Act of 2018, the most comprehensive consumer privacy state law ever enacted in the United States. The Act will establish the right of residents of California to know what personal information about them is being collected; to know whether their information is sold or disclosed and to whom; to limit the sale of personal information to others; to access their information held by others; and to obtain equal service and price, even if they exercise their privacy rights. The Act will allow individuals to delete their data and it will establish opt-in consent for those under 16. The Consumer Privacy Act provides for enforcement by the Attorney General, a private right of action, and will establish a Consumer Privacy Fund to support the purposes of the Act. The California Consumer Privacy Act of 2018 follows a California ballot initiative that gathered over 600,000 signatures. After the Equifax data breach, EPIC testified in the U.S. Senate that comprehensive privacy legislation was long overdue. The EPIC State Policy Project also provides expertise to the states to help shape strong privacy laws.
- After Carpenter Decision, EPIC Calls on Congress to Update Federal Wiretap Law (Jun. 27, 2018)
In advance of a hearing on “Bolstering Data Privacy and Mobile Security” EPIC has told the House Science Committee that Congress should apply a heightened “super warrant” standard to "StingRays,” a technique for tracking cell phone users. After an EPIC FOIA lawsuit revealed that the FBI was using stingrays without a warrant, the Bureau changed its practices. EPIC filed amicus briefs in U.S. v. Jones and Carpenter v. U.S., two recent Supreme Court cases, arguing that a warrant is required to obtain location information. In a landmark ruling last week, the Supreme Court held that the Fourth Amendment protects location records generated by mobile phones. As a consequence, EPIC said, Congress should update federal privacy law.
- Amazon Echo Secretly Recorded And Disclosed User's Private Conversation (May. 24, 2018)
"Alexa" secretly recorded the private conversation of a Portland woman and sent it to one of her contacts, according to a news report. The Federal Wiretap Act makes it a crime to intentionally intercept a private communication. In 2015, EPIC urged the Federal Trade Commission and the Department of Justice to investigate whether "always on" smart home devices violated federal wiretap law. EPIC recently warned the Consumer Product Safety Commission that the Google Home Mini continuously records users' private conversations because of a product defect. And EPIC recently testified before the CPSC on the need to regulate privacy and security hazards posed by Internet of Things devices.
- EPIC Calls on FEC to Pass Stronger Transparency Rules for Political Ads (May. 24, 2018)
EPIC submitted comments on the Federal Election Commission's (FEC) proposed rules for political ads on the internet. The FEC proposed two alternative rules, one which would hold internet companies to the same standard as traditional media companies and one which would make exceptions for online ads. EPIC stated: "FEC rules should be technology-neutral and consistent across media platforms." EPIC also recommended that the FEC adopt algorithmic transparency rules, which would require advertisers to disclose the demographic factors behind targeted political ads, as well as the source and payment, and maintain a public directory of advertiser data. EPIC's Project on Democracy and Cybersecurity, established after the 2016 presidential election, seeks to safeguard democratic institutions from various forms of cyber attack.
- EPIC Testifies Before Safety Commission on IoT Privacy Hazards (May. 17, 2018)
EPIC testified before the Consumer Product Safety Commission at the hearing on "The Internet of Things and Consumer Product Hazards." EPIC International Law Counsel Sunny Kang urged the Commission to focus on privacy and security. EPIC's Kang told the Commission that "IoT is the weakest link to privacy and security vulnerabilities in consumer products." EPIC recommended baseline rules for IoT device manufacturers adopted by the UK government in a recent report on privacy and security for IoT devices. EPIC and a coalition of consumer groups previously urged the Commission to recall the Google Home Mini device which was designed to always record conversations.
- EPIC To Senate Judiciary: Privacy Is Integral to Democracy (May. 15, 2018)
In advance of a hearing on Cambridge Analytica and the Future of Data Privacy, EPIC has sent a statement to the Senate Judiciary Committee. EPIC said that "It has become increasingly clear that even as we are asked to give up our privacy, companies have become ever more secretive about how they profile and target voters." In 2014, EPIC challenged Facebook's manipulation of users' News Feeds for psychological research. "If Facebook used data manipulation to shape users' emotions, it can use data manipulation to shape voters' practices," EPIC told the Committee.
- EPIC Urges Congress to Require Algorithmic Transparency For Dominant Internet Firms (Apr. 25, 2018)
In advance of a hearing on Filtering Practices of Social Media Companies, EPIC has sent a statement to the House Judiciary Committee. EPIC said that "algorithmic transparency" could help establish fairness, transparency, and accountability for much of what users see online. In 2011, EPIC sent a letter to the FTC stating that Google's acquisition of YouTube led to a skewing of search results after Google substituted its secret "relevance" ranking for the original objective ranking, based on hits and ratings. The FTC took no action on EPIC's complaint. But last year, after a seven year investigation, the European Commission found that Google rigged search results to give preference to its own shopping service. The Commission required Google to change its algorithm to rank its own shopping comparison the same way it ranks its competitors.
- EPIC to Congress: Enhanced Surveillance at Border Will Impact Rights of U.S. Citizens (Apr. 24, 2018)
EPIC has sent a statement to the House Homeland Security Committee in advance of a hearing with the Commissioner of Customs and Border Protection. EPIC urged the Committee to ask the CBP Commissioner about the collection of biometric data at US airports. EPIC described the growing use of facial recognition that captures the images of US travelers. EPIC also pointed to a recent study that found racial disparities with the technique. EPIC is currently seeking records from the federal agency concerning the accuracy of facial recognition. EPIC also recommended the Committee examine how CBP will comply with state laws prohibiting warrantless aerial surveillance when deploying drones at the border. As a result of an earlier FOIA lawsuit, EPIC found that the CBP is deploying drones with facial recognition technology without warrant authority.
- EPIC to Senate: Weaknesses in Cybersecurity Threaten Both Consumers and Democratic Institutions (Apr. 24, 2018)
EPIC submitted a statement to the Senate Homeland Security Committee in advance of a hearing on "Cyber Threats Facing America." Last year, the White House National Security Strategy report set out the administration's goals for global policy. EPIC supports several of the goals in the National Strategy report, including enhanced cybersecurity, support for democratic institutions, and protection of human rights. EPIC wrote to the Senate Committee to seek assurances that those goals will remain priorities for this administration. Quoting former world chess champion Garry Kasparov, EPIC also said "perhaps it is a firewall and not a border wall that the United States needs to safeguard our national interests at this moment in time."
- EPIC Obtains Partial Release of 2017 Facebook Audit (Apr. 20, 2018)
EPIC has obtained a redacted version of the 2017 Facebook Assessment required by the 2012 Federal Trade Commission Consent Order. The Order required Facebook to conduct biennial assessments from a third-party auditor of Facebook's privacy and security practices. In March, EPIC filed a Freedom of Information Act request for the 2013, 2015, and 2017 Facebook Assessments as well as related records. The 2017 Facebook Assessment, prepared by PwC, stated that "Facebook's privacy controls were operating with sufficient effectiveness" to protect the privacy of users. This assessment was prepared after Cambridge Analytica harvested the personal data of 87 million Facebook users. In a statement to Congress for the Facebook hearings last week, EPIC noted that FTC Commissioners represented that the Consent Order protected the privacy of hundreds of millions of Facebook users in the United States and Europe.
- EPIC Tells House Committee: Require Transparency for Government Use of AI (Apr. 19, 2018)
In advance of a hearing on "Game Changers: Artificial Intelligence Part III, Artificial Intelligence and Public Policy," EPIC told the House Oversight Committee that Congress must implement oversight mechanisms for the use of AI by federal agencies. EPIC said that Congress should require algorithmic transparency, particularly for government systems that involve the processing of personal data. EPIC also said that Congress should amend the E-Government Act to require disclosure of the logic of algorithms that profile individuals. EPIC made similar comments to the UK Privacy Commissioner on issues facing the EU under the GDPR. A recent GAO report explored challenges with AI, including the risk that machine-learning algorithms may not comply with legal requirements or ethical norms. EPIC has pursued several criminal justice FOIA cases, and FTC consumer complaints to promote transparency and accountability. In 2015, EPIC launched an international campaign for Algorithmic Transparency.
- EPIC Supports Additional Regulation of Robocalls (Apr. 17, 2018)
In advance of a hearing on "Abusive Robocalls and How We Can Stop Them" EPIC recommended reforms that would combat fraud while protecting privacy. EPIC supports regulations that would (1) allow phone providers to proactively block numbers that are unassigned, unallocated, or invalid; (2) block invalid numbers without requiring consumer consent; (3) provide strong security measures for any database of blocked numbers; and (4) prohibit spoofing with the intent to defraud or cause harm. EPIC played a leading role in the creation of the Telephone Consumer Protection Act and continues to defend the Act.
- EPIC Tells Congress to Consider Census Privacy Risks (Apr. 17, 2018)
In advance of a hearing on the Census Bureau, EPIC told Congress to consider the privacy issues arising from potential misuse of Census data. After the Department of Commerce announced that the 2020 Census will include a question on citizenship status, many have expressed concerns about the confidentiality of the data collected. EPIC told Representatives: "your committee should ensure that the data collected by the federal government is not misused." The census raises significant privacy risks and has been used to discriminate. EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to the Department of Homeland Security after 9-11. As a consequence, the Census Bureau revised its policy on sharing statistical information about "sensitive populations" with law enforcement or intelligence agencies. Customs and Border Protection also changed its policy on requesting "information of a sensitive nature from the Census Bureau."
- EPIC Sues ICE Over Technology Used to Conduct Warrantless Searches of Mobile Devices (Apr. 9, 2018)
EPIC has filed a Freedom of Information Act lawsuit against Immigration and Customs Enforcement for details of the agency's use of mobile forensic technology to conduct warrantless searches of mobile devices. ICE has contracts with a company called Cellebrite for techniques to unlock, decrypt, and extract data from mobile devices, including personal data stored in cloud-based accounts. Privacy complaints regarding the search of mobile devices at the border continue to increase. In a statement to Congress last year, EPIC warned that enhanced surveillance at the border will impact the rights of U.S. citizens. Senator Patrick Leahy (D-VT) and Senator Steve Daines (R-MT) have introduced legislation to place restrictions on searches and seizures of electronic devices at the border.
- EPIC Urges Senate to Focus on FTC Consent Order with Facebook (Apr. 9, 2018)
In advance of a joint hearing about Facebook's failure to protect the personal data of users, EPIC has sent a comprehensive statement to the Senate Committee on the Judiciary and the Senate Committee on Commerce. EPIC is urging the Senators to focus on the 2011 Consent Order between Facebook and the Federal Trade Commission. In 2009, EPIC and a coalition of consumer groups presented the FTC with a complaint, containing detailed evidence, legal theories, and proposed remedies to address growing concerns about Facebook. The FTC adopted a Consent Order in 2011, based on EPIC's Complaint, but failed to enforce the Order even after EPIC sued the agency in a related matter. In numerous comments to the FTC, EPIC and others urged the FTC to enforce its consent order. In the statement to the Senate this week, EPIC contends that the Cambridge Analytica debacle could have been prevented if the FTC had enforced the Order.
- EPIC, Consumer Groups to Urge Federal Trade Commission to Investigate Facebook's Use of Facial Recognition (Apr. 5, 2018)
EPIC and a coalition of consumer groups will file a complaint with the FTC on Friday charging that Facebook's use of facial recognition techniques threatens user privacy and violates the 2011 Consent Order with the Commission. "The scanning of facial images without express, affirmative consent is unlawful and must be enjoined," the groups wrote. Last week the organizations urged the Federal Trade Commission to reopen the 2009 investigation of Facebook, arguing that the disclosure of user data to Cambridge Analytica violated the consent order, and noting that the order also prohibited Facebook from "making misrepresentations about the privacy or security of consumers' personal information." The FTC has confirmed that an investigation is now underway. The FTC said, "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements." Facebook CEO Mark Zuckerberg will testify next week before the Senate Judiciary Committee and the House Commerce Committee. In 2011 EPIC urged the FTC to investigate Facebook's facial recognition practices. In 2012 EPIC advised the FTC "Commercial actors should not deploy facial techniques until adequate safeguards are established. As such safeguards have not yet been established, EPIC would recommend a moratorium on the commercial deployment of these techniques."
- EPIC Tells House to Probe Commerce Secretary on Data Protection, Privacy Shield (Mar. 20, 2018)
EPIC has sent a statement to the House Appropriations Committee outlining the key privacy issues facing the Secretary of Commerce. The Committee held a hearing today to discuss the FY19 budget for the Department of Commerce. EPIC stated that data protection may be "the most important issue that the Secretary of Commerce will confront over the next several years." EPIC said the FTC is simply not doing enough to safeguard the personal data of American consumers, as evidenced by this week's report on Facebook and Cambridge Analytica. EPIC also warned that Europe may suspend the Privacy Shield, a framework that permits the flow of European consumers' personal data to the U.S., if the United States does not modernize privacy law and establish a federal data protection agency.
- SEC Issues Guidance on Cybersecurity Disclosures (Mar. 5, 2018)
The Securities and Exchange Commission has released guidance for cybersecurity risks and incidents. The SEC stated that "in light of the increasing significance of cybersecurity incidents," it is "critical" for companies to routinely report cybersecurity threats. The Commission also emphasized that corporate officers must not trade on nonpublic information. Equifax waited six weeks to notify the public of its data breach, and its executives were accused of insider trading after it was revealed that they sold Equifax stock prior to informing the public of the breach. EPIC has long advocated for mandatory breach notification. EPIC President Marc Rotenberg recently testified on data security and breach notification before the House and Senate, explaining that companies' failure to protect data threatens not only consumers but also national security.
- Rep. Lieu Introduces Two Consumer Data Protection Bills (Mar. 1, 2018)
Today Rep. Lieu (D-CA) introduced two bills to safeguard consumer data: the "Protecting Consumer Information Act of 2018" and the "Ending Forced Arbitration for Victims of Data Breaches Act." The first bill will expand the Federal Trade Commission's enforcement authority over credit reporting agencies, while allowing state attorneys general to also bring enforcement actions. The second bill will prohibit entities from enforcing mandatory arbitration clauses—which prohibit consumers from filing lawsuits—in data breach cases. In a press release announcing the legislation, Rep. Lieu said, "these bills forge a path forward that can both prevent future breaches and ensure victims can seek due process when they occur." Rep. Lieu's announcement came the same day that Equifax disclosed an additional 2.4 million people were impacted by last year's data breach, bringing the total to approximately 148 million people. EPIC President Marc Rotenberg recently testified before Congress to call for comprehensive privacy legislation and the creation of a federal data protection agency.
- FTC Report - ID Theft Complaints Rank High (Mar. 1, 2018)
Identity theft ranked second among all complaints submitted to the Federal Trade Commission in 2017. Although the total number of complaints dropped, consumers reported losing $63 million more to identity theft and fraud in 2017 than in 2016. EPIC has warned that "the FTC's failure to act against the growing threats to consumer privacy and security could be catastrophic." 2017 marked a record year for data breaches. EPIC urged the FTC to enforce data security standards as part of its 10 recommendations for the FTC's five-year strategic plan. EPIC President Marc Rotenberg also testified before the Senate and the House following the Equifax breach, calling for comprehensive data protection legislation.
- EPIC Urges Congress to Suspend Facial Recognition At US Airports (Feb. 26, 2018)
EPIC has sent a statement to the House Homeland Security Committee in advance of a hearing on the Transportation Security Administration. EPIC urged the Committee to limit the collection of biometric data at US airports. EPIC described the growing use of facial recognition that captures the images of US travelers. EPIC also pointed to a recent study that found racial disparities with the technique. EPIC previously pursued a significant lawsuit against the TSA that led to the removal of x-ray body scanners from US airports. EPIC is currently seeking records from Customs and Border Protection concerning the accuracy of facial recognition.
- EPIC Advises Congress on Uber Data Breach, Bug Bounties (Feb. 5, 2018)
EPIC submitted a statement to the Senate in advance of a hearing to examine the October 2016 Uber breach and the value of bug bounty programs. Last fall, Uber admitted that hackers stole the data of 57 million Uber customers and drivers and that the company paid the hackers $100,000 to delete the data. This has raised legal questions about Uber's failure to notify those affected by the breach and about "bug bounty" programs, where companies pay hackers that bring vulnerabilities to their attention. EPIC explained to the Senate that, "bug bounty programs do not excuse non-compliance with data breach notification laws." EPIC's 2015 complaint with the FTC regarding Uber's abuse of personal data led to an FTC settlement in August, 2017. EPIC has also proposed a privacy law for Uber and other similar transportation companies.
- Senators Urge FTC to Investigate Companies Selling Social Media Influence (Feb. 1, 2018)
Senators Jerry Moran (R-KS) and Richard Blumenthal (D-CT) wrote Federal Trade Commission Acting Chair Maureen Ohlhausen to urge the FTC to investigate companies that use fraudulent automated accounts to influence social media. The techniques, known as "amplification bots," follow, retweet, and like social media content to boost a client's visibility. The Senators' letter follows a recent New York Times report on Devumi, a company engaged in such practices. Devumi's bots often steal identities, using the photos and personal information of real people, some of whom are minors. The Senators called these practices a "unique kind of social identity theft" that "have the effect of distorting the online marketplace and creating a false sense of celebrity, credibility, or importance in people, companies, or institutions that may not deserve it." The practice also violates state privacy laws concerning "the right of publicity," which EPIC has defended.
- EPIC Advises Congress to Protect Student Privacy in Evidence-Based Policymaking (Jan. 30, 2018)
In advance of a hearing on "Protecting Privacy, Promoting Policy: Evidence-Based Policymaking and the Future of Education," EPIC wrote a statement to the House committee, expressing support for both evidence-based policy and student privacy. EPIC explained that privacy enhancing technologies are necessary to protect student data, because even where data has been de-identified it may still be possible to extract personal data. In 2014 EPIC urged Congress to adopt the Student Privacy Bill of Rights to safeguard student privacy. EPIC also testified before the Commission on Evidence-Based Policymaking, and recommended innovative privacy techniques to protect personal data that also enable informed public policy decisions.
- Senate Holds Hearing on National Security Strategy (Jan. 24, 2018)
EPIC submitted a statement to the Senate Armed Services Committee in advance of a hearing on "Global Challenges and U.S. National Security Strategy." Last year, the White House released a National Security Strategy report that laid out the administration's goals. EPIC supports many of the goals stated in the report, including enhanced cybersecurity, support for democratic institutions, and protection of human rights. EPIC wrote to the committee to seek assurances that those goals will remain priorities for this administration. EPIC also said "perhaps it is a firewall and not a border wall that the United States needs to safeguard our national interests at this moment in time."
- EPIC Warns Senate of Dangers of Connected Cars (Jan. 24, 2018)
In advance of a hearing on self-driving cars, EPIC submitted a statement to the Senate on the privacy and security risks of autonomous vehicles. Researchers have been able to hack connected cars, and the vehicles have caused several accidents. EPIC told the Senate that industry self-regulation has not been effective and that "national minimum standards for safety and privacy are needed to ensure the safe deployment of connected vehicles." EPIC has worked extensively on the privacy and data security implications of connected cars, having testified on "The Internet of Cars" and submitted numerous comments to the National Highway and Transportation Safety Agency. In a recent amicus brief to the Supreme Court, EPIC underscored the privacy risks of modern vehicles, which collect vast troves of personal data.
- EPIC Urges Senate to Seek Assurances from DHS on Privacy of Voter Data (Jan. 15, 2018)
EPIC sent a statement to the Senate Judiciary Committee in advance of a DHS Oversight Hearing, to seek assurances that "the DHS will not continue the activities of the Presidential Advisory Commission on Election Integrity." After the Commission was disbanded in the wake of EPIC’s lawsuit, the former Vice Chair told reporters that he intended to continue the work of the Commission at the DHS. But EPIC told the Senate committee that the Commission has no authority to transfer the voter data and warned that the DHS would be subject to federal lawsuits if it assembled a database of voter information. EPIC also urged the Senate to confirm that the personal data provided by DACA applicants will not be misused by DHS, and that DHS biometric programs will not be expanded until transparency obligations are fulfilled and privacy safeguards are established. The EPIC letter follows a statement last week from civil rights and government oversight organizations to the DHS Secretary, seeking assurance that there will be no transfer or collection of state voter data.
- EPIC FOIA: Report Reveals Failure of Border Biometric Matching Program (Dec. 18, 2017)
Through a Freedom of Information Act lawsuit, EPIC has obtained a report from Customs and Border Protection, which evaluated iris imaging and facial recognition scans for border control. The "Southwest Border Pedestrian Field Test" reveals that the agency program does not perform operational matching at a "satisfactory" level. In a statement to Congress earlier this year, EPIC warned that biometric identification techniques are unreliable and lack proper privacy safeguards. EPIC is pursuing related documents for the use of biometrics at airports. EPIC has extensively litigated airport screening techniques, including EPIC v. TSA (concerning body scanner modifications) and EPIC v. DHS (concerning full body scanner radiation risks).
- EPIC Urges Congress to Focus on Consumer Privacy and Data Security in Antitrust Hearing (Dec. 12, 2017)
In a statement to the Senate Judiciary Committee, EPIC urged lawmakers to consider consumer privacy at a hearing on "The Consumer Welfare Standard in Antitrust." EPIC emphasized the privacy risks of mergers, stating that "when companies merge, they combine not only their products, services, and finances, but also their vast troves of personal data." EPIC reminded Congress that the United States is experiencing an epidemic of data breaches, and large databases of personal data are more vulnerable to attack. EPIC testified before the Senate Judiciary Committee in 2007 about the growing risks to competition and privacy of mergers in the online advertising industry. EPIC also warned the FTC about the consumer privacy risks of high profile mergers. In 2000, EPIC opposed DoubleClick's acquisition of Abacus. In 2007, EPIC told the FTC that Google's proposed acquisition of DoubleClick would lead to consumers being tracked and profiled by advertisers across the web. And in 2014 EPIC urged the FTC to mandate privacy safeguards for Facebook's acquisition of WhatsApp.
- FAA Drone Registration Requirement Flies Again (Dec. 12, 2017)
A defense authorization bill signed by the President today restores the FAA's drone registration requirement. The registration requirement was struck down by a federal appeals court earlier this year. EPIC supports registration for commercial drones because of the unique privacy risks they pose. In 2015, EPIC submitted extensive comments to the FAA, proposing that commercial drones also routinely broadcast location, course, speed over ground, as well as owner identifying information, similar to the Automated Identification System for commercial vessels. Earlier this year, EPIC also submitted statements to the House Transportation Committee and the Senate Commerce Committee emphasizing the privacy risks of commercial drones. EPIC is currently challenging the FAA's failure to establish privacy safeguards. EPIC v. FAA is before the D.C. Circuit Court of Appeals, with oral arguments scheduled for January 25, 2018.
- Support for Bills Establishing Oversight of AI Grows in Congress (Dec. 12, 2017)
Senators Maria Cantwell (D-WA) and Brian Schatz (D-HI) are planning legislation to establish new oversight committees for the use of AI. Cantwell's bill—Future of Artificial Intelligence Act of 2017—is cosponsored by Senators Ed Markey (D-MA) and Todd Young (R-IN) and would establish an AI committee at the Commerce Department. A companion bill in the House is sponsored by Representatives John Delaney (D-MD) and Pete Olson (R-TX), co-chairs of the Artificial Intelligence Caucus. Schatz has announced his intent to introduce a bill creating an independent AI commission. In 2015, EPIC launched an international campaign in support of Algorithmic Transparency and has warned Congress about the use of opaque techniques in automated decision-making.
- EPIC Urges Congress to Regulate AI Techniques, Promotes 'Algorithmic Transparency' (Dec. 12, 2017)
In advance of a hearing on "Digital Decision-Making: The Building Blocks of Machine Learning and Artificial Intelligence," EPIC warned a Senate committee that many organizations now make decisions based on opaque techniques they don't understand. EPIC told Congress that algorithmic transparency is critical for democratic accountability. In 2015, EPIC launched an international campaign in support of Algorithmic Transparency. At a speech to UNESCO in 2015, EPIC President Marc Rotenberg called knowledge of the algorithm "a fundamental human right." Earlier this year, EPIC filed a complaint with the FTC that challenged the secret scoring of athletes by Universal Tennis. EPIC said to the FTC that it "seeks to ensure that all rating systems concerning individuals are open, transparent and accountable."
- EPIC to Congress: FAA Must Establish Drone Privacy Safeguards and ID Requirements (Nov. 28, 2017)
EPIC sent a statement to a House Committee on Transportation ahead of a hearing on drone deployment in the United States. EPIC said that "privacy rules and identification requirements" are vital for the safe integration of commercial drones in the national air space. EPIC explained that the FAA has failed to establish necessary safeguards and has purposefully ignored privacy and public safety risks. In 2015, EPIC sued the FAA, arguing that the agency failed to comply with a Congressional mandate and a petition from leading experts. EPIC also told Congress that the FAA has excluded privacy experts from the agency task force on drone policy. In October 2017, CNN reported the first drone strike on a commercial aircraft.
- Consumer Bureau Proposes Policy Guidance for Data Aggregation Services (Nov. 16, 2017)
The Consumer Financial Protection Bureau recently set out guidance for financial services that aggregate consumer data. The Bureau outlined Consumer Protection Principles that "express the Bureau's vision for realizing a robust, safe, and workable data aggregation market that gives consumers protection, usefulness, and value." The Consumer Protection Principles for aggregated consumer data services are: (1) consumer access to information, (2) usability and limited scope of access by third parties, (3) consumer control and informed consent, (4) authorizing payments, (5) security, (6) access transparency, (7) accuracy, (8) ability to dispute and resolve unauthorized access, and (9) efficient and effective accountability mechanisms. EPIC has urged Congress to establish privacy and data security standards for consumer services and has championed algorithmic transparency. In testimony before Congress, EPIC Board member Professor Frank Pasquale explained that the use of secret algorithms often has adverse consequences for consumers.
- EPIC to House Committee: Privacy Safeguards Apply to Personal Data Sent to Government (Nov. 15, 2017)
In advance of a hearing on "Cyber Threat Information Sharing," EPIC has sent a statement to the House Homeland Security Committee. EPIC urged the Committee to determine whether there are sufficient protections for personal data sent to government agencies. Private companies now have legal authority to transfer data to government agencies outside traditional privacy procedures following passage of the Cybersecurity Information Sharing Act. EPIC and a broad coalition warned that the law will increase monitoring of Internet users and government secrecy. EPIC urged the Congressional committee to carefully examine the "scrubbing" techniques that are intended to remove personally identifiable information before data is transferred to federal agencies.
- EPIC Warns that Weak Cybersecurity and Privacy Guidance Endangers Drivers (Nov. 15, 2017)
In comments to the National Highway Traffic Safety Administration, EPIC warned that the agency's proposed voluntary guidelines for autonomous vehicles would not protect auto passengers. EPIC explained that privacy and security are paramount safety concerns and stated that "strong encryption in autonomous vehicles will be essential to driver safety." EPIC urged NHTSA to issue mandatory guidelines to protect consumers. EPIC also warned that the FTC lacks authority and expertise to protect driver privacy and security. EPIC made comments to NHTSA earlier this year, and has also brought this issue to the attention of a House committee on consumer protection and the Senate Committee on Commerce.
- Senator Leahy Introduces Legislation To Protect Consumer Privacy (Nov. 15, 2017)
Senator Patrick Leahy (D-VT), joined by six other Senators, introduced comprehensive legislation to protect consumers from data breach and identity theft. The Consumer Privacy Protection Act of 2017 requires companies to provide notice to consumers after a data breach and meet certain baseline privacy and data security standards. The Consumer Privacy Act also prohibits companies from using a data breach to force consumers into individual arbitration, and would punish companies for concealing security breaches. Senator Leahy stated, "Companies that profit from our personal information should be obligated to take steps to keep it safe." Senator Leahy added, "In today's world, data security is no longer just about protecting our identities and our bank accounts; it is about protecting our privacy and even our national security." EPIC recently testified before the Senate Banking Committee in the wake of the Equifax breach, calling for consumer control over their personal data. EPIC President Marc Rotenberg also outlined several steps for Congress to reform the credit reporting industry in the Harvard Business Review.
- House Bill Would Restore FAA's Drone Registration Rule (Nov. 9, 2017)
A defense authorization bill released today in the House would restore an FAA drone regulation that was struck down by a federal appeals court earlier this year. The D.C. Circuit had previously ruled that a regulation requiring hobbyists to register their drones violated the FAA Modernization Act, which forbids regulations for "model aircraft." EPIC strongly supports registration for commercial drones but recognizes an exception for hobbyists. EPIC submitted statements to the House Transportation Committee and the Senate Commerce Committee earlier this year emphasizing the unique privacy risks of commercial drones. EPIC is currently challenging the FAA's failure to protect the public from aerial surveillance by commercial drones in federal court. EPIC v. FAA is currently before the D.C. Circuit Court of Appeals, with oral arguments scheduled for January 25, 2018.
- FTC Requests Public Comments on Strategic Plan (Nov. 9, 2017)
The FTC released a draft of the FTC 2018-2022 strategic plan for public comment. The plan broadly summarizes the FTC's role in protecting consumers and promoting competition. Federal agencies are required by law to publish a strategic plan every four years. EPIC has stated that the Commission needs to "step up its efforts to protect the privacy interests of American consumers." EPIC wrote to the Senate Commerce Committee in advance of a recent hearing on reform proposals for the FTC, stating "the FTC must do more to safeguard American consumers." EPIC also urged the FTC to re-focus an upcoming "workshop on informational injury" on the unprecedented levels of data breach and identity theft in the United States. Earlier this year, EPIC and a coalition of consumer privacy organizations set out "10 Steps for the FTC to Protect Consumers." Comments on the Strategic Plan are due to the FTC by December 5, 2017.
- EPIC Urges FTC to Focus on Data Protection at Upcoming Workshop (Oct. 31, 2017)
EPIC has sent a letter to the FTC expressing concerns regarding their upcoming workshop on "Informational Injury." In advance of the workshop, the FTC has asked, "how to best characterize" privacy injuries. EPIC stated, "the injuries consumers face are obvious," in particular the unprecedented levels of data breach and identity theft. EPIC urged the FTC to re-focus the workshop on the questions of why data breach, identity theft, and financial fraud continue to rise in the United States, and how the FTC can do more to address these issues. EPIC recently testified before Congress on consumer data security and the credit bureaus, and has called on the FTC to step up its enforcement to protect consumer privacy.
- EPIC Assesses Progress on Government's Commitments to Transparency (Oct. 30, 2017)
In comments filed with the Open Government Partnership's Independent Reporting Mechanism, EPIC assessed the government's progress toward the transparency commitments it made in the National Action Plan on Open Government. EPIC advised the government to incorporate findings of the Commission on Evidence-Based Policymaking including the use of Privacy Enhancing Techniques, called for the Privacy and Civil Liberties Oversight Board (PCLOB) to be restored to full strength, and warned about the federal government's ongoing failure to create Privacy Impact Assessments required by law. EPIC and a coalition of civil society groups had issued recommendations for the Third National Action Plan, and, in response, the administration pledged to modernize implementation of the FOIA, streamline record declassification, and increase transparency of the intelligence community. The Plan is an initiative pursued by countries and NGOs participating in the Open Government Partnership.
- EPIC Calls on House to Protect Privacy at U.S. Seaports (Oct. 30, 2017)
EPIC submitted a statement to the House Homeland Security Committee in advance of a hearing on "Examining Physical Security and Cybersecurity at Our Nation's Ports." The Committee recently reported favorably "The Border Security for America Act," which would dramatically expand U.S. border surveillance, including a biometric exit data system at U.S. seaports. EPIC has expertise regarding maritime surveillance. EPIC pursued a Freedom of Information Act lawsuit against the Department of Homeland Security concerning the Nationwide Automatic Identification System, a system designed with the support of the U.S. Coast Guard to promote boating safety that the DHS has transformed into a surveillance system for monitoring vessels, including recreational vessels operated by U.S. citizens. In the letter to the House Committee, EPIC warned that "many of the techniques that are proposed to enhance border surveillance have direct implications for the privacy of American citizens."
- In Senate Testimony, EPIC Calls for Reform of Credit Reporting Industry (Oct. 16, 2017)
EPIC's President Marc Rotenberg will testify this week before the Senate Banking Committee on reform of the credit reporting industry following the Equifax breach. The hearing, "Consumer Data Security and the Credit Bureaus," follows several Congressional hearings with Equifax CEO Richard Smith. Rotenberg will emphasize the need to limit the use of the Social Security number in the private sector and to give consumers control over their personal data. EPIC will recommend a national credit "freeze" and free life-term credit monitoring services for all U.S. consumers. Rotenberg detailed how the credit reporting industry is broken in a recent article in the Harvard Business Review. He also warned that the failure to update U.S. privacy law has placed the digital economy at risk and may lead to the suspension of trans-border data flows. EPIC has previously testified before the House and Senate on the need for Congress to address data breach and identity theft.
- EPIC Recommends Measures to Protect Seniors from Robocalls (Oct. 4, 2017)
EPIC sent a letter to the Senate Committee on Aging in advance of a hearing on robocalls and fraud against seniors. EPIC explained that "criminals target senior citizens, believing they are wealthy and will be unable to detect crime or report that a crime has occurred." In comments to the FCC earlier this year, EPIC expressed support for regulations that would allow the blocking of unsolicited calls from invalid numbers. EPIC told the Committee that the FCC rule could protect seniors and other consumers from predatory robocalls.
- EPIC Asks Senate to Enforce Privacy Safeguards for "Dreamers" (Oct. 3, 2017)
EPIC warned the Senate Judiciary Committee that 800,000 DACA applicants face privacy risks as a result of the decision to end the Deferred Action for Childhood Arrivals program. According to EPIC, the Department of Homeland Security has failed to ensure that DACA applicants' information will be used exclusively for the purpose for which it was disclosed, as set out in the 2012 privacy impact assessment. EPIC urged the Committee to uphold Privacy Act safeguards for DACA applicants.
- EPIC Calls for Greater FTC Enforcement (Sep. 28, 2017)
In advance of a Senate Commerce hearing on consumer privacy, EPIC called for more action by the Federal Trade Commission to protect American consumers. In a statement for the Committee, EPIC said that "the FTC is simply not doing enough to safeguard the personal data of American consumers." EPIC explained that "the FTC's privacy framework - based largely on 'notice and choice' - is simply not working." EPIC also warned that consumers "face unprecedented threats of identity theft, financial fraud, and security breach." EPIC has fought for consumer privacy rights at the FTC for more than two decades, filing landmark complaints about privacy violations by Uber, Microsoft, Facebook, Google, and even suing the Commission when it has failed to enforce its own orders.
- EPIC Backs Commission on Evidence-Based Policymaking, Urges Congress to Take Steps to Preserve Privacy (Sep. 26, 2017)
In a statement to Congress, EPIC expressed support for the findings of the Commission on Evidence-Based Policymaking. Congress established the Commission to study how data across the federal government could be combined to improve public policy while protecting privacy. The Commission's report recommends new privacy safeguards and encourages broader use of statistical data. EPIC submitted comments to the Commission urging the adoption of Privacy Enhancing Techniques that minimize or eliminate the collection of personal data. Several of EPIC's recommendations were incorporated in the Commission report. A report from the National Academies of Sciences earlier this year examined federal data sources and privacy.
- EPIC Urges FTC To Strengthen Privacy Settlement With Uber (Sep. 15, 2017)
In detailed comments to the Federal Trade Commission, EPIC urged the FTC to strengthen a proposed settlement with Uber. The FTC's investigation and subsequent settlement were prompted by EPIC's 2015 complaint, which detailed Uber's secretive tracking of customers and surreptitious collection of user data. EPIC recommended that the FTC require Uber to end collection of customer data beyond what is necessary to provide the service and to mandate that Uber implement stronger privacy safeguards. As EPIC highlighted in the original complaint, Uber has a history of abusing consumer privacy. EPIC has previously pursued FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. The FTC is obligated to consider public comments before finalizing a proposed settlement.
- Senators Introduce Data Breach Legislation In The Wake Of Equifax Breach (Sep. 15, 2017)
Senator Markey (D-MA) and several other Senators have introduced legislation that would provide consumers with more control over their personal data. The Data Broker Accountability and Transparency Act would allow consumers to access and correct their personal data and stop data brokers from using, disclosing, or selling their information for marketing purposes. The bill also requires data brokers to develop comprehensive privacy and data security measures and provide "reasonable notice" in the event of a breach. For years, EPIC has supported stronger data breach notification laws, and EPIC has testified before the Senate and House in support of a federal law. EPIC supports consumer control over personal data, and EPIC recommends mandatory breach notification procedures to ensure that consumers are aware when their personal data is wrongly obtained by others. Additionally, last year EPIC created http://www.dataprotection2016.org/ to promote the adoption of stronger privacy safeguards in the U.S.
- EPIC, Groups Urge Greater Transparency for International Intelligence Arrangements (Sep. 14, 2017)
EPIC, Privacy International, and other groups called for increased transparency of U.S. intelligence arrangements. The groups explained that secret arrangements circumvent international human rights agreements and domestic law. The coalition asked the Senate and House Intelligence Committees and Judiciary Committees, as well as the Privacy and Civil Liberties Oversight Board, for information about their review of these arrangements. Earlier this year, EPIC warned Congress about a secret US-UK agreement for law enforcement access to personal data otherwise protected by law. In 2016, EPIC obtained the "Umbrella Agreement," concerning the transfer of personal data from the EU to the US, after a successful Freedom of Information Act lawsuit.
- NHTSA Revised Automated Vehicle Policy Lacks Privacy Safeguards, Senate Considers Draft Bill (Sep. 12, 2017)
The National Highway Traffic Safety Administration released revised guidance for automated vehicles. The modified guidance encourages manufacturers to develop best practices to minimize cybersecurity risks. However, the NHTSA guidance lacks mandatory standards and fails to safeguard privacy, stating that the Federal Trade Commission is responsible for consumer privacy. Previous NHTSA guidance established privacy standards and required developers to minimize data collection. The Senate Commerce Committee is now considering the "AV START Act" concerning automated vehicles. The draft bill proposes voluntary cybersecurity and also lacks consumer privacy standards. Today the NTSB also released findings that Tesla's autopilot feature contributed to a highway fatality earlier this year. EPIC has long advocated for privacy and cybersecurity safeguards to be a central component of automated vehicle development.
- Voting System Guidelines Under Review, Secret Ballot at Risk (Sep. 12, 2017)
The Election Assistance Commission technical committee is meeting today to review standards for voting equipment. Some members of the Technical Guidelines Development Committee have raised questions about the value of the secret ballot. Last year, EPIC, Verified Voting, and Common Cause explained in "The Secret Ballot At Risk: Recommendations for Protecting Democracy" that the secret ballot — the inability to link particular voters to particular votes — is a cornerstone of modern democracies. Most states (44) have constitutional provisions guaranteeing secrecy in voting. The secret ballot also reduces the threat of coercion, vote buying and selling, and tampering. EPIC has a long history of working to protect voter privacy and election integrity. In a 2010 Supreme Court case, EPIC argued that disregard for voter privacy may unconstitutionally burden the right to vote. Also today, MIT Professor Ronald Rivest spoke in support of ballot secrecy and election integrity at a meeting of the Presidential Commission on Election Integrity.
- EPIC Urges Senate To Establish Data Protection Standards For Financial Technologies (Sep. 11, 2017)
In advance of a hearing on financial technology, EPIC recommended that the Senate Committee establish privacy standards for financial companies that use social media and secret algorithms to make determinations about consumers. In light of the recent Equifax breach, EPIC proposed that the Committee make privacy and security its top priorities. Earlier this year, EPIC submitted a similar statement to the House Committee on Energy and Commerce. EPIC also recently filed a complaint with the CFPB regarding "starter interrupt devices" deployed by auto lenders to remotely disable cars when individuals are late on their payments. Testimony of Professor Frank Pasquale on "Exploring the Fintech Landscape."
- Federal Commission Backs Evidence-Based Policies, Strong Privacy Safeguards (Sep. 7, 2017)
The Commission on Evidence-Based Policymaking, which was tasked with studying whether and how data across the federal government could be combined for policy research while protecting privacy, has issued its final report. The Commission backs evidence-based policy, recommends new privacy safeguards including Privacy Enhancing Techniques, encourages broader use of statistical data, and recommends the creation of a National Secure Data Service. In testimony before the Commission, EPIC President Marc Rotenberg promoted both innovative privacy safeguards and well-informed public policy. EPIC also filed comments with the Commission urging adoption of Privacy Enhancing Techniques, such as anonymization, that minimize or eliminate the collection of personal data. The National Academies of Sciences released a report earlier this year that examined how disparate federal data sources can be used for policy research while protecting privacy.
- Medicare to Remove SSN from ID Cards (Sep. 5, 2017)
Earlier this year, the Center for Medicare Services announced that the Social Security Number would be removed from the Medicare benefits card. Senators Susan Collins and Claire McCaskill led the effort in the Senate to remove the SSN, which contributed to identity theft that often targeted seniors. EPIC testified before their Senate Committee in 2015 on "Protecting Seniors from Identity Theft: Is the Federal Government Doing Enough?" EPIC explained that "there is no other form of individual identification that plays a more significant role in record-linkage and no other form of personal identification that poses a greater risk to personal privacy." Since its founding, EPIC has sought to limit the use of the Social Security Number on identification documents.
- House Releases Text of Automated Vehicle Bill, Preempts State Action (Aug. 10, 2017)
The House Committee on Energy & Commerce recently approved text for a bill on automated vehicles. The bill prevents the states from issuing any rule or regulation that is not identical to a Federal Motor Vehicle Safety Standard, preventing states from issuing their own safety and privacy regulations to safeguard consumers. The bill also calls for automated vehicle manufacturers to have cybersecurity and privacy plans; however, it does not address who owns the data collected by automated vehicles or how consumers can access or delete their data. EPIC has opposed federal preemption for automated vehicle regulation and has repeatedly urged federal agencies and Congress to allow states to craft their own privacy and security regulations to protect public safety. EPIC has also recommended that consumers control the personal information that is created and stored by the vehicles they operate, rent, and own.
- FBI Issues Final Rule on Biometric Database, Exempts Itself From Privacy Act Protections (Aug. 1, 2017)
The FBI has released a final rule claiming several Privacy Act exemptions for the Next Generation Identification System, a database that contains the biometric data of millions of Americans, much of which is unrelated to law enforcement. EPIC had criticized the FBI's proposal to remove Privacy Act safeguards and urged the FBI to limit the scope of data collection and reduce the retention of data. However, in issuing the final rule the FBI repeatedly stated that exemptions would be used responsibly and in accordance with FBI policies and procedures. Through a FOIA lawsuit, EPIC obtained documents that revealed the NGI database contained an error rate of up to 20% on facial recognition searches. EPIC has identified several problems with the NGI database in statements to Congressional oversight committees, which have indicated strong concern about the FBI's facial recognition program.
- EPIC Urges Congress to Focus on FCC and Privacy (Jul. 27, 2017)
EPIC has sent a statement to the House Commerce Committee for a hearing on the Federal Communications Commission. EPIC urged the Committee to affirm the FCC's role in protecting online privacy. EPIC also asked the Committee to press the nominees to repeal an FCC regulation that requires the retention of telephone customer records for 18 months. EPIC filed a petition urging the repeal of this mandate more than two years ago and the FCC recently docketed the petition for public comment. Every comment received by the FCC favored the EPIC petition to end the data retention mandate. EPIC has submitted multiple comments to the FCC for strong online privacy protections.
- EPIC to Senate Judiciary: FBI Response to Russia Attack Must Be Examined (Jul. 27, 2017)
Following a hearing on Russian Interference with the 2016 U.S. Election, EPIC has sent a statement to the Senate Judiciary Committee. EPIC urged the Committee to explore whether the FBI Victim Notification procedures were followed once the FBI became aware of the Russian cyberattack on the DNC and the RNC. In a Freedom of Information Act lawsuit EPIC v. FBI, EPIC obtained the FBI notification procedures that would have applied during the 2016 Presidential election. The documents indicate that the FBI Cyber Division is to "notify and disseminate meaningful information to victims and the CND [Computer Network Defense] community." The obvious question at this point, said EPIC, is whether the FBI followed the required procedures for Victim Notification once the Bureau became aware of this attack. In a related FOIA case, EPIC v. ODNI, EPIC is seeking the public release of the complete report of the intelligence community on the Russian interference with the 2016 election.
- EPIC Calls for End to Collection of State Voter Records by Presidential Commission (Jul. 18, 2017)
In a statement today for a Forum organized by the House Judiciary Committee and the Congressional Black Caucus, EPIC President Marc Rotenberg called for an end to the efforts of the Presidential Commission on Election Integrity to gather state voter records. Rotenberg said the program was "ill-conceived, poorly executed, and most likely unconstitutional." EPIC brought suit against the Commission, charging violations of federal laws and the federal constitution, and noting also that the Commission's plan to gather data on a military site that returned error messages was pure incompetence. The Commission has since suspended the program, pending a decision by the federal court in EPIC's case. But the Commission meets this week in Washington to discuss next steps. In the prepared statement, Rotenberg said, "I hope the Commission will simply announce the termination of the program. But if it does not, EPIC will pursue its case until we obtain a favorable outcome. And we welcome the many organizations across the country that have also filed lawsuits." The case is EPIC v. Commission, No. 17-1320 (D.D.C. July 3, 2017).
- EPIC Raises Questions About FBI Surveillance Programs (Jul. 14, 2017)
In a statement to Congress, EPIC told members of the Senate Judiciary Committee to press the nominee for FBI Director, Christopher Wray, on his views of FBI databases and domestic surveillance programs. EPIC again expressed concern about the size and scope of the FBI's Next Generation Identification system which stores personal and biometric information on millions of individuals. EPIC also expressed concern over the FBI's failure to issue timely privacy impact assessments, lack of transparency on drone use, and plans to monitor social media. EPIC urged the Committee to obtain the nominee's views on these matters and to ensure his commitment to protect privacy and ensure transparency at the FBI.
- Congress Defends Power of Local Authorities to Regulate Drone Privacy (Jul. 12, 2017)
Both the Senate and House are considering bi-partisan drone bills to protect the ability of states and local government to safeguard privacy. The House's Drone Innovation Act, sponsored by Rep. Jason Lewis (R-MN), and the Senate's Drone Federalism Act, sponsored by Sen. Dianne Feinstein (D-CA), would ensure that FAA regulations do not preempt legitimate interests of local governments to protect personal privacy. Earlier this year, EPIC submitted a statement to the House Transportation Committee and a statement to the Senate Commerce Committee to emphasize the unique privacy risks of drones. EPIC explained that the FAA has failed to establish necessary privacy safeguards and that the states must be free to protect privacy interests. In 2015, EPIC sued the agency, arguing the FAA failed to protect the public from aerial surveillance. EPIC v. FAA is currently before the D.C. Circuit Court of Appeals. Argument will likely take place this fall.
- EPIC Provides Suggestions for "Self-Driving" Vehicle Legislation (Jul. 5, 2017)
EPIC has sent a statement to Congress ahead of a hearing to discuss proposed self-driving vehicle legislation. The House Energy & Commerce Committee drafted several bills related to the development and deployment of "self-driving" vehicles. EPIC urged the Committee not to pre-empt states from issuing their own self-driving vehicle regulations, to encourage developers to be transparent in the development of autonomous vehicles, and to urge that advocacy groups be included in connected car advisory councils. EPIC has been a leading advocate for privacy and safety in the development of connected and autonomous vehicles and has participated in workshops, written to NHTSA, and actively informed Congress of privacy and safety related developments in connected and autonomous vehicles.
- EPIC Recommends National Safety Standard for "Self-Driving" Vehicles (Jun. 28, 2017)
In remarks today to a joint workshop of the FTC and NHTSA, EPIC President Marc Rotenberg called for the establishment of national safety standards prior to the deployment of "self-driving" vehicles on the nation's highways. "Given the current vulnerabilities of networked communications, self-driving vehicles are simply unsafe at any speed," said Mr. Rotenberg. EPIC has participated in numerous NHTSA rulemakings on auto safety, proposed stronger data protection standards for connected vehicles, and sided with consumers in a case concerning the risks of autonomous vehicles. In extensive comments for the FTC/NHTSA workshop, EPIC pointed to known vulnerabilities with Bluetooth communications, auto hacking, "level 3" control, malware and ransomware, auto repossession remote deactivation, and safety defects. EPIC urged the FTC and NHTSA to focus on "data protection, vehicle safety, consumer protection, and privacy." EPIC also said that the ability of states to develop safety standards must be maintained. EPIC warned that the failure to establish robust safety standards could be "catastrophic."
- Google Faces Record Fine for Monopolistic Search Practices (Jun. 27, 2017)
European antitrust officials have imposed a $2.7 billion fine on Google for favoring its own services over competitors on Google search, which now dominates 90% of the market in Europe. It is the largest antitrust fine in European history. European Commissioner Margrethe Vestager stated "Google has abused its market dominance in search by promoting its own services and demoting its competitors. What Google has done is illegal under EU antitrust rules. It has denied other companies the chance to compete on the merits and to innovate. And most importantly, it has denied European consumers the benefits of competition, genuine choice, and innovation." Google competitors and news organizations, based in the United States, favored the outcome. Over many years, EPIC had urged the US government to take a closer look at Google's anti-competitive practices. In testimony before the Senate Judiciary Committee in 2007, EPIC warned that Google's growing dominance of online advertising would diminish user privacy and market competition. In a statement to the FTC in 2011, EPIC explained that Google altered the search rankings of YouTube after it acquired the company to preference Google's content over that of competitors and NGOs, including EPIC. In 2012, EPIC told the FTC that "Google's business practices raise concerns related to both competition and the implementation of the Commission's consent order." EPIC later sued the FTC for its failure to enforce the consent order.
- EPIC Urges Senate Judiciary Committee To Restore PCLOB to Full Strength (Jun. 23, 2017)
In advance of a hearing on the Foreign Intelligence Surveillance Act, EPIC has sent a statement to the Senate Judiciary Committee urging increased public reporting of the government's surveillance activities under section 702. EPIC also highlighted the need to restore the Privacy and Civil Liberties Oversight Board (PCLOB) to full strength. As Judge Patricia Wald recently stated in remarks at the EPIC Champions of Freedom Dinner, "an agency dedicated to protecting privacy and civil liberties inside the intelligence community with access to classified material is a uniquely valuable asset in the ever difficult search for the right balance between national security and democratic values." EPIC testified before the House Judiciary Committee in support of increased transparency during the 2012 FISA reauthorization hearings. Analysis of 702 reform by Prof. Laura Donohue.
- EPIC Urges Congress to Examine FBI's Biometric Identification Program (Jun. 20, 2017)
EPIC has sent a statement to the House Appropriations Committee in advance of a hearing on the FBI's budget. EPIC urged the Committee to examine the FBI's Next Generation Identification program. EPIC explained that the program "raises far-reaching privacy issues that implicate the rights of Americans all across the country." The FBI biometric database is one of the largest in the world, but the Bureau proposed to exempt the database from Privacy Act protections. EPIC and others supported strong safeguards for the program. In an early FOIA case against the FBI, EPIC obtained documents which revealed high error levels in the biometric database. EPIC has recently filed a FOIA lawsuit against the FBI for information about the agency's plans to transfer biometric data to the Department of Defense.
- EPIC Recommendations for Tech Week Meeting: Protect U.S. Consumers (Jun. 20, 2017)
In advance of a White House / OSTP meeting on "emerging technologies," EPIC has sent a statement to the Office of Science and Technology Policy. EPIC urged the Administration to focus on consumer protection and address the numerous privacy and security risks related to the "Internet of Broken Things." EPIC recommended Privacy Enhancing Technologies, data minimization, and security measures for Internet-connected devices. EPIC also urged the Administration to issue regulations on drone privacy as mandated by Congress and to establish minimum safety standards for connected cars. EPIC warned that "The unregulated collection of personal data and the growth of the Internet of Things has led to staggering increases in identity theft, security breaches, and financial fraud in the United States."
- EPIC Urges Swift Action on FCC Data Retention Mandate (Jun. 20, 2017)
In a statement to the Senate Committee on Appropriations, EPIC asked Congress to obtain assurances from the FCC Chair to repeal the FCC regulation that requires telephone companies to keep customers' phone records for 18 months. EPIC warned that the regulation "places at risk the privacy of users of network services." Two years ago, EPIC, joined by consumer privacy organizations, technical experts, and legal scholars, submitted a formal petition to the FCC, calling for the repeal of the data retention rule. The FCC recently docketed the petition and accepted public comments on the matter. All of the commentators favored the EPIC petition to end the mandate. The next step will be for the FCC to begin a Rulemaking to Repeal 47 C.F.R. § 42.6 ("Retention of Telephone Records").
- EPIC Joins Call to Keep Surveillance Transparency Promise (Jun. 13, 2017)
EPIC and over 30 organizations urged the Director of National Intelligence Dan Coats to uphold a promise to provide a public estimate of how many Americans are caught up in NSA surveillance of foreign targets. The coalition, including EPIC, previously pushed for the estimate. Americans' communications are "incidentally" collected under section 702 of the Foreign Intelligence Surveillance Act, and the FBI searches this data without a warrant or judicial oversight. EPIC, in testimony before Congress and comments to the Privacy and Civil Liberties Oversight Board, has repeatedly called for greater oversight and transparency of surveillance authorities.
- EPIC Urges House Committee to Back Consumer Safeguards for Internet of Things (Jun. 13, 2017)
EPIC has sent a statement to the House Energy and Commerce Committee in advance of a hearing on "IOT Opportunities and Challenges." EPIC raised the "significant privacy and security risks" of the Internet of Things. A recent report from the Pew Research Center on the Internet of Things underscores the need to develop new safeguards for what some call "The Internet of Broken Things." EPIC has been at the forefront of policy efforts to establish safeguards for connected cars, "smart homes," consumer products, and "always on" devices.
- EPIC to Congress: Ask ICE About FOIA Compliance (Jun. 12, 2017)
EPIC has sent a statement to the House Appropriations Committee in advance of a budget hearing for Immigration and Customs Enforcement and Customs and Border Patrol. EPIC urged the Committee to ask whether ICE is complying with FOIA "when it receives requests for immigration data." EPIC and a coalition recently sent a letter to DHS Secretary Kelly calling on ICE to "fully disclose information on immigration enforcement cooperation between federal and non-federal law enforcement agencies." EPIC also said the Committee should ensure that CBP, which is now deploying drones, will comply with state laws and a 2015 Presidential Memorandum that limit drone surveillance.
- EPIC Tells House Committee to Ensure Telemarketing Rules Protect Consumers (Jun. 12, 2017)
EPIC has sent a statement to the House Judiciary Committee in advance of the hearing on "Lawsuit Abuse and the Telephone Consumer Protection Act." The telemarketing law bars telemarketers and robocallers from contacting consumers by phone, fax, or text without prior consent. EPIC acknowledged that class action settlements often fail to provide direct financial benefits to consumers, but explained that "TCPA cases are among the most effective privacy class actions because they typically require companies to change their business practices to comply with the law." Last year, EPIC filed an amicus brief in support of TCPA protections for consumers. EPIC has also testified before Congress about the telemarketing law and submitted many comments concerning its implementation.
- EPIC to House: FAA Must Establish Drone Privacy Safeguards (Jun. 9, 2017)
EPIC sent a statement to the House Committee on Transportation & Infrastructure ahead of a hearing on FAA Reauthorization. Emphasizing the unique privacy risks of drones, EPIC explained that the FAA has failed to establish necessary safeguards. In 2015, EPIC sued the agency, arguing that it failed to comply with Congressional directives. Following a petition by EPIC, the agency received hundreds of comments in support of privacy rules. EPIC also told Congress that the FAA has excluded privacy experts from the agency task force on drone policy.
- Senator Feinstein Proposes Reforms to Broad Spying Authority (Jun. 9, 2017)
Senator Dianne Feinstein, the former chair of the Senate Intelligence Committee, today outlined reforms to Section 702 surveillance authority. The law, which allows the NSA "PRISM" and "Upstream" surveillance programs, is set to expire at the end of this year. Senator Feinstein would end permanently the NSA's "about" searches, expand the amicus role at the intelligence court, and require the continued sunsetting of FISA authorities created in the FISA Amendments Act of 2008. In 2012, EPIC testified before Congress on the need to establish better oversight for Section 702 prior to renewal.
- EPIC to Congress: Data Protection Needed for Financial Technologies (Jun. 9, 2017)
EPIC submitted a statement to a House Committee hearing on financial technologies about the risks of new financial services. Companies now use social media data and secret algorithms to make determinations about consumers. They are also reaching out, through the "Internet of Things," to control consumers. EPIC recently filed a complaint with the CFPB about "starter interrupt devices," deployed by auto lenders to remotely disable cars when individuals are late on their payments.
- EPIC Urges Senate Committee To Reform Surveillance Law (Jun. 6, 2017)
In advance of a hearing on the Foreign Intelligence Surveillance Act, EPIC has sent a Statement to the Senate Select Committee on Intelligence urging increased transparency and new public reporting of the Government's surveillance activities. EPIC also highlighted several legal challenges to an NSA bulk surveillance program abroad. The bulk surveillance program for the communications of non-U.S. persons sunsets on December 31, 2017. EPIC testified before the House Judiciary Committee during the 2012 FISA reauthorization hearings, recommended improved public reporting, and warned pre-Snowden that the extent of mass surveillance was much greater than was known to the public.
- EPIC Tells Congress: Limit Use of Social Security Numbers (May. 22, 2017)
EPIC has sent a statement to the House Ways & Means Committee and House Committee on Oversight and Government Reform in advance of a hearing on "Protecting Americans' Identities: Examining Efforts to Limit the Use of Social Security Numbers." EPIC warned about the danger of SSN-related identity theft. "Given the growing risk of identity theft coupled to the SSN and the ease of alternative systems, there is simply no excuse for the use of SSNs in either the public or private sector," said EPIC. EPIC has long urged Congress and state legislators to limit use of the SSN.
- Facebook Fined $122 Million for Misleading Europe on Privacy Risks of WhatsApp Merger (May. 18, 2017)
The EU has fined Facebook $122 million for misleading the European Commission during the investigation of the Facebook-WhatsApp Merger. Following Facebook's acquisition of WhatsApp, WhatsApp transferred users' personal data to Facebook and violated the company's privacy promises. Facebook had downplayed the risks of the merger, saying that WhatsApp users' personal data could not be linked with their Facebook accounts. "U.S. antitrust law has failed to keep up with the digital economy and the emergence of monopoly services," EPIC president Marc Rotenberg told the New York Times. "There is far too much 'lock in' with a dominant provider, and far too much consolidation of personal data." The head of BEUC, the European consumer association, said "It is very disappointing that the Commission decided not to revise its original decision on the Facebook merger with WhatsApp." EPIC recently urged the Senate Judiciary Committee to consider the role of consumer privacy and data protection in merger reviews and highlighted the FTC's failure to block the Facebook-WhatsApp merger.
- EPIC Urges Transparency in Negotiation of US-UK Intercept Treaty (May. 9, 2017)
EPIC has sent a statement to the Senate Judiciary Committee for a hearing on "Law Enforcement Access to Data Stored Across Borders." According to news reports, the United States and the United Kingdom are seeking to establish an agreement for direct access to personal data outside their legal jurisdictions. A secret agreement is under negotiation. In November 2016, EPIC filed a FOIA Request related to the US-UK agreement. Last week, the Justice Department alerted EPIC that responsive documents had been located and would be referred to the State Department for additional processing. EPIC has long advocated for transparency concerning international agreements. In 2016, EPIC obtained the "Umbrella Agreement" after a successful Freedom of Information Act lawsuit.
- Former Attorney General Testifies about Russian Influence with Key Trump Advisor (May. 9, 2017)
In a hearing before a Senate Judiciary Subcommittee, former Acting Attorney General Sally Yates said she warned the White House that General Michael Flynn "could be blackmailed by the Russians" who knew he had lied about his Russian contacts. Yates also said the DOJ came forward out of concern that both administration officials and the American people "had been misled." As a part of the Democracy and Cybersecurity Project, EPIC is pursuing a Freedom of Information Act request for records of DOJ's investigation of Russian interference. EPIC explained to the Senate committee that "the public has 'the right to know' the extent of Russian interference with democratic elections and the steps that are being taken to prevent future attacks."
- On Cyber Policy, EPIC Urges Senate to Protect Consumers, Democratic Institutions (May. 8, 2017)
In advance of a hearing on "Cyber Threats Facing America: An Overview of the Cybersecurity Threat Landscape," EPIC has sent a statement to a Senate Committee urging Congress to protect democratic institutions, following the Russian interference with the 2016 presidential election. EPIC explained that "data protection and privacy should remain a central focus" of cyber security policy. EPIC also recommended that Congress strengthen the federal Privacy Act and establish a U.S. data protection agency. EPIC recently launched the EPIC Cybersecurity and Democracy Project that will focus on US cyber policies, threats to election systems and foreign attempts to influence American policymaking.
- EPIC To Senate Judiciary - "Public Has Right to Know About Russia Ties" (May. 5, 2017)
EPIC has sent a statement to the Senate Judiciary Committee for a hearing on "Russian Interference in the 2016 United States Election." EPIC described its Freedom of Information Act cases against the FBI and the ODNI to obtain records about activities aimed at undermining democratic institutions. EPIC is also pursuing the release of any FISA orders for Trump Tower, as well as Donald Trump's tax returns. EPIC wrote the "need to understand Russian efforts to influence democratic elections cannot be overstated."
- EPIC to Congress: Protect Student Privacy (May. 2, 2017)
EPIC has sent a statement to the House Committee on Oversight for the upcoming hearing on the FAFSA ("Free Application for Federal Student Aid") data breach, which compromised more than 100,000 taxpayer records. EPIC urged the Committee to protect student privacy. EPIC's testimony: (1) explained how the U.S. Education Department weakened key safeguards for student records, (2) described the privacy risks that students today face, (3) underscored the need for data security safeguards for student information, and (4) recommended that Congress adopt EPIC's Student Privacy Bill of Rights. EPIC has previously urged Congress, the Education Department, and the Federal Trade Commission to strengthen student privacy.
- EPIC Renews Call for Connected Cars Safeguards (May. 2, 2017)
In comments to the FTC and NHTSA ahead of a June workshop, EPIC underscored the need to safeguard consumers and improve vehicle security. EPIC also defended the role of states that are developing new safeguards for connected vehicles. For more than a decade, EPIC has been a leading advocate for privacy and security measures for connected vehicles. EPIC routinely submits comments to federal agencies regarding the unique challenges that these vehicles present. EPIC has also testified before Congress, filed amicus briefs, and submitted statements on the risks of autonomous vehicles.
- EPIC Urges Senate Committee to Investigate FBI's Massive Biometric Database (May. 1, 2017)
EPIC has sent a statement to the Senate Judiciary Committee for an upcoming FBI oversight hearing. EPIC urged the Committee to investigate the FBI's Next Generation Identification system, a massive biometric database. EPIC has sought to ensure that the FBI database complies fully with the federal Privacy Act, which the Bureau has opposed. EPIC explained to the Senate Committee that an individual's ability to control disclosure of identity "is an essential aspect of personal security and privacy." In a leading FOIA lawsuit, EPIC v. FBI, EPIC also uncovered documents which revealed high error rates in the biometric system. EPIC has filed a FOIA lawsuit against the FBI for information about the agency's plans to transfer biometric data to the Department of Defense.
- Senators Blumenthal and Udall Introduce Online Privacy Bill (Apr. 27, 2017)
Senators Richard Blumenthal (D-CT) and Tom Udall (D-NM) have introduced the Managing Your Data Against Telecom Abuses (MY DATA) Act. The MY DATA Act would grant the FTC jurisdiction over broadband providers, as well as the authority to establish rules for privacy and data security online. "In the 21st century, internet access is a basic necessity. And signing up for a basic necessity should never mean you have to sign away your rights to privacy," said Senator Blumenthal. EPIC has previously told Congress that the FTC has not done enough to safeguard consumer privacy, citing the Commission's failure to enforce settlement agreements or to modify proposed settlements based on public comments. EPIC has also proposed comprehensive consumer privacy laws to combat the growing threats of data breaches, identity theft, and financial fraud.
- EPIC to Congress: Examine TSA Secrecy (Apr. 26, 2017)
EPIC has sent a statement to the House Committee on Homeland Security for an oversight hearing on the Transportation Security Administration. EPIC has objected to the TSA's refusal to release information the agency designated as "sensitive security information" that is pertinent to EPIC's ongoing case against TSA regarding airport body scanners. EPIC said that the TSA is "seeking to hide its decision making behind this cloak of secrecy." Congress also criticized the TSA's use of the SSI designation in an extensive report on "Pseudo Classification." In the statement for the Committee, EPIC also objected to the eye scanning of US travelers at US airports.
- EPIC: Enhanced Surveillance at Border Will Sweep Up U.S. Citizens (Apr. 26, 2017)
A statement from EPIC to the House Oversight Committee for a hearing on border security warns that enhanced surveillance will impact citizens' rights. "The use of drones in border security will place U.S. citizens living on the border under ceaseless surveillance by the government," said EPIC. EPIC noted that Customs and Border Protection is already deploying drones with facial recognition technology on U.S. communities. In 2013, EPIC obtained records under the Freedom of Information Act which revealed that CBP drones could also intercept electronic communications in the United States. State laws in some border states prohibit warrantless aerial surveillance but the United States has failed to enact laws to limit drone surveillance. EPIC has sued the FAA for the agency's failure to create drone privacy safeguards as required by Congress.
- EPIC Recommends Adoption of Privacy-Enhancing Technologies in Health Care Sector (Apr. 5, 2017)
EPIC has sent a letter to the House Energy and Commerce Committee about cybersecurity in the health care sector. EPIC noted that in 2016, approximately 300 health care sector data breaches compromised the health data of over 4 million patients. EPIC recommended specific privacy-enhancing technologies that should be required to be implemented in health care IT systems, including secure e-mail communications systems and the ability for patients to hold back sensitive information.
- EPIC Brings Attention to Auto "Starter Interrupt Devices" (Apr. 5, 2017)
In a letter to the House Financial Services committee about the Consumer Financial Protection Bureau, EPIC highlighted its complaint about automobile "starter interrupt devices." EPIC alleges that companies use these devices to monitor borrowers' location and disable vehicles in violation of the Consumer Financial Protection Act. EPIC has asked the Bureau "to enjoin their unfair and abusive practices." In testimony, detailed comments, and letters, EPIC has urged Congress to establish safety standards for connected vehicles. EPIC has also submitted comments to the CFPB on debt collection practices and publication of consumer complaint narratives.
- EPIC Recommends Scrutiny of DEA Surveillance Programs (Apr. 4, 2017)
In a letter to the House Judiciary Committee for an oversight hearing, EPIC highlighted civil liberties problems with DEA programs. In 2014, EPIC sued the DEA for information about the agency's Hemisphere program, a massive telephone record database. More recently, EPIC prevailed in a FOIA lawsuit that revealed the DEA's failure to conduct privacy assessments required by law for the agency's license plate scanning program. In the letter, EPIC urged the Committee to investigate the Hemisphere program and determine whether the agency will complete privacy impact statements for agency programs as required by law.
- EPIC To Senate Intelligence - "Public Has Right to Know About Russia Ties" (Mar. 29, 2017)
EPIC has sent a letter to the Senate Intelligence Committee for a hearing on "Disinformation: A Primer in Russian Active Measures and Influence Campaigns." EPIC described its Freedom of Information Act cases against the FBI and the ODNI to obtain records about activities aimed at undermining democratic institutions. EPIC is also pursuing the release of any FISA orders for Trump Tower, as well as Donald Trump's tax returns. EPIC wrote the "need to understand Russian efforts to influence democratic elections cannot be overstated." EPIC President Marc Rotenberg summarized EPIC's FOIA efforts in an op-ed in The Hill earlier this week.
- EPIC Warns Congress about Law Enforcement Forensic Techniques (Mar. 28, 2017)
EPIC has sent a letter to a House Judiciary committee concerning “the state of forensic science in the United States.” Citing the work of EPIC Advisory Board members Erin Murphy and Jennifer Mnookin, EPIC said that oversight of forensic techniques, such as DNA and algorithms, is needed to ensure confidence in the criminal justice system. Last year, EPIC filed public records requests with six states to obtain the source code of DNA forensic software. EPIC has previously warned the US Supreme Court to carefully assess the reliability of investigative techniques. EPIC also argued a federal appeals case against DNA dragnet surveillance.
- EPIC Urges Senate Commerce Committee to Back Algorithmic Transparency, Safeguards for Internet of Things (Mar. 22, 2017)
EPIC has sent a letter to the Senate Commerce Committee concerning "The Promises and Perils of Emerging Technologies for Cybersecurity." EPIC urged the Committee to support "Algorithmic Transparency," an essential strategy to make automated decisions accountable. EPIC also pointed out the "significant privacy and security risks" of the Internet of Things. EPIC has been at the forefront of policy work on the Internet of Things and Artificial Intelligence, opposing government use of "risk-based" profiling, and recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices.
- Senators Markey and Blumenthal Introduce Bill to Protect Driver Privacy in Connected Cars (Mar. 22, 2017)
Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) have introduced the "Security and Privacy in Your Car Act of 2017." The SPY Car Act would establish cybersecurity and privacy standards for new passenger vehicles, and establish a privacy rating system. A 2014 report from Senator Markey "detailed major gaps in how auto companies are securing connected features in cars against hackers." The bill would also prevent the use of driver data for marketing purposes without consent. In 2015 EPIC testified before Congress on the need for privacy and safety safeguards for connected vehicles. In 2016 EPIC filed an amicus brief in federal appeals court to protect consumers in cases involving connected vehicles.
- EPIC Urges House Oversight Committee to Explore FBI's Use of Biometric Data (Mar. 21, 2017)
EPIC has sent a letter to the House Committee on Oversight concerning "Law Enforcement's Use of Facial Recognition Technology." EPIC urged the Committee to investigate the FBI's Next Generation Identification program. EPIC explained that an individual's ability to control disclosure of identity "is an essential aspect of personal security and privacy." The FBI biometric database is one of the largest in the world, but the FBI has opposed privacy safeguards that EPIC supported. The Bureau proposed to exempt the database from Privacy Act protections. EPIC has filed a FOIA lawsuit against the FBI for information about the agency's plans to transfer biometric data to the Department of Defense.
- EPIC Complaint Seeks Investigation of Auto "Starter Interrupt Devices" (Mar. 21, 2017)
EPIC has filed a complaint with the Consumer Financial Protection Bureau over the use of automobile "starter interrupt devices." The EPIC complaint alleges that companies use these devices to "monitor borrowers' real-time location, limit borrowers' movements to prescribed boundaries via geo-fencing technology, and disable vehicles in remote or dangerous locations" in violation of the Consumer Financial Protection Act. EPIC has asked the Bureau "to enjoin their unfair and abusive practices." In testimony, detailed comments, and letters, EPIC has urged Congress to adopt privacy and safety standards for connected vehicles. EPIC has also submitted comments to the CFPB on debt collection practices and publication of consumer complaint narratives.
- Secret Ballot At Risk in Colorado As Governor Considers "Ballot Selfie" Bill (Mar. 16, 2017)
The Colorado General Assembly recently passed a bill that allows "ballot selfies," threatening voter privacy. Ballot selfies allow campaigns, employers, unions, and others to verify how an individual voted. But EPIC explained in "The Secret Ballot At Risk: Recommendations for Protecting Democracy" that the secret ballot — the inability to link particular voters to particular votes — is a cornerstone of modern democracies. The secret ballot reduces the threat of coercion, vote buying and selling, and tampering. The secret ballot allows people to vote without fear of intimidation or retaliation. EPIC has a long history of working to protect voter privacy and election integrity. In a 2010 Supreme Court case, EPIC argued that disregard for voter privacy may unconstitutionally burden the right to vote.
- Sen. Markey and Rep. Welch Introduce Drone Privacy Legislation (Mar. 15, 2017)
Senator Markey and Representative Welch today introduced the Drone Aircraft Privacy and Transparency Act of 2017. The Act would establish privacy safeguards to protect individuals from drone surveillance. The Drone Privacy Act requires publicly available data collection statements from operators and warrants for drone surveillance by law enforcement. "Drones flying overhead could collect very sensitive and personally identifiable information about millions of Americans, but right now, we don't have sufficient safeguards in place to protect our privacy," said Senator Markey. The Act includes privacy protections EPIC has proposed in statements to Congress and comments to federal agencies. In EPIC v. FAA, EPIC is challenging the failure of the FAA to protect the public from aerial surveillance.
- EPIC Urges Senate Committee to Investigate Russian Interference with US Election (Mar. 15, 2017)
EPIC has sent a letter to the Senate Judiciary Committee for a hearing on "The Modus Operandi and Toolbox of Russia and Other Autocracies for Undermining Democracies Throughout the World." EPIC described two of its Freedom of Information Act cases against the FBI and the ODNI to obtain records about activities aimed at undermining democratic institutions, as well as a pending FOIA request regarding the "wiretapping of Trump Tower." EPIC explained that upcoming federal elections in Europe underscore the need to assess the threat to democratic elections. EPIC told the Committee the "need to understand Russian efforts to influence democratic elections cannot be overstated."
- EPIC to Senate: FAA Must Establish Drone Privacy Safeguards (Mar. 14, 2017)
EPIC sent a detailed letter to the Senate Commerce Committee ahead of a hearing on drone deployment in the United States. Emphasizing the unique privacy risks of drones, EPIC explained that the FAA has failed to establish necessary safeguards. EPIC has sued the agency, arguing that it has failed to comply with Congressional directives, following a petition by EPIC and hundreds of comments the agency received in support of privacy rules. EPIC also pointed out that the FAA has excluded privacy experts from the agency task force on drone policy.
- House Committee Approves Bill That Places Genetic Privacy At Risk (Mar. 13, 2017)
The House Committee on Education and the Workforce gave approval last week to a bill that would undermine the privacy protections guaranteed by the Genetic Information Nondiscrimination Act (GINA). The bill would condition health insurance discounts for wellness programs on whether an employee agrees to participate in genetic testing. Under GINA, employers may not penalize employees for keeping their genetic data private. DNA profiles and other genetic records contain particularly sensitive personal information that can impact employment decisions, insurance availability, and even criminal justice outcomes. EPIC supported GINA and has backed the right of individuals to control the use of their genetic data in numerous comments and cases.
- EPIC Urges House Committee to Protect Democratic Institutions (Mar. 9, 2017)
EPIC has asked the House Committee on Foreign Affairs to examine the risk to democratic institutions of cyber attack. EPIC described two recent Freedom of Information Act cases against the FBI and the ODNI to obtain records about the Russian interference with the 2016 US Presidential election. EPIC pointed to the upcoming federal elections in Europe and the need to safeguard democratic elections. EPIC recently launched the EPIC Cybersecurity and Democracy Project, which focuses on US cyber policies, threats to election systems, and foreign attempts to influence American policymaking.
- EPIC to Senate: Back FCC Broadband Privacy Rule, End FCC Bulk Data Collection (Mar. 7, 2017)
EPIC has sent a letter to the Senate Commerce Committee ahead of an FCC oversight hearing. EPIC urged the Committee to examine the FCC's role in online privacy. EPIC supports the FCC's broadband privacy rule. In fact, EPIC had urged the FCC to adopt a comprehensive privacy rule for all communications services, as suggested by FCC Chairman Pai. EPIC also brought to the Committee's attention an outdated FCC regulation that requires the bulk collection of telephone data of American consumers. In 2015, EPIC and many consumer privacy groups petitioned the FCC to repeal the regulation, but the Commission has yet to take any action. In the letter to the Senate, EPIC said the FCC should withdraw the anti-privacy, data retention regulation.
- EPIC to Congress: Examine TSA Secrecy (Mar. 2, 2017)
EPIC has sent a letter to the House Committee on Oversight for a hearing on the Transportation Security Administration. EPIC has objected to the TSA's refusal to release information designated as "sensitive security information" that is pertinent to EPIC's ongoing case against TSA regarding airport body scanners. EPIC said that the TSA is "seeking to hide its decision making behind this cloak of secrecy." The House Committee has also criticized the agency's use of the SSI designation. EPIC also raised concerns about the eye scanning of US travelers at US airports as well as the TSA's statement that they will no longer accept driver's licenses from states that oppose "REAL ID".
- EPIC Urges Senate Committee to Protect Consumers, Democratic Institutions With Strong Cyber Policies (Mar. 2, 2017)
In advance of a hearing on "Cyber Strategy and Policy," EPIC has sent a letter to the Senate Armed Services Committee urging Congress to protect democratic institutions, following the Russian interference with the 2016 presidential election. EPIC explained that "data protection and privacy should remain a central focus" of cyber security policy. EPIC also recommended that Congress strengthen the federal Privacy Act and establish a U.S. data protection agency. EPIC recently launched the EPIC Cybersecurity and Democracy Project that will focus on US cyber policies, threats to election systems and foreign attempts to influence American policymaking.
- EPIC Urges House Committee To Ensure Transparency, Public Reporting in Surveillance Law (Mar. 1, 2017)
In advance of a hearing on Section 702 of the Foreign Intelligence Surveillance Act, EPIC has sent a letter to the House Judiciary Committee urging increased transparency and new public reporting of the Government's surveillance activities. EPIC also highlighted that Section 702 is the central focus of multiple current legal challenges to international data transfer agreements occurring abroad. Section 702, which authorizes the bulk surveillance of the communications of non-U.S. persons, sunsets on December 31, 2017. EPIC testified before the Committee during the 2012 FISA reauthorization hearings.
- EPIC Urges House Committee to Protect Consumers, Democratic Institutions with Strong Cyber Security Measures (Feb. 28, 2017)
In advance of a hearing on "Cyber Warfare in the 21st Century: Threats, Challenges, and Opportunities," EPIC has sent a letter to the House Armed Services Committee urging Congress to protect democratic institutions, following the Russian interference with the 2016 presidential election. EPIC explained that "data protection and privacy should remain a central focus" of cyber security policy. EPIC also recommended that Congress strengthen the federal Privacy Act and establish a U.S. data protection agency. EPIC recently launched the EPIC Cybersecurity and Democracy Project, which will focus on US cyber policies, threats to election systems and foreign attempts to influence American policymaking.
- EPIC Tells Senate Committee that Transparency is Critical for Next Director of National Intelligence (Feb. 28, 2017)
EPIC has sent a statement to the Senate Select Committee on Intelligence outlining the key government transparency and cybersecurity challenges the next Director of National Intelligence will confront. The Committee meets today to consider the nomination of Sen. Dan Coats for the position. EPIC commended former Director Clapper's progress on oversight and transparency and urged the Committee to seek assurance from Sen. Coats that his office will continue that work. EPIC also warned that overclassification remains an issue that frustrates government accountability. EPIC informed the Committee that EPIC has filed suit against the ODNI for public release of the Complete Assessment of the Russian interference in the 2016 election. In the unclassified report, former Director Clapper said that the Russians conducted a "multi-faceted" attack on the 2016 election.
- EPIC Asks Congress To Examine Privacy and Safety Concerns for Connected Cars (Feb. 15, 2017)
EPIC has sent a letter to a House committee on Digital Commerce and Consumer Protection for a hearing on "Self-Driving Cars: Road to Deployment," urging the establishment of privacy and safety measures for connected cars. EPIC warned that connected vehicles raise substantial risks for consumers. EPIC explained that voluntary guidance and self-regulation do not provide meaningful protection. EPIC has testified before Congress and submitted detailed comments on the need for privacy and safety standards for connected vehicles.
- EPIC Urges Senate Committees to Protect Democratic Institutions (Feb. 13, 2017)
EPIC has sent letters to two Senate Committees investigating Russian interference with the 2016 Presidential Election. In letters to the Senate Judiciary Committee and Senate Foreign Relations Committee, EPIC described two Freedom of Information Act cases against the FBI and the ODNI to obtain records about the scope of activities aimed at undermining democratic institutions. EPIC explained that upcoming federal elections in Europe underscore the need to understand the cyber threat to democratic elections.
- EPIC Urges Congress to Protect Consumers, Democratic Institutions with Strong Cyber Security Measures (Feb. 13, 2017)
In advance of a hearing on "Strengthening U.S. Cybersecurity Capabilities," EPIC has sent a letter to the House Science Committee urging Congress to protect democratic institutions, following the Russian interference with the 2016 presidential election. EPIC explained that "data protection and privacy should remain a central focus" of cyber security policy. EPIC also recommended that Congress strengthen the federal Privacy Act and establish a U.S. data protection agency.
- States Recognize Data Privacy Day (Feb. 10, 2017)
Several states across the U.S., including Michigan, Montana, North Carolina, and Ohio, recognized international Data Privacy Day, held annually on January 28 to commemorate the first international treaty for privacy and data protection. State efforts to raise awareness about privacy and other consumer protection issues are published monthly in The State Center Consumer Protection Report. The Report also noted that Mississippi is pursuing legal action against Google over student data collected from public schools. The lawsuit accuses Google of collecting students' personal information and search history for its own business interests in violation of the Mississippi Consumer Protection Act.
- Senators Call for Answers from Secretary Kelly on Privacy Act Exclusion (Feb. 9, 2017)
In a letter to DHS Secretary Kelly, Senator Markey (D-MA) and five other Senators pressed DHS about the impact of an Executive Order limiting federal Privacy Act protections. "These Privacy Act exclusions could have a devastating impact on immigrant communities and would be inconsistent with the commitments made when the government collected much of this information," the Senators contended. The Senators also called on Secretary Kelly to explain the Order's impact on international commitments that permit U.S. firms to obtain access to the data of European consumers. EPIC is participating in Data Protection Commissioner v. Facebook, a case which follows a landmark decision that found insufficient legal protections for the transfer of European consumer data to the United States.
- House to Consider Narrow Update for Communications Privacy Law (Feb. 3, 2017)
Congress is scheduled to consider the "Email Privacy Act" (H.R. 387) next week. The bill passed the House 419-0 last session. The Act amends the Electronic Communications Privacy Act of 1986 to extend the warrant requirement to communications stored for more than 180 days. An earlier version of the Act would have required notice of email searches to the user, with some exceptions. EPIC has recommended several other ECPA updates, including protections for location data, data minimization requirements, and end-to-end encryption for commercial e-mail services.
- EPIC Urges Congress to Examine "Connected Devices," Safeguard Consumer Privacy and Protect Public Safety (Feb. 2, 2017)
EPIC sent a letter to a House Subcommittee on Communications and Technology in advance of a hearing on the NTIA, a key technology policy agency. EPIC warned that "American consumers face unprecedented privacy and security threats," citing recent examples of hacks of devices, including home locks and cars, connected to the internet. EPIC said that Congress and the NTIA should establish protections that minimize the collection of personal data and promote security for Internet-connected devices. EPIC warned of growing risks to consumer safety and public safety. EPIC has testified before Congress, litigated cases, and filed complaints with the FTC regarding connected cars, "smart homes," consumer products, and "always on" devices.
- Trump Administration Limits Scope of Privacy Act (Jan. 26, 2017)
Less than one week in office, the Trump Administration has published an Executive Order that limits the application of the federal Privacy Act. The Order states that "Agencies shall . . . ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act . . ." Few U.S. privacy laws distinguish between U.S. and non-U.S. citizens. The Privacy Act is an exception. Some efforts were made in the last few years to update the Privacy Act, a law adopted in 1974, as the federal government now collects detailed personal information on non-U.S. citizens. The reforms were also considered legally necessary to permit U.S. firms to obtain access to the data of European consumers.
- Pompeo Confirmed as CIA Director, Privacy Concerns Remain (Jan. 25, 2017)
This week the U.S. Senate confirmed Rep. Mike Pompeo to be Director of the CIA by a vote of 66-32. EPIC sent a statement to the Senate Select Committee on Intelligence highlighting Pompeo's troubling statements on privacy and surveillance. In a January 2016 op-ed, Mr. Pompeo wrote that "Congress should pass a law re-establishing collection of all metadata, and combining it with publicly available financial and lifestyle information into a comprehensive, searchable database. Legal and bureaucratic impediments to surveillance should be removed." EPIC warned the Senate Committee that the CIA Director must not "turn the enormous surveillance powers of the agency against the American people." A recent Freedom of Information Act case pursued by EPIC revealed that the CIA spied on staff members of the US Senate.
- Intelligence Director Releases Report on Signals Intelligence Reform (Jan. 24, 2017)
The Director of National Intelligence released a final progress report from the Obama administration on signals intelligence reform. The DNI report detailed the agency's efforts under Presidential Policy Directive 28 to increase transparency and accountability. Clapper also highlighted the Privacy and Civil Liberties Oversight Board's oversight role and stated that transparency is "difficult, but also, in my view, essential." The DNI stated, "The IC routinely provides the Board with the information and access it requests to carry out its oversight duties." The report also notes implementation of the Freedom Act, which prohibits the bulk collection of domestic telephone records. EPIC has supported enhanced transparency for the Intelligence Community and filed a Supreme Court petition to end the bulk data collection program.
- EPIC Urges Senate Committee to Safeguard Consumer Privacy in Internet of Things and Telemarketing Bills (Jan. 24, 2017)
EPIC sent a letter to the Senate Commerce Committee on Monday about privacy and security concerns in two pending bills. The DIGIT Act would "encourage the growth" of the Internet of Things and "help identify barriers to its advancement." The Spoofing Prevention Act would extend the laws prohibiting Caller ID spoofing to text messages, international calls, and Voice-over-IP calls. EPIC pointed out the "significant privacy and security risks" to American consumers of the Internet of Things. EPIC also argued for "a requirement that any automated calls reveal (1) the actual identity of the caller and (2) the purpose of the call." EPIC has been at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices. EPIC also supports robust telephone privacy protections and recently advised Congress on modernizing telemarketing rules.
- US Designates Countries Covered Under the Judicial Redress Act (Jan. 23, 2017)
During the final week in office, the Obama Department of Justice released the list of European countries covered under the Judicial Redress Act. The Act gives citizens of these countries limited rights under the US Privacy Act. The Act implements the US-EU "Umbrella Agreement," which is a framework for transferring law enforcement data across the Atlantic. The Act came about in response to the Schrems decision, which held that the United States lacks adequate data protection. EPIC had recommended substantial changes to the Judicial Redress Act, explaining in a letter to Congress that the bill still did not provide adequate protection to permit transborder data flows and fails to provide necessary updates for U.S. citizens. EPIC successfully sued the Justice Department to obtain the full text of the Umbrella Agreement.
- White House Publishes Privacy Report, Data Breaches Continue to Rise, as Obama Leaves Office (Jan. 19, 2017)
As one of the final acts of the outgoing President, the White House has released "Privacy in our Digital Lives: Protecting Individuals and Promoting Innovation." In 2008, President Obama announced "Change We Can Believe In" and said he would "strengthen the privacy protections for the digital age and to harness the power of technology to hold government and business accountable for violations of personal privacy." Beginning after his election, privacy groups across the country urged the President to strengthen privacy in America. In 2012, Obama proposed a Consumer Privacy Bill of Rights but no legislation followed. After the Snowden revelations, Congress enacted the Freedom Act and Obama reformed intelligence practices, but the US failed to limit data collection outside the US. The "Privacy Shield," a framework to gather data for commercial use without legal protections, was put in place even after NGOs urged comprehensive reforms in the US and the EU. Between 2009 and 2016, the levels of data breach, identity theft, and financial fraud in the United States skyrocketed, even as Americans called for stronger protections. The 2016 Presidential election was marked by data breaches, email disclosures and cyber attacks. The U.S. is still one of the few democratic nations in the world without a data protection agency.
- EPIC Urges Senate Committee to Ensure UN Ambassador Supports International Privacy Convention + (Jan. 18, 2017)
EPIC has sent a statement to the Senate Foreign Relations Committee urging the next UN Ambassador to advocate for human rights, particularly the right to privacy and the right to freedom of expression as set out in the Universal Declaration of Human Rights. EPIC also wrote that the UN Ambassador should support US ratification of the Council of Europe Privacy Convention, which is critical to the continued flow of personal data around the world. EPIC and consumer organizations have called on the United States to ratify the Privacy Convention. Next week, many countries around the world will recognize January 28, International Privacy Day, which celebrates the International Privacy Convention.
- EPIC Tells Senate to Probe Commerce Nominee on Data Protection, Privacy Shield + (Jan. 18, 2017)
EPIC has sent a letter to the Senate Commerce Committee outlining the key privacy issues that the next Secretary of Commerce should address. The Committee convened this week to consider the nomination of Wilbur Ross for Commerce Secretary. EPIC stated that privacy protection may be "the most important issue that the Secretary of Commerce will confront over the next several years." EPIC urged the Committee to ensure the nominee "make clear his commitment to a comprehensive approach to data protection, based in law." EPIC warned about the inadequacy of the Privacy Shield, a non-legal framework that permits the flow of European consumers' personal data to the United States, outside of European privacy law.
- EPIC Urges Senate Committee to Examine CIA Nominee's Positions on Surveillance + (Jan. 17, 2017)
EPIC has sent a statement to the Senate Select Committee on Intelligence highlighting CIA Director nominee Mike Pompeo's troubling positions on privacy and surveillance. In a January 2016 op-ed, Mr. Pompeo wrote that "Congress should pass a law re-establishing collection of all metadata, and combining it with publicly available financial and lifestyle information into a comprehensive, searchable database. Legal and bureaucratic impediments to surveillance should be removed." EPIC warned the Committee that the CIA Director must not "turn the enormous surveillance powers of the agency against the American people." The CIA has a long history of unlawful surveillance. A recent Freedom of Information Act case pursued by EPIC revealed the CIA spied on staff members of the US Senate.
- Senate Intelligence Committee Presses FBI to Reveal Russia Investigation + (Jan. 16, 2017)
Senator Richard Burr (R-NC) and Senator Mark Warner (D-VA), the Chairman and Ranking Member of the Senate Intelligence Committee, have announced a bipartisan inquiry into the Russian interference with the 2016 Presidential Election. Democratic members of the House Judiciary Committee have also pressed the FBI to confirm its investigation of President-elect Trump's ties to Russia. In a letter to FBI Director James Comey, Committee Members requested "all documentation relevant to this investigation" be provided to the Committee "as soon as possible." EPIC has filed two urgent Freedom of Information Act requests concerning Russian interference: one for records about the FBI's lax response to the foreign cyber threat, the other for the report "Russian Activities and Intentions in Recent US Elections". This week EPIC also urged the Senate Armed Services Committee to pursue an investigation.
- EPIC Urges Senate Committee to Press Transportation Nominee on Drones, Connected Cars + (Jan. 12, 2017)
EPIC has sent a statement to the Senate Commerce Committee, highlighting two significant privacy issues: drones and autonomous vehicles. The Senate Committee met this week to consider the nomination of Elaine Chao for Secretary of Transportation. EPIC sued the FAA, an agency subject to the Committee's oversight, for its failure to establish drone privacy rules, as required by Congress. EPIC also testified last year before the Committee on the risks of connected cars. EPIC has recently submitted comments on federal automated vehicles policy and filed an amicus brief in federal appeals court on the risks to consumers of connected vehicles.
- FTC Responds to EPIC, Consumer Groups About Toys That Spy + (Jan. 11, 2017)
The Federal Trade Commission has responded to EPIC's complaint about toys that spy, promising to "carefully review" the filing. EPIC's complaint, filed last month and joined by the Campaign for Commercial Free Childhood, the Center for Digital Democracy, and Consumers Union, alleges that the internet-connected children's toys My Friend Cayla and i-Que Intelligent Robot violate federal privacy laws. The complaint is part of coordinated, international efforts to ban these toys from the marketplace. Walmart, Toys "R" Us, and stores across Europe have already pulled the toys from their shelves. EPIC's complaint has also spurred a congressional investigation by Sen. Edward Markey (D-MA) into the data practices of toymaker Genesis Toys and speech technology developer Nuance Communications.
- EPIC, Technology Experts Urge Senate Committee to Monitor President’s Homeland Security Advisor + (Jan. 10, 2017)
In a letter to the Senate Committee on Homeland Security, EPIC and leading experts urged Congress to keep a close eye on the White House Homeland Security Advisor. EPIC explained that the position, equal in power to the National Security Advisor, carries "significant implications for the safety and security of the American people." EPIC said that the Homeland Security Advisor should ensure "the Russian government poses no further threats to the United States electoral system or to other democratic governments." EPIC also said that "data protection and privacy should remain a central focus" of U.S. cyber security policy. The EPIC letter was signed by distinguished experts in cyber security, information technology, encryption, and human rights law.
- EPIC Seeks Expedited Release of Report on Russian Interference in 2016 Election + (Jan. 10, 2017)
EPIC has submitted an urgent Freedom of Information Act request to the Office of the Director of National Intelligence (ODNI) seeking the complete report on the Russian interference in the 2016 Presidential Election. On January 6, the ODNI released a public summary on the Russian interference, but withheld important information. EPIC is seeking expedited release of the complete, unredacted report. EPIC is also seeking records from the FBI about the agency's lax response to the foreign cyber threat. EPIC submitted a statement to the Senate Armed Services Committee hearing on Russian interference. Congress will hold a second hearing today, and a bill initiating new sanctions against Russia is expected this week. EPIC will continue to press the ODNI for prompt release of the report.
- Senate to Consider Nomination of Senator Sessions for Attorney General + (Jan. 9, 2017)
Tomorrow the Senate Judiciary Committee will begin hearings on the nomination of Senator Jeff Sessions for Attorney General. EPIC submitted a statement to the Committee, which stated “Senator Sessions’ record regarding the privacy rights of Americans raises serious questions about his selection as Attorney General.” EPIC pointed to Sessions’ support for warrantless surveillance of the American people and opposition to government oversight. Senator Sessions also opposed Apple in its dispute with the FBI and failed to support efforts to modernize the Electronic Communications Privacy Act. The Lawyers for Good Government also raised concerns about Senator Sessions’ support for the Privacy Act, the Freedom of Information Act, as well as his independence to “prosecute all criminal acts including those that may implicate the President of the United States.”
- White House Issues Data Breach Guidance for Federal Agencies + (Jan. 4, 2017)
The White House Office of Management and Budget has released guidance establishing common standards and practices for how federal agencies manage data breaches. The Data Breach Memorandum sets out a risk-based framework for evaluating data breaches and requires each agency to develop a data breach response plan. Not all breaches will trigger individual notification under the guidance. The new guidance comes four months after a House Government and Oversight Committee report criticized the Office of Personnel Management about the 2015 data breaches that compromised the records of 22 million federal employees and family members. EPIC testified in 2009 and 2011 in support of strong data breach notification laws, filed comments with the Office of Personnel Management recommending limits on data collection, and has urged the Supreme Court to recognize a right of "information privacy" that would limit the ability of the federal government to collect personal information.
- Senate Armed Services Committee to Examine Foreign Cyber Threats + (Jan. 4, 2017)
The Senate Armed Services Committee will hold a hearing on "Foreign Cyber Threats to the United States" on January 5, 2016. EPIC submitted a statement to the Committee to alert Senators about a pending Freedom of Information Act request. The EPIC FOIA request concerns the lax response of the FBI to the Russian interference with the 2016 Presidential election. EPIC wrote “we believe that the information that we are seeking from the FBI will also be helpful to the Senate Armed Services Committee as you investigate foreign cyber threats to the United States.” Director of National Intelligence James Clapper, National Security Agency and Cyber Command Chief Adm. Mike Rogers and Undersecretary of Defense for Intelligence Marcel Lettre are scheduled to testify.
- Obama Sanctions Russia for Election “Hack” + (Dec. 30, 2016)
President Obama has sanctioned the Russian government for interference with the 2016 Presidential election. Obama stated, "These actions follow repeated private and public warnings that we have issued to the Russian government, and are a necessary and appropriate response to efforts to harm U.S. interests in violation of established international norms of behavior." Throughout this year, EPIC pursued a campaign in support of data protection, contending that it was "the most important, least well understood issue" of the 2016 election. EPIC specifically warned that online voting systems were vulnerable to cyber attack. EPIC recently filed an expedited FOIA request with the FBI, seeking to determine why the agency was slow to respond to the attack on US democratic institutions by a foreign government.
- Rep. Sensenbrenner Warns Trump on EU-US Data Flows + (Dec. 21, 2016)
Congressman James Sensenbrenner has sent a letter to President-elect Donald Trump urging him to retain Presidential Policy Directive 28, which governs domestic and foreign signals intelligence activity. The Directive requires the intelligence community to safeguard the personal information of all individuals regardless of nationality. Sensenbrenner noted that PPD 28 also serves as a foundation for the “Privacy Shield,” a framework for commercial data flows between Europe and the United States. EPIC has urged the EU and US to strengthen safeguards for transborder data flows and is currently participating as amicus curiae in a legal challenge to Privacy Shield brought by privacy advocate Max Schrems.
- Congressional Working Group Releases Encryption Report + (Dec. 20, 2016)
The Congressional Encryption Working Group has released a year-end report. Two Congressional Committees formed the working group following the FBI’s demand that Apple weaken cell phone security to provide access to encrypted data on an iPhone. The report, endorsed by both Republican and Democratic members of Congress, finds that “any measure that weakens encryption works against the national interest.” The report also notes that encryption is a global technology, and suggests that Congress should “foster cooperation between the law enforcement community and technology companies” instead of seeking a “one-size-fits-all” solution. EPIC has advocated for strong encryption since its founding in 1994 and published the first comprehensive survey of encryption use around the world. Earlier this year, EPIC filed a “friend of the court” brief in support of Apple's challenge in the FBI iPhone case. The EPIC amicus brief explained that encryption protects the owners of the approximately three million cell phones lost or stolen each year from criminal hacking, financial fraud, and identity theft.
- EPIC Hosts Curated CRS Reports on Cyber Topics + (Dec. 20, 2016)
EPIC has launched an online resource to make selected reports of the Congressional Research Service available to the public. The Congressional Research Service, housed within the US Library of Congress, provides timely reports on important legislative and policy issues pending in Congress. EPIC has reviewed CRS reports over the past decade and, with a dedicated portal, will now make available CRS reports on cyber security, surveillance, open government, drones, and other similar topics. The EPIC CRS Reports page will be frequently updated to make relevant reports widely available during the upcoming Congress. EPIC’s own work on these topics is often cited in CRS reports.
- Data Stolen from Over One Billion User Accounts in Second Yahoo Data Breach + (Dec. 15, 2016)
Yahoo announced this week that data was stolen from over one billion user accounts in August 2013. The breach included names, email addresses, telephone numbers, dates of birth, passwords, and security questions and answers. More than 150,000 U.S. government and military employees are among the victims. Yahoo's earlier breach drew wide-ranging concern from U.S. Senators to European privacy officials. EPIC testified in support of strong data breach notification laws in 2009 and 2011 (urging Congress to establish a short timeline for notification to users of breaches), launched the Data Protection 2016 campaign to make privacy a campaign issue, and recently filed an amicus brief to protect the ability of consumers to sue companies that fail to protect their personal information.
- EPIC's "Toys That Spy" Complaint Spurs Congressional Investigation + (Dec. 9, 2016)
Senator Edward Markey (D-MA) has sent letters to toy maker Genesis Toys and speech technology developer Nuance Communications requesting information on their data collection from young children. The investigation follows EPIC's complaint filed with the Federal Trade Commission over "toys that spy" on children in violation of federal privacy laws. EPIC's complaint, joined by the Campaign for Commercial Free Childhood, the Center for Digital Democracy, and Consumers Union, is part of coordinated, international efforts to ban these toys from the marketplace. Senator Markey and Rep. Joe Barton (R-TX), joined by Senator Mark Kirk (R-IL) and Rep. Bobby Rush (D-IL), introduced the Do Not Track Kids Act, comprehensive children's online privacy legislation that updates the law to protect children's personal information.
- Watchdog Report Shows Wiretap Powers Ineffective + (Dec. 9, 2016)
The Justice Department's Inspector General has released the latest report to Congress on government surveillance. The report includes a review of the FBI's data collection under Section 215 of the Patriot Act, which was revised by the Freedom Act. According to the IG report, FBI agents "did not identify any major case developments that resulted from use of the records obtained in response to the [Section 215] orders." Similar findings were made by the PCLOB and the Senate Judiciary Committee: Section 215 has not prevented terrorist acts. The Second Circuit ruled last year that the NSA's telephone record collection program exceeded the legal authority of Section 215. EPIC recently obtained nonpublic IG reports through a FOIA lawsuit.
- Open Government Lawsuits at Near-Record Highs in 2016 + (Dec. 9, 2016)
Advocates, journalists, and businesses have brought a near-record 512 lawsuits under the Freedom of Information Act in 2016. The findings, compiled for FOIAproject.org by the Transactional Records Access Clearinghouse, show a 35 percent increase in FOIA litigation over the past five years. According to the new report, the lawsuits have covered diverse issues including "private email accounts, national security, immigration, the environment and even Donald Trump." In 2016, EPIC brought FOIA suits for the DOJ's secret inspector general reports, the DOT's drone task force records, and the FBI's biometric data transfer memos.
- Senate Explores Security of Ground Transportation, Witnesses Express Privacy Concerns + (Dec. 9, 2016)
The Senate Commerce Committee examined security issues in road and railroad transportation. Witnesses expressed concerns about the cybersecurity of commercial trucking networks, customer data, and hacking of a truck's braking systems. Witnesses also proposed a credentialing system for access to port facilities. EPIC has submitted comments to NHTSA and testified before Congress on the safety and privacy risks of automated vehicles.
- Congress to Examine Artificial Intelligence + (Nov. 30, 2016)
Today the Senate Commerce Committee will hold a hearing on "The Dawn of Artificial Intelligence." Experts from industry and academia will provide "a broad overview of the state of artificial intelligence, including policy implications and effects on commerce." In a prepared statement, EPIC urged the Committee to support "Algorithmic Transparency," an essential public policy strategy to make AI accountable. The hearing follows two White House reports: Preparing for the Future of Artificial Intelligence and the National Artificial Intelligence Research and Development Strategic Plan. EPIC is currently litigating several "AI" cases including EPIC v. FAA (drone surveillance), Cahen v. Toyota (autonomous vehicles), EPIC v. CBP (U.S. traveler "risk assessments"), and Secret DNA Forensic Source Code.
- Congress Passes Consumer Review Fairness Act, Bans Gag Clauses + (Nov. 29, 2016)
Congress has passed the Consumer Review Fairness Act, a law protecting consumers' right to post negative reviews without fear of retaliation. The bipartisan measure would make it illegal for companies to include non-disparagement clauses in consumer contracts, or to impose penalties or fees for critical reviews. The Federal Trade Commission will enforce the new law, which now awaits President Obama's signature. "By ending gag clauses, this legislation supports consumer rights and the integrity of critical feedback about products and services sold online," said Senate Commerce Committee Chairman John Thune. EPIC has long supported free speech and access to information online.
- FBI to Monitor Twitter + (Nov. 29, 2016)
According to FBI contracting documents, the FBI has hired Dataminr to monitor in real-time more than 500 million daily tweets. EPIC has warned that these techniques of mass surveillance will subject more innocent people to government investigation. In 2012, EPIC successfully obtained documents detailing the social media monitoring program of the Department of Homeland Security, including instructions to analysts to monitor critics of the agency. EPIC's FOIA work led to a Congressional hearing on social media monitoring and government surveillance.
- EPIC Urges OMB to Strengthen Privacy Act Safeguards + (Nov. 7, 2016)
EPIC has submitted comments on Circular A-108, guidelines proposed by the Office of Management and Budget for federal agency compliance with the Privacy Act. EPIC warned that agencies frequently misuse exceptions to the Privacy Act to circumvent important safeguards required by law. EPIC urged the OMB to "strengthen its guidance on federal agency implementation of the Privacy Act" and to limit the 'routine use' exemption. EPIC regularly comments on privacy safeguards for federal databases and has urged Congress to modernize the Privacy Act.
- House Members Urge FTC to Examine Internet-of-Things + (Nov. 4, 2016)
In the wake of October's massive distributed denial of service attack, two members of Congress have sent a letter to Federal Trade Commission Chairwoman Edith Ramirez urging the FTC to protect consumers from insecure Internet of Things devices. Rep. Frank Pallone, Jr. and Rep. Jan Schakowsky, senior members of the House Energy and Commerce Committee, wrote that the FTC should "immediately use all the tools at its disposal to ensure that manufacturers of IoT devices implement strong security measures." EPIC is at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices. EPIC recently urged the federal government to establish legal requirements to promote Privacy Enhancing Technologies, limit user tracking, minimize data collection, and "ensure security in both design and operation of Internet-connected devices."
- Second Legal Challenge Launched Against "Privacy Shield" + (Nov. 3, 2016)
La Quadrature du Net, a French privacy organization, has launched a legal challenge to “Privacy Shield,” a controversial framework for the transfer of personal data from Europe to the United States. This lawsuit follows a similar challenge brought by the Irish group Digital Rights Ireland. "Privacy Shield" was the response of EU and US politicians after the European Court of Justice determined that there was insufficient legal protection for transatlantic data transfers. NGOs in the United States and Europe had urged the adoption of a comprehensive framework for data protection and said that Privacy Shield was not adequate. EPIC also testified before Congress on the need to update US privacy law. EPIC is currently participating as amicus curiae in a related case brought by privacy advocate Max Schrems.
- European Privacy Officials Pursue Investigation of WhatsApp & Yahoo + (Oct. 28, 2016)
The Article 29 Working Party, an expert group of European privacy officials, is pursuing investigations of WhatsApp and Yahoo. In a letter to Facebook, the Working Party stated that the decision to transfer confidential user data from WhatsApp to Facebook has raised "serious concerns," and urged WhatsApp to halt data transfers pending completion of the investigation. Separately, the group urged Yahoo to provide information about the 2014 data breach which compromised 500 million accounts. The Working Party also pressed the company to explain why it scanned customer emails for US intelligence agencies. EPIC recently filed a complaint with the FTC regarding WhatsApp, arguing that it violated a 2014 agreement and urging the Commission to block the transfer. EPIC has also testified before Congress about the need to adopt data breach legislation and launched the Data Protection 2016 campaign.
- EPIC to Testify Before Maryland House of Delegates on Cell Site Simulators + (Oct. 25, 2016)
EPIC Senior Counsel Alan Butler will testify today before the Maryland House of Delegates concerning "Cell Site Simulator Technology, Historical Location Information, and Aerial Surveillance by Police." The hearing follows a recent complaint to the FCC regarding the use of "Stingrays," fake cell phone towers, by the Baltimore Police Department to intercept private communication. In a 2013 Freedom of Information Act suit against the FBI, EPIC uncovered plans involving federal and state law enforcement agencies to keep the use of Stingrays secret. EPIC has since argued in amicus briefs that cell phone location data is protected by the Fourth Amendment. Baltimore Police used Stingrays to track more than 1,700 individuals between 2007 and 2014.
- EPIC Urges Massachusetts High Court to Protect Email Privacy + (Oct. 24, 2016)
EPIC has filed an amicus brief in the Massachusetts Supreme Judicial Court regarding email privacy. At issue is Google's scanning of the email of non-Gmail users. EPIC argued that this is prohibited by the Massachusetts Wiretap Act. EPIC described Google's complex scanning and analysis of private communications, concluding that it was far more invasive than the interception of telephone communications, prohibited by state law. A federal court in California recently ruled that non-Gmail users may sue Google for violation of the state wiretap law. EPIC has filed many amicus briefs in federal and state courts and participated in the successful litigation of a cellphone privacy case before the Massachusetts Judicial Court. The EPIC State Policy Project is based in Somerville, Massachusetts.
- EPIC FOIA - FAA Defies Congress, Fails to Complete Drone Privacy Report + (Oct. 24, 2016)
Through an EPIC Freedom of Information Act request, EPIC obtained documents revealing that the FAA never finished a drone privacy report required by Congress. The Appropriations Act of 2014, which provided funding for the agency, required the FAA to inform Congress on "how the FAA can address the impact of widespread use of [drones] on individual privacy." The FAA drone privacy report was to be completed before the end of 2015 and before any drone regulations were issued. Now, as the end of 2016 approaches, the FAA has moved forward with regulations lacking privacy safeguards, and the drone privacy report is still unfinished. EPIC is currently suing the FAA for the agency's failure to establish drone privacy rules.
- EPIC and Coalition Urge Presidential Candidates to Adopt Good Government Policies + (Oct. 19, 2016)
In letters to Hillary Clinton and Donald Trump, EPIC and a coalition of NGOs urged the presidential candidates to adopt good-government policies in the next administration. In the first letter, the coalition called on the nominees to adopt a rigorous code of ethics for their presidential transition teams. Citing then-Senator Obama's 2008 transition code of ethics, the coalition urged the candidates to prohibit individuals with lobbying ties and financial conflicts of interest from working in the administration. EPIC also joined a second letter calling on the next president to adopt stronger policies on government record keeping. The next president, wrote the coalition, "can demonstrate commitment to strengthening records accountability within the federal government" by directing agencies to comply with the Office of Management and Budget's 2012 government records directive, implement agency-wide record keeping training, develop open records plans, and abide by strict reporting deadlines. EPIC and other open government groups previously pushed the Obama administration to improve its implementation of the Freedom of Information Act.
- FTC Hosts Event on Drones and Privacy + (Oct. 13, 2016)
Today the Federal Trade Commission will host a panel discussion on drones and privacy as part of the agency's Fall Technology Series. The Director of EPIC's Domestic Surveillance Project, Jeramie Scott, will participate in the panel. Mr. Scott previously testified before the Pennsylvania Senate on domestic drone surveillance and submitted a statement for the record regarding a Maryland bill to limit drone surveillance. EPIC and leading experts previously urged the FAA to adopt privacy rules for drones, and when the agency refused, EPIC sued. EPIC v. FAA is currently pending before the D.C. Circuit Court of Appeals.
- White House Releases Reports on Future of Artificial Intelligence + (Oct. 13, 2016)
The White House has released two new reports on the impact of Artificial Intelligence on the US economy and related policy concerns. Preparing for the Future of Artificial Intelligence surveys the current state of AI, applications, and emerging challenges for society and public policy. The report concludes "practitioners must ensure that AI-enabled systems are governable; that they are open, transparent, and understandable; that they can work effectively with people; and that their operation will remain consistent with human values and aspirations." A companion report National Artificial Intelligence Research and Development Strategic Plan proposes a strategic plan for Federally-funded research and development in AI. President Obama will discuss these issues on October 13 at the White House Frontiers Conference in Pittsburgh. #FutureofAI EPIC has promoted Algorithmic Transparency for many years and is currently litigating several cases on the front lines of AI, including EPIC v. FAA (drones), and Cahen v. Toyota (autonomous vehicles).
- EPIC Opposes DHS Plan to Collect Social Media Identifiers + (Sep. 30, 2016)
In comments to the Department of Homeland Security, EPIC urged the agency to drop a plan to review the social media accounts of people seeking to visit the U.S. EPIC argued that the proposal threatens important First Amendment rights, risks abuse, and would disproportionately impact minority groups. Documents obtained by EPIC in 2011 in a Freedom of Information Act lawsuit revealed that the DHS gathered social media comments to identify individuals, including US citizens, critical of the agency and the government. A 2012 Congressional hearing, based on the documents obtained by EPIC, revealed bipartisan opposition to the original DHS social media monitoring program.
- Massachusetts Court Upholds Privacy Rights of Cell Phone Users + (Sep. 28, 2016)
The Massachusetts Supreme Judicial Court ruled today in Commonwealth v. White that the Fourth Amendment prohibits law enforcement from seizing a cell phone based simply on an officer’s suspicion that a cell phone may be used in a crime, finding that a warrant must be obtained prior to the seizure of the phone. EPIC filed an amicus brief in the case, arguing that "digital is different," and therefore the legal standard for warrantless searches of contraband in schools does not apply to cell phones. EPIC also explained the significance of Riley v. California, the recent Supreme Court decision that established a warrant requirement for searches of cell phones. The EPIC State Policy Project coordinated the EPIC amicus brief in the case.
- EPIC Urges Congress to Protect Voter Privacy + (Sep. 27, 2016)
EPIC has sent a letter to a Congressional committee in advance of a hearing on cybersecurity and ballot integrity. EPIC warned that casting votes online threatens voter privacy. EPIC explained that the secret ballot is the cornerstone of the US election system. EPIC, Common Cause, and Verified Voting recently published The Secret Ballot at Risk: Recommendations for Protecting Democracy. The report makes specific recommendations for protecting voter privacy. EPIC has a long history of working to protect voter privacy and election integrity.
- Senators Seek Answers About Yahoo's Massive Data Breach + (Sep. 27, 2016)
Led by Senator Patrick Leahy, several senators sent a letter to Yahoo’s CEO, Marissa Mayer, seeking answers about the massive data breach that compromised the sensitive data of 500 million accounts. The Senators were troubled by the delay in breach notification, stating “We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week.” EPIC testified in support of strong data breach notification laws in 2009 and 2011 and urged Congress to ensure that users are “notified promptly” when personal information is wrongfully disclosed. EPIC launched “Data Protection 2016” to make privacy a campaign issue and recently filed an amicus brief to protect the ability of consumers to sue companies that fail to protect their personal information.
- Secret Ballot At Risk in Maryland After Election Board Vote + (Sep. 27, 2016)
The Maryland State Board of Elections has voted to certify Maryland’s online ballot-marking system for general use, threatening voter privacy. Voters using the online ballot-marking system would receive and fill out their ballot online, risking third-party access to their vote. Previously online ballot-marking was permitted only to enable participation by voters with disabilities. EPIC, Verified Voting, and Common Cause recently released The Secret Ballot at Risk: Recommendations for Protecting Democracy, a report highlighting the right to a secret ballot and how Internet voting threatens voter privacy. EPIC has a long history of working to protect voter privacy and election integrity.
- EPIC Tells Congress FTC Must Do More for Consumer Privacy (Sep. 26, 2016)
EPIC has sent a letter to the Senate Commerce Committee in advance of an oversight hearing on the Federal Trade Commission. EPIC explained that the FTC has not done enough to safeguard consumer privacy, citing the Commission's failure to enforce settlement agreements or to modify proposed settlements based on public comments. "The FTC’s failure to act in the face of mounting threats to consumer privacy and security could be catastrophic," EPIC warned. EPIC also proposed comprehensive consumer privacy laws to combat the growing threats of data breaches, identity theft, and financial fraud. Public opinion polls show broad public support for new US privacy laws.
- Data Protection 2016: 500 Million Yahoo Users Victims of Massive Data Breach (Sep. 22, 2016)
Yahoo has announced that the personal data of at least 500 million users was breached in late 2014. The breach included users’ names, email addresses, telephone numbers, dates of birth, passwords and security questions and answers. For many years, EPIC has urged the Administration and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. This year EPIC launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election, calling it “the most important, least well understood issue” of this election.
- EPIC Advises Congress on Modernizing Telemarketing Rules to Protect Consumers (Sep. 21, 2016)
EPIC has sent a letter to the House Energy and Commerce Committee in advance of the hearing on “Modernizing the Telephone Consumer Protection Act.” The telemarketing law bars telemarketers and robocallers from contacting consumers by phone, fax, or text without prior consent. EPIC urged the Committee to ensure that an update to the law “protects consumers from unwanted commercial communications.” EPIC said legal rights should be “robust, enforceable and minimally burdensome for consumers.” Earlier this year, EPIC filed an amicus brief in support of strengthening TCPA protections for consumers. EPIC has also testified before Congress about the telemarketing law and submitted many comments concerning its implementation.
- U.S. Proposes Voluntary Guidelines for "Automated Vehicles," Privacy and Safety Issues Remain a Challenge (Sep. 20, 2016)
The Department of Transportation has released federal guidelines for the automated vehicle industry. The Federal Automated Vehicles Policy backs the deployment of self-driving cars in the United States. The agency acknowledges privacy concerns and endorses the Consumer Privacy Bill of Rights, which EPIC supports; however, the framework lacks compliance obligations and enforcement mechanisms. The agency also proposes to preempt existing state regulations that may provide stronger protections. Last year in testimony before Congress, EPIC warned of public safety risks associated with automated vehicles. And yesterday Secretary of Commerce Penny Pritzker warned the Commission on Enhancing National Cybersecurity that "as cars go driverless . . . the cyberthreats we face will only grow more widespread." The Transportation Department seeks public comments on the Guidelines for Automated Vehicles. The deadline is November 22, 2016.
- Policy Commission Seeks Public Comment (Sep. 20, 2016)
The Commission on Evidence-Based Policymaking has issued a request for comments on "strategies to increase the availability and use of government data." Congress established the Commission to study whether and how data across the federal government could be combined for policy research while protecting privacy. The Commission seeks comment on several issues including privacy risks, access to data, and whether a single clearinghouse should be created. In testimony before the Commission, EPIC President Marc Rotenberg emphasized safeguards for personally identifiable information, following EPIC’s work on Re-identification and The Census and Privacy. Comments to the Commission are due on November 14, 2016.
- White House Updates Guidance on Federal Agency Privacy Practices (Sep. 19, 2016)
The Office of Management and Budget released a memorandum that requires the head of each agency to “assess the management, structure, and operation of the agency’s privacy program.” The OMB memo provides updated guidance, requiring the designation of a Senior Agency Official for Privacy with appropriate authority to implement the agency’s privacy program, including ensuring compliance with the Privacy Act. In 2015, a breach of records at the OMB impacted more than 22 million federal employees, family members and associates. EPIC has filed numerous comments with agencies across the federal government criticizing their lack of compliance with the Privacy Act. EPIC has also submitted amicus briefs to the US Supreme Court concerning the federal Privacy Act.
- Federal Agencies Unable to Measure FOIA Litigation Costs (Sep. 9, 2016)
In a new report, the Government Accountability Office found that the Justice Department and other federal agencies are unable to determine how much they spend on defending Freedom of Information Act lawsuits. The watchdog agency found that of the 112 FOIA lawsuits decided between 2009 and 2012 in which the requester prevailed, agencies were able to calculate costs for only half, and estimated $1.4 million in costs. The GAO—which conducted the investigation in response to a request from Senators Chuck Grassley (R-IA) and Patrick Leahy (D-VT) of the Senate Judiciary Committee—urged Congress to explore the possibility of requiring agencies to track FOIA litigation costs. EPIC routinely litigates FOIA cases against federal agencies, and is currently fighting to obtain secret Inspector General reports, surveillance oversight reports, and details on the government’s largest-ever phone surveillance program.
- Presidential Science Advisors Challenge Validity of Criminal Forensic Techniques (Sep. 8, 2016)
According to an upcoming report by the President’s Council of Advisors on Science and Technology, much of the forensic analysis in criminal trials is not scientifically valid. The report, to be released this month, attacks the validity of analysis of evidence like bite-marks, hair, and firearms. The "lack of rigor in the assessment of the scientific validity of forensic evidence is not just a hypothetical problem but a real and significant weakness in the judicial system,” wrote the council. The Senate Judiciary Committee held hearings in 2009 and 2012 to discuss the need to strengthen forensic science, and Sen. Patrick Leahy (D-VT) introduced a forensic reform bill in 2014. EPIC has pursued FOIA requests on the reliability of proprietary forensic techniques. EPIC also filed a brief on the reliability of novel forensic techniques in the Supreme Court case Florida v. Harris.
- Pokemon GO Developer Niantic Responds to Sen. Franken Inquiry into Privacy Concerns (Sep. 8, 2016)
Pokemon GO developer Niantic has responded to Sen. Al Franken’s request for information concerning the company’s data practices. Sen. Franken’s letter, sent in early July, asked Niantic to clarify the scope, purpose, and necessity of its data collection practices. Niantic’s response letter indicates that it “collects and stores” user location data to place and position users on the game’s map, but fails to explain why and for how long location data is stored. Franken also directed the company to provide a current list of the "third party service providers" with whom user data is shared. Niantic’s letter confirms that it hires third parties to provide a variety of services, but does not specifically identify any of these companies. Privacy officials in Canada, Europe, and Asia have begun investigations of Niantic, which is tied to the Google company Alphabet. The Niantic CEO led the Google project that captured private communications in more than 30 countries around the world. The initial Pokemon GO release provided Niantic full access to the user's Google account. EPIC sent a letter to the FTC urging the Commission to investigate the privacy risks posed by Pokemon GO, Niantic’s data collection practices, and its ties to Google.
- House Report Criticizes OPM Handling of Massive Data Breach Last Year (Sep. 7, 2016)
In a press release, the House Oversight and Government Reform Committee released a report criticizing the Office of Personnel Management’s handling of the data breach in 2015. The breach compromised the information of over 21.5 million individuals, including federal employees, their families and friends. The report concluded the OPM breach was preventable and recommended numerous measures including less use of social security numbers. For many years, EPIC has urged the Administration and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. EPIC has also supported new limits on the collection and use of the SSN. This year EPIC launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election.
- EPIC Opposes DHS Plan to Collect Social Media Identifiers (Aug. 23, 2016)
In comments to the Department of Homeland Security, EPIC urged the agency to drop a plan to review the social media accounts of people seeking to visit the U.S. EPIC argued that the proposal threatens important First Amendment rights, risks abuse, and would disproportionately impact minority groups. Documents obtained by EPIC in 2011 in a Freedom of Information Act lawsuit revealed that the DHS gathered social media comments to identify individuals, including US citizens, critical of the agency and the government. A 2012 Congressional hearing, based on the documents obtained by EPIC, revealed bipartisan opposition to the original DHS social media monitoring program.
- EPIC, Verified Voting, Common Cause Release Report on Ballot Secrecy (Aug. 18, 2016)
EPIC, Verified Voting, and Common Cause today released The Secret Ballot at Risk: Recommendations for Protecting Democracy, a report highlighting the right to a secret ballot and how Internet voting threatens voter privacy. All 50 states recognize ballot secrecy as a core value. Despite this, 32 states and DC are promoting Internet voting, typically for overseas and military voters, and are asking those voters to waive their right to a secret ballot. That threatens voting freedom and election integrity. The report recommends actions voters can take to protect the secrecy of their ballot, and encourages states to do more to safeguard voter privacy. EPIC has a long history of working to protect voter privacy and election integrity.
- EPIC Urges Wisconsin Legislature to Safeguard Student Privacy (Aug. 17, 2016)
In testimony for the Wisconsin legislature, EPIC urged state lawmakers to protect student privacy. EPIC's testimony: (1) explained how the U.S. Education Department weakened key safeguards for student records, (2) described the privacy risks that students today face, (3) underscored the need for data security safeguards for student information, and (4) recommended that Wisconsin adopt EPIC's Student Privacy Bill of Rights. EPIC has previously urged Congress, the Education Department, and the Federal Trade Commission to strengthen student privacy. EPIC's State Policy Project is monitoring privacy bills nationwide.
- EPIC and Coalition Recommend Improvements to Health Agency’s Open Government Rules (Aug. 17, 2016)
In comments to the Department of Health and Human Services, EPIC and a coalition of open government advocates urged the agency to update its FOIA rules to keep in line with the FOIA Improvement Act of 2016. The coalition pressed the agency to “go further to ensure greater access to public interest information.” Signed into law by President Obama on the FOIA’s 50th anniversary, the FOIA Improvement Act creates a new portal for requesters, requires the proactive disclosure of frequently requested records, strengthens the FOIA ombudsman, and codifies the presumption of openness.
- EPIC Defends Drivers’ Right to Sue for Safety, Privacy Risks As Congress Warns of Risks to Public (Aug. 5, 2016)
EPIC has filed an amicus brief in a case concerning the privacy and public safety risks of “connected” cars. EPIC warned that connected cars “expose American drivers to the risks of data breach, auto theft, and physical injury.” EPIC said a lower court was wrong to dismiss the case. EPIC urged a federal appeals court to allow consumers "the opportunity to present legal claims stemming from the defendants’ sale of vehicles that place them at risk." This week researchers at Black Hat revealed new vulnerabilities in networked vehicles as Senators Blumenthal and Markey urged the FCC to establish “robust safety, cybersecurity, and privacy protections before automakers deploy vehicle-2-vehicle . . . communication technologies.” EPIC has filed several amicus briefs defending consumers' rights to enforce their privacy rights.
- White House Hosts Drone Workshop, FAA OKs Commercial Use, Ignores Privacy (Aug. 4, 2016)
The White House hosted “Drones and the Future of Aviation.” The FAA Administrator announced that the FAA will approve drone operations over people before the end of the year. The FAA also announced an industry-led task force that will promote voluntary privacy best practices. In EPIC v. FAA, EPIC challenged the FAA's failure to establish drone privacy regulations following a petition endorsed by more than 100 experts and organizations. The FAA has repeatedly acknowledged the privacy risks of drones, but has refused to establish privacy safeguards.
- EPIC Asks FTC to Investigate Privacy Risks of Pokemon GO (Jul. 22, 2016)
EPIC has urged the FTC to launch an investigation of Pokemon GO and the app's developer Niantic. When the augmented-reality app was first released, Niantic granted itself "full access" to users' Google accounts in violation of federal privacy law. Even after recent changes, the company continues to collect detailed location history and has access to smartphone cameras. Pokemon GO "raises complex and novel privacy issues that require close FTC scrutiny," EPIC told the Commission. Senator Al Franken recently sent a letter to the company asking for clarification on the scope and purpose of its data collection. Niantic has close ties to Google and its CEO oversaw Google's controversial Street View project, which was found to collect private wifi data transmissions.
- Federal Appeals Court Strikes Down Texas Voter ID Law (Jul. 20, 2016)
A federal appeals court has ruled that a Texas voter ID law violates the Voting Rights Act. In a fractured opinion, the court held that Senate Bill 14 had a “discriminatory effect” on minorities’ voting rights, and remanded the case to the lower court. The appeals court instructed the district court to provide interim relief for individuals, which could include suspending the voter ID requirement, ahead of the November 2016 election. EPIC filed an amicus brief in the case, arguing that SB 14 also places an unconstitutional burden on voters’ rights to informational privacy because of the excessive collection of personal data.
- FAA Reauthorization Grounds Drone Privacy Safeguards (Jul. 13, 2016)
Shortly before adjourning, Congress passed the FAA Extension, Safety and Security Act of 2016 without the drone privacy provisions, authored by Senator Markey, that were included in the original legislation. Senator Markey said, "Now is the time to prevent these eyes in the skies from becoming spies in the skies." EPIC urged Congress and the FAA to establish limits on drone surveillance. In EPIC v. FAA, EPIC challenged the FAA's failure to establish drone privacy regulations following a petition endorsed by more than 100 experts and organizations. EPIC's proposal to require remote identification of drones was incorporated in the legislation enacted by Congress.
- EPIC Tells FCC to Reject "Notice and Choice" Approach to Privacy (Jul. 7, 2016)
EPIC has filed reply comments with the Federal Communications Commission on the proposed broadband privacy rules. EPIC said that the proposed rules are a modest first step and that the FCC has legal authority to do more to safeguard American consumers. EPIC also responded to erroneous statements from industry groups that the FTC's "notice and choice" framework safeguards consumer privacy. EPIC described numerous shortcomings, including lack of enforcement, frequent changes in privacy policies, and data breaches. "Notice and choice" is “directly at odds with baseline privacy standards,” EPIC said. EPIC previously urged the Commission to "address the full range of communications privacy issues facing US consumers" and to apply the Consumer Privacy Bill of Rights to communications data.
- EPIC Sues for Release of Government Oversight Reports (Jul. 5, 2016)
EPIC has filed a FOIA lawsuit against the Department of Justice to obtain the agency’s secret watchdog reports. The mission of the Office of the Inspector General is “to detect and deter waste, fraud, abuse, and misconduct.” However, many of the reports are kept secret. Those reports, EPIC explained in the complaint, “are critical for the public to understand the measures taken to increase the efficiency and effectiveness of the DOJ, and as a mechanism to hold the agency accountable.” EPIC previously obtained oversight reports on the CIA surveillance of Muslims in New York, and CIA spying on Senate staff.
- White House Releases Flawed Privacy Research Agenda (Jul. 5, 2016)
The White House has announced the National Privacy Research Strategy, which the authors state "will enable the U.S. to benefit from innovative data use while protecting privacy." The National Strategy focuses on measuring the "privacy desires" of users rather than the extent of the problem or goals to safeguard privacy, such as coding Fair Information Practices, developing genuine Privacy Enhancing Techniques, or complying with Privacy Act obligations. The "National Strategy" follows from a similar report in 2014 that embraced big data without considering actual privacy risks in data collection. In 2015, the federal government lost 21.5 million records of federal employees and their families. A recent book from EPIC, "Privacy in the Modern Age: The Search for Solutions," outlines several new approaches for privacy protection, and builds on earlier work by members of the EPIC Advisory Board.
- President Obama Signs FOIA Reform Bill Into Law (Jul. 1, 2016)
Celebrating 50 years since enactment of the Freedom of Information Act, the Congress has passed, and the President has signed, the FOIA Improvement Act of 2016. The Act creates a new portal for requesters, requires the proactive disclosure of frequently requested records, strengthens the Office of Government Information Services, and codifies the "Presumption of Openness" in the processing of requests for information about government. Senator Patrick Leahy (D-Vt.), a champion of open government, stated "Our founders had the revolutionary vision to create a government of, by, and for the people. Today we have helped strengthen that ideal." EPIC and many open government advocates urged the President to support these reforms. EPIC also established the website FOIA.ROCKS.
- FOIA Ombudsman Recommends Changes to Use of "Still Interested" Letters (Jun. 21, 2016)
The FOIA ombudsman has issued the third part of a report on the use of "still interested" letters (part 1, part 2). Such letters are used by federal agencies to prematurely terminate FOIA requests. In 2014, an EPIC-led coalition urged the Office of Government Information Services to investigate the pervasive use of such letters. Today’s report recognizes that this agency practice is "not addressed in the FOIA statute or in agency regulations,” and that reporting on the practice is inconsistent. The FOIA ombudsman urged agencies to provide additional guidance on the use of such letters, and to document the practice in annual reporting. Congress recently passed legislation to strengthen the FOIA, which the President is expected to sign.
- States Adopt New Student Privacy Safeguards (Jun. 21, 2016)
Several states have recently enacted new student privacy laws. Colorado and Connecticut’s laws impose strict requirements on those who collect student data. Connecticut also requires that parents are notified each time a school district enters into a contract that involves student data. North Carolina enacted a student privacy law modeled after California's Student Online Personal Information Protection Act. The National Association of State Boards of Education reported that 38 states considered student privacy legislation in 2016. Ten of those states passed student privacy laws. EPIC has urged the enactment of a comprehensive student privacy bill of rights. EPIC's State Policy Project is monitoring privacy bills nationwide.
- EPIC Tells Congress FCC is "Under Reaching" on Privacy (Jun. 13, 2016)
EPIC has sent a letter to the House Energy and Commerce Committee in advance of a hearing on “FCC Overreach: Examining the Proposed Privacy Rules.” EPIC described the shortcomings of the “notice and choice” privacy framework and pointed to growing levels of public concern in the United States about Internet privacy. EPIC said that the FCC’s proposed privacy rules are a modest first step and that the Federal Communications Commission has legal authority to go much further to safeguard American consumers. EPIC has repeatedly urged the Commission to broaden the scope of the proposed privacy rules.
- House to Consider Overdue FOIA Reform Bill (Jun. 10, 2016)
Congress is poised to take up a FOIA reform bill next Monday. The bill would require federal agencies to operate under a "presumption of openness" and place time limits on agency responses, improvements that EPIC has long supported. EPIC routinely uses the Freedom of Information Act to promote government oversight and agency accountability. July 4, 2016 will mark the 50th anniversary of the enactment of the FOIA.
- EPIC Presses House Leaders on "Data Protection" (Jun. 10, 2016)
At a symposium organized by the Council on Foreign Relations, EPIC President Marc Rotenberg asked Republican leaders in the U.S. Congress whether "data protection" should be a campaign issue in 2016. Rep. Goodlatte, who chairs the House Judiciary Committee, responded "I very much believe it should be and is an issue in this election." He pointed to his own work to update the Electronic Communication Privacy Act (ECPA), "because that is an enhancement of the protection of people's privacy that I think they want and expect." Rep. McCaul, who chairs the House Homeland Security Committee, noted "in the cybersecurity bill we passed we met very closely with the privacy advocates. That was very important to me that we protect personally identifying information as we try to share these malicious codes." EPIC has launched a non-partisan campaign to make Data Protection a campaign issue in 2016.
- Amendment Would Overturn Model Facial Recognition Privacy Law (May 27, 2016)
The Illinois Biometric Information Privacy Act is one of the strongest facial recognition laws in the country. Enacted in 2008, the law prohibits the use of biometric recognition technologies without consent and provides for meaningful enforcement. But a proposed amendment would undercut legal protections, exempting facial recognition software from the law. A pending lawsuit against Facebook alleges that the company violates the law by amassing a database of users’ faceprints “without even informing its users — let alone obtaining their informed written consent.” EPIC has urged a moratorium for such surveillance techniques, pending the enactment of strong privacy laws such as those in Illinois. In much of the world, facial recognition software is illegal.
- Federal Court Strikes Down Obstacle to Student FOIA Requests (May 20, 2016)
A federal appeals court has ruled that government agencies must give students who pursue Freedom of Information Act requests favorable fee treatment. The case involved a Ph.D. student who was charged $900 to process a FOIA request. The Department of Defense contended that students are not entitled to the favorable fee standards of “educational institutions." The D.C. Circuit disagreed and ruled today that “[s]tudents who make FOIA requests to further their coursework or other school-sponsored activities are eligible for reduced fees under FOIA because students, like teachers, are part of an educational institution.” In 2011, EPIC criticized the practice of charging students extra fees for FOIA requests, calling the government’s position “absurd.”
- Senate Examines "Do Not Call" Law (May 19, 2016)
The Senate Commerce Committee held a hearing yesterday on the Telephone Consumer Protection Act. The "TCPA" bars telemarketers and robocallers from contacting consumers by phone or fax without prior express consent. In January, EPIC filed an amicus brief to provide greater TCPA protections for consumers. EPIC said that widespread use of cellphones “has amplified the nuisance and privacy invasion caused by unwanted calls and text messages.” EPIC has testified before Congress about the TCPA and submitted many comments concerning the implementation of the consumer privacy law.
- Senators Introduce Bill to Block Broad Remote Hacking Rules (May 19, 2016)
Senators Wyden, Paul, Baldwin, Daines, and Tester have introduced the Stop Mass Hacking Act of 2016. The law would block amendments to Rule 41 of the Federal Rules of Criminal Procedure that were recently issued by the Supreme Court. The amendments authorized judges to issue "remote access" warrants to search computers even when the targets are outside the jurisdiction of the court. EPIC criticized the Rule 41 change in a statement last year. Unless Congress takes action to block the Rule 41 amendments by December 1, the government’s surveillance authority will be expanded significantly.
- Justice Department Releases 2016 FOIA Reports (May 19, 2016)
The Justice Department has released an assessment of the 2016 FOIA compliance reports. Every year, federal agencies prepare reports describing steps taken to implement President Obama's Memo and former AG Eric Holder's Guidelines. The DOJ grades FOIA compliance in five areas: applying the presumption of openness, effective and responsive systems, proactively releasing information, utilizing technology, and reducing backlogs and improving response times. The Senate recently passed by unanimous consent the Freedom of Information Improvement Act of 2015; the bill is now in the House. EPIC and other open government organizations have called on President Obama to strengthen the FOIA.
- EPIC Urges Appeals Court to Strike Down Voter ID Law (May 17, 2016)
EPIC has urged a federal appellate court to find unconstitutional a Texas law that requires voters to obtain photo IDs. A lower court held that Senate Bill 14 violates the Voting Rights Act and burdens the constitutional right to vote. Texas appealed. In response, EPIC argued that the ID requirement also burdens the constitutional right of informational privacy. “Individuals should not be subject to excessive identification requirements to exercise fundamental democratic rights,” EPIC stated. EPIC has previously filed amicus briefs defending the right to informational privacy.
- Lack of Privacy Impacts Internet Use, Economy, Says NTIA Survey (May 16, 2016)
A recent study by the National Telecommunications and Information Administration found that nearly half of Internet users in the US refrained from online activities due to privacy and security concerns. Identity theft was the top concern, cited by 63 percent of respondents, followed by financial fraud, noted by 45 percent. Nearly a quarter of Americans cited concerns about online tracking. “In addition to being a problem of great concern to many Americans, privacy and security issues may reduce economic activity and hamper the free exchange of ideas online,” NTIA concluded. EPIC has supported enactment of the Consumer Privacy Bill of Rights and recently launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election.
- Senator Leahy Calls for FISA Reforms (May 13, 2016)
The Senate Judiciary Committee held a hearing on the FISA Amendments Act, a law that grants the government broad surveillance powers over Internet communications. The Act, commonly referred to as "Section 702," is the basis for the NSA’s “PRISM” program. EPIC testified before the House Judiciary Committee in 2012 on the need to limit the scope of Section 702 surveillance and to improve transparency of the Foreign Intelligence Surveillance Court. US and EU NGOs have since called for the end of Section 702. This week Senator Patrick Leahy (D-VT) stated that "additional reforms are needed to protect Americans’ privacy, and restore global trust in the U.S. technology industry."
- EPIC Urges Senate to Back Comprehensive Communications Privacy Protection (May 10, 2016)
EPIC has sent a letter to the Senate Judiciary Committee in advance of a hearing on "Examining the Proposed FCC Privacy Rules." EPIC pointed to growing public concerns about the loss of privacy and the need to update federal privacy laws. EPIC explained that neither the Federal Communications Commission nor the Federal Trade Commission has done enough to safeguard consumer privacy. EPIC warned that the "failure to modernize our privacy law is imposing an enormous cost on American consumers and businesses."
- White House Report Points to Risks with Big Data (May 5, 2016)
A new White House report, "Big Data: A Report on Algorithmic Systems, Opportunity, and Civil Rights," points to risks with big data analytics. According to the authors, "[t]he algorithmic systems that turn data into information are not infallible--they rely on the imperfect inputs, logic, probability, and people who design them." An earlier White House report warned of "the potential of encoding discrimination in automated decisions." EPIC launched a campaign on "Algorithmic Transparency" after warning about the risks of secretive decision making coupled with "big data."
- NY Attorney General Reports 40% Increase in Data Breaches (May 5, 2016)
New York Attorney General Eric Schneiderman announced that his office has received 459 notices of data breaches impacting New Yorkers so far in 2016, representing a 40 percent increase over the same period last year. The office expects to receive a record-setting thousand notices or more this year. "Data breaches are an escalating threat to our personal and national security, and companies need to do more to ensure reasonable security practices and best standards are in place to protect our most sensitive information," said Schneiderman. EPIC recently launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election.
- Intelligence Court Skeptical of Some FISA Applications (May 3, 2016)
The Department of Justice has published the 2015 FISA report, which summarizes the use of the Foreign Intelligence Surveillance Act. The report also details the number of applications rejected or modified by the FISA Court (FISC). Overall, the Government’s applications for FISA warrants have declined since 2003 but there was a slight uptick this year with 1,456 orders granted. A significant number of orders were modified by the FISC. The FISC modified 80 orders and the Government even withdrew one application. Prior to the USA FREEDOM Act, which limited bulk collection under section 215, the FISC modified many of those orders.
- Supreme Court Approves Remote Computer Hacking by Police (Apr. 28, 2016)
The U.S. Supreme Court has voted to approve changes to Rule 41 of the Federal Rules of Criminal Procedure, which will allow judges to issue "remote access" warrants. These warrants authorize mass computer searches, even when the targets are outside the jurisdiction of the court. EPIC criticized the proposal in a statement last year, arguing that the procedure enables searches outside traditional Fourth Amendment requirements and would not provide adequate notice to those subject to search. Congress can amend or reject the proposal. Senator Ron Wyden said today he would introduce legislation to reverse the proposal.
- FTC Increases Scrutiny of Google's Practices, Implicating Antitrust and Privacy Interests + (Apr. 27, 2016)
The FTC has reportedly expanded its investigation into Google's use of the Android operating system to exclude or demote competing services. The Commission’s increased scrutiny comes shortly after the European Commission filed formal antitrust charges against Google. Last fall, the FTC began looking at whether Google unfairly prioritizes its own products, after earlier ending a similar investigation in 2012 even though staff recommended litigation. EPIC previously urged the Senate and the FTC to investigate Google's dominance of essential Internet services, warning that monopoly practices implicate privacy interests. EPIC had opposed Google's acquisition of online advertiser DoubleClick, which the FTC approved over the objection of Commissioner Pamela Harbour, who cited the connection between monopoly practices and privacy violations.
- House Passes Narrow ECPA Update + (Apr. 27, 2016)
The Email Privacy Act of 2016 has passed the House 419-0. The Act amends the Electronic Communications Privacy Act of 1986 to extend the warrant requirement to communications stored for more than 180 days. An earlier version of the Act would have required notice of email searches to the user, with some exceptions. Senator Leahy tweeted that "Long past time to protect American people's emails & info stored in the cloud from warrantless searches." EPIC has recommended several other ECPA updates, including protections for location data, data minimization requirements, and end-to-end encryption for commercial e-mail services.
- Privacy in the States: Data Breach Notification in TN, Drone Surveillance in OR + (Apr. 15, 2016)
Tennessee has become the first state to expand data breach notification requirements to encrypted data. Public Chapter Number 692 requires any information holder to notify Tennessee residents of a data breach even if the data was encrypted. Information holders include anyone who conducts business in the state or state agencies that own or license personal information. The new law also requires that the notice be made within 45 days of discovering the breach.
Oregon further strengthened protections against drone surveillance last month when Governor Kate Brown signed HB 4066. Existing Oregon law already provided a civil action against drone operators who fly over private property after receiving notice from the property owner. The new legislation adds a provision to the state's criminal laws which would make the recording of photos, motion picture video, or other visual recording through the use of a drone an invasion of personal privacy, which is a Class A misdemeanor. The law also requires that any public body that operates a drone establish policies for the "use, storage, accessing, sharing and retention of data" resulting from the operation of drones. EPIC's State Policy Project monitors state privacy issues nationwide.
- House Moves Forward on Modest ECPA Updates + (Apr. 14, 2016)
The House Judiciary Committee has voted 28-0 in favor of the Email Privacy Act, H.R. 699, a bill that would establish a warrant requirement for the disclosure of all electronic communications. The law would also require notice to customers whose communications have been collected. With 314 members of the House cosponsoring, the bill is slated to be considered by the House on April 25th. Senator Leahy, who has sponsored an identical bill in the Senate, said that "Congress has waited far too long to enact these reforms." But the bill stops short of several updates recommended by EPIC, including protections for location data, data minimization requirements, and end-to-end encryption for commercial e-mail services.
- Senate Examines FTC's Antitrust Enforcement + (Apr. 13, 2016)
The Senate Judiciary Committee recently examined the scope and application of the FTC's Section 5 antitrust enforcement authority at the hearing "Section 5 and 'Unfair Methods of Competition': Protecting Competition or Increasing Uncertainty?" EPIC Advisory Board member Tim Wu testified in support of the agency's approach, which he called "an important protection for competition." EPIC has urged the FTC to use Section 5 authority to protect consumers, arguing against Google's acquisition of DoubleClick and Facebook's acquisition of WhatsApp. EPIC has also recommended a transparent process for evaluation of substantial changes in business practices by companies subject to FTC consent orders.
- President Obama: In Digital Age, People Have New Set of Privacy Expectations + (Apr. 8, 2016)
In remarks at the University of Chicago Law School yesterday, President Obama named privacy as one of the constitutional issues that will be increasingly salient in the years to come. “In a society in which so much of your life is digitized, people have a whole new set of privacy expectations that are understandable,” said the President. Obama said the encryption debate was “just the tip of the iceberg of what we’re going to have to figure out.” In its brief in Apple v. FBI, EPIC recently argued that cell phone encryption was adopted to protect consumers from crime. EPIC routinely files amicus briefs in cases that raise novel privacy and civil liberties issues.
- FCC Moves Forward With Narrow Privacy Rules + (Mar. 31, 2016)
The Federal Communications Commission has voted to adopt a Notice of Proposed Rulemaking on consumer privacy regulations. The proposal follows Chairman Wheeler's earlier draft proposal, which EPIC explained was too limited to safeguard online privacy. During the vote, Commissioner Ajit Pai echoed EPIC's view that the rulemaking should not focus solely on ISPs. EPIC has argued that the FCC proposal ignores invasive practices by Internet firms, including search companies and social media firms that track and profile Internet users. EPIC previously urged the Commission to "address the full range of communications privacy issues facing US consumers" and to apply the Consumer Privacy Bill of Rights to communications data.
- Ninth Circuit Sends NSA Surveillance Case Back to Lower Court + (Mar. 24, 2016)
A federal appeals court has remanded a case challenging the NSA's bulk collection of telephone records. In Smith v. Obama, the Ninth Circuit Court of Appeals instructed the lower court to consider the impact of the USA Freedom Act, which ended the bulk data collection program. EPIC, joined by thirty-three technical experts and legal scholars, filed an amicus brief in the case, arguing that modern communications systems are "entirely unlike the telephone network of the 1970s" and that a 1977 case concerning "pen registers" no longer applied. EPIC also challenged the NSA bulk collection program in a petition to the Supreme Court.
- EPIC Urges FCC to Broaden Scope, Substance of Draft Privacy Rules + (Mar. 20, 2016)
EPIC has released a memo on the FCC's draft broadband privacy rules, urging the Commission to broaden its scope and strengthen its substantive data protections. The draft rules, previewed in a fact sheet on March 10, 2016, would apply to Internet service providers (ISPs) but not to email, search, or social media services. EPIC explained that the proposal's "framing of the communications privacy challenges facing US consumers is incomplete and fails to address the full range of activities that threaten online privacy." EPIC further explained that the proposal's focus on "choice, transparency and security" will fail to safeguard consumer privacy. EPIC has urged the Commission to apply the Consumer Privacy Bill of Rights to communications data.
- President Obama Nominates Merrick Garland for Supreme Court + (Mar. 16, 2016)
The President has nominated D.C. Circuit Chief Judge Merrick Garland for the United States Supreme Court. Garland, a former prosecutor and head of the Department of Justice's Criminal Division, has served on the D.C. Circuit for 15 years. EPIC has previously urged the Senate to hold hearings and explore the views of earlier Supreme Court nominees, including Justice Kagan, Justice Sotomayor, and Chief Justice Roberts. EPIC frequently files amicus briefs in the US Supreme Court, including Spokeo v. Robins and Utah v. Strieff in the current term.
- Drone Privacy Safeguards Move Forward in Senate + (Mar. 16, 2016)
A Senate committee has adopted several key privacy amendments concerning drone operations in the US. The amendments, sponsored by Senator Markey (D-Mass), limit the scope of drone surveillance and require more accountability for drone operators. Markey stated, "As more and more drones take flight in our skies, the need to protect Americans' privacy is paramount." EPIC urged Congress and the FAA to establish limits on drone surveillance and recommended the FAA establish a database detailing drone surveillance capabilities. EPIC has sued the FAA for its failure to establish commercial drone privacy rules.
- Senate Passes FOIA Reform Bill + (Mar. 16, 2016)
The Senate has passed by unanimous consent the Freedom of Information Improvement Act of 2015. The bill, cosponsored by Senator Patrick Leahy (D-VT) and Senator John Cornyn (R-TX), requires federal agencies to operate under a "presumption of openness," and places time limits on the FOIA's Exemption 5. Senator Leahy said that the bill "will help open the government to the 300 million Americans it serves and ensure that future administrations place an emphasis on openness and transparency." The House passed a similar bill in January 2016. Differences between the two versions must now be reconciled before President Obama can sign the bill into law. EPIC and a coalition of open government advocates urged the President to support the bipartisan legislation.
- Senate to Consider FAA Funding but Drone Privacy Safeguards Missing + (Mar. 14, 2016)
On March 16, 2016 the Senate will consider the FAA Reauthorization bill. Senator John Thune introduced the legislation to fund the operations of the federal agency responsible for aviation safety. The bill requires drone operators to post privacy policies, but provides no meaningful privacy safeguards that would limit surveillance by drone operators. EPIC has urged Congress and the FAA to establish real limits on surveillance by drones. EPIC also recommended that the FAA establish a national database detailing the surveillance capabilities of commercial drones. And after the agency failed to establish privacy rules mandated by Congress, EPIC filed a lawsuit, EPIC v. FAA, that is now pending before the DC Circuit Court of Appeals.
- EPIC to Testify before Pennsylvania Senate on Domestic Drone Surveillance + (Mar. 14, 2016)
EPIC Domestic Surveillance Project Director Jeramie Scott will testify at a hearing before the Pennsylvania Senate Majority on "Unmanned Aerial Vehicles." The hearing will address the private and public sector use of drones. In a prepared statement, EPIC’s Scott urges the Pennsylvania Senate to enact legislation to limit both law enforcement and commercial drone surveillance. EPIC states, “The increased use of drones to conduct various forms of surveillance must be accompanied by increased privacy protections.” EPIC previously sued the FAA for failing to establish federal privacy rules for commercial drones. EPIC v. FAA is pending before the D.C. Circuit.
- Bill to Establish Digital Security Commission Introduced in House + (Mar. 2, 2016)
Rep. Lieu (D-CA) has cosponsored bipartisan legislation to create a Digital Security Commission that will explore how law enforcement should pursue investigations without undermining constitutional privacy protections or American competitiveness. Rep. Lieu emphasized, "strong national security and a strong economy requires strong encryption." The legislation comes as Apple opposes a court order to compromise iPhone security to allow government access. Congressman Lieu called upon "the FBI and DOJ to withdraw their coercive demands of Apple and allow the democratic process to work." In 2015, EPIC gave the Champion of Freedom Award to Apple CEO, Tim Cook, for his work protecting privacy and promoting encryption.
- NY District Court Denies Government Demand to Unlock iPhone + (Feb. 29, 2016)
Magistrate Judge Orenstein denied a government request under the All Writs Act to force Apple to unlock an iPhone. Judge Orenstein stated "the government's construction of the [All Writs Act] produces absurd results in application." The ruling comes the day before a Congressional hearing to address recent efforts to force Apple to decrypt iPhones. Apple is opposing a court order in another case that would require the company to make changes to the iPhone to enable government access. In 2015, EPIC gave the Champion of Freedom Award to Apple CEO, Tim Cook, for his work protecting privacy and promoting encryption.
- House Members Seek Answers on FBI Stingray Agreements + (Feb. 25, 2016)
Two leading members of the House Judiciary Committee sent a letter to FBI Director James Comey regarding Stingray surveillance devices, which intercept cellphone communications. Representative Jim Sensenbrenner (R-Wisc) and Representative Sheila Jackson Lee (D-Tx) sharply criticized the FBI's use of "non disclosure agreements" that prohibit local law enforcement agencies from discussing the use of Stingrays, even in court proceedings. The representatives noted that such secrecy "shields the technology from debate." They asked the FBI to answer specific questions about the agreements. In 2013, EPIC first uncovered these secret Stingray agreements in a Freedom of Information Act suit against the FBI.
- EPIC FOIA - Information about Controversial DNA Forensic Technique Released + (Feb. 23, 2016)
In response to EPIC's FOIA request, the California Department of Justice has released records on a controversial forensic technique. The records show that in 2014, the state agency spent more than $300,000 on STRMix, a secret technique for matching DNA. Investigators in Australia subsequently found an error in the STRMix code that produced incorrect results in 60 criminal cases, including a high-profile murder case. STRMix promises prosecutors the ability to "[c]arry out familial searches against a database, searching for close relatives of contributors to mixed DNA profiles" but the algorithm remains secret. EPIC is pursuing FOIA requests on the secret DNA matching algorithms with state agencies across the U.S.
- President Announces $19 billion Cybersecurity Plan + (Feb. 23, 2016)
President Obama has proposed a $19 billion Cybersecurity National Action Plan that aims to modernize government IT and improve Americans' cybersecurity. The government will reduce reliance on social security numbers and promote increased use of multi-factor authentication. The plan will also establish a Commission on Enhancing National Cybersecurity. A Federal Privacy Council will coordinate federal privacy guidelines but lacks authority to enforce Privacy Act obligations. EPIC has repeatedly urged federal agencies to uphold Privacy Act protections.
- California AG Releases 2016 Data Breach Report, Retail and Financial Sectors Most Vulnerable + (Feb. 18, 2016)
A new report from California Attorney General Kamala Harris examines data breaches in California from 2012 to 2015. There were 657 data breaches during the last four years, which compromised over 49 million records. The retail sector experienced the largest share of breaches at 25%, followed by the financial sector at 18%. Among several recommendations, the report recommends that organizations adopt strong encryption. "Government and the private sector have a shared responsibility to safeguard consumers from threats to their privacy, finances, and personal security," Attorney General Harris stated. The Attorney General received a 2015 EPIC Champion of Freedom Award. EPIC recently launched "Data Protection 2016," a non-partisan campaign to make data protection an issue in the 2016 election.
- "Judicial Redress Act" Provides Little Redress + (Feb. 12, 2016)
The Judicial Redress Act of 2015, enacted by Congress and now on to the President for signature, fails to extend Privacy Act protections to non-U.S. citizens. EPIC previously recommended changes to protect transborder data flows. The bill, as adopted, coerces European countries to transfer data to the US, even without adequate protection, or be denied legal rights. Congress adopted the narrow amendment to the Privacy Act without any changes to benefit U.S. citizens even after a data breach compromised 21.5 records maintained by the Office of Personnel Management. EPIC explained that the OPM breach made clear the need for updates to the federal privacy law.
- EPIC v. DOJ: EPIC Prevails, DOJ Releases Secret EU-US Umbrella Agreement + (Jan. 25, 2016)
After months of delay, the Department of Justice has finally released to EPIC the full text of the EU-US Umbrella Agreement. EPIC sued the DOJ last year after the agency failed to act on EPIC's FOIA request for the secret agreement. Today's release comes on the heels of EPIC's opposition to the agency's attempt to further delay the Agreement's release. The Umbrella Agreement outlines data transfers between EU and US law enforcement agencies, and is the basis for the Judicial Redress Act currently before Congress. EPIC has criticized the legislation, and recently urged the Senate to delay action on the bill until the DOJ releases the Umbrella Agreement and the Judiciary Committee holds a hearing on the legislation.
- EPIC Urges FCC to Establish Communications Privacy Protections for Consumers + (Jan. 20, 2016)
EPIC has submitted a letter to the Federal Communications Commission urging the agency to undertake a rulemaking to protect the communications privacy of consumers. EPIC asked the FCC to explore "the full range of communications privacy issues facing US consumers." EPIC proposed that the FCC implement Fair Information Practices and the Consumer Privacy Bill of Rights; adopt data minimization requirements; promote Privacy-Enhancing Technologies; and require opt-in consent for the use or disclosure of consumer data. EPIC suggested that the FCC model its communications privacy rules on the Code of Fair Information Practices for the National Information Infrastructure. EPIC has worked with the FCC to promote consumer privacy in the communications field for more than 20 years.
- Senator Franken Presses Google on Student Privacy + (Jan. 16, 2016)
Senator Al Franken (D-MN) asked Google to explain what the company does with student data, including: what types of data Google collects, to whom Google discloses student information, and whether students and schools “have control over what data is being collected and how the data are being used?” Senator Franken stated, “I believe Americans have a fundamental right to privacy, and that right includes a student or parent’s access to information about what data are being collected about them and how the data are being used.” EPIC has called for a Student Privacy Bill of Rights, an enforceable student privacy and data security framework.
- EPIC Urges Senate to Postpone Action on Judicial Redress Act + (Jan. 16, 2016)
Today EPIC urged the Senate Judiciary Committee to postpone action on the Judicial Redress Act until the Department of Justice releases a secret data transfer agreement on which the bill is based. The so-called Umbrella Agreement outlines data transfers between law enforcement agencies in Europe and the United States. EPIC has sued the DOJ for release of the document. EPIC also urged the Senate Committee to conduct a public hearing on Privacy Act modernization following the massive data breach at the Office of Personnel Management. EPIC previously wrote to the House Judiciary Committee to recommend updates to the Privacy Act.
- Amid Criticism of Agency Compliance, House Passes Substantial FOIA Reforms + (Jan. 11, 2016)
Congress has passed the FOIA Oversight and Implementation Act, H.R. 653, which would limit exemptions that allow agencies to withhold public records, create an online portal for FOIA requests, and require agencies to post frequently requested documents. Open government advocates and members of Congress have criticized federal agencies for lax compliance with the Freedom of Information Act. The House Oversight Committee concluded that "[e]xcessive delays and redactions" have undermined the Act. The FOIA Ombudsman criticized the Transportation Security Administration for its "weak management" and lack of a "FOIA tracking system." EPIC has pursued many FOIA cases. EPIC and a coalition previously urged President Obama to strengthen the FOIA by committing to a "presumption of openness" and narrowing the use of FOIA exemptions.
- DHS Releases Drone Privacy Best Practices + (Jan. 6, 2016)
The Department of Homeland Security has released a set of drone privacy best practices. The best practices reflect many of the recommendations made by EPIC in testimony to Congress, including limiting data collection, use, dissemination, and retention. The recommendations also propose a redress program so individuals can challenge inappropriate collection. The best practices are only guidelines, but a Presidential Memorandum on drones and privacy requires all federal agencies to establish and publish drone privacy procedures by February 2016. EPIC has sued the Federal Aviation Administration, EPIC v. FAA, to establish privacy rules for commercial drones. Oral arguments are scheduled before the D.C. Circuit Court of Appeals on February 10.
- EPIC Seeks Default Judgment in Umbrella Agreement Lawsuit + (Jan. 6, 2016)
In its fight to obtain a copy of the EU-US Umbrella Agreement, EPIC asked a federal court in Washington, D.C. today to grant default judgment against the Department of Justice. EPIC sued the agency to obtain the secret agreement, which concerns the transfer of personal information between the EU and US. After the DOJ failed to answer EPIC's complaint, the court entered default against the agency. The Agreement is central to pending legislation, which the Senate Judiciary Committee is set to debate this month, yet the DOJ has not made the document available to the public or to Members of Congress.
- EPIC Urges OMB to Update Open Government Plan + (Dec. 21, 2015)
EPIC and a coalition of transparency advocates urged the Office of Management and Budget to comply with President Obama's plan to promote open government. The OMB is expected to produce an open government plan, "describ[ing] how it will improve transparency." However, OMB has failed to act even as the Administration has urged other governments to adopt similar plans. "The failure is particularly troubling," wrote the groups, "because OMB is an agency with a central oversight role on information policy, it has responsibility for implementation of this plan, and it often serves as the right hand of the President." EPIC and others previously called on President Obama to address weaknesses in open government administration and support FOIA reform.
- Senators Blumenthal, Markey Propose Do Not Track Legislation + (Dec. 17, 2015)
Sen. Richard Blumenthal and Sen. Edward Markey have introduced the Do Not Track Online Act of 2015, to limit online tracking. The bill directs the FTC to develop a simple Do Not Track mechanism that would allow consumers to stop companies from collecting their personal information. The bill authorizes the FTC and state attorneys general to bring enforcement actions against companies that refuse to honor consumers' requests. EPIC has previously said that an effective mechanism must ensure that a consumer's decision is "enforceable, persistent, transparent, and simple."
- House Adds Cyber Surveillance to Budget Bill + (Dec. 16, 2015)
Today, the House added the Cybersecurity Act of 2015 to an expansive appropriations bill. The Cybersecurity Act was negotiated behind closed doors and represents a new version of the Cybersecurity Information Sharing Act (CISA). Previous versions of CISA have been opposed by a broad coalition of organizations. The current bill, like previous ones, would allow the government to obtain personal information from private companies without judicial oversight. The Act would also expand government secrecy. EPIC previously won a five-year court battle to obtain NSPD 54, a foundational legal document for U.S. cybersecurity policies that revealed the government's interest in enlisting the private sector to monitor user activity.
- DHS and State Department Pushing for Increased Social Media Monitoring + (Dec. 16, 2015)
According to reports and statements from former Homeland Security officials, the DHS has initiated three "pilot programs" to analyze social media posts during the visa review process. Prior to 2014, a DHS policy prohibited social media monitoring by immigration officials. EPIC successfully obtained documents in 2012 detailing the DHS social media monitoring policies, including instructions to analysts to monitor criticism of the agency. EPIC also submitted a letter to congressional leaders, outlining how DHS officials misrepresented their policies in a Homeland Security Committee hearing. EPIC wrote that the DHS' monitoring program should be suspended, as it exceeds the agency's statutory authority and chills First Amendment activity.
- Obama Administration Gets Failing Grade on Surveillance Reform + (Dec. 15, 2015)
EPIC has launched a scorecard for the 46 surveillance reform recommendations made two years ago by the President's Review Group on Intelligence and Communications Technologies. Although some of the recommendations have been fully implemented, the Administration has failed to implement most of them. The recommendations set out to limit NSA surveillance, expand judicial oversight, create new transparency requirements, update federal privacy laws, and create a new privacy agency. During the review process, EPIC met with the review group and submitted extensive comments to the panel, specifically urging the end of the bulk record collection program.
- Senate Postpones Action on Weak EU-US Privacy Measure + (Dec. 12, 2015)
The Senate Judiciary Committee has "held over" the Judicial Redress Act, industry-sponsored legislation regarding the transfer of personal data on Europeans to the United States. European legal experts have stated that the measure does not provide meaningful protections for the data of Europeans. Forty NGOs have recommended substantial changes to privacy law in the US and the EU to make possible the continuation of transborder data flows. EPIC has also recommended specific changes to the Judicial Redress Act. European data protection agencies are expected to begin enforcement actions against US companies after January 30, 2016. According to Govtrack, the Judicial Redress Act has a "1% chance of being enacted."
- Senate Judiciary Committee Holds FBI Oversight Hearing + (Dec. 10, 2015)
The Senate Judiciary Committee held an oversight hearing with FBI Director James Comey. Following the calls of some political leaders to exclude Muslims from the United States, Senator Leahy warned leaders to not "succumb to the politics of fear and lose sight of our fundamental American values." Director Comey continued to advocate for weakened encryption to enable law enforcement access to private communications. EPIC has championed strong encryption and urged President Obama to reject proposals to weaken encryption. EPIC has also urged oversight of the FBI's Next Generation Identification program, a massive biometric database, that lacks appropriate privacy safeguards.
- White House Announces Federal Privacy Council + (Dec. 4, 2015)
White House OMB Director Shaun Donovan announced plans to establish a new Federal Privacy Council. The Privacy Council will develop and coordinate privacy strategies and best practices across the federal government. Director Donovan remarked, "Government has a critical role in enforcing and ensuring protections for the privacy of its citizens." Donovan also announced plans to update privacy guidance for federal agencies. Donovan highlighted the White House's efforts to protect privacy and civil liberties, including the White House Consumer Privacy Bill of Rights and Big Data Review. EPIC recently urged Congress to enact the Consumer Privacy Bill of Rights and establish an independent privacy agency.
- Markey and Barton Pursue VTech Data Breach + (Dec. 2, 2015)
Senator Edward Markey (D-Mass.) and Congressman Joe Barton (R-Tex) have asked VTech, "How do you protect children's information?" The electronic toy producer recently exposed the personal profiles of millions of children in a cyber hack. The personal data included names, mailing addresses, email addresses, download history, birthdates, and genders. Senator Markey and Congressman Barton asked about VTech's data and security practices, including compliance with the Children's Online Privacy Protection Act, data the company collects about children, and security standards. EPIC has testified several times before Congress on protecting children's data and supported the updates to the Children's Online Privacy Protection Act.
- Freedom Act Goes Into Effect, NSA Bulk Data Collection Ends + (Nov. 30, 2015)
The Director of National Intelligence has announced that the NSA's bulk collection of domestic telephone records under "Section 215" ended yesterday when the USA Freedom Act took effect. The Freedom Act ended the NSA's 215 Program and established new transparency and accountability rules for the Foreign Intelligence Surveillance Court. In 2012, EPIC testified before the House Judiciary Committee on the need to reform the Surveillance Court. In 2013, EPIC filed a petition in the Supreme Court, In re EPIC, arguing that the NSA program was unlawful. In 2014, EPIC and a broad coalition urged the President to end the NSA surveillance program.
- In Court: EPIC Urges Massachusetts to Protect Student Privacy + (Nov. 23, 2015)
EPIC has filed an amicus brief in the Massachusetts Supreme Judicial Court regarding a student privacy case. EPIC said that the police should obtain a warrant before seizing a student's cell phone. Citing a recent Supreme Court case, EPIC explained "Modern cell phones . . . implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse." In Riley v. California, a unanimous Supreme Court held that a search of a cell phone required a warrant. EPIC previously filed an amicus brief in Commonwealth v. Connolly, a Massachusetts case concerning GPS tracking. The EPIC State Policy Project is based in Cambridge, Massachusetts.
- Congress Examines (Lack of) Drone Privacy and Safety + (Nov. 20, 2015)
This week a House Committee examined "The Fast-Evolving Uses and Economic Impacts of Drones." Chairman Burgess, echoing comments from other committee members, stated, "there are important questions around privacy laws and safety." The FAA Modernization and Reform Act of 2012 required the FAA to develop a "comprehensive plan" to integrate drones into national airspace by September 30, 2015. Despite missing the deadline, the FAA has granted over 2,220 exemptions for commercial drones even as safety and privacy concerns increase. More than 100 privacy experts and organizations petitioned the FAA to establish privacy safeguards prior to the deployment of drones. EPIC has sued the agency, EPIC v. FAA, to establish privacy rules for commercial drones.
- Congress Explores Risk of Student Record Data Breach + (Nov. 19, 2015)
A Congressional Committee held a hearing on the Education Department's information security program. In 2014, the Department's Inspector General found that the "information systems continue to be vulnerable to serious security threats." The hearing revealed that the Education Department maintains at least 139 million Social Security numbers in one of its databases. The Department has 184 information systems and 120 of those systems are managed by outside parties. For years, EPIC has warned of growing student privacy and security risks. EPIC has urged Congress to enact the Student Privacy Bill of Rights to protect student data.
- EPIC to Testify on Car Privacy and Data Security + (Nov. 17, 2015)
EPIC Associate Director Khaliah Barnes will testify at a hearing on "The Internet of Cars" before the House Oversight and Government Reform Committee on Wednesday, November 18, 2015. The hearing will address the safety and privacy issues confronting drivers in vehicles connected to the Internet. EPIC's prepared statement urges Congress to pass legislation establishing privacy and cybersecurity rules to protect driver data and prohibit malicious hacking of connected cars. EPIC states, "New vehicle technologies raise serious safety and privacy concerns that Congress needs to address." EPIC has previously examined the privacy and data security implications of the Internet of Things and the "Internet of Cars", and recommended strong safeguards for consumers.
- EPIC Obtains Documents on Secret DNA Forensic Source Code + (Nov. 10, 2015)
In response to EPIC's state public records requests, Virginia and Pennsylvania have both released documents about "TrueAllele," a proprietary technique used in DNA forensic analysis. Virginia released to EPIC a validation study and validation summary prepared by the Virginia Department of Forensic Science. Pennsylvania produced purchase and service contracts, technical specifications, and user manuals for TrueAllele. Agencies in California, Louisiana, Pennsylvania, and Virginia have stated that they do not have access to the TrueAllele source code that they are using to produce evidence against defendants. EPIC's open government requests cited the importance of algorithmic transparency in the criminal justice system.
- Court Suspends NSA Phone Record Collection Program + (Nov. 10, 2015)
A federal court in Washington D.C. has ordered the National Security Administration to halt the bulk collection of domestic telephone records, ruling that the indiscriminate collection violates the Fourth Amendment. Following the USA Freedom Act, the telephone records program will expire at the end of the month. The government has moved to stay the judge's order. In 2013, EPIC brought the first challenge to the NSA surveillance program in the Supreme Court. EPIC has also testified before Congress on the need to reform the Foreign Intelligence Surveillance Court, and led a broad coalition urging the President to end the NSA surveillance program.
- European Commission Issues Guidance on Data Transfers Post-Schrems + (Nov. 6, 2015)
The European Commission has published guidelines for EU-US data transfer after the invalidation of the Safe Harbor framework. The Commission explained that the Safe Harbor case "underlined the importance of fundamental right to data protection." The Commission also emphasized the ongoing role of the independent data protection agencies and the Article 29 Working Party. Negotiators are attempting to create a revised arrangement. NGOs have said that fundamental rights must be protected in all data transfers. In testimony before Congress, EPIC recommended several updates to US privacy law. EPIC's Marc Rotenberg said "these changes will benefit consumers and businesses on both sides of the Atlantic."
- Privacy Groups Urge Ninth Circuit to Find NSA Metadata Program Illegal + (Nov. 5, 2015)
EPIC and other privacy groups have filed a friend of the court brief in United States v. Moalin, the first criminal case challenging the NSA's warrantless surveillance of Americans' telephone records. The lower court refused to reopen the case after it was revealed that data acquired by the NSA provided the primary evidence for the criminal conviction. EPIC and other groups argued in their brief that metadata is protected under the Fourth Amendment. EPIC previously argued in Smith v. Obama that "changes in technology and the Supreme Court's recent decision in Riley v. California favor a new legal rule that recognizes the privacy interest inherent in modern communications records." In In re EPIC, EPIC petitioned the Supreme Court to end the NSA's bulk telephone record collection program, which occurred with passage of the USA Freedom Act.
- US Releases Updated Open Government Plan + (Nov. 5, 2015)
The United States has released its Third Open Government National Action Plan, an initiative pursued by countries and NGOs participating in the Open Government Partnership. In response to recommendations proposed by EPIC and a coalition of civil society groups, the administration pledged to modernize implementation of the FOIA, streamline record declassification, and increase transparency of the intelligence community. The White House, however, failed to incorporate other recommendations such as publishing FISC opinions and pledging to limit the use of the FOIA's b(5) Exemption. EPIC and others previously called on President Obama to address weaknesses in open government administration and push for meaningful FOIA reform.
- Rep. Chaffetz Bill Would End Warrantless Stingray Surveillance + (Nov. 4, 2015)
Rep. Jason Chaffetz has introduced a bill in the U.S. Congress that would prohibit government agencies from using cell-site simulators (or stingrays) without a warrant in most circumstances. The Cell-Site Simulator Act of 2015 would also explicitly exclude stingrays from the pen register statute currently used by law enforcement to conduct stingray operations with less than probable cause. The government would still be able to conduct warrantless stingray operations under the Foreign Intelligence Surveillance Act or in emergencies. An EPIC FOIA lawsuit in 2012 revealed that the FBI was using stingrays without a warrant. EPIC has also filed amicus briefs arguing that cell phone location data is protected by the Fourth Amendment.
- EPIC to Call For Comprehensive Overhaul of U.S. Privacy Law + (Nov. 2, 2015)
In testimony before the US Congress, EPIC's Marc Rotenberg is expected to say that the recent decision of the European Court confirmed what everyone already knows: US privacy law is not adequate. "Our country suffers from an epidemic of data breaches and identity theft. And all the data indicates these problems are getting worse." EPIC, consumer allies, and privacy experts are urging the Congress to enact the Consumer Privacy Bill of Rights, modernize the Privacy Act, create an independent privacy agency, and ratify the International Privacy Convention. "These changes will benefit consumers and businesses on both sides of the Atlantic."
- Senator Leahy Opposes FOIA Exemptions in Cyber Security Bill + (Oct. 27, 2015)
Senator Patrick Leahy (D-VT) urged fellow Senators to remove a proposed open government exemption in a pending cybersecurity bill. The Cybersecurity Information Sharing Act (CISA), said Sen. Leahy, "contains an overly broad new FOIA exemption that is both unnecessary and harmful." Sen. Leahy called the FOIA "our nation's premier transparency law," and said that any modifications must go through the Senate Judiciary Committee. "The Senate must have an open and honest debate about the Senate Intelligence Committee's bill and its implications for Americans' privacy and government transparency," remarked the Senator. Last year, EPIC won a five-year court battle against the NSA for NSPD 54, the foundational legal document for U.S. cybersecurity policies. EPIC has also set out recommendations for FOIA reform.
- House Committee to Examine Cell Phone Surveillance + (Oct. 21, 2015)
The House Subcommittee on Information Technology will examine law enforcement use of "Stingrays," a technique for tracking cell phone users. The Department of Justice adopted guidelines that require a warrant before using Stingray devices to track the location of mobile devices. Senators Grassley and Leahy recently asked DHS Secretary Jeh Johnson to adopt a similar policy for DHS. California passed a law requiring a warrant for a Stingray. Documents obtained by EPIC in a FOIA lawsuit revealed the FBI was using the cell-site simulators without a warrant. EPIC also filed amicus briefs in U.S. v. Jones and State v. Earls, arguing that a warrant is required to obtain location information from cell phone subscribers.
- House Passes Faux Privacy Bill + (Oct. 21, 2015)
The House of Representatives has passed the Judicial Redress Act of 2015, which—contrary to its stated purpose—fails to extend Privacy Act protections to non-U.S. citizens. In a letter to Congress, EPIC explained that the bill does not provide adequate protection to permit transborder data flows and recommended changes to ensure protections for all personal information collected by U.S. federal agencies. Congress moved to advance the bill after announcement of the recently concluded but secret EU-US "Umbrella Agreement". EPIC submitted a Freedom of Information request for the Umbrella agreement, and recently filed an administrative appeal challenging the agency's denial of expedited processing.
- House to Consider Bill on Vehicle Data Privacy and Cybersecurity + (Oct. 21, 2015)
The House Energy and Commerce Committee will hold a hearing to consider draft legislation concerning vehicle data privacy and cybersecurity. The bill would require vehicle manufacturers to establish privacy policies and would prohibit vehicle data hacking. However, the bill provides only limited enforcement of the privacy and cybersecurity provisions. EPIC has previously recommended safeguards for vehicle event data recorders (EDRs) and urged the Transportation Department to protect driver privacy. EPIC has written on the privacy and security implications of the "Internet of Things," which includes cars.
- New Mexico Supreme Court Finds Warrantless Aerial Surveillance Violates Fourth Amendment + (Oct. 19, 2015)
The Supreme Court of New Mexico ruled in State v. Davis that the Fourth Amendment prohibits the warrantless aerial surveillance of, and interference with, a person's private property. Specifically, the court found that "prolonged hovering close enough to the ground to cause interference with Davis' property transformed this surveillance from a lawful observation of an area left open to public view to an unconstitutional intrusion into Davis' expectation of privacy." EPIC filed a friend of the court brief and presented oral argument before the Court. EPIC said that aerial surveillance threatens privacy and property interests and that surveillance in the airspace close to a home violates the Fourth Amendment. The New Mexico Supreme Court agreed. EPIC frequently files amicus briefs on emerging privacy and civil liberties issues.
- EPIC Pursues Public Release of Secret DNA Forensic Source Code + (Oct. 14, 2015)
EPIC has filed public records requests in six states to obtain the source code of "TrueAllele," a software product used in DNA forensic analysis. According to recent news reports, law enforcement officials use TrueAllele test results to establish guilt, but individuals accused of crimes are denied access to the source code that produces the results. A similar program used by New Zealand prosecutors was recently found to have a coding error that provided incorrect results in 60 cases, including a high-profile murder case. EPIC has previously urged the US Supreme Court to carefully consider the reliability of new investigative techniques and argued a federal appeals case against DNA dragnet surveillance. Citing the importance of algorithmic transparency in the criminal justice system, EPIC filed requests in California, Louisiana, New York, Ohio, Pennsylvania, and Virginia.
- California Rejects Warrantless Surveillance, Enacts "CalECPA" + (Oct. 9, 2015)
California Governor Jerry Brown has signed the California Electronic Communications Privacy Act (CalECPA). CalECPA requires law enforcement to obtain a warrant before accessing digital data including metadata, location data, emails, and text messages. The warrant requirement applies to searches of electronic devices themselves and to content stored by an online service provider. In response to requests from the US Congress, EPIC has made several recommendations regarding updates to the federal ECPA. EPIC has also obtained documents from the FBI concerning Stingray surveillance technology, which is now prohibited under the California bill.
- California Enacts Innovative Privacy Protections for Drones and SmartTVs + (Oct. 9, 2015)
California Governor Jerry Brown has signed laws that provide California residents with privacy protections against drones and SmartTVs. AB856 prohibits drone flight in the airspace above private property with the intent of taking photos, video, or a sound recording of a person. AB1116 prohibits the use of voice recognition on SmartTVs unless consumers are "prominently inform[ed]" during the initial setup of the TV. The new California law also prohibits the use of voice recording for advertising purposes. Earlier this year, EPIC filed a complaint to the Federal Trade Commission about Samsung's SmartTVs and recommended new consumer safeguards. EPIC has also recommended drone privacy safeguards to the US Congress, the FAA, and State courts.
- Congress Holds Hearing on Drone Safety After FAA Misses Deadline on Drone Regs + (Oct. 9, 2015)
The House Subcommittee on Aviation held a hearing on drone safety after the FAA's failure to meet a Congressional deadline to implement comprehensive drone regulations. The FAA Modernization and Reform Act of 2012 required the agency to develop a "Comprehensive Plan" to integrate drones into the national airspace by September 30, 2015. The agency missed the deadline. However, the FAA has granted over 1,700 exemptions for drones to operate in the US even as safety and privacy concerns increase. Chairman LoBiondo (R-NJ) said at the hearing, "The real possibility of a mid-air collision must be taken seriously in order to prevent tragic consequences." EPIC recently sued the agency, EPIC v. FAA, to establish privacy rules for commercial drones.
- EPIC Testifies Before Senate on Risks of SSN on Medicare Cards + (Oct. 6, 2015)
EPIC will testify before the Senate Committee on Aging about "Protecting Seniors from Identity Theft: Is the Federal Government Doing Enough?" A law enacted earlier this year prohibits the inclusion of SSNs on Medicare cards, but the federal agency tasked with implementing the change has said it will take years. In a prepared statement, EPIC President Marc Rotenberg warns about the growing risk of SSN-related identity theft. Mr. Rotenberg said, "Given the growing risk of identity theft coupled to the SSN and the fact that other federal agencies have already removed the SSN from identity cards, there is simply no excuse for further delay." EPIC has long urged Congress and state legislators not to use the SSN on identity documents.
- Senators Push DHS to Enact Cell Phone Monitoring Policy + (Oct. 2, 2015)
Senator Chuck Grassley and Senator Patrick Leahy have asked DHS Secretary Jeh Johnson to enact a policy on cell phone surveillance devices, known as "Stingrays." The Department of Justice recently adopted new guidelines on Stingray use that require agents to obtain a search warrant before employing Stingrays. The DOJ policy also prohibits officers from using Stingrays to intercept communications, and requires that all non-target data be deleted after use. Documents obtained by EPIC in a FOIA lawsuit revealed the FBI was using the cell-site simulators without a warrant. EPIC also filed amicus briefs in U.S. v. Jones and State v. Earls, arguing that a warrant is required to obtain location information from cell phone subscribers.
- News Reports: FTC Investigating Google Anti-Competitive Practices + (Sep. 28, 2015)
According to the New York Times and Bloomberg News, the FTC is investigating whether Google unfairly prioritizes its own products on the Android platform. Google bundles several Google products on the Android platform and requires manufacturers to install them directly onto smartphones. DOJ pursued antitrust violations against Microsoft for this type of "tying" or "bundling" practice. EPIC previously urged the Senate and the FTC to investigate Google's business practices because of the privacy implications. EPIC had opposed Google's acquisition of online advertiser Doubleclick, which the FTC approved over the objection of former FTC Commissioner Pamela Harbour, who cited the close ties between monopoly practices and privacy violations.
- New Report Highlights Consumer Goals for EU Privacy Law + (Sep. 17, 2015)
BEUC, The European Consumer Organization, has published "My Personal Data", outlining key requirements for negotiations in Europe on the General Data Protection Regulations. BEUC underscored "the urgent need to put consumers back in control over the way their personal data is processed online." The BEUC report emphasized strong data protection principles, enhanced rights for individuals, and a comprehensive enforcement scheme. EU negotiations involve a "trilogue" of the European Parliament, the Council, and the Commission, with the EU Data Supervisor also playing an active role. In the U.S., EPIC supports the Consumer Privacy Bill of Rights and organized a coalition of consumer privacy groups to urge President Obama to enact the privacy framework into law.
- Senators Markey and Blumenthal Push Automakers to Protect Drivers from Remote Hacking + (Sep. 17, 2015)
Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) have sent letters to 18 automakers asking how each company is protecting drivers from remote hacking. Earlier this year, a reporter detailed his experience driving a hacked Jeep. Markey and Blumenthal have also introduced the SPY Car Act to establish cybersecurity and privacy requirements for new passenger vehicles. EPIC has urged the Transportation Department to protect driver privacy. EPIC has written extensively on interconnected devices, including cars, known as the "Internet of Things" and has also said that "cars should not spy on drivers."
- EPIC Recommends Changes to Judicial Redress Act + (Sep. 16, 2015)
In a letter to the House Judiciary Committee, EPIC recommended changes to the Judicial Redress Act to provide meaningful protections for data collected on non-U.S. persons. The bill, also pending in the Senate, seeks to amend the federal Privacy Act. EPIC explained that the legislation under consideration fails to provide adequate protection to permit transborder data flows. EPIC also pointed to increasing public concern in the United States about failure to enforce the law. EPIC has previously recommended Congressional action to ensure adequate protections for all personal information collected by U.S. federal agencies. EPIC is also seeking public release of the text of the EU-US "Umbrella Agreement."
- Senate Considers Modest Updates to ECPA + (Sep. 16, 2015)
The Senate Judiciary Committee will hold a hearing on proposed amendments to the Electronic Communications Privacy Act. The bill under consideration would establish a warrant requirement for the disclosure of electronic communications. The ECPA Amendments Act would also require notice to customers whose communications have been collected. Senator Leahy said that passage of the bill should be a "no brainer." But the bill stops short of several updates recommended by EPIC, including protections for location data, data minimization requirements, and end-to-end encryption for commercial e-mail services.
- Congress Moves to Advance Judicial Redress Act as Secret Police Agreement is Leaked in Europe + (Sep. 15, 2015)
A Congressional committee will this week consider endorsement of the Judicial Redress Act, after announcement of the just concluded EU-US "Umbrella Agreement." EPIC filed an expedited FOIA request to obtain the text of the secret agreement. The document has since been made available by Statewatch. EPIC will pursue official release of the Agreement from US and EU authorities to the public. Regarding amendments to the Privacy Act, EPIC has made extensive recommendations for Privacy Act modernization, including specific changes to the damages provision that would correct a Supreme Court holding and address such problems as the OPM data breach.
- EPIC Urges Wisconsin to Protect SSNs of Job Seekers + (Sep. 15, 2015)
In testimony for the Wisconsin legislature, EPIC urged state lawmakers to protect the privacy of SSNs for job seekers. EPIC expressed support for a bill that prohibits the Department of Workforce Development from requiring SSNs from those who are trying to obtain employment information from the state. EPIC explained that other states do not require SSN collection for job seekers and urged the development of a "context-dependent" identifier. EPIC has previously warned Congress about the link between SSN misuse and identity theft. EPIC's State Policy Project is monitoring privacy bills nationwide.
- In the States: California Governor Vetoes Drone Privacy Bill + (Sep. 14, 2015)
Following lobbying by several tech companies, California Governor Jerry Brown has vetoed a bill that would have prohibited drone trespass over private property. Neighboring Oregon provides a civil action against drone operators who fly lower than 400 feet over private property. EPIC has testified in Congress in support of comprehensive drone privacy legislation, argued before the New Mexico Supreme Court in support of a warrant requirement for low altitude aerial surveillance, and sued the FAA for failing to establish drone privacy safeguards.
- Congress to Examine Commercial Drones, Privacy and Safety Issues Loom Large + (Sep. 9, 2015)
The House Judiciary Committee will hold a hearing on Unmanned Aerial Vehicles: Commercial Applications and Public Policy Implications. The FAA has granted nearly 1,500 exemptions to commercial drone operators even as public safety risks and privacy concerns increase. EPIC has sued the agency for its failure to establish privacy safeguards prior to the deployment of commercial drones in the United States. The lawsuit, EPIC v. FAA, follows an act of Congress requiring the agency to develop a "comprehensive plan" for the safe integration of drones in domestic airspace, and a petition, organized by EPIC and joined by over 100 experts and organizations, calling on the FAA to establish privacy rules. EPIC previously testified in Congress in support of strong privacy legislation.
- EU and US Reach Agreement on Data Protection for Investigations + (Sep. 9, 2015)
US officials have concluded an agreement with their European counterparts on data protection for transatlantic criminal investigations. The EU Justice Commissioner stated "Once in force, this agreement will guarantee a high level of protection of all personal data when transferred between law enforcement authorities across the Atlantic." The US Congress must next pass the Judicial Redress Act for the "Umbrella Agreement" to take effect. EPIC has previously urged US ratification of Council of Europe Convention 108, "the most widely known international framework for privacy protection."
- In the States: Delaware Enacts Several Privacy Laws + (Aug. 10, 2015)
Delaware has recently passed four privacy laws. Under the Delaware Online Privacy and Protection Act, websites and apps must disclose the personally identifiable information they collect and how they use this information. The Student Data Privacy Protection Act enhances student privacy protections, banning companies from selling student data or using student data for targeted advertising. The Victim Online Privacy Act protects domestic violence survivors against having certain contact information posted online. The Employee/Applicant Protection for Social Media Act bars employers from demanding access to their employees' or prospective employees' social media accounts. EPIC's State Policy Project is monitoring privacy bills nationwide.
- Federal Court Strikes Down Texas Voter ID Law + (Aug. 6, 2015)
The U.S. Court of Appeals for the Fifth Circuit has ruled that the strict Texas Voter ID requirement is unlawful because it would disproportionately burden minority voters, in violation of the Voting Rights Act. EPIC has previously raised similar arguments about voter privacy in its amicus brief in the Supreme Court case Crawford v. Marion County Election Board. EPIC argued in Crawford that "Not only has the state failed to establish the need for the voter identification law or to address the disparate impact of the law, the state's voter ID system is imperfect, and relies on a flawed federal identification system." EPIC also presented a statement to the House Judiciary Committee in 2007 highlighting the importance of the secret ballot.
- Coalition Successfully Blocks Restrictive FOIA Exemptions + (Aug. 5, 2015)
After receiving opposition from open government advocates and support from Senators Patrick Leahy, John Cornyn, and Charles Grassley, the Senate has removed "b(3)" Freedom of Information Act exemptions from the Senate's transportation bill. The exemptions would exclude public access to important information about safety audits, trucking company safety scores, accident footage, and records related to hazardous train service. The final bill passed the Senate 65 to 34 without the controversial language, which Senator Leahy called "bad FOIA provisions" that should have been first reviewed by the Judiciary Committee. EPIC previously set out recommendations for FOIA reform.
- GAO Report: Facial Recognition Technology Implicates Consumer Privacy, But Remains Unregulated + (Aug. 3, 2015)
The Government Accountability Office has published a report on commercial use of facial recognition technology. The GAO compiled the report at the request of Senator Al Franken, who objected to use of the technology by Facebook and Google. The GAO surveyed companies, federal agencies, and NGOs, including EPIC. The report explains the technology's privacy risks, but also reports that no laws or guidelines currently regulate facial recognition technology. The GAO also reports that the "extent of [the technology's] current use in commercial settings is not fully known." EPIC has frequently advocated for face recognition privacy laws.
- In the States: NH Adopts Location Privacy Law + (Jul. 28, 2015)
New Hampshire has enacted a strong location privacy law that requires a judicial warrant for access to cell phone location data. New Hampshire joins several other states that protect the privacy of cell phone location records, by public law or court decision. EPIC has filed amicus curiae briefs in the U.S. Supreme Court and the Supreme Court of New Jersey arguing that location tracking by the government is a search under the Fourth Amendment and should be conducted only with a judicial warrant.
- Intelligence Director Says NSA Access to Bulk Phone Record Data Will End + (Jul. 27, 2015)
The Director of National Intelligence announced today that the NSA analysis of "section 215" telephone records previously gathered will end when the USA FREEDOM Act goes into effect on November 29, 2015. Earlier this month, the U.S. Surveillance Court ruled that the NSA could continue collecting records during a 180 day transition period, despite an earlier decision finding the program was unlawful. In 2012, EPIC testified before the House Judiciary Committee on the need to reform the Surveillance Court. In 2013, EPIC filed a petition in the Supreme Court, In re EPIC, arguing that the NSA program was unlawful. In 2014, EPIC and a broad coalition urged the President to end the NSA surveillance program.
- Open Government Groups Oppose Proposed FOIA Exemptions + (Jul. 27, 2015)
Over the weekend, several open government groups urged Sen. Mitch McConnell (R) and Sen. Harry Reid (D) to remove proposed FOIA "b(3)" exemptions from a pending transportation bill. The exemptions would exclude public access to information about safety audits, trucking company safety scores, accident footage, and records related to hazardous train service. The groups oppose the exemptions and also explained that such proposals should be reviewed by the Senate Judiciary Committee, which is responsible for FOIA oversight. EPIC previously set out recommendations for FOIA reform.
- Senators Markey and Blumenthal Introduce Bill to Protect Drivers from Remote Hacking + (Jul. 21, 2015)
Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) have introduced the "Security and Privacy in Your Car Act of 2015." The SPY Car Act would establish cybersecurity and privacy requirements for new passenger vehicles, and inform consumers about the risks of remote hacking. The SPY Car Act follows a report from Senator Markey, which "detailed major gaps in how auto companies are securing connected features in cars against hackers." The bill would also prohibit manufacturers from using consumer driver data for marketing purposes without consumer consent. EPIC has urged the Transportation Department to protect driver privacy. EPIC has written extensively on interconnected devices, including cars, known as the "Internet of Things" and has also said that "cars should not spy on drivers."
- Congress to Hold Hearing on Encryption and Privacy + (Jul. 8, 2015)
Today the Senate is holding a hearing on "Going Dark: Encryption, Technology, and the Balance Between Public Safety and Privacy." FBI Director Comey, testifying today, has advocated for broken encryption to enable law enforcement access to private communications. Despite claims of "going dark" because of new encryption technologies, law enforcement encountered encryption in only 25 wiretap cases in 2014. Of those cases, non-encrypted text was obtained in all but four cases. EPIC has advocated for strong encryption and urged President Obama to reject proposals to weaken encryption. EPIC published the first comprehensive survey of encryption use around the world. And earlier this year, EPIC gave a Champion of Freedom Award to Apple CEO Tim Cook, who warned that "Criminals are using every technology tool at their disposal to hack into people's accounts. If they know there's a key hidden somewhere, they won't stop until they find it."
- States Adopt Privacy Laws for Student Data, Breach Notification, License Plate Readers, and Drones + (Jul. 2, 2015)
Several states have recently enacted new privacy laws. New Hampshire and Oregon passed student privacy legislation modeled after California's Student Online Personal Information Protection Act. Rhode Island and Connecticut enacted new consumer privacy and data breach notification laws. A new Minnesota law limits the data police may capture using automated license plate readers and requires the deletion of all data not relevant to an investigation. And the Freedom from Unwanted Surveillance Act, a law in Florida regulating the commercial use of drones, went into force this week. EPIC's State Policy Project is monitoring privacy bills nationwide.
- Surveillance Court Ignores Court Ruling, Reauthorizes NSA Bulk Collection Program + (Jul. 1, 2015)
The Foreign Intelligence Surveillance Court has reauthorized the collection of domestic telephone records for 180 days. The Surveillance Court ignored the recent decision of the Federal Court of Appeals, which held that the NSA bulk collection program is unlawful. In 2012, EPIC testified before the House Judiciary Committee on the need to reform the Surveillance Court. In 2013, EPIC filed a petition in the Supreme Court, In re EPIC, arguing that the NSA program was unlawful. In 2014, EPIC and a broad coalition urged the President to end the NSA surveillance program. Congress then passed the Freedom Act to end the program, but the FISC didn't get the memo.
- EPIC Urges California Supreme Court to Protect Open Records Law + (Jun. 25, 2015)
EPIC has asked the Supreme Court of California to review a lower court decision that prevented public release of information about "automated license plate readers." The lower court held that information about the system to gather license plate data on all motorists was an "investigative record." In the amicus letter EPIC stated, "as the government's ability to collect information about individuals has expanded, open record laws have become an important tool for government oversight." Documents obtained by EPIC about the FBI's use of license plate readers showed the agency failed to address the system's privacy implications.
- Massive Government Data Breach Even Worse than Reported + (Jun. 25, 2015)
A Congressional hearing on the Office of Personnel Management data breach has now revealed one of the worst data breaches in US history. The agency initially reported that the personal information of 4 million government employees was obtained, but news reports suggest the breach was much larger--exposing the social security numbers of more than 18 million people. EPIC has urged the White House and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. EPIC has also testified in Congress and the Senate in support of stronger security measures to protect personal data.
- EPIC Files FTC Complaint Against Uber about Plan to Track Users and Gather Contact List Data + (Jun. 22, 2015)
EPIC has filed a complaint with the Federal Trade Commission, charging that Uber's plan to track users and gather contact details is an unlawful and deceptive trade practice. EPIC cites Uber's history of misusing customer data as one of many reasons the Commission must act. EPIC has also recommended comprehensive legislation for Uber and other similar companies. EPIC has previously pursued successful complaints at the FTC concerning Google, Facebook, WhatsApp, Snapchat and other firms. The complaints typically lead to investigations and then to settlements following a change in business practices.
- Senate Rejects User Surveillance Proposal + (Jun. 17, 2015)
The Senate has rejected an amendment to the National Defense Authorization Act for 2016 that would transfer user data from private companies to government agencies without judicial oversight. Senator Patrick Leahy (D-Vt) urged Senators to oppose the amendment, stating "we need a cyber-security bill, not a cyber-surveillance bill." Last year, EPIC won a five-year court battle against the NSA for NSPD 54--the foundational legal document for U.S. cybersecurity policies. The Directive reveals the NSA's interest in enlisting companies to monitor user activity in the United States.
- Senator Sanders Proposes Commission on Privacy Rights in Digital Age + (Jun. 17, 2015)
Senator Bernie Sanders (I-VT) has introduced a bill to establish a federal Privacy Commission. The Commission on Privacy Rights in the Digital Age would convene for two years to "examine the ways in which public agencies and private companies gather data on the people of the United States and the ways in which that data is utilized." The Commission would also "make recommendations concerning potential policy changes needed to safeguard the privacy" of Americans. EPIC has repeatedly urged Congress to establish a privacy agency. As EPIC explained in Senate testimony, similar agencies in other countries "routinely report on the handling of privacy complaints, the emergence of new privacy issues, and proposed measures to protect privacy." The United States is one of the few democratic countries in the world that does not have a federal privacy agency.
- EPIC Joins Open Government Groups in Support of FOIA Reform + (Jun. 12, 2015)
EPIC and a coalition of open government advocates have urged Congress to pass FOIA reform legislation. In response to a request from the Chairman of the House Oversight and Government Reform Committee, the coalition expressed support for the FOIA Act of 2015, specifically praising a provision limiting the use of Exemption 5, which has enabled the growth of secret law. In EPIC v. DOJ, EPIC argued that agencies improperly use Exemption 5 to hide government documents from public scrutiny. EPIC also filed an amicus in NY Times v. DOJ, a successful challenge to the secrecy of the legal memos justifying the government's "targeted killing" drone program.
- New Law Would Strengthen Children's Online Privacy + (Jun. 12, 2015)
The "Do Not Track Kids" Act, introduced this week by Senator Markey (D-MA), Senator Blumenthal (D-CT), Rep. Barton (R-TX), and Rep. Rush (D-IL), would strengthen and expand the privacy protections afforded children in the 1998 Children's Online Privacy Protection Act. The Act extends privacy safeguards to children over 13, requires that businesses collecting information on minors comply with Fair Information Practices, and establishes a "right to be forgotten," allowing parents and minors to remove social media posts, similar to California's Eraser Law. EPIC has long advocated for the privacy rights of children, testifying in Congress in 1996 in support of the Children's Privacy Law and again before the Senate in 2010 as new technologies and business practices emerged. EPIC also urged the FTC in 2011 to establish stronger regulations to protect the data concerning children.
- South Carolina Requires Police Body Cameras, But Blocks Public Access to Footage + (Jun. 12, 2015)
South Carolina has become the first state to require law enforcement agencies to deploy body cameras. However, the law exempts police body camera footage from public records law, which appears contrary to the stated goal of promoting police accountability. Many states are considering similar legislation and EPIC's State Policy Project is monitoring bills nationwide. EPIC has submitted testimony to Congress and the D.C. City Council opposing the deployment of body cameras. But where body-worn cameras are deployed, EPIC recommends that the police agencies comply with open government laws.
- Massive Breach Impacts Millions of Government Employees + (Jun. 10, 2015)
The Office of Personnel Management has announced a massive data breach in the federal government's employee database. According to the agency, the breach exposed the sensitive personal information - including home addresses, SSNs, and financial information - of 4 million government employees. Although 432 million online accounts were hacked in 2014, Congress has failed to update US privacy laws or pass cybersecurity legislation. EPIC has urged the White House and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information.
- Senators Urge FCC to Protect Consumers Against Unsolicited Calls + (Jun. 9, 2015)
Almost a dozen senators have urged the Federal Communications Commission to uphold consumer privacy protections within the Telephone Consumer Protection Act. Next week the Commission will vote on two dozen proposals seeking to relax enforcement of the Act. According to Senator Markey and others, the FCC's recommendation to permit unsolicited texts and calls without consumer consent "would threaten privacy and result in an increase in disruptive and annoying calls for American consumers." The Commission will vote on the proposals during an Open Meeting on June 18, 2015. EPIC supported enactment of the TCPA and has advocated for strong enforcement.
- Senator Markey Speaks at EPIC Book Event + (Jun. 2, 2015)
Senator Edward Markey (D-MA) appeared today at the Fund for Constitutional Government to support the release of EPIC's new anthology, "Privacy in the Modern Age: The Search for Solutions" and Bruce Schneier's NY Times bestseller "Data and Goliath." Senator Markey discussed his efforts to establish new safeguards for student privacy and to limit drone surveillance.
- Senate Passes FREEDOM Act, Ends NSA Bulk Collection + (Jun. 2, 2015)
The Senate has passed the USA FREEDOM Act, sponsored by Senator Patrick Leahy (D-VT) and Senator Mike Lee (R-TX). The Act, which the President is expected to sign, ends the NSA bulk collection of domestic telephone records and establishes new transparency and accountability rules for the Foreign Intelligence Surveillance Court. In 2012, EPIC testified before the House Judiciary Committee on the need to reform the Surveillance Court. In 2013, EPIC filed a petition in the Supreme Court, In re EPIC, arguing that the NSA program was unlawful. In 2014, EPIC and a broad coalition urged the President to end the NSA surveillance program.
- Senate to Debate End of PATRIOT Act + (May. 31, 2015)
The Senate convenes today for a rare Sunday session. Senators will consider whether to renew key provisions of the PATRIOT Act, including the NSA bulk collection program, due to expire tonight. Senator Rand Paul has said he will oppose any renewal. Also under consideration is the FREEDOM Act, sponsored by Senator Patrick Leahy (D-VT) and Senator Mike Lee (R-TX). In 2013, EPIC filed a petition in the Supreme Court, In re EPIC, supported by experts, scholars, and members of the Church Committee, arguing that the NSA program was unlawful. In 2014, EPIC and a broad coalition urged the President to end the program. The Sunday debate will be broadcast live on CSPAN2 at 4 pm EDT.
- White House Begins Shutdown of Bulk Collection Program + (May. 27, 2015)
According to media reports, the Administration has decided not to renew the legal authority for the NSA’s telephone record collection program. EPIC and a coalition of privacy organizations had urged the President to end the program, which he said he would do in 2014. In 2013, EPIC filed a petition in the US Supreme Court, supported by technical experts, legal scholars, and former members of the Church Committee, arguing that the program was unlawful. The Senate is expected to take up the USA Freedom Act on May 31, the day before key provisions of the Patriot Act expire.
- Florida Blocks Public Access to Police Body Camera Footage + (May. 27, 2015)
Florida, a state with very broad open government laws, has exempted from public records law police body camera footage that is obtained inside a private residence or a health care, mental health care, or social services facility, or that is taken in a place that a reasonable person would expect to be private. Many states are considering similar legislation and EPIC's State Policy Project is monitoring bills nationwide. EPIC has submitted testimony to Congress and the D.C. City Council in opposition to the deployment of body cameras. But, where body-worn cameras are deployed, EPIC recommends no exemptions from open government laws.
- California AG Urges Congress to Reform Data Breach Notification Bill + (May. 21, 2015)
California Attorney General Kamala Harris has admonished the House Energy and Commerce Committee about the proposed Data Security and Breach Notification Act. In a letter to Committee leadership, Harris wrote, "I urge you to recognize the important role that states play in developing innovative approaches to consumer protection, and to reject a one-size-fits all law that establishes a ceiling rather than a floor on data security and data breach notification and consumer protection." California's Constitution guarantees the right to privacy, and California passed the first ever state data breach notification law. EPIC has also warned that the House bill would preempt stronger state laws and strip the FCC of its authority to defend consumer privacy.
- EPIC Warns Congress of Risks of Body Cameras + (May. 20, 2015)
EPIC submitted a statement for the record today for the Senate hearing "Can Technology Increase Protection for Law Enforcement Officers and the Public?". EPIC opposes the use of "police cams" and warned Congress that body cameras could "become the next surveillance technology disproportionately aimed at the most marginalized members of society." EPIC also pointed to the potential liability for cities if harmful images are posted online. EPIC explained that there are "more productive means to achieve police accountability that do not carry the risk of increasing surveillance." EPIC stressed that if body cameras are deployed, police departments must comply with all privacy and open government laws.
- New Drone Privacy Law Signed by Florida Governor + (May. 17, 2015)
Florida has a new law prohibiting the use of drones to intentionally record images of people on private property if a reasonable expectation of privacy exists. The law applies to law enforcement and private individuals, and provides for civil damages and injunctive relief. The law follows Florida's 2013 law requiring that police obtain a warrant to use drones to collect evidence. Many states are considering similar legislation and EPIC's State Policy Project is monitoring bills nationwide. EPIC has also testified in Congress in support of comprehensive drone privacy legislation, argued before the New Mexico Supreme Court in support of the warrant requirement, and sued the FAA for failing to establish drone privacy safeguards.
- House Passes Surveillance Reform Bill, Deadline Looms for Senate + (May. 14, 2015)
The House of Representatives has passed the USA Freedom Act of 2015. The bill would end the NSA's controversial domestic telephone record collection program--a program the Second Circuit Court of Appeals recently ruled was unlawful. The Freedom Act would also establish new transparency requirements for the Foreign Intelligence Court, recommended by EPIC in testimony before the House Judiciary Committee in 2012. EPIC also opposed renewal of the NSA's Section 215 orders and petitioned the Supreme Court to suspend the program. The Senate is expected to take up the bill before the June 1 expiration of Section 215 of the Patriot Act.
- Senators Markey and Hatch Propose Student Privacy Act + (May. 13, 2015)
Senator Edward Markey (D-Mass) and Senator Orrin Hatch (R-Utah) have reintroduced the "Protecting Student Privacy Act." The Act would strengthen the Family Educational Rights and Privacy Act, a federal student privacy law. The Student Privacy Act would also implement several of the recommendations EPIC set out in the Student Privacy Bill of Rights, including data security safeguards, student access to their information held by companies, prohibiting the use of personal data for marketing purposes, and minimizing the personal information schools transfer to third parties.
- EPIC to Recognize Richard Clarke, Tim Cook, AG Kamala Harris, and Susan Linn at June Awards Dinner + (May. 11, 2015)
On June 1, 2015 in Washington, D.C., EPIC will present the 2015 EPIC Champions of Freedom Awards to Richard Clarke, former National Coordinator for Security and Counter-terrorism, Apple CEO Tim Cook, California Attorney General Kamala Harris, and Susan Linn, co-founder and director of The Campaign for a Commercial-Free Childhood. Computer security expert Bruce Schneier and political analyst Hilary Rosen will host the gala event. Tickets are available to the public for purchase until May 22.
- House Committee Approves Surveillance Reform Bill + (May. 1, 2015)
The House Judiciary Committee voted to send the USA FREEDOM Act of 2015 to the House of Representatives for further consideration prior to the June 1 Patriot Act expiration deadline. The bill would end the NSA's controversial domestic telephone record collection program. The bill would also establish new transparency requirements for Intelligence Court Orders, recommended by EPIC in testimony before the House Judiciary Committee. EPIC also opposed renewal of the NSA's Section 215 orders and petitioned the Supreme Court to suspend the program.
- House Members Introduce Student Privacy Bill + (Apr. 30, 2015)
Congressmen Luke Messer (R-IN) and Jared Polis (D-CO) have introduced the "Student Digital Privacy and Parental Rights Act of 2015." The student privacy bill would prohibit companies from selling student information, using student information for targeted advertising, or otherwise disclosing student information for non-educational purposes. The Student Digital Privacy Act would implement portions of EPIC's Student Privacy Bill of Rights, including granting students access to their personal information collected by companies and requiring companies to provide notice of data security breaches. The bill is modeled on a new student privacy law in California.
- Senator McConnell Seeks Renewal of NSA Bulk Collection Program + (Apr. 23, 2015)
Senate majority leader Mitch McConnell has introduced a bill that would extend the Patriot Act until 2020. Specifically, S. 1035 would renew the controversial Section 215 authorities for the NSA's telephone record collection program. The 215 authority is set to expire on June 1. EPIC urged the President and the Attorney General not to renew the 215 order after it became clear that the NSA routinely collected the telephone records of US citizens. EPIC previously petitioned the Supreme Court to suspend the program, arguing that the NSA program exceeded the section 215 legal authority.
- Congress Proposes Bipartisan Student Privacy Bill + (Apr. 23, 2015)
The House Education and Workforce Committee has proposed a discussion draft amending the Family Educational Rights and Privacy Act, a federal student privacy law. The draft recommends ways to strengthen the law, including: (1) protecting student data maintained by private companies; (2) shorter wait times for students to access their records; (3) permitting students to opt out of disclosing their data for certain research studies; (4) mandatory data security for schools; (5) written agreements detailing obligations of third parties receiving student data; (6) enhanced enforcement mechanisms; and (7) narrowing exceptions under which schools may disclose student data without consent.
- House Reconsiders Data Breach Bill + (Apr. 15, 2015)
Members of the Energy and Commerce Committee have convened to rework the Data Security and Breach Notification Act. The Act, introduced by Reps. Blackburn and Welch, would require businesses to notify consumers of a data breach "unless there is no reasonable risk of identity theft or financial harm." The bill would also preempt stronger state laws, and would strip the FCC of its authority to protect consumer privacy. Rep. Frank Pallone and others have raised concerns. EPIC previously urged Congress to adopt baseline federal law that would allow states to develop innovative legislative responses to privacy risks.
- Court Awards EPIC Attorneys' Fees in FOIA Case Against NSA + (Apr. 9, 2015)
A federal district court has ordered the NSA to pay EPIC attorneys' fees in a lawsuit that led to the release of a presidential cybersecurity order. Back in 2009, EPIC requested National Security Presidential Directive 54, which concerns the NSA's domestic surveillance authority. After EPIC brought suit and then an appeal to the D.C. Circuit, the NSA finally released the document to EPIC. The agency then opposed EPIC's request for attorneys' fees in the case. A federal court has now ruled that NSA's refusal to disclose the document was "incorrect as a matter of law," that EPIC had "substantially prevailed," and awarded EPIC more than $31,000 in fees.
- Judge Approves Laughably Bad, Collusive Class Action Settlement + (Apr. 3, 2015)
A federal judge has approved a settlement involving Google after the company routinely disclosed the search histories of Internet users to third parties in violation of federal law. Under the settlement, Google will continue the practice and the attorneys will receive several million in fees. Google will also distribute millions to the schools the lawyers attended. None of the class members will receive any benefit. A coalition of consumer privacy organizations, including EPIC, twice urged the judge to reject the settlement. The groups cited an opinion by Supreme Court Chief Justice John Roberts about a similarly collusive settlement.
- Senate Committee Approves Modest Driver Privacy Bill + (Mar. 30, 2015)
The Senate Commerce Committee voted unanimously to approve the Driver Privacy Act of 2015, a bipartisan bill limiting access to event data recorder or "black box" data. Under the Act, black box data could only be obtained with: (1) a court or administrative order; (2) consent of a car owner or lessee; (3) a federal transportation safety investigation if personal information is redacted; (4) emergency crash medical response; or (5) traffic safety research if personal information is redacted. The Senate Commerce Committee approved a stronger bill last year. EPIC previously recommended safeguards for black box data in USA Today and Costco Connect and then urged the Transportation Department to establish privacy rules for data access.
- EPIC Pursues Investigation of FTC's 2012 Investigation of Google + (Mar. 26, 2015)
EPIC has filed a FOIA request with the Federal Trade Commission, reopening a 2013 FOIA request from EPIC regarding the Commission's Google antitrust investigation. After the agency closed the investigation in 2013, EPIC asked for agency communications with the White House. The FTC denied having any such records. Now, the Wall Street Journal has reported that the Chairman of the FTC attended White House meetings on the same day as Google lobbyists. EPIC also filed a request this week for the FTC staff reports recommending that the agency file an antitrust lawsuit against Google.
- EPIC Pursues Reports from FTC's 2012 Investigation of Google + (Mar. 24, 2015)
EPIC has filed a FOIA request with the Federal Trade Commission, seeking the two reports prepared by agency staff during the 2012 Google antitrust investigation. After the agency closed the investigation in 2013, EPIC asked for agency communications with the White House. Now, the Wall Street Journal has obtained a report revealing that the Commission ignored recommendations to reform Google's anticompetitive practices. EPIC warned the FTC in 2011 about Google's search ranking manipulation after the company acquired YouTube.
- Wall Street Journal Reveals FTC Ignored Google's Anticompetitive Practices + (Mar. 23, 2015)
According to an internal document obtained by the WSJ, in 2012 the Federal Trade Commission ignored recommendations to reform Google's anticompetitive practices. The FTC staff report concluded that Google's "conduct has resulted--and will result--in real harm to consumers and to innovation in the online search and advertising markets." The internal FTC report said the company illegally took content from rival websites to improve its own rankings and "[w]hen competitors asked Google to stop taking their content, it threatened to remove them from its search engine." The report also found that Google altered search results "to benefit its own services at the expense of rivals." In 2011 EPIC detailed for the FTC Google's manipulation of rankings for a search on the term "privacy" after it acquired YouTube. EPIC pursued a FOIA request for agency communications with the White House after the agency closed the investigation.
- EPIC Comments on Maryland Drone Bill + (Mar. 17, 2015)
In a prepared statement for a hearing on a bill to limit drone surveillance, EPIC urged Maryland state legislators to add additional privacy protections. The bill prohibits drone surveillance of "specifically targeted individuals or private property," except where a valid search warrant is obtained or explicit consent is given. EPIC recommended that the bill specifically limit police drone surveillance of First Amendment protected activities, require use and data limitations, and include additional transparency and accountability measures. EPIC previously petitioned the FAA to establish clear privacy guidelines for commercial drones and urged Congress to establish privacy safeguards to limit drone surveillance.
- Senate Committee Approves Cyber Surveillance Bill + (Mar. 14, 2015)
In a closed-door meeting, the Senate Select Committee on Intelligence approved the "Cyber Information Sharing Act of 2015". The bill would allow the government to obtain user information from private companies without judicial oversight. Companies would receive immunity for their disregard of existing privacy law. Senator Wyden, who opposed the measure, stated, "If information-sharing legislation does not include adequate privacy protections then that's not a cybersecurity bill - it's a surveillance bill by another name." Last year, EPIC won a five-year court battle against the NSA for NSPD 54—the foundational legal document for U.S. cybersecurity policies. The Directive reveals the government's long-standing interest in enlisting private sector companies to monitor user activity.
- Data Breach Bill Would Preempt State Law, Weaken FCC Authority + (Mar. 13, 2015)
Representatives Burgess, Blackburn, and Welch have proposed a bill for data breach notification. The Data Security and Breach Notification Act would require businesses to notify consumers of a data breach "unless there is no reasonable risk of identity theft or financial harm." The bill would also preempt stronger state laws, and would strip the FCC of its authority to protect consumer privacy. In 2005, EPIC testified before Congress on "Identity Theft and Data Broker Services" and urged the regulation of data brokers following the disclosure that Choicepoint sold personal information to identity thieves. In 2009 and again in 2011, EPIC favored baseline federal law that would allow states to innovate and develop new legislative responses to privacy risks.
- Senators Propose Law to Regulate Data Broker Industry + (Mar. 5, 2015)
Senators Markey, Blumenthal, Whitehouse and Franken have introduced the Data Broker Accountability and Transparency Act. The bill would give consumers the right to access their personal information held by data brokers and stop data brokers from disclosing or selling that information to others. Senator Markey said, "The era of data keepers has given way to the era of data reapers." In 2005, EPIC testified before Congress on "Identity Theft and Data Broker Services" and urged the regulation of data brokers following the disclosure that Choicepoint sold personal information to identity thieves. EPIC's FTC complaint led to a $10 million settlement with Choicepoint.
- Sen. Markey and Rep. Welch Propose Drone Privacy Legislation + (Mar. 3, 2015)
Senator Markey and Representative Welch introduced the Drone Aircraft Privacy and Transparency Act of 2015. The Act would regulate the use of drones in the United States. The Drone Privacy Act requires publicly available data collection statements from operators and warrants for drone surveillance by law enforcement. Recently announced rules by the FAA and White House "fail to adequately protect the privacy of Americans," according to the Congressmen. The Drone Privacy Act incorporates recommendations by EPIC in testimony to Congress and comments to federal agencies. EPIC petitioned the FAA to establish clear privacy rules for commercial drone operators.
- White House (Commerce Dept.) Privacy Bill Not Helpful, Unworkable + (Mar. 2, 2015)
The White House has released a consumer privacy proposal, prepared by the Commerce Department. The bill falls far short of the recommendations for a “Consumer Privacy Bill of Rights” set out by President Obama in 2012 and broadly supported by consumer organizations. The draft proposal lacks meaningful protections for consumers, would preempt stronger state laws, and create unnecessary regulatory burdens for businesses. EPIC has long recommended enactment of consumer privacy legislation based on “Fair Information Practices,” the basic framework for modern privacy law.
- EPIC Prevails in "Stingray" Case Against FBI + (Feb. 20, 2015)
EPIC has obtained nearly $30,000 in litigation fees as a result of a Freedom of Information Act case against the FBI concerning a new surveillance technology. EPIC's lawsuit produced the release of more than 4,000 pages of documents about a phony cell tower technique called "Stingray." The documents obtained by EPIC revealed that the FBI used the devices to monitor cell phones without a warrant, and provided Stingrays to other law enforcement agencies. Following objections by Senator Grassley, the FBI restricted Stingray use. In EPIC v. FBI, No. 12-667, the Federal District Court awarded EPIC nearly all of the attorneys' fees requested.
- FAA Ignores Privacy Concerns in Public Rulemaking on Commercial Drones + (Feb. 19, 2015)
The Federal Aviation Administration announced a public rulemaking for the integration of small commercial drones into the National airspace. The rules will establish safety procedures but will not address privacy concerns. The agency stated that privacy "issues are beyond the scope of this rule making." EPIC and 100+ organizations, experts, and members of the public petitioned the FAA to conduct a public rulemaking on the privacy impact of domestic drone use. Several members of Congress, including Senator Markey and Senator Paul, have urged the establishment of privacy laws before surveillance drones are deployed in the United States.
- President Orders Federal Agencies to Adopt Privacy Rules for Drone Use, FAA Proposes Weak Rules for Commercial Users + (Feb. 15, 2015)
The President has issued a new Executive Order requiring all federal agencies to adopt privacy rules for drone use. The Order is intended to limit the collection and use of personally identifiable information. The rules will also require agencies to adopt transparency and accountability procedures for drone use. The Order incorporates recommendations made by EPIC in testimony to Congress and comments to several federal agencies. The Federal Aviation Administration has also proposed new regulations for commercial drone use in the United States. These rules will establish safety procedures for drone use, including maximum height, weight and line-of-sight operation, but the rules do not address the privacy impact of commercial drone use. EPIC petitioned the FAA to establish clear privacy rules for commercial drone operators.
- Executive Order Calls for More Cybersecurity Info "Sharing" + (Feb. 13, 2015)
President Obama announced today an Executive Order to promote collaboration between the private sector and the government to counter cyber threats. The Order encourages companies to disclose user data to the federal government outside any judicial process. The Order also promotes compliance with Fair Information Practices and adoption of such Privacy Enhancing Techniques as data minimization. The Executive Order is one of several cybersecurity initiatives announced by the President. In EPIC v. NSA, after a five-year court battle, EPIC obtained National Security Presidential Directive 54, which revealed the NSA's role in domestic cyber security.
- EPIC Urges House to Safeguard Student Privacy + (Feb. 11, 2015)
EPIC has sent a statement to a House Committee in advance of the Committee's hearing on "How Emerging Technology Affects Student Privacy." EPIC urged the Committee to "pursue effective measures that meaningfully safeguard student data," including adoption of the Student Privacy Bill of Rights, privacy enhancing techniques, and a private right of action against companies that unlawfully disclose student data. Last month, President Obama proposed legislation to "ensure that data collected in the educational context is used only for educational purposes." EPIC has previously urged Congress, the Education Department, and the Federal Trade Commission to strengthen student privacy.
- Senator Markey Report Warns of Risks with "Connected Cars" + (Feb. 10, 2015)
A report from Senator Edward Markey (D-MA) finds lax privacy practices at leading auto manufacturers. The Senator said the safeguards in the auto industry for data collection are "inconsistent" and "haphazard." The investigation also revealed, "automobile manufacturers collect large amounts of data on driving history and vehicle performance." Senator Markey has called on the Department of Transportation and the Federal Trade Commission to issue rules to protect driver privacy and security. EPIC has urged the Department of Transportation to protect driver privacy. EPIC has written extensively on interconnected devices, including cars, known as the "Internet of Things" and said also that "cars should not spy on drivers."
- Anthem Breach Shows Risks of "Big Data" (Feb. 5, 2015)
One of the largest health insurers in the country has lost millions of medical records of American consumers. The most recent breach of sensitive medical information shows the dangers of "Big Data" and the mistaken conclusion of the report of the President's Science Advisors, which simply assumed the benefits of data collection. EPIC has urged the FTC to establish data minimization procedures for companies to limit the risks of data breaches.
- Congress to Hold Hearing on Student Privacy (Feb. 5, 2015)
Next week, a House committee will hold a hearing on "How Emerging Technology Affects Student Privacy." Last month, President Obama proposed legislation to safeguard student data. The legislation would "ensure that data collected in the educational context is used only for educational purposes" and prohibit companies from selling data for non-educational purposes and targeting advertising. Last year, EPIC proposed the Student Privacy Bill of Rights following growing concerns about misuse of student data. EPIC has urged Congress, the Education Department, and the Federal Trade Commission to strengthen student privacy.
- White House Report on "Big Data" Explores Price Discrimination, Opaque Decisionmaking (Feb. 5, 2015)
A White House report on Big Data and Differential Pricing released today examines new forms of discrimination resulting from big data analytics. The White House explained the risks to consumers, acknowledged the failure of self-regulatory efforts, and called for greater transparency and consumer control over their personal information. Last year, EPIC and a coalition of NGOs urged the President to establish privacy protections - including "algorithmic transparency", consumer control, and robust privacy techniques - to address Big Data risks.
- Online Privacy Bills Introduced in Congress, EPIC Recommends Further Changes (Feb. 4, 2015)
Senators and House Members have introduced bills to update the federal communications privacy law. The proposals would require law enforcement agents to obtain a warrant before they could access e-mails or location data. EPIC has called for a comprehensive overhaul of the federal privacy law. EPIC has recommended protections for location data, data minimization requirements, and end-to-end encryption for commercial email services.
- President Discusses Surveillance Reform, Bulk Collection Continues (Feb. 3, 2015)
Today President Obama outlined new steps on surveillance reforms. The Director of National Intelligence also released a privacy framework for non-US persons and revised agency guidelines on data collection. Last year, the President committed to end the bulk collection of Americans' phone records and increase oversight of intelligence gathering. But the President has not ended the bulk collection program despite the absence of evidence that the program is effective. In 2013 EPIC, joined by dozens of legal experts, petitioned the Supreme Court to find the program unlawful.
- Lawmakers Renew FOIA Reform Efforts (Feb. 3, 2015)
After narrowly failing to pass FOIA legislation last year, lawmakers in the House and the Senate have introduced the FOIA Improvement Act of 2015. The bill requires Federal agencies to operate under a "presumption of openness" and aims to reduce the overuse of exemptions to withhold information from the public. Senators called for swift passage of the bipartisan legislation which promotes transparency. Last October, EPIC and others urged the President to pursue many of the reforms contained in the proposed legislation.
- Senators Challenge Verizon's Secret Mobile Tracking Program (Jan. 30, 2015)
In a letter to Verizon, Senators on the Commerce Committee challenged the company's practice of placing a "super cookie" on customers' smartphones. The letter follows the recent discovery that the advertising company Turn was secretly tracking Verizon customers, even after customers deleted its cookies. In the letter, the Senators asked Verizon to stop tracking users with undeletable cookies. EPIC has urged the White House and the Federal Trade Commission to limit the use of persistent identifiers. EPIC supports opt-in requirements and Privacy Enhancing Techniques for consumers, and algorithmic transparency for data collectors.
- DOJ Reverses Course on Forensic Evidence Committee After Federal Judge Resigns in Protest (Jan. 30, 2015)
The Department of Justice has reversed a decision to limit oversight of scientific evidence after a federal judge threatened to resign in protest. The National Commission on Forensic Science, established by the DOJ, was charged with improving the reliability of forensic science but the Justice Department appeared ready to make a recommendation contrary to the Commission's purpose. Senator Patrick Leahy (D-VT) has urged better oversight of forensic evidence in the criminal justice system. EPIC also asked the Supreme Court in an amicus curiae brief in Florida v. Harris to look more closely at investigative techniques that help establish probable cause. EPIC argued that courts should ensure that techniques are adequately tested to ensure the accuracy and validity of results. The dispute over the recommendations of the National Commission on Forensic Science reflects a similar concern.
- FAA Settles Case Testing Legality of Commercial Drone Ban (Jan. 27, 2015)
The FAA has settled a case, Huerta v. Pirker, that challenged the agency's ability to regulate the commercial use of drones. The settlement requires the drone operator to pay a $1,100 fine for violating the FAA regulation. Despite the ban, the agency continues to grant exceptions for commercial drone use. A small drone recently crashed on the White House grounds, raising additional concerns about the anticipated deployment of drones in the United States. EPIC has petitioned the FAA to establish clear privacy rules for the operation of commercial drones.
- EPIC Urges House to Safeguard Consumer Privacy (Jan. 26, 2015)
EPIC has sent a statement to the House Commerce Committee for the hearing, "What are the Elements of Sound Data Breach Legislation?". EPIC had testified before the House Committee in 2011 on data breach notification, urging Congress to set a national baseline standard. EPIC also supports enactment of the Consumer Privacy Bill of Rights. EPIC also urged the House Committee to promote "algorithmic transparency." EPIC has warned that “[t]he ongoing collection of personal information in the United States without sufficient privacy safeguards has led to staggering increases in identity theft, security breaches, and financial fraud.”
- CIA Releases Redacted Report on Surveillance of Congress (Jan. 15, 2015)
Several months after EPIC filed a Freedom of Information Act lawsuit against the Central Intelligence Agency, the agency has released the Inspector General's report on the agency's surveillance of Congress. The Inspector General launched an investigation after the Senate accused the CIA of improperly accessing the computers of Senate staff who were investigating CIA torture practices. The Inspector General found that CIA personnel improperly accessed Senate computers multiple times. The Inspector General also found that the CIA's accusations that Senate staff had improperly removed CIA files were baseless. EPIC will pursue release of the full, unredacted report.
- President Obama Announces New Cybersecurity Initiatives (Jan. 13, 2015)
Today the President announced several cybersecurity initiatives, including a proposal to facilitate private sector threat information disclosures. The White House proposal requires the removal of personal information prior to data transfers but privacy concerns remain. The President threatened to veto a previous bill that lacked privacy and civil liberties safeguards. A 2013 expert report set out 46 proposals for strengthening cyber security that the White House said it would adopt. EPIC supported these recommendations and has also recommended civilian leadership on cybersecurity.
- Obama Calls for Disclosure of Secret Credit Scores (Jan. 12, 2015)
In a speech at the Federal Trade Commission today, President Obama called for free access to credit scores. This will improve transparency for companies that profile consumers with "big data." Last year, the White House explored "Big Data and the Future of Privacy." EPIC called for "algorithmic transparency" and urged the White House to end secret profiling that limits opportunities for consumers, employees, students, and others.
- Obama Announces New Consumer Privacy Initiatives (Jan. 12, 2015)
Today the President announced several initiatives to help protect consumer privacy following many, many data breaches. The President will move forward the Consumer Privacy Bill of Rights, a model framework for federal consumer privacy legislation, that EPIC supported in comments to executive agencies, legislators, and the White House. The President also proposed that financial firms disclose credit scores and that Congress enact the Student Digital Privacy Act based on "Fair Information Practices."
- President Obama Backs Student Privacy Law (Jan. 12, 2015)
Today the President will propose legislation to safeguard student data, to "ensure that data collected in the educational context is used only for educational purposes." The Student Digital Privacy Act, based on a landmark California statute, will prohibit companies from selling data for non-educational purposes and from using data for targeted advertising. Last year, EPIC called for a Student Privacy Bill of Rights to safeguard student information. EPIC has urged Congress and the Department of Education to strengthen student privacy.
- EPIC Urges Congress to Hold Hearing on FBI Database (Jan. 9, 2015)
In a letter to Senators Grassley and Leahy, EPIC has urged the Senate Judiciary Committee to investigate the FBI's "Next Generation Identification" program. NGI is the most extensive biometric database in the world and raises many privacy risks. In a recent FOIA case, EPIC v. FBI, EPIC obtained documents which show that the FBI accepted a 20% error rate for facial recognition matches. EPIC and over 30 organizations have urged Attorney General Holder to conduct a privacy assessment of NGI, but the program has since gone fully operational without the required evaluation.
- New Report Surveys FOIA Litigation in 2014 (Jan. 6, 2015)
The Transactional Records Access Clearinghouse has released its analysis of 2014 litigation under the Freedom of Information Act. TRAC found that 422 FOIA lawsuits were filed in the past year, the highest number since 2001. Among advocacy organizations, EPIC was the third most frequent filer, with seven lawsuits filed in 2014. Several notable lawsuits were also filed by the New York Times and Vice reporter Jason Leopold. The Department of Justice was the federal agency most frequently sued, followed by the Department of Defense. For more information see: EPIC: Open Government and FOIA.ROCKS.
- Senators Seek Answers on Use of Cell Phone Surveillance Devices (Jan. 2, 2015)
Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) and Ranking Member Chuck Grassley (R-Iowa) have asked Attorney General Eric Holder and Secretary of Homeland Security Jeh Johnson several questions about the government’s use of cell site simulators or “Stingray” devices to track cell phones. According to the letter, the Senators previously asked FBI Director James Comey about the FBI’s use of cell site simulators and, after two briefings with the Senators, the FBI announced a new policy that it would obtain search warrants before using the devices, subject to certain exceptions. The new letter raises questions about the broader use of cell site simulators by other law enforcement agencies and their impact on the privacy of innocent individuals. EPIC filed a lawsuit under the Freedom of Information Act in 2012, seeking information about the FBI’s use of cell site simulators and, in particular, what legal process the agency required before deploying the technology. As a result of EPIC’s lawsuit, more than 4,000 pages of partially-redacted FBI records were released to the public. For more information, see EPIC v. FBI - Stingray / Cell Site Simulator.
- FTC Charges Data Broker with Theft (Jan. 2, 2015)
The Federal Trade Commission has brought a complaint against LeapLab, a commercial data broker. According to the complaint, LeapLab bought the payday loan applications of “financially strapped consumers,” and then sold the consumer information to marketers. At least one marketing company that purchased consumer information from LeapLab used that information to steal millions of dollars from consumers’ bank accounts. “This case shows that the illegitimate use of sensitive financial information causes real harm to consumers,” said Jessica Rich, Director of the Federal Trade Commission’s Bureau of Consumer Protection. In 2005, EPIC testified before the House Commerce Committee on "Identity Theft and Data Broker Services" and urged Congress to establish comprehensive regulation of the data broker industry following the disclosure that Choicepoint was selling personal information to criminals engaged in identity theft. Further, EPIC's complaint to the FTC against Choicepoint led to a $10 million settlement. For more information, see EPIC: Choicepoint, EPIC: Privacy and Consumer Profiling, and EPIC: FTC.
- FTC Finalizes Snapchat Settlement (Jan. 2, 2015)
The Federal Trade Commission has approved a final order with Snapchat, the messaging service that falsely promised that messages sent and received through the service would "disappear forever." The Commission’s investigation and initial proposed consent order followed a complaint filed by EPIC in 2013. EPIC brought the complaint against Snapchat after a researcher discovered that Snapchat photos could be retrieved by others after they should have vanished. EPIC also filed comments regarding the Commission's proposed consent order, expressing support for the Commission’s findings but recommending that Snapchat should be required to implement the Consumer Privacy Bill of Rights and make Snapchat's privacy assessments publicly available. Under the settlement, Snapchat will be subject to 20 years of privacy audits, and will be prohibited from making false claims about its privacy policies. For more information, see EPIC: In re Google, EPIC: In re Facebook and EPIC: FTC.
- Final Act: Senator Rockefeller Proposes Drone Privacy Bill (Dec. 24, 2014)
Senator Rockefeller, the outgoing Chair of the Senate Commerce Committee and a leading privacy champion, introduced a bill to require privacy safeguards in the commercial operation of drones. The Unmanned Aircraft Systems Privacy Act of 2014 would prohibit surveillance of individuals by companies unless explicit prior consent is obtained and would require the development of remote identification transmission technologies for drones. The bill would also provide a private right of action against invasions of privacy in violation of the act and grant the FTC additional authority to regulate on commercial drone privacy issues. EPIC previously testified before Congress in support of a drone privacy law. EPIC recommended data use and retention limitations as well as additional transparency and accountability measures for drone operators. For more information, see EPIC Spotlight on Surveillance: Drones - Eyes in the Sky and EPIC: Domestic Drones.
- EPIC, Coalition Urge Changes for House Procedures on National Security (Dec. 18, 2014)
EPIC and a coalition of civil liberties groups are advocating for changes that would create more oversight and accountability in Congress for national security issues. In a letter to House Speaker John Boehner and Minority Leader Nancy Pelosi, more than 50 organizations recommended that the leadership provide all Members of Congress with access to relevant information and sufficient staff assistance. The groups recommended revising procedures for the House Permanent Select Committee on Oversight so that other Committees are kept informed, unclassified reports are made public with minimal delay, and the Committee operates more openly. The groups proposed a Congressional option for whistleblowers so that information can be communicated to Members of Congress "without fear of reprisal" and a comprehensive review of the activities of the Intelligence Community since 9/11, modeled after the 9-11 Commission. For more information see: EPIC: Open Government and FOIA Rocks.
- Senator Franken Questions Uber About Use of Passenger Data (Dec. 17, 2014)
Senator Franken has received a response from Uber about the ride-sharing company's privacy practices. Last month, Franken asked Uber to answer ten questions about the company's use of passenger data. Specifically, Franken questioned Uber's use of the "God view" tool, which allows the company to track individual customers in real time. Uber failed to answer several of the Senator's questions and provided "a surprising lack of detail." EPIC recently proposed "Privacy Rules for Uber," as part of the "Rideshare Privacy Act of 2015." EPIC wrote that "there should be clear legal limits on the use of 'God view,'" explaining, "any use of that feature to track or stalk passengers should be prohibited by law. And all of these legal rights should be backed with meaningful fines if the company crosses the line." EPIC concluded, "the collection of detailed information on Uber passengers is a real problem that can no longer be ignored." For more information, see EPIC: Drivers Privacy Protection Act and EPIC: Automobile Event Data Recorders (Black Boxes) and Privacy.
- Leahy FOIA Reform Bill Passes in Senate (Dec. 9, 2014)
The Senate has unanimously passed the Freedom of Information Improvement Act of 2014. (Outline of bill.) The bill, cosponsored by Senator Patrick Leahy (D-VT) and Senator John Cornyn (R-TX), requires Federal agencies to operate under a "presumption of openness." "The FOIA Improvement Act will help open the government to all Americans by placing an emphasis on openness and transparency, rather than allowing agencies simply to hide behind exemptions," Leahy and Cornyn said in a joint statement. The FOIA Improvement Act will also close a loophole that agencies have used to make requesters pay excessive fees, even when the agency takes years to process the request. EPIC has recommended many of these reforms, including changes to the "(b)(5)" exemption for agency memos. The bill goes next to the House for consideration. For more information, see EPIC: FOIA and FOIA.ROCKS.
- Senator Leahy Calls on the President to End Bulk Collection of Phone Records (Dec. 4, 2014)
Today Senator Patrick Leahy (D-VT) urged President Obama to end the dragnet collection of U.S. telephone records under Section 215 of the Patriot Act. The current authorization for the NSA's bulk collection program expires on Friday, December 5, 2014. Senator Leahy's comments follow the recent efforts to pass the USA FREEDOM Act of 2014, which would end the NSA's surveillance program. Senator Leahy said that ending the reauthorization of the program "would not be a substitute for comprehensive surveillance reform legislation - but it would be an important first step." In June EPIC, joined by many organizations, urged the President and Attorney General to end the bulk collection program. And in 2013 EPIC petitioned the Supreme Court, arguing that a special surveillance court exceeded its authority when it ordered Verizon to turn over records on all of its customers to the NSA. For more information, see In re EPIC and EPIC: Foreign Intelligence Surveillance Act Reform.
- EPIC Uncovers DOD Student Data Collection Procedures (Nov. 26, 2014)
The Department of Defense has released to EPIC documents on the "Joint Advertising and Market Research Studies" Recruiting Database. The database includes sensitive student information, including home address and grade point average. DOD obtains this information from high schools offering military aptitude tests, state DMVs, and commercial data brokers. The documents sought by EPIC shed light on how DOD collects, retains, uses, and safeguards student information within the database. The documents provided to EPIC also reveal that many parents demanded that DOD remove their children's records from the system. In 2005, EPIC, joined by more than 100 organizations, urged former Secretary of Defense Donald Rumsfeld to end the database because it collected unnecessary information, did not permit individuals to opt-out, and was housed at a private-sector direct marketing company. The agency now permits individuals to opt-out. For more information, see EPIC: Student Privacy and EPIC: DOD Recruiting Database.
- White House to End Controversial "Secure Communities" Program (Nov. 24, 2014)
President Obama's executive action on immigration will end the "Secure Communities" program. Secure Communities is a controversial deportation program that relies on extensive data collection and biometric identification. Many states, including Illinois, New York, and Massachusetts, withdrew from the Homeland Security program, warning that it undermined public safety and encouraged racial profiling. Secure Communities will be replaced by the Priority Enforcement Program, a targeted program that will focus on removing convicted criminals. EPIC, joined by a coalition of 70 organizations, previously urged the Inspector General of the Department of Justice to review the Secure Communities program. For more information, see EPIC: Secure Communities and Privacy; See also TRAC: Immigration.
- Senate Committee Endorses FOIA Improvements Act (Nov. 20, 2014)
A bill cosponsored by Senator Patrick Leahy (D-VT) and Senator John Cornyn (R-TX) to improve the Freedom of Information Act has passed unanimously out of the Senate Judiciary Committee. The bill will strengthen the Office of Government Information Services, and will require new reporting on the use of exemptions and audits of agency FOIA processes. The FOIA Improvement Act codifies the presumption of openness and requires that agencies must demonstrate a foreseeable harm in order to withhold information. It will also close a loophole that allows agencies to still charge fees to requesters no matter how long the agency delays processing a request. The House of Representatives has already passed similar legislation. For more information see: EPIC: Open Government and FOIA.ROCKS.
- Senate Republicans Block US Surveillance Reform (Nov. 19, 2014)
An effort led by Senator Patrick Leahy (D-VT) to pass the USA FREEDOM Act failed on a narrow procedural vote last night. The FREEDOM Act would have ended the NSA's bulk collection of US telephone records. The bill would also improve oversight and accountability of the Foreign Intelligence Surveillance Act. Last year, EPIC petitioned the Supreme Court to suspend the bulk collection of Americans' telephone records. EPIC's petition was supported by dozens of legal scholars and former members of the Church Committee. EPIC also testified in Congress in support of improved reporting for domestic surveillance activities. For more information, see EPIC: Foreign Intelligence Surveillance Act Reform and In re EPIC.
- Senator Markey Asks Justice Department About Cell Phone Tracking Program (Nov. 17, 2014)
Senator Edward J. Markey (D-MA) has sent detailed questions to Attorney General Holder about recent reports that law enforcement agencies have deployed aircraft equipped with cell tower simulators to capture mobile phone communication. The devices, known as "IMSI catchers" or "Stingray," identify and track cell phone users. Senator Markey wrote "the sweeping nature of this program and likely collection of sensitive records...raise important questions about how the Department protects the privacy of Americans" with no connection to unlawful activities. EPIC successfully sued the FBI to obtain documents about the agency's use of Stingray devices. EPIC has also filed amicus curiae briefs in the U.S. Supreme Court and the Supreme Court of New Jersey arguing that location tracking is a search under the Fourth Amendment and should only be conducted with a judicial warrant. For more information, see EPIC: Locational Privacy and EPIC v. FBI (Stingray).
- Senator Leahy Urges Swift Passage of USA Freedom Act (Nov. 13, 2014)
Senator Patrick Leahy (D-VT), Chairman of the Senate Judiciary Committee, has urged swift passage of the USA FREEDOM Act, which would end the government's dragnet collection of telephone records. The bipartisan bill, which Senator Leahy introduced in July, would also improve oversight and accountability for domestic surveillance activities. It has broad bipartisan support among the Intelligence Community, the technology industry, and privacy advocates. Senator Leahy said "Congress should pass the bipartisan USA FREEDOM Act without delay." Last year EPIC petitioned the US Supreme Court to end the NSA bulk record collection program. Former members of the Church Committee and dozens of legal scholars supported the EPIC petition. For more information, see EPIC: In re EPIC - NSA Telephone Record Surveillance.
- Post-Snowden, Social Media Users Concerned About Access to Personal Data (Nov. 13, 2014)
According to the Pew Research Report "Public Perceptions of Privacy and Security in the Post-Snowden Era," most users of social media are very concerned about businesses and government accessing their personal data. 80% of adults "agree" or "strongly agree" that Americans should be concerned about the government's monitoring of phone calls and internet communications. 64% believe there should be more regulation of advertisers. Almost all users rank their social security number as the most sensitive piece of personal data. EPIC has asked the House Committee on Homeland Security to suspend a DHS program that is monitoring social networks and media organizations. EPIC has recommended that the FTC establish privacy protections for online advertising. EPIC has also urged the US Congress over many years to limit the use of the Social Security Number for commercial purposes. For more information, see EPIC: Public Opinion on Privacy, EPIC: Facebook Privacy, EPIC: Social Media Monitoring, and EPIC: Social Security Numbers.
- NSA Vows to Disclose Zero-Day Vulnerabilities (Nov. 13, 2014)
In a speech delivered at Stanford University, National Security Agency director Michael Rogers announced that the NSA will no longer stockpile "zero-day exploits", software glitches that could facilitate cyber espionage. In the past, the NSA has kept these vulnerabilities secret for use in counterintelligence. Admiral Rogers announced, "the default setting is if we become aware of a vulnerability, we share it." By disclosing vulnerabilities, the NSA allows software developers to fix the glitches and keep the internet more secure. Admiral Rogers recognized that "'a fundamentally strong Internet is in the best interest of the U.S.'" In December 2013, the President's Review Group on Intelligence and Communications Technologies recommended that "US policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks." The Review Group report contains 45 other similar recommendations that EPIC generally supports and the White House has pledged to adopt. Earlier this year, the NSA's policies on zero-day exploits came under scrutiny when a glitch known as the "Heartbleed bug" threatened to undermine SSL encryption across the entire internet. For more information, see EPIC: In re EPIC and EPIC: NSPD-54 Appeal.
- Court Dismisses Video Privacy Case Against Redbox (Nov. 5, 2014)
A federal court of appeals has ruled that a lawsuit against Redbox will not continue. The plaintiffs argued that Redbox's disclosure of personal information to a customer service center violated the Video Privacy Protection Act of 1988. The Seventh Circuit ruled that since customer service is part of Redbox's "ordinary course of business," the disclosure is permissible under the Act. The Court also determined that the statute created standing and that it was unnecessary to show additional harm. Earlier this year, a federal court ruled that a privacy class action lawsuit against Hulu, the video streaming service, could continue. In that case, Hulu shared user data with Facebook for advertising purposes, in violation of the VPPA. EPIC has supported the Video Privacy law since its inception and has defended the statute in Congressional testimony and amicus briefs. For more information, see EPIC: Harris v. Blockbuster; EPIC: Lane v. Facebook; and EPIC: Video Privacy Protection Act.
- Senator Rockefeller Questions Whisper About Privacy Practices (Oct. 24, 2014)
Senator Rockefeller has asked Whisper to answer several questions about the company's practices and policies. Whisper said that it does not track users and that it respects users' decisions to opt out of geolocational tracking. But the Guardian revealed that Whisper tracks "the precise time and approximate location of all messages" and specifically tracks certain users the company deems "newsworthy." Senator Rockefeller, chair of the Senate Committee on Commerce, has asked Whisper to explain its tracking, data retention, and disclosure practices. EPIC has several similar matters pending before the Federal Trade Commission. For more information, see EPIC: WhatsApp, EPIC: Snapchat, and EPIC: FTC.
- 50 Organizations Urge Obama to Update Freedom of Information Act (Oct. 24, 2014)
EPIC has joined a coalition of more than 50 organizations that has asked President Obama to strengthen the Freedom of Information Act. "Only statutory reform and your public commitment to that reform will ensure the commitments you have made last beyond your presidency," the groups wrote. President Obama signed a memorandum in support of Open Government the day after he was inaugurated in 2009, but open government groups say he has not done enough to promote government transparency. The groups are now urging the President to commit to a "presumption of openness" and to endorse the "foreseeable harm" standard mandated by the Attorney General. The groups would also like to see the President support a narrowing of the communication privilege and end the withholding of documents more than 25 years old. Finally, the groups said that agencies that miss statutory deadlines should not charge fees and that the FOIA ombudsman should be strengthened. For more information, see EPIC: Open Government.
- EPIC Recommends Research on "Privacy Enhancing Technologies" (Oct. 23, 2014)
In comments to a federal agency developing a privacy research agency, EPIC expressed support for Fair Information Practices and the Consumer Privacy Bill of Rights. EPIC also recommended research on Privacy Enhancing Technologies ("PETs") that "minimize or eliminate the collection of personally identifiable information." EPIC highlighted current privacy issues including identity theft, security breaches, financial fraud, and the increasing use of predictive analytics in big data analysis. Earlier this year, EPIC submitted comments on "Big Data and the Future of Privacy" and called for the end of opaque algorithmic profiling. The White House's subsequent report on Big Data and the Future of Privacy incorporated several recommendations from EPIC and other privacy organizations. For more information, see EPIC: Big Data and the Future of Privacy.
- New Report Reviews Progress on Signals Intelligence Reform (Oct. 23, 2014)
The Office of the Director of National Intelligence has released the first report on the implementation of Presidential Policy Directive 28. In January, the President proposed a revised policy for foreign signals intelligence. Under the revised directive, PPD-28, intelligence agencies are required to "review and update" their policies and "establish new ones as necessary" to safeguard personal information collected through signals intelligence. Signals intelligence activities must also be "as tailored as feasible," and there must be limitations on the querying, use, dissemination, and retention of personal information. The report states that all intelligence agencies in place by January 17, 2015, one year after the President's speech. EPIC previously challenged the NSA's bulk collection of domestic and international call detail records. EPIC has also filed Freedom of Information Act requests with the NSA and other intelligence agencies seeking disclosure of current procedures regarding surveillance conducted under Executive Order 12333. For more information, see EPIC: EO 12333 and In re EPIC.
- Obama Issues Executive Order to Strengthen Consumer Privacy + (Oct. 17, 2014)
President Obama signed an Executive Order today to Improve the Security of Consumer Financial Transactions. The Order will require enhanced security features for government financial transactions, including chip-and-PIN technology which has greatly reduced financial fraud and identity crimes in Europe. The Executive Order states that "the Government must further strengthen the security of consumer data and encourage the adoption of enhanced safeguards nationwide in a manner that protects privacy and confidentiality..." The White House also announced a series of measures to safeguard consumer financial security, including more secure payment systems, efforts to reduce identity theft and support "algorithmic transparency." EPIC has endorsed many of these proposals. The White House also announced a summit on cybersecurity and consumer protection. For more information, see EPIC: "Cybersecurity and Data Protection in the Financial Sector" (House 2011), EPIC: "Cybersecurity and Data Protection in the Financial Sector" (Senate 2011), and EPIC: Identity Theft.
- Data Protection Commissioners Urge Limits on "Big Data" + (Oct. 17, 2014)
The International Data Protection Commissioners have adopted a resolution on Big Data. The resolution endorses several privacy safeguards, including purpose specification, data minimization, individual data access, anonymization, and meaningful consent when personal data is used for big data analysis. The data protection commissioners also passed a resolution supporting the UN High Commissioner's report on Privacy in the Digital Age and the Mauritius Declaration on the Internet of Things. Earlier this year, EPIC, joined by 24 organizations, petitioned the White House to accept public comments on its review of Big Data and the Future of Privacy. EPIC also submitted extensive comments detailing the privacy risks of big data and calling for the swift enactment of the Consumer Privacy Bill of Rights and the end of opaque algorithmic profiling. For more information, see EPIC: Big Data and EPIC: Internet of Things.
- At OECD Global Forum, EPIC Urges "Algorithmic Transparency" + (Oct. 3, 2014)
Speaking to delegates at the OECD Global Forum for the Knowledge Economy in Tokyo, EPIC President Marc Rotenberg urged OECD member countries to endorse "algorithmic transparency," the principle that data processes that impact individuals be made public. Mr. Rotenberg explained that companies are too secretive about what they collect and how they use personal data. Mr. Rotenberg also spoke about the growing risk of identity theft and cited the recent data breaches at Target, Home Depot, and JP Morgan, and urged OECD countries to update privacy laws. Earlier this year, EPIC submitted extensive comments on the White House's review of "Big Data and the Future of Privacy." EPIC called for the swift enactment of the Consumer Privacy Bill of Rights and the end of opaque algorithmic profiling. For more information, see EPIC - Big Data, The Public Voice, CSISAC.
- EPIC v. CIA: EPIC Seeks Details of CIA Surveillance of Congress + (Oct. 2, 2014)
EPIC has filed a Freedom of Information Act lawsuit against the Central Intelligence Agency for the Inspector General's report on the CIA's spying on a key Congressional oversight committee. The EPIC lawsuit follows from reports that the CIA infiltrated a computer network used by Senate staff to investigate the agency's detention and interrogation program. Senator Dianne Feinstein, Chair of the Senate Intelligence Committee, stated that the CIA's conduct raised far-reaching concerns about Constitutional separation of powers, and violations of computer crime and wiretapping laws. The CIA subsequently confirmed that the CIA's Inspector General had conducted an investigation and concluded the agency had "improperly" accessed Senate computers. EPIC sent a FOIA request to the CIA for the Inspector General's report but received no response. EPIC has sued for public release of the report. For more information, see: EPIC: EPIC v. CIA - CIA Spying on Congress.
- FTC To Explore "Big Data" and Discrimination + (Sep. 10, 2014)
The Federal Trade Commission will host a workshop entitled "Big Data: A Tool for Inclusion or Exclusion?" The FTC will explore the effects of "big data" analytics on low-income and other underserved communities. Several members of the EPIC Advisory Board will be participating. Earlier this year, the FTC published a report on data brokers, warning that, "collecting and storing large amounts of data not only increases the risk of a data breach or other unauthorized access but also increases the potential harm that could be caused." The White House also convened a task force and published a report on "big data" this year. At EPIC's urging, the White House included public participation in the review process. EPIC submitted extensive comments, warning about the enormous risk to Americans of current "big data" practices but also made clear that problems are not new, citing the Privacy Act of 1974. In 2009, EPIC testified in support of new legislation to regulate the data broker industry. For more information, see EPIC: Big Data and the Future of Privacy, and EPIC: FTC.
- Pew Survey: Users Online Self-Censor Discussion of Government Surveillance + (Sep. 9, 2014)
According to the Pew Research Report "Social Media and the 'Spiral of Silence,'" most users of social media are afraid to talk about government surveillance on Facebook, Twitter, and other social platforms. Users were more willing to share their views on government surveillance if they thought others shared the same view. Those who thought they held minority views were more likely to self-censor—an effect known as the "spiral of silence." In 2012, EPIC obtained FOIA documents revealing that the Department of Homeland Security monitored social media for political dissent. A subsequent Congressional hearing led the DHS to cancel the program. For more information, see EPIC v. DHS: Media Monitoring and EPIC: Public Opinion on Privacy.
- Federal Trade Commission Orders Google to Refund Parents $19 Million for Unauthorized Charges + (Sep. 5, 2014)
The Federal Trade Commission has reached a settlement with Google over allegations that the company unfairly charged parents millions of dollars for their children's in-app purchases. The settlement mandates that Google provide full refunds for unauthorized purchases. The FTC agreement will be subject to public comments. Comments are due October 6, 2014. The Commission has previously settled charges with Apple and sued Amazon for charging parents for their kids' unauthorized in-app purchases. Previously EPIC has urged the FTC to require companies subject to privacy consent orders to adhere to the Consumer Privacy Bill of Rights. For more information, see EPIC: Federal Trade Commission and EPIC: Search Engine Privacy.
- Home Depot Data Breach Exposes Millions of Credit Card Records + (Sep. 4, 2014)
A data breach at Home Depot might have exposed millions of consumers' credit card records, according to an announcement from Home Depot's corporate center. "We're looking into some unusual activity that might indicate a possible payment data breach," the announcement read, "If we confirm a breach has occurred, we will make sure our customers are notified immediately." In the last year, 70 million Target customers, 33 million Adobe users, 4.6 million Snapchat users, and potentially all 148 million eBay users had their personal information exposed by database breaches. In May of this year, the President's science advisors surprisingly found little risk in the massive collection of personal data by companies. However, a recent FTC report on data brokers warned that "collecting and storing large amounts of data not only increases the risk of a data breach or other unauthorized access but also increases the potential harm that could be caused." EPIC has urged the White House to enact the Consumer Privacy Bill of Rights and to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. For more information, see EPIC: Big Data and the Future of Privacy, and EPIC: Identity Theft.
- Congress Investigates Airline Privacy Practices + (Aug. 20, 2014)
Senator John Rockefeller (D-WV) is currently seeking information from ten U.S. airlines concerning how airlines safeguard consumer traveler data. Senator Rockefeller has requested information regarding: (1) the type of information airlines collect; (2) airlines' data retention periods; (3) airline privacy and security safeguards governing consumer information; (4) whether consumers may access and amend their information; (5) whether airlines sell or disclose consumer information and if so, to whom do they disclose the consumer data; and (6) how airlines inform consumers about airline privacy policies governing consumer information. EPIC routinely urges the Department of Homeland Security to provide privacy protections for air travelers and end the agency's secret "risk-based" passenger profiling. For more information, see EPIC: Air Travel Privacy, EPIC: Passenger Profiling, EPIC: Secure Flight, and EPIC: EPIC v. DHS (Suspension of Body Scanner Program).
- Senator Schumer Calls On Regulators to Make Fitness Data Private + (Aug. 14, 2014)
Senator Charles Schumer has denounced the data collection practices of "activity trackers" such as FitBit. "Activity trackers" are mobile devices that record highly personal information about the wearer and constantly analyze the wearer's activities, including their diet, exercise, sleep, and even sexual habits. However, it is not clear whether federal privacy law protects this personal data from disclosure to third parties. EPIC has commented extensively on the privacy protections that are necessary in the "internet of things." EPIC has frequently pointed out the potential for misuse when companies collect data about sensitive consumer behavior. EPIC has made several recommendations to improve the privacy protections on devices such as "activity trackers," including requiring companies to adopt Privacy Enhancing Techniques, respect a consumer’s choice not to be tracked, profiled, or monitored, minimize data collection, and ensure transparency in both design and operation of Internet-connected devices. For more information, see EPIC: FTC and EPIC: Practical Privacy Tools.
- Documents Obtained by EPIC Lawsuit Show NSA’s Internet Metadata Program Was Sharply Criticized By FISA Judges While Congressional Oversight Lagged for Years + (Aug. 12, 2014)
In a FOIA lawsuit against the Department of Justice, EPIC has obtained many documents about the NSA's Internet Metadata program. These include the Government's original FISA application seeking authorization to collect data from millions of e-mails, as well as declarations from NSA officials describing the program. The documents show that FISA Court Judge John Bates chastised the agency for "long-standing and pervasive violations of the prior [court] orders in this matter." The FISA Court first authorized the program in 2004, but the documents obtained by EPIC show that the legal justification was not provided to Congress until 2009. The documents also reveal that the DOJ withheld information about the program in testimony for the Senate Intelligence hearing prior to the reauthorization of the legal authority. The program was shut down in 2011 after a detailed review. For more information, see EPIC v. DOJ (FISA Pen Register) and EPIC: Foreign Intelligence Surveillance Court.
- EPIC Demands Report Detailing CIA's Surveillance of Congress + (Aug. 7, 2014)
EPIC has filed a Freedom of Information Act request for the Central Intelligence Agency Inspector General's report detailing the agency's surveillance of the Congressional Intelligence Committee. In March 2014, Senator Dianne Feinstein (D-CA), head of the Senate Intelligence Committee, publicly accused the CIA of secretly removing documents from the Committee, searching computers used by the Committee, and attempting to intimidate congressional investigators by requesting a Federal Bureau of Investigation inquiry of their conduct. The Committee had been investigating the CIA's torture program. After Senator Feinstein publicly accused the agency of spying, the CIA's Inspector General conducted an investigation and concluded that the agency's actions had been improper. However, the Inspector General has failed to make the actual report public. EPIC has demanded a copy of the full report, as well as associated documents. For more information see: EPIC: FOIA Cases and EPIC v. CIA (Domestic Surveillance).
- Senators Markey and Hatch Introduce Student Privacy Legislation + (Jul. 30, 2014)
Today, Senators Edward Markey (D-MA) and Orrin Hatch (R-UT) introduced legislation to require privacy safeguards for education records and prohibit the use of student information for advertising purposes. The "Protecting Student Privacy Act of 2014" would give students the right to access and amend their records that are held by private companies. The bill also requires schools to minimize the amount of personally identifiable information transferred to private companies. The bill requires companies to destroy student information "when the information is no longer needed for the specified purpose." The bill incorporates many of the proposals EPIC set out in the Student Privacy Bill of Rights. Senator Markey announced plans to introduce student privacy legislation earlier this year at EPIC's public panel on student privacy. For more information, see EPIC: Student Privacy.
- Senator Leahy Introduces Bill to End NSA Bulk Record Collection + (Jul. 29, 2014)
Today Senator Patrick Leahy (D-VT), joined by Democratic and Republican Senators, introduced legislation to end the NSA's practice of collecting telephone records of Americans. Leahy described the bill as "the most significant reform of government surveillance authorities since Congress passed the USA PATRIOT Act 13 years ago." The USA Freedom Act would require the government to specify specific "search terms" to obtain telephone record information. The government would have to demonstrate that it has a "reasonable, articulable suspicion" that the search term is associated with a foreign terrorist organization. The bill also requires a comprehensive transparency report for the use of FISA surveillance authorities. However, the bill exempts the FBI from certain reporting requirements. Civil liberties organizations support the bill. EPIC previously filed a Petition for Mandamus with the U.S. Supreme Court, seeking to end the bulk collection of Americans' phone records. EPIC's petition was supported by legal scholars, technical experts, and former members of the Church Committee. For more information, see In re EPIC and EPIC: FISA Reform.
- Obama Drone Order Fails to Safeguard Privacy + (Jul. 25, 2014)
According to reports, President Obama is set to issue an executive order on drone privacy. The order would call for the development of voluntary best practices for the commercial use of drones. Senator Markey and Representative Welch immediately responded to the reports with a letter to the President urging "strong, enforceable rules - not voluntary best practices...." EPIC has testified in Congress in support of a comprehensive drone privacy law. EPIC called for drone legislation to include use limitations, data retention limitations, transparency, and public accountability. The Federal Aviation Administration agreed to address drone privacy issues after an EPIC-led coalition petitioned the agency two years ago. Last year, EPIC urged the agency to mandate minimum privacy standards for drone operators. For more information, see EPIC: Domestic Drones.
- EPIC Tells Congress FTC Does Not Enforce Consent Orders + (Jul. 25, 2014)
EPIC has sent a letter to the House Committee on Oversight and Government Regulation stating that the Federal Trade Commission rarely enforces "Section 5" consent orders. EPIC also said that the Commission has never modified a consent order in response to public comments or required companies to implement the Consumer Privacy Bill of Rights. The Committee believed the Commission has gone too far to protect the privacy of American consumers. EPIC wrote "the opposite is true." Senator Rockefeller also wrote a letter, urging the Committee not to interfere in the FTC's "well-established legal authority." For more information, see EPIC: Wyndham Hotels and EPIC: FTC.
- Senators Leahy and Cornyn Introduce FOIA Reform Bill + (Jun. 25, 2014)
A bipartisan Freedom of Information Act reform bill was introduced today by Senators Patrick Leahy (D-VT) and John Cornyn (R-TX). The FOIA Improvement Act of 2014 addresses chronic problems with overuse of exemptions by federal agencies, excessive fee assessments, and the culture of secrecy. The bill will codify a "presumption of openness" in the processing of FOIA requests. The bill will require agencies to weigh the public interest in disclosure against the agency’s interest in secrecy before withholding documents such as Office of Legal Counsel memos. The FOIA Improvement Act will also close a loophole that agencies have used to make requesters pay excessive fees, even when the agency takes years to process the request. EPIC has recommended many of these reforms. EPIC specifically recommended proposed changes to the "(b)(5)" exemption. For more information see: EPIC: FOIA Cases.
- Obama Renews Unlawful NSA Bulk Record Collection Program + (Jun. 20, 2014)
Today the Attorney General and the Director of National Intelligence announced that the President will seek a renewal of the court order authorizing the NSA's bulk collection of American telephone records through September 12, 2014. The President has chosen to renew this order despite his promise in March 2014 to end the bulk collection program and the widespread opposition from members of Congress, and the recommendations of expert panels. The Attorney General's statement suggests that "legislation would be required" to end the program, but it was the President's decision to seek renewal of the Foreign Intelligence Surveillance Court order. EPIC, along with 25 other privacy organizations, wrote a letter to the President last week urging him not to renew the order. Last summer, EPIC petitioned the Supreme Court to end the NSA's telephone record collection program. EPIC argued that the Foreign Intelligence Surveillance Court exceeded its authority when it ordered the production of all domestic telephone records. For more information, see In re EPIC.
- Senate Cybersecurity Information Sharing Bill Proposed + (Jun. 20, 2014)
Senators Dianne Feinstein and Saxby Chambliss have proposed the Cybersecurity Information Sharing Act of 2014. The Senate bill is similar to the House Cyber Intelligence Sharing and Protection Act (CISPA), which was opposed by civil liberties organizations and would have been vetoed by the White House if enacted. Like CISPA, the Senate bill allows companies to monitor private communications on their networks and to disclose user activity to the government. The bill would also exempt companies from liability for monitoring communications or disclosing user information. However, the Senate bill makes some attempt to limit the collection of personally identifiable information. EPIC recently won a five-year court battle with the NSA and obtained National Security Presidential Directive 54. The directive was issued by President Bush in 2008 and is the foundational legal document for U.S. cybersecurity policies. The Presidential Directive reveals the government’s long-standing interest in enlisting private sector companies to monitor user activity. For more information, see EPIC: Cybersecurity.
- Coalition to President: End NSA's Bulk Collection Program Now + (Jun. 17, 2014)
EPIC and a coalition of 25 organizations urged the President and the Attorney General to end the NSA's bulk record collection program when the current authority expires on June 20. In January, the President committed to "end the Section 215 bulk metadata program as it currently exists." The coalition letter states, "[t]he NSA's Bulk Metadata program is simply not effective." Both the Privacy and Civil Liberties Oversight Board report and the President's Review Group report found the NSA's bulk collection to be ineffective. EPIC petitioned the Supreme Court to end the NSA's bulk collection of telephone records after the program was revealed last summer. EPIC's petition argued that the Foreign Intelligence Surveillance Court exceeded its authority when it ordered the production of all domestic telephone records. For more information, see In re EPIC.
- Senate to Hold Homeland Security Oversight Hearing + (Jun. 10, 2014)
The Senate Judiciary Committee will hold an oversight hearing for the Department of Homeland Security. Secretary Jeh Johnson will testify. EPIC has objected to many of the agency's mass surveillance practices, including the secret profiling of American air travelers, the use of drones for aerial surveillance, the amassing of information on Americans into "fusion centers", and the collection of biometric identifiers. EPIC has also warned that the DHS Chief Privacy Officer has failed to safeguard privacy, a legal obligation for that office. According to the DHS, the number of privacy complaints increased in 2013. EPIC has several Freedom of Information Act cases pending against the DHS. In an earlier case, EPIC determined the DHS was monitoring social media and news organizations for criticisms of the agency. Another EPIC case led to the removal of the x-ray backscatter devices from US airports. For more information, see EPIC v. DHS - Social Media Monitoring and EPIC v. DHS (Suspension of Body Scanner Program).
- Senate Holds Hearing on Consumer Location Privacy Protection + (Jun. 6, 2014)
The Senate recently held a hearing on the Location Privacy Protection Act of 2014 authored by Senator Franken. In an opening statement, Senator Franken said his "bill makes sure that if a company wants to get your location...they need to get your permission first." FTC Director, Jessica Rich, testified that location data is "sensitive information" that "raises privacy concerns." The FTC recently signed a 20-year consent order with Snapchat after finding the app was collecting location information in contradiction to its stated privacy policy. The FTC investigated Snapchat after EPIC filed a complaint with the agency detailing the company's deceptive practices. EPIC also filed an amicus brief in a location privacy case in which the New Jersey Supreme Court announced a landmark decision, holding that individuals have an expectation of privacy in their cell phone data. For more information, see EPIC: Location Privacy.
- Report - Half of American Adults Data Hacked So far This Year + (May. 29, 2014)
A new report finds that 432 million online accounts in the US have been hacked this year, concerning about 110 million Americans. In the last year, 70 million Target customers, 33 million Adobe users, 4.6 million Snapchat users, and potentially all 148 million eBay users had their personal information exposed by database breaches. Earlier this month, the President's science advisors found little risk in the continued collection of personal data. However, the FTC's recent report on data brokers warned that, "collecting and storing large amounts of data not only increases the risk of a data breach or other unauthorized access but also increases the potential harm that could be caused." Earlier, EPIC urged the White House to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. For more information, see EPIC: Big Data and the Future of Privacy, EPIC: Identity Theft and EPIC: Choicepoint.
- FTC Report on Data Brokers Fails to Address Consumer Privacy Concerns + (May. 27, 2014)
The Federal Trade Commission has published "Data Brokers: A Call for Transparency and Accountability." The report follows from an FTC investigation of the data broker industry. The report describes the unbounded collection of personal information about American consumers that is then widely sold in the private sector. The Commission recommended modest legislative changes and failed to address many of consumers' privacy concerns, including profiling and "scoring" of consumers. Commissioner Julie Brill issued a statement, calling for more substantial consumer safeguards. Senators Rockefeller and Markey have also introduced The Data Broker Accountability and Transparency Act of 2014 (DATA Act), which would regulate data brokers and other companies that profit from the sale of consumer information. In 2005, EPIC testified before the House Commerce Committee on "Identity Theft and Data Broker Services" and urged Congress to establish comprehensive regulation of the data broker industry following the disclosure that Choicepoint was selling personal information to criminals engaged in identity theft. For more information, see EPIC: Choicepoint, EPIC: Privacy and Consumer Profiling, and EPIC: FTC.
- EPIC Defends Commercial Driver Privacy + (May. 27, 2014)
EPIC has submitted comments on a proposed Commercial Driver's License Drug and Alcohol Clearinghouse. Under a new law, employers of commercial drivers will be required to report drug and alcohol test results to the Clearinghouse. Employers will also be required to check the database for test results on drivers. EPIC's comments urged the Transportation Department to: (1) require anyone reporting test results to immediately correct errors and notify employers and potential employers of the inaccurate data; (2) revoke Clearinghouse registration and access for those who fail to comply with Clearinghouse rules; (3) clarify that in addition to the administration petition process, individuals may still amend their records pursuant to the Privacy Act; and (4) implement privacy enhancing techniques like data deletion and anonymization. For more information, see EPIC: Workplace Privacy.
- House Adopts Weakened NSA Reform Bill, Senators Now Look to Improve Privacy and Transparency Protections + (May. 23, 2014)
The U.S. House of Representatives has voted to adopt a modified USA "FREEDOM" Act. The bill no longer prohibits bulk collection of communications records. Other key provisions were also removed. Senator Leahy said that the bill is "an important step towards reforming" surveillance authorities, but expressed disappointment that the current version "does not include some of the meaningful reforms contained in the original" bill. In 2013 EPIC filed a Petition to the Supreme Court seeking to end bulk collection of telephone call records. EPIC also testified before the House in 2012 that the FISA should not be renewed without adoption of new reporting requirements. For more information, see EPIC: FISA and EPIC: FISA Reform.
- Senate Judiciary Committee Hearing on FBI to Consider Drones, Facial Recognition + (May. 20, 2014)
The Senate Judiciary Committee's oversight hearing of the FBI will take place on Wednesday, May 21. This is the first FBI oversight hearing since James Comey took over as Director. At the last oversight hearing, Director Mueller admitted that the FBI uses drones for domestic surveillance. The FBI promised to establish privacy guidelines but has failed to do so. The FBI has also failed to address the privacy implications of license plate readers and facial recognition technology. The FBI's Next Generation Identification program, a massive biometric system, is set to go fully operational this year; yet the agency has not established civil liberties safeguards. The database will employ facial recognition, iris recognition, and voice recognition. Documents obtained by EPIC under the FOIA indicate the agency is prepared to accept a 20% error rate for recognition techniques. For more information, see EPIC v. FBI - Next Generation Identification.
- EPIC Testifies on Student Privacy before California State Assembly + (May. 16, 2014)
EPIC's Student Privacy Project Director Khaliah Barnes testified before the California State Assembly Education Committee and Select Committee on Privacy, on "Ensuring Student Privacy in the Digital Age." EPIC's testimony: (1) explained how the U.S. Education Department’s regulations encourage mass collection of student data; (2) described the privacy risks that students today face; (3) underscored the need for data security safeguards for states, schools, and private companies accessing student information; and (4) recommended that California adopt EPIC's Student Privacy Bill of Rights. Earlier this week, Senators Markey and Hatch proposed bipartisan student privacy legislation. For more information, see EPIC: Student Privacy.
- Senators Markey and Hatch Propose Student Privacy Legislation + (May. 15, 2014)
Senator Edward Markey (D-Mass) and Senator Orrin Hatch (R-Utah) have proposed a "Protecting Student Privacy Act." The draft bill would "(1) requires that data security safeguards be put in place to protect sensitive student data that is held by private companies; (2) prohibits the use of students' personally identifiable information to advertise or market a product or service; (3) provides parents with the right to access the personal information about their children - and amend that information if it's incorrect — that is held by private companies just as they would if the data were held by the school itself; (4) makes transparent the name of companies that have access to student information by directing school districts to maintain a record of all outside companies with which the school contracts; (5) minimizes the amount of personally identifiable information that is transferred from schools to private companies; [and] (6) ensures private companies cannot maintain dossiers on students in perpetuity by requiring the companies to later delete personally identifiable information." The legislation highlights many of the protections EPIC endorsed in its Student Privacy Bill of Rights. Senator Markey announced plans to introduce student privacy legislation earlier this year at EPIC's public panel on student privacy. For more information, see EPIC: Student Privacy.
- House Judiciary Committee to Consider Bill to End Bulk Surveillance, Improve NSA Oversight + (May. 5, 2014)
The House Judiciary Committee has scheduled a markup of the USA Freedom Act. The proposed "Manager's Amendment", sponsored by James Sensenbrenner (R-WI), would prevent bulk collection of phone records and other business records, and would limit the scope of phone record searches. The bill would also (1) limit the collection of US persons' communications by the NSA's PRISM program, (2) require public reports on the use of FISA surveillance, (3) require declassification of significant FISA Court opinions, and (4) create a public advocate at the FISA Court. In 2012, EPIC testified before the House Judiciary Committee on the need for public reports and the declassification of significant FISC opinions. In 2013, EPIC filed a petition with the Supreme Court, alleging that the bulk collection of telephone records was unlawful. For more information, see EPIC: FISA Reform and In re EPIC.
- White House Publishes Report on "Big Data and Future of Privacy" + (May. 1, 2014)
The White House has released a report on big data and the future of privacy. The report "Big Data: Seizing Opportunities, Preserving Values" makes several recommendations to the President: "(1) advance the Consumer Privacy Bill of Rights; (2) pass national data breach legislation; (3) extend privacy protections to non-U.S. persons; (4) ensure data collected on students in schools is used for educational purposes; (5) expand technical expertise to stop discrimination; and (6) amend the Electronic Communications Privacy Act." The report identifies discrimination as a key concern, stating "A significant finding of this report is that big data analytics have the potential to eclipse longstanding civil rights protections in how personal information is used in housing, credit, employment, health, education, and the marketplace." The report also recommends the adoption of Privacy Enhancing Technologies. EPIC urged public participation in the review process. The White House report incorporates several recommendations from EPIC and other privacy organizations. For more information, see EPIC: Big Data and the Future of Privacy, EPIC: "Privacy in the Commercial World."
- Court Denies Hulu's Motion to Dismiss Privacy Case + (May. 1, 2014)
A federal court has ruled that a privacy class action lawsuit against Hulu, the video streaming service, may continue. Hulu users allege that the company violated the Video Privacy Protection Act by transferring personally identifiable information to both Facebook and the advertising company comScore. The Judge ruled that Hulu's transfer to Facebook of unique IDs, including the user's IP address and Facebook ID, as well as specific video titles would violate the video privacy law. However, the judge determined that Hulu only transmitted anonymized user IDs to comScore and that therefore there could be no legal violation. In 2009, EPIC filed an amicus brief in a similar case in which a company disclosed consumers' identities and video rental histories to Facebook. For more information, see Harris v. Blockbuster and EPIC: Video Privacy Protection Act.
- Pew Survey Finds Opposition to Drones, Robots, and Google Glass + (Apr. 21, 2014)
A national survey conducted by Pew Research Center and Smithsonian Magazine finds the American public optimistic about revolutions in health science and transportation, and concerned about technologies of surveillance. According to the survey, 63% of Americans think it would be a change for the worse if "personal and commercial drones are given permission to fly through most U.S. airspace," while 22% think it would be a change for the better. And 65% expressed concern about increased dependence on robots. Similarly, 53% of Americans think it would be a change for the worse if most people wear implants or other devices that constantly show them information about the world around them. Women are especially wary of a future in which these devices are widespread. Google Glass, an example of such technology, has come under scrutiny from Data Protection authorities as well as Congress. EPIC, joined by 100 other organizations and experts, petitioned the Federal Aviation Administration to address public concerns about privacy and drones. For more information, see EPIC: Google Glass and Privacy and EPIC: Domestic Drones.
- Coalition Urges White House to Recognize EU Opinion; End NSA Telephone Records Program + (Apr. 16, 2014)
In a letter to the White House, a coalition of US organizations urged the Administration to recognize the recent opinion by the Court of Justice, the highest court in Europe, that ended a European data retention mandate. The European law required telephone and internet companies to retain metadata on customers for national security purposes. The European Court of Justice ruled that this practice violates the fundamental right to privacy and is illegal. The US groups argue that the opinion "bears directly on the White House's review of the NSA Telephone Records Collection Program and also the White House study of Big Data and the Future of Privacy." The groups urged the White House to 1) recognize the Court's decision in its upcoming report on big data and privacy; and 2) end the NSA telephone record collection program. The letter states that the decision by the European Court "is the most significant legal opinion from any court in the world on the risks of big data and the ongoing importance of privacy protection." Last year EPIC, joined by dozens of legal scholars and former members of the Church Committee, urged the US Supreme Court to find the NSA's telephone record collection program unlawful. More recently, EPIC submitted extensive comments warning the White House of the enormous risks of current big data practices. For more information, see EPIC: Data Retention and EPIC: Big Data and the Future of Privacy.
- Car Data Privacy Bill Moves Forward in Senate + (Apr. 10, 2014)
The Senate Commerce Committee voted unanimously to approve the Driver Privacy Act, a bipartisan bill that would provide privacy safeguards for event data recorders or "black boxes." Introduced by Senators John Hoeven (R-ND) and Amy Klobuchar (D-MN), the bill prohibits unauthorized access to data that records the activities of drivers. Under the Act, data could only be obtained with: (1) written consent of all of the car owners or lessees; (2) a court or administrative order; (3) a federal transportation safety investigation if personally identifiable information is redacted; (4) emergency car crash medical response; or (5) traffic safety research if personally identifiable information is redacted. Last year EPIC, consumer privacy organizations, and members of the public, urged the National Highway Traffic Safety Administration to protect driver privacy by establishing many of the proposed safeguards in the Driver Privacy Act. For more information, see EPIC: Event Data Recorders and Privacy.
- Federal Agencies Fail to Safeguard "Big Data," Breaches Doubled in Just a Few Years + (Apr. 10, 2014)
The Government Accountability Office has issued a report, warning that federal agencies "have not been consistent or fully effective in responding to data breaches." The GAO found that "the number of reported information security incidents involving personally identifiable information has more than doubled over the last several years." The report further states, "the increasing number of cyber incidents at federal agencies, many involving the compromise of personally identifiable information, highlights the need for focused agency action to ensure the security of the large amount of sensitive personal information collected by the federal government." EPIC recently warned the White House about the enormous risks to Americans of current "big data" practices. EPIC and more than 20 organizations have urged the Administration to establish strong privacy safeguards and improve accountability across the government and private sector. For more information, see EPIC: Big Data and the Future of Privacy.
- EPIC Warns White House About Privacy Risks of "Big Data" + (Apr. 7, 2014)
In response to a request from the White House, EPIC has submitted extensive comments on "Big Data and the Future of Privacy." EPIC warned the White House about the enormous risk to Americans of current "big data" practices but also made clear that the problems are not new, citing the Privacy Act of 1974, which responded to the challenges of "data banks." EPIC noted the dramatic increases in identity theft and security breaches. EPIC called for the swift enactment of the Consumer Privacy Bill of Rights and the end of opaque algorithmic profiling. EPIC wrote "It is vitally important to update current privacy laws to minimize collection, secure the information that is collected, and prevent abuses of predictive analytics." EPIC and more than 20 organizations previously urged the White House to establish privacy protections for user data that is being gathered by large companies and government agencies. A report from the White House is expected on April 17. For more information, see EPIC: Big Data and the Future of Privacy.
- After Public Outcry, Microsoft Reverses Course on Email Search + (Apr. 5, 2014)
After criticism by bloggers, consumers, and privacy advocates - including EPIC - Microsoft will change a troubling provision in its privacy policy. In March, Microsoft searched a blogger's private Hotmail account to determine whether the subscriber to the Microsoft service received leaked versions of Windows 8. At the time, Microsoft claimed that the search was permissible under the Microsoft Online terms of service. This week, Microsoft announced it would no longer search customers' accounts itself if it suspected wrongdoing and would instead refer such matters to law enforcement. According to Microsoft, Hotmail has 170 million active users. For more information, see EPIC: Consumer Privacy Bill of Rights.
- NGO Coalition Tells President "Establish Privacy Protections for Big Data" + (Apr. 2, 2014)
EPIC along with more than 20 other organizations sent comments to the White House on "Big Data and the Future of Privacy." The organizations urged the President to establish new safeguards for organizations collecting "big data" including transparency, accountability, robust privacy techniques, and meaningful evaluation. The groups also urged the President to enact the Consumer Privacy Bill of Rights. The incidents of security breaches and identity theft continue to increase in the United States. Meanwhile a new report reveals that consumers are secretly scored by businesses. And the President recently decided to renew the NSA's ineffective telephone record collection program. The White House agreed to accept public comments after EPIC and two dozen organizations petitioned the Office of Science and Technology Policy. The White House has sponsored several conferences on Big Data and the Future of Privacy, though some of the meetings have been closed to the public. A report from the White House is expected on April 17. For more information, see EPIC: Big Data and the Future of Privacy.
- President Obama Renews Unlawful, Ineffective Surveillance Authority + (Mar. 29, 2014)
According to the Attorney General and the Director of National Intelligence, President Obama has renewed the NSA's authority to collect all of the telephone records of all American telephone customers. The "Section 215" program exceeded Congressional authority and was found to be ineffective by two expert panels. In a speech on January 17, 2014, President Obama ordered a transition that will end the Section 215 bulk telephony metadata program as it currently exists. However, according to DNI Clapper, the United States filed an application with the FISC to reauthorize the existing program as previously modified for 90 days, and the FISC issued an order approving the government's application. The order issued expires on June 20, 2014. EPIC and others have strongly objected to the renewal of the 215 program. For more information, see In re EPIC.
- Senator Leahy Urges President to End NSA Record Collection Program on Friday + (Mar. 27, 2014)
In remarks published this week, Senator Patrick Leahy, Chairman of the Senate Judiciary Committee and co-sponsor of the USA FREEDOM Act, said "I welcome the President's statement that he plans to end the bulk collection of American’s phone records. That is a key element of what I and others have outlined in the USA FREEDOM Act, and that is what the American people have been demanding." Senator Leahy added, "the President could end bulk collection once and for all on Friday by not seeking reauthorization of this program. Rather than postponing action any longer, I hope he chooses this path." EPIC and others have urged the President not to renew the NSA telephone record collection authority when it expires this week. For more information, see In re EPIC.
- Deadline Approaches for End of NSA's Telephone Record Collection Program + (Mar. 24, 2014)
March 28 marks the deadline set by President Obama to end the NSA's bulk collection of Americans' telephone records. Last week, Attorney General Eric Holder confirmed that the Justice Department is ready to meet the deadline that the President has set. After extensive meetings with leaders of the Intelligence Community, both the President's Review Group and the Privacy and Civil Liberties Oversight Board found the program was ineffective and likely exceeded current legal authority. Senator Leahy, who held extensive public hearings, has stated "This program is not effective. It has to end." EPIC, supported by dozens of legal scholars and former members of the Church Committee, petitioned the US Supreme Court in July 2013 to end the "215" program. For more information, see In re EPIC and EPIC: NSA Verizon Phone Record Monitoring.
- White House Updates Privacy Policy, Maintains Anonymous Access But Also Data Retention + (Mar. 24, 2014)
A revised privacy policy for the White House will go into effect on April 18, 2014. Users will continue to be able to access information posted on the White House web site anonymously, though personal information will be required for some services. The data retention practice has not changed nor has the policy for the disclosure of personal data to other entities. According to the White House privacy policy, "Information you choose to share with the White House (directly and via third party sites) may be treated as public information." The White House had previously proposed a "Plan to Protect Privacy in the Internet Age by Adopting a Consumer Privacy Bill of Rights", though the policy does not reflect this approach. In the first report ever published on online privacy, "Surfer Beware: Personal Privacy and the Internet," EPIC said web sites should "support anonymity while developing policies and practices to protect information privacy." EPIC had also urged the White House to establish Privacy Act safeguards for the use of social media services. For more information, see EPIC: Privacy and Government Contracts with Social Media Companies.
- Drones, Privacy & You + (Mar. 18, 2014)
Jeramie D. Scott
EPIC National Security Counsel
Russell Senate Office Building
Washington, DC 20002
March 18, 2014
- White House to Accept Public Comments on Big Data and Privacy Review + (Mar. 5, 2014)
The White House is requesting public comments on the Obama Administration's "Big Data and the Future of Privacy" review. EPIC, joined by 24 consumer privacy, public interest, scientific, and educational organizations petitioned the Office of Science and Technology Policy last month to accept public comments. The petition stated, "The public should be given the opportunity to contribute to the OSTP's review of 'Big Data and the Future of Privacy' since it is their information that is being collected and their privacy and their future that is at stake." The letter sets out several important questions, including whether current laws are adequate and whether it is possible to maximize the benefits of big data while minimizing the risks to privacy. Comments are due by March 31, 2014. For more information, see EPIC: Big Data and the Future of Privacy.
- House Passes FOIA Reform Bill + (Feb. 28, 2014)
The House of Representatives has passed the FOIA Oversight and Implementation Act of 2014. The bill would strengthen the Office of Government Information Services, require agencies to update their FOIA regulations, and mandate the use of a single, free website for submitting FOIA requests and appeals and receiving information about the status of the FOIA request. The bill would also require that agencies seeking to withhold information under one of the FOIA's exemptions demonstrate that there would be a "specific identifiable harm," tied to the purpose of the exemption, if disclosure occurred. The bill does not address several key transparency community proposals, including recommendations to limit the use of exemptions and to make it easier to track legislative proposals for new FOIA exemptions. The Senate is currently considering a similar bill. For more information see: EPIC: Open Government.
- White House and MIT to Host Conference on Big Data and Privacy + (Feb. 24, 2014)
On March 3, 2014, the White House and MIT will cohost "Big Data Privacy: Advancing the State of the Art in Technology and Practice." The conference is part of the White House's Big Data and the Future of Privacy initiative and will feature keynotes from Counselor to the President John Podesta and Secretary of Commerce Penny Pritzker. Scholars, privacy advocates, government representatives and private sector leaders will explore the opportunities and challenges of big data and examine the use of Privacy Enhancing Techniques. President Obama has called for a "comprehensive review of big data and the future of privacy." In response, EPIC and a coalition of consumer and scientific organizations outlined key questions for the White House to explore, and also asked the Office of Science and Technology Policy to encourage public participation. For more information see EPIC: Big Data and the Future of Privacy, EPIC: Privacy and Consumer Profiling, and EPIC: Privacy Tools.
- EPIC, Coalition Urge President Obama to Advance Privacy Bill of Rights + (Feb. 24, 2014)
EPIC along with a coalition of over 40 public interest organizations has urged the President to implement the Consumer Privacy Bill of Rights, a comprehensive framework for privacy protection. The letter comes on the two-year anniversary of the Administration's introduction of the Privacy Bill of Rights, which includes baseline privacy principles, such as individual control and transparency, respect for context and focused collection, and better access, accuracy, and accountability. The President called the Privacy Bill of Rights a "blueprint for privacy in the information age" and said his Administration "will work to advance these principles and work with Congress to put them into the law." The letter from the organizations states, "We urge you to work with those in Congress who favor the privacy rights of Americans, who support updates to privacy law, and who understand why this issue is so critical to so many Americans. And let those who stand in the way explain to their constituents why they believe that it is not necessary for Congress to do anything further to protect the fundamental rights of Americans." For more information, see EPIC: White House: Consumer Privacy Bill of Rights.
- Senators Rockefeller and Markey Propose Data Broker Legislation + (Feb. 13, 2014)
Senators Rockefeller and Markey have introduced the Data Broker Accountability and Transparency Act of 2014 (DATA Act). The proposed Act imposes transparency and accountability requirements on data brokers and other companies that profit from the collection and sale of consumer information. Under the DATA Act, consumers would be able to access their personal information, make corrections, and opt out of marketing schemes. The DATA Act would empower the FTC to impose civil penalties on violators, and would prohibit data brokers from collecting consumer data in deceptive ways. In 2009, EPIC testified in support of new legislation to regulate the data broker industry. In 2005, EPIC's complaint to the FTC against data broker Choicepoint led to a $10 million settlement. For more information, see EPIC: Federal Trade Commission, EPIC: Choicepoint and EPIC: Privacy and Consumer Profiling.
- Senate Hears from Privacy Oversight Board, NSA "Metadata" Program is Ineffective + (Feb. 12, 2014)
At a Senate Judiciary Committee hearing today, members of the Privacy and Civil Liberties Oversight Board discussed their review of the Section 215 program, concerning the collection of telephone records on US telephone customers. The Privacy and Civil Liberties Oversight Board's 238-page report found that the program was not effective and had not prevented any terrorist incidents. Recent reports also indicate that only 30% of phone records are actually collected, calling into question the value of the "metadata" program. Senate Judiciary Chairman Patrick Leahy stated that "the administration has not demonstrated" that the program "is uniquely valuable to justify the massive intrusion upon American's privacy." The President recently announced that the current bulk collection program would end and announced a transition process, requiring judicial approval of queries, prior to the expiration of the current authority on March 28. For more information, see EPIC: NSA Verizon Phone Record Monitoring.
- EPIC, Coalition Urge White House to Listen to Public on "Big Data and Privacy" + (Feb. 10, 2014)
EPIC, joined by 24 consumer privacy, public interest, scientific, and educational organizations petitioned the White House's Office of Science and Technology Policy to accept public comments on the Big Data and The Future of Privacy study now underway. The Office's primary function is to advise the President on scientific and technological issues. The President announced the Big Data review during a recent speech on NSA reform. The petition calls on the Office of Science and Technology Policy to incorporate the concerns and opinions of the public and lays out a number of important questions to consider, including whether current laws are adequate and also whether it is possible to maximize the benefits of big data while minimizing the risks to privacy. For more information, see EPIC: Privacy and Consumer Profiling.
- New Limits on NSA Telephone Record Program Established, Authority Expires March 28 + (Feb. 7, 2014)
The Foreign Intelligence Surveillance Court has granted the government’s motion to limit access by the NSA to the bulk telephone records provided by US telephone companies. Under the new rules, the government cannot "query" the telephone metadata until after the court finds that there is a "reasonable, articulable suspicion that the selection term is associated with" a terrorist organization. The new rules also limit query results to telephone numbers within "two hops" of the selector. President Obama announced the new legal requirement during his recent speech on surveillance reform, when he committed to end the NSA’s bulk record collection program. The NSA's authority to force US telephone companies to turn over records on all their customers will expire on March 28th. The President has recommended that the Intelligence Community and the Attorney General propose an alternative to the bulk collection program prior to that deadline. For more information, see EPIC: FISC and EPIC: NSA Verizon Phone Record Monitoring.
- EPIC Recommends Safeguards For Facial Recognition Technology + (Feb. 5, 2014)
In a letter to the Department of Commerce, EPIC called on the agency to develop a facial recognition framework based on the Fair Information Practices ("FIPs"). The National Telecommunications and Information Administration is meeting to address the commercial use of facial recognition, which has seen a backlash. Google banned facial recognition apps and services and Europe required Facebook to discontinue the use of facial recognition for photo tagging. Today Senator Al Franken raised concerns about NameTag. Senator Franken, in a letter to the app developer, called for the delay of the app's release until best practices are established. In comments to the Federal Trade Commission, EPIC previously recommended the suspension of facial recognition technology until adequate safeguards are established. For more information, see EPIC: Face Recognition.
- FTC Chair Ramirez Urges Senate to Act on Data Security Legislation + (Feb. 5, 2014)
The Senate Judiciary Committee hearing on "Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime" followed a series of major data breaches at Target, Neiman Marcus, and Michaels, which compromised the personal data of tens of millions of consumers. Senator Leahy, who has introduced important data privacy legislation, said "In the digital age, Americans face threats to their privacy and security unlike any time before in our Nation's history." FTC Chair Edith Ramirez expressed strong support for federal data security legislation (2h18m). In 2012 President Obama set out a framework for consumer privacy protection, the Consumer Privacy Bill of Rights, which is supported by consumer privacy organizations. For more information, see EPIC: Privacy Legislation, EPIC: Identity Theft, and EPIC: Federal Trade Commission.
- "I will reform our surveillance programs," President Obama Tells Nation + (Jan. 29, 2014)
Stating that "America must move off a permanent war footing," President Obama announced (video) at the State of the Union that "working with this Congress, I will reform our surveillance programs." (50:30) The President continued, (text) "because the vital work of intelligence community depends on public confidence, here and abroad, that the privacy of ordinary people is not being violated." Citing the need to close the prison in Guantanamo, the President also said "we counter terrorism not just through intelligence and military action but by remaining true to our constitutional ideals and setting an example for the rest of the world." EPIC and other consumer privacy organizations have urged the President to move forward the Consumer Privacy Bill of Rights and to support the International Privacy Convention.
- White House Announces Review of "Big Data and the Future of Privacy" + (Jan. 23, 2014)
Following the President's speech on reform of the intelligence collection programs, White House counselor John Podesta has announced "a comprehensive review of the way that 'big data' will affect the way we live and work; the relationship between government and citizens; and how public and private sectors can spur innovation and maximize the opportunities and free flow of this information while minimizing the risks to privacy." This is the first major privacy initiative announced by the White House since the release of the Consumer Privacy Bill of Rights in 2012. The undertaking will involve key officials across the federal government, including the President’s Science Advisor and the President's Council of Advisors on Science and Technology. EPIC has participated in several workshops and studies concerning the intersection of privacy and "big data."
- EPIC, Amnesty International Urge President Obama to Support Privacy in Annual State of the Union + (Jan. 23, 2014)
EPIC President Marc Rotenberg, Amnesty International Secretary General Salil Shetty, and members of the EPIC Advisory Board have asked President Obama to support privacy and the international privacy convention in the annual State of the Union speech next week. The State of the Union falls this year on January 28, which is also International Privacy Day. EPIC and Amnesty are urging the President to express support for privacy as a fundamental human right and to begin the process of ratification of the international Privacy Convention, supported by more than forty countries around the world. In 2013, many members of the US Congress, including Senator Patrick Leahy, expressed support for International Privacy Day. Members of the EPIC Advisory Board also wrote to then Secretary of State Hillary Clinton about the Privacy Convention, urging US support. For more information, see EPIC - Council of Europe Privacy Convention, EPIC - Letter to Secretary Clinton (2010).
- EPIC Files Appeal, Challenging Secrecy of Presidential Directives + (Jan. 22, 2014)
EPIC has filed a Statement of the Issue Presented with the D.C. Circuit Court of Appeals. EPIC is appealing a lower court decision that NSPD 54 -- a Presidential Directive setting out the scope of the NSA's authority over computer networks in the United States -- is not subject to disclosure under the Freedom of Information Act. EPIC sought the Presidential Directive, signed by President Bush in January 2008, from the National Security Agency after the White House disclosed the existence of the Directive but not the substance. After the agency failed to respond to EPIC's FOIA request, EPIC filed an administrative appeal, and then a lawsuit. The lower court ruled in EPIC v. NSA that the Presidential Directive is not subject to the FOIA because it was not under "the control" of the NSA. It was the first time a federal court has ruled that a Presidential Directive is not subject to the Freedom of Information Act. EPIC is now asking the Court of Appeals to determine, "Whether the district court erred in holding that a Presidential Directive in the possession of a federal agency is not an agency record subject to the FOIA." For more information, see EPIC v. NSA: Cybersecurity Authority.
- Obama Announces End of NSA Telephone Record Collection Program + (Jan. 18, 2014)
In a widely anticipated speech (video) on reform of the NSA, President Obama announced he would end the NSA telephone record collection program, first requiring a court order for all queries and then ending the NSA's massive record request prior to the next renewal. EPIC, legal scholars, the President’s Review Group, and sponsors of the USA FREEDOM Act, including Senator Patrick Leahy and Senator Ron Wyden, had urged the President to take this step. The President also said that the Administration would move to implement “a majority of the recommendations” made by the Review Group. The President announced several other reform measures, including a public advocate for the Foreign Intelligence Surveillance Court, new privacy rights for non-US citizens, more transparency for data collection, a narrowed focus on foreign data collection, greater oversight of signals intelligence, a new Privacy Coordinator at the White House, and a new panel to look closely at privacy and “Big Data.” Still, the President may not have gone far enough to address the scope of NSA programs, the privacy rights of those outside the US, and the need to ensure stronger technical safeguards for Internet stability and reliability. The President also did not indicate whether the U.S. would move to ratify the Council of Europe Privacy Convention or seek legislation to enact the Consumer Privacy Bill of Rights. For more information, see White House Fact Sheet.
- Senate Commerce Committee Considers Rules for Domestic Drones + (Jan. 17, 2014)
The Senate Committee on Commerce, Science, and Transportation held a hearing on "the Future of Unmanned Aviation in the U.S. Economy: Safety and Privacy Considerations." Senator Dianne Feinstein noted the threat that drones pose to both privacy and safety, and described how a drone once flew outside her home during a demonstration. Later in the hearing, Senator Ed Markey, who has written legislation to safeguard privacy, held up an AR Parrot Drone. And Senator Cory Booker said that drones put him "between my Star Trek aspirations and my Terminator fears." The Committee heard testimony from FAA Administrator Michael Huerta. The FAA is responsible for integrating drones into the U.S. domestic airspace by 2015. EPIC had petitioned the FAA to implement privacy rules for drones. The FAA responded to EPIC's petition and has required, as an interim step, each of the six selected test sites for drone deployment to establish a public privacy policy. For more information, see EPIC: Domestic Unmanned Aerial Vehicles and Drones.
- Review Group to Senate: NSA Program Has Not Prevented Threats + (Jan. 15, 2014)
Members of the President's Review Group presented their recommendations for NSA reform at a Senate Judiciary Committee hearing. EPIC participated in the work of the Review Group. The expert panel set out 46 recommendations on a range of issues from reforming intelligence surveillance directed at United States persons to promoting prosperity, security, and openness in the networked world. The Members stated that the NSA's bulk collection of metadata had not prevented threats against the United States and recommended that it be ended. Acknowledging privacy concerns, former CIA Deputy Director Michael Morell also stated that "there is quite a bit of content in metadata." Last year, EPIC filed a petition in the Supreme Court challenging the legality of the NSA's telephone record collection program. Legal scholars and former members of the Church Committee supported the EPIC petition. The Supreme Court dismissed the petition without ruling on the merits. For more information, see In re EPIC.
"there is quite a bit of content in metadata" - Morell, former CIA Deputy Director
- Senator Markey Outlines New Student Privacy Legislation at EPIC Event + (Jan. 14, 2014)
At a briefing on Capitol Hill hosted by EPIC, Senator Ed Markey announced plans to introduce legislation protecting student data. Senator Markey set out four principles his bill would cover: (1) student information may never be used to market products to children; (2) parents must have the right to access and amend student information held by private companies; (3) schools and private companies must safeguard student information; and (4) companies must delete student information after it is no longer needed for educational purposes. Senator Markey made the remarks at the EPIC event "Failing Grade: Education Records and Student Privacy," which included leading experts in technology, student privacy, and the Chief Privacy Officer at the Department of Education. Last year, Senator Markey sent a letter to the Education Department, requesting information on the "impact of increased collection and distribution of student data" on privacy. The Education Department provided a response, suggesting that when schools outsource to private companies, they should ensure that the companies protect student data. For more information, see EPIC: Student Privacy.
- Senator Leahy Proposes Consumer Privacy Legislation + (Jan. 9, 2014)
Senator Leahy has introduced the Personal Data Privacy and Security Act of 2014. The Act would strengthen privacy and data security by establishing a national standard for data breach notification, and requiring companies to create a data privacy and security program to protect and secure sensitive data. The bill follows a massive data breach at Target that compromised the personal data of more than 40 million consumers. Senator Leahy stated that the bill "aims to better protect Americans from the growing threats of data breaches and identity theft" and said there would be a hearing in the Judiciary Committee later this year. In 2012 President Obama set out a framework for consumer privacy protection, the Consumer Privacy Bill of Rights. For more information, see EPIC: Privacy Legislation and EPIC: Identity Theft.
- NY Judge Rules NSA Program Legal, Split Emerges Among Courts + (Dec. 30, 2013)
A federal judge in New York has ruled that the NSA's telephone metadata program is legal. The ruling comes less than two weeks after a federal judge in Washington, DC issued an injunction against the telephone record collection program—calling it an "unreasonable search under the Fourth Amendment." The opinions create a split amongst the district courts as to the legality of the NSA's program. Both opinions are expected to be appealed. The President's Review Group recently released its report recommending the end of the NSA's bulk collection of telephony metadata. EPIC filed a Petition in the U.S. Supreme Court challenging the legality of the program, shortly after the disclosure earlier this summer. For more information, see In re EPIC and EPIC: FISC Verizon Order.
- Expert Panel Calls for End of NSA Bulk Data Collection + (Dec. 19, 2013)
The President's Review Group on Intelligence and Communications Technologies has concluded that the NSA’s collection of bulk telephone records should end. In a sweeping report "Liberty and Security in a Changing World," the review panel set out 46 recommendations, which would limit NSA surveillance, expand judicial oversight, create new transparency requirements, update federal privacy laws, and create a new privacy agency. Other recommendations include the application of the Privacy Act of 1974 to both U.S. and non-U.S. persons, support for strong encryption techniques, and the cessation of the U.S. practice of stockpiling software vulnerabilities known as "zero day" exploits. Earlier this year, EPIC met with the review group and submitted extensive comments to the panel, specifically urging the end of the bulk record collection program. EPIC had earlier petitioned the Supreme Court to find the program unlawful. For more information, see EPIC: In re EPIC - NSA Telephone Record Surveillance.
- Senate Report Shines Light on How Data Brokers Operate + (Dec. 18, 2013)
A Senate Committee Majority Staff report released today highlights the oft-concealed practices of data brokers. The report finds that data brokers lack transparency and collect sensitive personal information, while individuals lack basic rights to know what data is collected or how it is used. The brokers, the report notes, prevent business customers from revealing how data is obtained. The report also exposed how personal information is often used to target the financially vulnerable. Thus far, the data broker industry has largely escaped federal regulation. In 2009, EPIC testified in support of new legislation to regulate the data broker industry. In 2005, EPIC's complaint to the FTC against data broker ChoicePoint led to a $10 million settlement. For more information, see EPIC: ChoicePoint and EPIC: Federal Trade Commission.
- Senate Confirms Judge Wald for Privacy Oversight Board + (Dec. 13, 2013)
The Senate confirmed the reappointment of Judge Patricia M. Wald to the Privacy and Civil Liberties Oversight Board. Judge Wald's current term was set to expire next month, but President Obama re-nominated her on March 21, 2013. Last year, EPIC recommended that the Oversight Board, consistent with its mandate, pursue a broad agenda, including (1) suspension of the Fusion Center Program; (2) limiting closed-circuit television surveillance; (3) eliminating the use of body scanners; (4) establishing privacy regulations for drones; (5) improving Information Sharing Environment (ISE) and Suspicious Activity Reporting (SARS) Standards; and (6) Privacy Act adherence. More recently, EPIC addressed the Board at a workshop on NSA Surveillance. And in response to a public rulemaking, EPIC also provided extensive comments on a proposed rule governing the Board's Freedom of Information Act practices. The Board adopted nearly all of EPIC's recommendations on transparency. For more information, see EPIC: Foreign Intelligence Surveillance Act and EPIC: Open Government.
- Presidential Task Force to Recommend Changes at NSA + (Dec. 13, 2013)
The Review Group on Intelligence and Communications Technologies, established to recommend surveillance reforms, will send a final report to the President this Sunday. According to one news article, the task force will recommend putting a civilian leader in charge of NSA, separating out the code-breaking "Information Assurance Directorate," and splitting the U.S. Cyber Command off into a separate military unit. The Review Group will also recommend new limits on the NSA’s ability to search telephone call records, proposing that telephone records be stored with a third party rather than the NSA. The group will also recommend safeguards for the data of European citizens, and restrictions on the use of National Security Letters. Earlier this year, EPIC filed a petition with the U.S. Supreme Court, supported by legal scholars and former members of the Church Committee, arguing that the NSA bulk collection program was unlawful. For more information, see EPIC: Foreign Intelligence Surveillance Act, EPIC: Foreign Intelligence Surveillance Act Reform, and EPIC: In re EPIC.
- Next Privacy Multistakeholder Process to Focus on Facial Recognition + (Dec. 10, 2013)
The National Telecommunications and Information Administration has announced that the next privacy multistakeholder process will focus on "privacy safeguards for the use of facial recognition technology." The process was designed by the Obama Administration to apply the Consumer Privacy Bill of Rights to industry, and recently developed a voluntary code of conduct regarding mobile app transparency. In comments to the agency, EPIC recommended that the CPBR be codified in the form of comprehensive privacy legislation. For more information, see EPIC: NTIA Multistakeholder Process.
- White House Proposes New Open Government Plan + (Dec. 6, 2013)
The Obama Administration has released a preview of the Open Government National Action Plan, which sets out commitments to improve the public’s access to information and improve government information management. The report covers a wide range of topics, including efforts to improve public participation in government, proposals to modernize management of government records and update the Freedom of Information Act (FOIA), as well as plans to transform the security classification system, increase transparency of foreign intelligence surveillance activities, make privacy compliance information more accessible, and strengthen protections for whistleblowers. Regarding the FOIA, the Administration proposes to establish a FOIA modernization committee, improve training for government employees, and develop a unified online FOIA system. If adopted, the proposed commitments would clarify the records requesting process and make the FOIA more accessible to the public. EPIC joined other open government organizations to advise the Administration on modernizing the FOIA. EPIC also regularly comments on proposed changes to agency FOIA regulations. For more information, see EPIC: Open Government.
- United Nations Considers Privacy Resolution + (Nov. 22, 2013)
In response to growing concern about the scope of electronic surveillance, the U.N. General Assembly is considering a resolution affirming that privacy is a fundamental right. Civil society organizations have long urged international organizations to update and strengthen global frameworks for privacy protection. The UN resolution now under consideration is a response to reports that the United States conducted surveillance of many foreign leaders, including Brazil's President Dilma Rousseff and German Chancellor Angela Merkel. Brazil and Germany are leading the effort at the United Nations on the privacy resolution. The European Parliament is pursuing an investigation of the "Mass Surveillance of EU Citizens." And the United States Congress is considering legislation, such as the USA FREEDOM Act, to rein in surveillance activities. For more information, see Public Voice - The Madrid Declaration.
- EPIC Files FOIA Request with FTC About Facebook Investigation + (Nov. 19, 2013)
EPIC filed a Freedom of Information Act request with the Federal Trade Commission for documents concerning the FTC's recent "investigation" of Facebook's policy changes. The investigation concerned changes to Facebook’s Data Use Policy that permit the use of the names, images, and content of Facebook users for commercial endorsement without user consent. Following announcement of the proposed change, EPIC and several privacy groups wrote to the FTC objecting to the changes as a violation of a 2011 consent order with the Federal Trade Commission. Senator Markey also expressed concern about the policy changes. The Commission opened an investigation, which was then quietly closed, allowing Facebook to go forward with the changes. For more information, see EPIC: Federal Trade Commission and EPIC: FOIA.
- Bipartisan Introduction of Do Not Track Kids Legislation in Senate and House + (Nov. 18, 2013)
Senators Markey (D-MA) and Kirk (R-IL), along with Representatives Barton (R-TX) and Rush (D-IL), have introduced the Do Not Track Kids Act, comprehensive children's online privacy legislation. The bill would amend the Children's Online Privacy Protection Act by extending protection to teens ages 13-15, requiring consent for the collection of personal information, and creating an "eraser button" that allows children to delete personal information. California recently enacted a bill, which also provides for an "eraser button" that would require websites to allow minors to remove their own information. The bill would also require online companies to explain the types of personal information collected, how that information is used and disclosed, and the policies for collection of personal information. EPIC recommended a similar update to COPPA in testimony before the Senate Commerce Committee in 2010. For more information, see EPIC: Children's Privacy.
- CATO Institute Capitol Hill Briefing: Mission Creep at the TSA and the Case for Privatization + (Nov. 14, 2013)
CATO Institute Capitol Hill Briefing: Mission Creep at the TSA and the Case for Privatization
Khaliah Barnes,
EPIC Administrative Law Counsel
121 Cannon House Office Building
Washington, DC
November 14, 2013
- The Year in Government Information: NSA Surveillance, Bin Laden Photos, White House Logs and More + (Nov. 8, 2013)
The Year in Government Information: NSA Surveillance, Bin Laden Photos, White House Logs and More
Alan Butler,
EPIC Appellate Advocacy Counsel
ABA Administrative Law Conference
Washington, D.C.
November 8, 2013
- EPIC Obtains Information About Government-Corporate Cybersecurity Practices + (Nov. 1, 2013)
As a result of a Freedom of Information Act lawsuit against the Department of Homeland Security, EPIC has obtained documents which reveal that the Department of Defense required companies to disclose information about Internet traffic on private networks. These documents contradict Homeland Security’s assertions that companies participating in a DOD pilot project would not be compelled to transmit information to federal agencies. The documents obtained by EPIC under the FOIA also indicate that the National Security Agency, a branch of the Department of Defense, is engaging in offensive cybersecurity measures. In a statement to the Senate, EPIC warned that the National Security Agency has become a "black box" for public information about cybersecurity. For more information, see EPIC v. DHS: Defense Contractor Monitoring.
- Leahy and Sensenbrenner Introduce USA FREEDOM Act + (Oct. 29, 2013)
The Democratic Chair of the Senate Judiciary Committee and the Republican author of the Patriot Act have introduced the USA FREEDOM Act, which would reform the Foreign Intelligence Surveillance Act and limit NSA surveillance activities. A bi-partisan coalition, including 17 Senators and 70 Members of Congress, have joined as original co-sponsors. Key provisions of the FREEDOM Act increase transparency of intelligence activities, prevent end-runs around the FISA Court, and improve public reporting. In 2012 EPIC testified before the House Judiciary Committee about the need to reform FISA and to improve oversight of the FISA court. The FREEDOM Act also ends the controversial bulk phone records collection program. EPIC has brought a challenge in the Supreme Court to the phone records program, explaining that it is unlawful under current law. For more information, see EPIC: In re EPIC and EPIC - Foreign Intelligence Surveillance Act.
- EPIC Files in Supreme Court, Responds to Government in NSA Challenge + (Oct. 28, 2013)
EPIC has filed a reply brief in In re EPIC with the U.S. Supreme Court, responding to the Government's brief, which was filed after two extensions. The government argues the Supreme Court cannot hear the case. EPIC responded that it "simply cannot be correct" that the order of the Foreign Intelligence Surveillance Court, an inferior court, is not reviewable by the Supreme Court. EPIC also explained that the order is clearly unlawful. "No court has ever determined that 'relevance' permits the compelled production of such vast quantities of irrelevant personal information," EPIC said, noting that Congressman Sensenbrenner, co-author of the USA PATRIOT Act, has written that "This expansive characterization of relevance makes a mockery of the legal standard." EPIC also outlined the extraordinary impact of the NSA telephone record collection on all Americans: "These telephone records are unique and identifiable, and reveal a great deal of private information about millions of telephone users. In no instance has the Government established any individualized suspicion to support the collection of this information." For more information, see In re EPIC.
- Senator Markey Investigates Student Data Disclosures + (Oct. 24, 2013)
Senator Edward Markey has sent a letter to the Education Department, requesting information on the "impact of increased collection and distribution of student data" on student privacy rights. Among other questions, Senator Markey asks why the Department made changes to the Family Educational Rights and Privacy Act, a federal student privacy law; whether the Department "performed an assessment of the types of information" that schools disclose to third party vendors; and whether students and their families can obtain their information held by private companies. The letter states, "By collecting detailed personal information about students' test results and learning abilities, educators may find better ways to educate their students. However, putting the sensitive information of students in private hands raises a number of important questions about the privacy rights of parents and their children." EPIC has sent a letter to the Senate and House Committees on Education, urging Congress to restore privacy protections for student data. For more information, see EPIC: Student Privacy and EPIC: EPIC v. The Department of Education.
- EPIC Urges Congress to Protect Student Privacy + (Oct. 10, 2013)
In a letter to the Senate and House Committees on Education, EPIC has asked Congress to restore privacy protections for student data. EPIC's letter follows a court opinion concerning recent changes to the Family Educational Rights and Privacy Act. EPIC has warned that the changes in the student privacy law allow the release of student records for non-academic purposes and undercut parental and student consent provisions. EPIC has urged Congress to investigate the impact of the revised regulations. "Students and families are losing control over sensitive information," EPIC wrote, "and private companies are becoming the repositories of student data and even the data maintained by the schools is far more extensive than ever before." For more information, see EPIC: Student Privacy.
- Gov. Brown Signs New California Privacy Laws + (Oct. 9, 2013)
California Governor Jerry Brown has signed several new Internet privacy bills into law. Assembly Bill 370 amends the California Online Privacy Protection Act by requiring that businesses disclose how they respond to Do Not Track signals or other mechanisms used by consumers to prevent the surreptitious collection of their browsing history. The Governor has also signed Senate Bill 568, which provides for an "eraser button" that would require websites to allow minors to remove their own information. Finally, California has enacted Senate Bill 255, which prohibits "revenge porn": the posting of explicit images or videos without the victim's consent. The passage of these laws has led many to observe that California is "driving Internet privacy policy." For more information, see EPIC: Online Tracking and Behavioral Advertising and EPIC: Children’s Online Privacy.
- EPIC FOIA - FBI Says 20% Error Rate Okay for Facial Recognition + (Oct. 4, 2013)
EPIC's Freedom of Information Act lawsuit has produced new documents about "Next Generation Identification" and the FBI's plans for facial recognition. According to the document obtained by EPIC, "NGI shall return an incorrect candidate a maximum of 20% of the time." That number is much greater than expected. Earlier this year, EPIC received documents from the FBI regarding the use of facial recognition and state DMV photos. The FBI has still not updated a 2008 Privacy Impact Assessment on facial recognition technology despite telling Congress last year that a new assessment was planned. For more information, see EPIC: EPIC v. FBI - Next Generation Identification and EPIC: Face Recognition.
- Consumer Privacy Groups Ask Congress to End Secret Hearings on Data Industry + (Oct. 2, 2013)
EPIC, joined by a coalition of consumer privacy groups, has asked the House of Representatives Privacy Task Force to open to the public meetings that are now taking place in secret in the hearing rooms of Congress. "We recognize that there is value in private meetings among Members and staff and with constituents," the group wrote, but said that "with public matters of common concern" meetings should be held "in the open, a public record should be created, and various viewpoints should be heard." The groups thanked Representatives Blackburn and Welch for examining "the enormously important issue of consumer privacy" but said "there is simply no reason for your task force to hold closed-door sessions." Last year, both the White House and the Federal Trade Commission recommended enactment of consumer privacy legislation.
- Senator Leahy Urges FISA Reform at Georgetown Law + (Sep. 25, 2013)
Speaking at a conference hosted by the Georgetown University Law Center, the Chairman of the Senate Judiciary Committee called for an end "to the bulk collection of Americans' phone records." Senator Leahy said "the system set up in the 1970s to regulate the surveillance capabilities of our Intelligence Community is no longer working. We must recalibrate." Senator Leahy has introduced bipartisan legislation that would end the telephone record collection program, reduce secret law, and improve the structure of the Foreign Intelligence Surveillance Court. The Senate Judiciary Committee will hold an oversight hearing next week on the Foreign Intelligence Surveillance Act. EPIC has filed a petition with the US Supreme Court, arguing that the bulk collection of telephone toll records is unlawful. For more information, see EPIC - In re EPIC.
- California Enacts Strong Digital Privacy Law for Minors + (Sep. 24, 2013)
California Gov. Jerry Brown today signed a law to protect Privacy Rights for California Minors in the Digital World. The law, which goes into effect Jan. 1, 2015, sets out a broad range of rights for minors concerning the collection and use of their personal information by commercial service providers. The law does not limit the rights of minors; it seeks to regulate the practices of businesses. EPIC has long advocated for the privacy rights of children, testifying before the House in 1996 in support of the Children's Online Privacy Protection Act and again before the Senate in 2010 as new technologies and business practices emerged. EPIC also wrote comments to the FTC in 2011 supporting stronger regulations to protect the data concerning children. Some organizations, financed by Internet companies, are opposing the legislation. For more information, see EPIC: Children's Online Privacy Protection Act.
- Senators Call for Public Report by IC Inspector General on NSA Surveillance + (Sep. 24, 2013)
A bipartisan group of Senators, including the Chairman and Ranking Members of the Senate Judiciary Committee, have called for a full-scale review of the use of surveillance authorities by the intelligence community. The Senators emphasized that the findings and conclusions of this review be made public to "help promote greater oversight, transparency, and public accountability." The requested report would address activities conducted under Section 215 of the USA PATRIOT Act and Section 702 of the FISA, which includes the collection of the telephone call records of hundreds of millions of Americans. Specifically, the report would review the use and implementation of 215 and 702, the applicable minimization procedures, any improper use of the authorities, and examine the effectiveness over the 2010-2013 period. EPIC is currently challenging the order for bulk collection of domestic call records in its Petition for Writ of Mandamus in the U.S. Supreme Court. For more information, see In re EPIC and EPIC: FISA Reform.
- Sen. Franken Questions Apple on iPhone Fingerprint Scanning + (Sep. 21, 2013)
Senator Al Franken has raised questions about the privacy and security implications of the fingerprint reader on Apple's new iPhone 5S. "If someone hacks your password, you can change it—as many times as you want. You can't change your fingerprints," Senator Franken wrote. He also pressed Apple for additional details on the protection available to users against law enforcement access to biometric data. In Congressional testimony, EPIC has previously warned that biometric identifiers will "allow for greater data collection and tracking of individuals." For more information, see EPIC: Biometric Identifiers.
- Pressure Mounts on Facebook to Withdraw Proposed Changes, New Scrutiny of "Faceprints" + (Sep. 13, 2013)
Facebook is under increasing pressure to withdraw proposed changes that would allow the company to use the names, images, and content of Facebook users for advertising without consent. After EPIC and several privacy groups wrote to the Federal Trade Commission that the changes would violate a 2011 Consent Order, the Commission has opened an investigation. Senator Ed Markey also wrote to the FTC, stating that Facebook's changes "raise[] a number of questions about whether Facebook is improperly altering its privacy policy without proper user consent and, if the changes go into effect, the degree to which Facebook users will lose control over their personal information." Senator Al Franken has called on Facebook to reconsider expansion of its facial recognition activity. In a letter to Mark Zuckerberg, Senator Franken asked "How many face prints does Facebook have?" For more information, see EPIC: Federal Trade Commission and EPIC: Facebook Privacy.
- EPIC Meets with President's Intelligence Review Group + (Sep. 9, 2013)
EPIC President Marc Rotenberg and EPIC Advisory Board Member Steve Aftergood met today with the Review Group on Intelligence and Communication Technology. The President tasked the panel with the responsibility to assess whether the "United States employs its technical collection capabilities in a manner that optimally protects our national security and advances our foreign policy while appropriately accounting for other policy considerations, such as the risk of unauthorized disclosure and our need to maintain the public trust." EPIC submitted detailed recommendations and included copies of EPIC's Supreme Court petition, arguing that the current domestic surveillance program is unlawful, as well as EPIC's Congressional testimony on the FISA Amendments Act and EPIC's 2010 letter to the Foreign Intelligence Surveillance Court concerning reform of FISA procedures. The panel will accept comments from the public until October 4, 2013. Comments are to be sent to [email protected], which oddly is the domain of the current Director of National Intelligence.
- President Announces Intelligence Review Group, EPIC Presses for FISA Reform + (Aug. 28, 2013)
President Obama met this week with the members of a newly formed group of experts to review intelligence and communications technologies. The group consists of computer security advisor Richard Clarke, former CIA Director Michael Morell, and legal scholars Geoffrey Stone, Cass Sunstein, and Peter Swire. The White House said the group would advise the President on how "the United States can employ its technical collection capabilities in a way that optimally protects our national security and advances our foreign policy while respecting our commitment to privacy and civil liberties, recognizing our need to maintain the public trust, and reducing the risk of unauthorized disclosure." This week, EPIC contacted each of the review group members to provide important materials regarding the protection of privacy and civil liberties. EPIC sent to the Review Group members copies of EPIC's Supreme Court petition, arguing that the current domestic surveillance program is unlawful, as well as EPIC's Congressional testimony on the FISA Amendments Act and EPIC's 2010 letter to the Foreign Intelligence Surveillance Court concerning reform of FISA procedures. For more information, see EPIC: FISA Reform.
- NSA Violated Law Thousands of Times and Intercepted American Communications + (Aug. 19, 2013)
An internal audit has revealed that the NSA violated both legal rules and privacy restrictions thousands of times each year since 2008, leading to the unauthorized surveillance of American communications. According to the 2012 report, there were 2,776 violations in the previous 12 months alone. A "large number" of calls placed from Washington DC were intercepted when its area code was confused with that of Egypt. Another document shows how NSA analysts are trained to avoid giving "extraneous information" to their "FAA overseers" when they want to target an individual. In 2006, EPIC wrote to the Senate Judiciary Committee regarding instances of intelligence gathering misconduct by the FBI that were uncovered through EPIC's Freedom of Information Act requests. EPIC is currently petitioning the NSA to suspend its domestic surveillance program pending a public comment period. EPIC has also filed a petition with the U.S. Supreme Court challenging the legal authority of the FISA Court to authorize the NSA's program.
- Chairman Leahy Calls For End of NSA Telephone Surveillance Program + (Jul. 31, 2013)
Senator Patrick Leahy said in an oversight hearing that the NSA's domestic telephone surveillance program should be terminated. "This program is not effective. It has to end," said the Chairman of the Senate Judiciary Committee. Senator Leahy has also introduced the FISA Accountability and Privacy Protection Act, to strengthen oversight of the government surveillance programs. Representatives from the NSA and Justice Department testified about the legality of the NSA's collection of all telephone records in the United States. But both Democratic and Republican Committee members expressed concern about the scope and secrecy of the program. EPIC has filed a petition with the U.S. Supreme Court challenging the legal authority of the FISA Court to authorize the NSA's program. For more information, see In re EPIC - NSA Telephone Records Surveillance.
- NSA Surveillance to Get Senate Scrutiny + (Jul. 30, 2013)
"NSA Surveillance to Get Senate Scrutiny"
Marc Rotenberg,
EPIC Executive Director
and
Steven Bradbury, former head of the Office of Legal Counsel in the U.S. Department of Justice
Minnesota Public Radio
The Daily Circuit
July 30, 2013
- House Narrowly Defeats Bill to End NSA Domestic Surveillance Program + (Jul. 25, 2013)
In a surprisingly close vote, the House of Representatives voted 217 to 205 not to suspend funding for the controversial NSA program that has resulted in the collection of all call records of all American telephone customers. The outcome followed intense lobbying by the Administration and leaders of the intelligence community. The measure was introduced by Justin Amash (R-MI) and John Conyers (D-MI). EPIC has filed a petition with the US Supreme Court, charging that the program violates section 215 of the Patriot Act. A decision by the Court is expected in early October. For more information, see EPIC - In re Electronic Privacy Information Center.
- FISA Court Renews Unlawful Surveillance Program, DOJ Defends Program + (Jul. 22, 2013)
According to the Director of National Intelligence, on July 19, 2013 the Government "filed an application with the Foreign Intelligence Surveillance Court seeking renewal of the authority to collect telephony metadata in bulk, and that the Court renewed that authority." In a separate filing, in a July 18 response to a challenge brought by the ACLU, the Department of Justice said that a federal district court in New York could not overturn the order of the FISA court. And in a July 16 letter to Congressman Sensenbrenner the Department asserts that "because the telephony metadata must be available in bulk to allow the NSA to identify records of terrorist communications, there are 'reasonable grounds to believe' that the data is relevant to an authorized investigation." EPIC has recently filed a petition with the US Supreme Court, challenging the lawfulness of the NSA domestic surveillance program. For more information, see EPIC - In re Electronic Privacy Information Center.
- EPIC Updates Congress on Organization's Response to NSA Surveillance + (Jul. 16, 2013)
EPIC has sent a letter to the House Judiciary Committee describing EPIC's response to the NSA domestic surveillance program in anticipation of a hearing on FISA oversight. "In our view, the secret court simply lacks the legal authority to authorize this program of domestic surveillance," EPIC writes. EPIC has filed a petition with the U.S. Supreme Court challenging the Verizon Order issued by the Foreign Intelligence Surveillance Court. EPIC is also petitioning the NSA to create public rules governing its surveillance authorities. For more information, see In Re EPIC and EPIC: NSA Petition.
- Justice Department Revises Rules on Obtaining Reporters' Records + (Jul. 16, 2013)
The Department of Justice has issued a report outlining the department's revised rules for obtaining records from journalists. The change in policy comes after the controversy concerning the Justice Department's subpoena of Associated Press calling records. The new rules establish a presumption that reporters will be notified when their records are sought and also raise the legal standard for access under the Privacy Protection Act of 1980, a law that is intended to protect journalists' records from government access. Following the AP controversy, EPIC filed a Freedom of Information Act request seeking the legal basis for the Justice Department's subpoena of reporters' phone records. For more information, see EPIC: Free Flow of Information Act and EPIC: Privacy Protection Act.
- EPIC Asks FTC To Investigate "Magna Carta" App + (Jul. 14, 2013)
EPIC filed a complaint with the Federal Trade Commission against Samsung, the publisher of a mobile app for Jay-Z's new album "Magna Carta Holy Grail." The Magna Carta App collects massive amounts of personal information from users, including location data and data pulled from other accounts and other apps on the users' phones. The Magna Carta app also includes hidden spam techniques that force users to promote the album. Well-known music critic Jon Pareles wrote "Jay-Z Is Watching, and He Knows Your Friends." EPIC asked the Commission to require Samsung to suspend the distribution of the app until the privacy problems are fixed and to implement the privacy protections contained in the Consumer Privacy Bill of Rights. Previously, EPIC filed an FTC complaint against Snapchat, the publisher of a mobile app that falsely claimed to delete photos and videos "forever." For more information, see EPIC: Federal Trade Commission and EPIC: Samsung "JAY-Z Magna Carta" App.
- Senate Adopts Immigration Bill with E-Verify Requirement + (Jul. 5, 2013)
The Senate has passed an expansive immigration bill that includes employment verification by the federal government for all U.S. employees -- "E-Verify" -- within five years. In testimony before Congress, EPIC warned of inaccurate employment determinations in the E-Verify system and said that Privacy Act safeguards must be strengthened to ensure fairness and accountability. In June 2011, EPIC filed comments with the Department of Homeland Security in opposition to the expansion of E-Verify. For more information, see EPIC: E-Verify and Privacy and EPIC: Spotlight on Surveillance - E-verify System.
- EPIC Alert 20.13 + (Jul. 2, 2013)
=======================================================================
E P I C   A l e r t
=======================================================================
Volume 20.13                                              July 2, 2013
-----------------------------------------------------------------------
Published by the
Electronic Privacy Information Center (EPIC)
Washington, DC
http://www.epic.org/alert/epic_alert_20.13.html

"Defend Privacy. Support EPIC."
http://epic.org/donate

=======================================================================
TAKE ACTION: Sign EPIC's Petition Against NSA Domestic Surveillance
=======================================================================
[1] SIGN EPIC's Petition to the NSA
[2] SHARE EPIC's Petition via Email, Mailing Lists
[3] POST EPIC's Petition on Facebook, Social Media
[4] LEARN More about the NSA's Domestic Surveillance Programs
[5] SUPPORT EPIC

=======================================================================
[1] SIGN EPIC's Petition to the NSA
=======================================================================
"the right of the people . . . to petition the Government for a redress of grievances."
- First Amendment, United States Constitution

EPIC's campaign to promote a public rulemaking on the NSA domestic surveillance program is underway. EPIC will be posting updates and new signatories weekly. Below is the text of EPIC's petition to the NSA. Please sign at http://epic.org/NSApetition or send email to [email protected] with the subject header: "I support EPIC's Petition to the NSA".

"Dear General Alexander and Secretary Hagel:

The undersigned individuals and organizations, concerned about the rule of law and the protection of Constitutional freedoms, hereby petition the National Security Agency to conduct a public rulemaking on the agency's monitoring and collection of communications traffic within the United States. 5 U.S.C. § 553(e).

We believe that the NSA's collection of domestic communications contravenes the First and Fourth Amendments to the United States Constitution, and violates several federal privacy laws, including the Privacy Act of 1974, and the Foreign Intelligence Surveillance Act of 1978 as amended.

The NSA's collection of solely domestic communications, which has been acknowledged by the President, the Director of National Intelligence, and the Chair and Ranking Member of the Senate Select Committee on Intelligence, also constitutes a legislative rule that "substantively affects the public to a degree sufficient to implicate the policy interests animating notice-and-comment rulemaking" under the Administrative Procedure Act. EPIC v. DHS, 653 F.3d 1, 6 (D.C. Cir. 2011).

Accordingly, the NSA's collection of domestic communications, absent the opportunity for public comment, is unlawful.

We hereby petition the National Security Agency, a component of the Department of Defense, for relief. We ask the NSA to immediately suspend collection of solely domestic communications pending the completion of a public rulemaking as required by law. We intend to renew our request each week until we receive your response.

Sincerely,

Marc Rotenberg
Dr. Alessandro Acquisti
James Bamford
Grayson Barber
Professor Ann Bartow
Professor Colin Bennett
Professor Christine Borgman
Professor Julie E. Cohen
Dr. Danah Boyd
Simon Davies
Dr. Whitfield Diffie
Dr. Cynthia Dwork
Professor David Farber
Addison Fischer
Professor David Flaherty
Professor Michael Froomkin
Professor Urs Gasser
Deborah Hurley
Professor Jerry Kang
Sheila Kaplan
Professor Ian Kerr
Rebecca MacKinnon
Mary Minow
Dr. Pablo Molina
Dr. Peter G. Neumann
Professor Helen Nissenbaum
Ray Ozzie
Deborah C. Peel, MD
Chip Pitts
Professor Anita Ramasastry
Professor Ronald Rivest
Professor Pam Samuelson
Bruce Schneier
Dr. Barbara Simons
Edward G. Viltz

For More Information:

EPIC: Rulemaking Petition to the NSA
http://epic.org/NSApetition

FISC: Order Permitting NSA Phone Surveillance (Apr. 23, 2013)
http://epic.org/privacy/nsa/Section-215-Order-to-Verizon.pdf

EPIC: NSA - Verizon Phone Record Monitoring
http://epic.org/privacy/nsa/verizon/default.html

EPIC: The Administrative Procedure Act (APA)
http://epic.org/open_gov/Administrative-Procedure-Act.html

=======================================================================
[2] SHARE EPIC's Petition via Email, Mailing Lists
=======================================================================
EPIC's petition benefits from having as many signatories as possible. Please email and share widely on private lists:
http://epic.org/NSApetition
[email protected]

=======================================================================
[3] POST EPIC's Petition on Facebook, Social Media
=======================================================================
EPIC will be posting the NSA petition on its Facebook page and Twitter feed. Please help get the message out by posting to your own Facebook page, Twitter feed, and Tumblr or other social media accounts:
http://epic.org/NSApetition
[email protected]

=======================================================================
[4] LEARN More about Domestic Surveillance
=======================================================================
Stay informed with EPIC's pages on current revelations about the federal government's domestic surveillance programs and the history of domestic surveillance since 9/11:

EPIC: Amicus Brief in Clapper v. Amnesty International (Sept. 24, 2012)
http://www.epic.org/amicus/fisa/clapper/EPIC-Amicus-Brief.pdf

EPIC: Testimony before the House Judiciary Committee on the FISA Amendments Act (May 31, 2012)
http://epic.org/redirect/073012-epic-fisa-testimony.html

EPIC: Testimony before the 9/11 Commission on "Security and Liberty: Protecting Privacy, Preventing Terrorism" (Dec. 8, 2003)
http://epic.org/privacy/terrorism/911commtest.pdf

Marc Rotenberg Op-Ed.: "It Is Time to Return to Oversight of Surveillance Authority." The Washington Post, June 12, 2013.
http://www.washingtonpost.com/opinions/it-is-time-to-return-to-oversight-of-surveillance-authority/2013/06/12/522fe660-d217-11e2-9577-df9f1c3348f5_story.html

FISC: Order Permitting NSA Phone Surveillance (Apr. 23, 2013)
http://epic.org/privacy/nsa/Section-215-Order-to-Verizon.pdf

EPIC: NSA - Verizon Phone Record Monitoring
http://epic.org/privacy/nsa/verizon/default.html

EPIC: The Administrative Procedure Act (APA)
http://epic.org/open_gov/Administrative-Procedure-Act.html

NSA: Minimization Procedures in Foreign Intelligence (Jul. 28, 2009)
http://epic.org/redirect/062613-nsa-minimization.html

NSA: Procedures for Targeting Non-US Persons (July 28, 2009)
http://epic.org/redirect/062613-nsa-targeting.html

EPIC: Letter to FCC re: NSA Surveillance (Jun. 11, 2013)
http://epic.org/privacy/terrorism/fisa/EPIC-FCC-re-Verizon.pdf

FISA: Verizon Order (Apr. 23, 2013)
http://epic.org/privacy/nsa/Section-215-Order-to-Verizon.pdf

EPIC: Foreign Intelligence Surveillance Act
http://epic.org/privacy/terrorism/fisa/

EPIC: Clapper v. Amnesty Int'l
http://epic.org/amicus/fisa/clapper/

EPIC: USA PATRIOT Act
http://epic.org/privacy/terrorism/usapatriot/

=======================================================================
[5] SUPPORT EPIC
=======================================================================
EPIC is a 501(c)(3) nonprofit. We have no clients, no customers, and no shareholders. More than ever, we need your support:
http://epic.org/donate

=======================================================================
[6] EPIC in the News
=======================================================================
"Your child's data is stored in the cloud [video]." CNN Money, June 28, 2013.
http://money.cnn.com/2013/06/28/technology/innovation/inbloom/index.html?iid=HP_LN

"FTC's 'Reclaim Your Name' alone won't rein in data brokers, experts say." CSO Online, June 28, 2013.
http://www.csoonline.com/article/735616/ftc-s-reclaim-your-name-alone-won-t-rein-in-data-brokers-experts-say

Opinion: "When Big Brother Meets Big Data." The Huffington Post, June 27, 2013.
http://www.huffingtonpost.com/rep-rush-holt/government-surveillance-supercomputers_b_3510905.html

"FTC’s Data Privacy Expectations Could Be Clearer, Panelists Say." MainJustice.com, June 26, 2013.
http://www.mainjustice.com/2013/06/26/ftcs-data-privacy-expectations-could-be-clearer-panelists-say/

"Tech companies fret over loss of consumers' trust after NSA revelations." The Hill, June 24, 2013.
http://thehill.com/blogs/hillicon-valley/technology/307183-tech-companies-fret-over-loss-of-consumers-trust#ixzz2XLrdhSJV

"Obama Meets with privacy watchdog panel . . . in private." The Washington Times, June 23, 2013.
http://www.washingtontimes.com/news/2013/jun/23/obama-meets-privacy-watchdog-panel-private/?utm_source=RSS_Feed

"EPIC publishes comments on DHS biometric border management." Biometric Update, June 21, 2013.
http://www.biometricupdate.com/201306/epic-publishes-comments-on-dhs-biometric-border-management/

Opinion: "BOVARD: Transportation security doesn't include the freedom to molest." The Washington Times, June 20, 2013.
http://www.washingtontimes.com/news/2013/jun/20/transportation-security-doesnt-include-the-freedom/

"FBI director confirms limited drone use in U.S." Constitution Daily, June 19, 2013.
http://blog.constitutioncenter.org/2013/06/fbi-director-confirms-limited-drone-use-in-u-s/

"Tech companies jockey to seem the most transparent." CNN, June 18, 2013.
http://www.cnn.com/2013/06/18/tech/web/tech-companies-data-transparent

"Yahoo releases number of data requests, calls for transparency." The Christian Science Monitor, June 18, 2013.
http://www.csmonitor.com/Innovation/2013/0618/Yahoo-releases-number-of-data-requests-calls-for-transparency

"FBI Driver's License Photo Searches Raise Privacy Questions." Information Week Security, June 18, 2013.
http://www.informationweek.com/security/privacy/fbi-drivers-license-photo-searches-raise/240156871

"More Data on Privacy, but Picture Is No Clearer." The New York Times, June 17, 2013.
http://www.nytimes.com/2013/06/18/technology/more-data-on-privacy-but-picture-is-no-clearer.html?_r=0

"Body scanner ruling could squelch NSA domestic spying." CNet, June 17, 2013.
http://news.cnet.com/8301-13578_3-57589640-38/body-scanner-ruling-could-squelch-nsa-domestic-spying/

Marc Rotenberg Op-Ed.: "It Is Time to Return to Oversight of Surveillance Authority." The Washington Post, June 12, 2013.
http://www.washingtonpost.com/opinions/it-is-time-to-return-to-oversight-of-surveillance-authority/2013/06/12/522fe660-d217-11e2-9577-df9f1c3348f5_story.html

For More EPIC in the News:
http://epic.org/news/epic_in_news.html

=======================================================================
Join EPIC on Facebook and Twitter
=======================================================================
Join the Electronic Privacy Information Center on Facebook and Twitter:
http://facebook.com/epicprivacy
http://epic.org/facebook
http://twitter.com/epicprivacy

Join us on Twitter for #privchat, Tuesdays, 11:00am ET.

Start a discussion on privacy. Let us know your thoughts. Stay up to date with EPIC's events. Support EPIC.

=======================================================================
Privacy Policy
=======================================================================
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

=======================================================================
About EPIC
=======================================================================
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

=======================================================================
Donate to EPIC
=======================================================================
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government and private-sector infringement on constitutional values.

Thank you for your support.

=======================================================================
Subscription Information
=======================================================================
Subscribe/unsubscribe via web interface:
http://mailman.epic.org/mailman/listinfo/epic_news

Back issues are available at:
http://www.epic.org/alert

The EPIC Alert displays best in a fixed-width font, such as Courier.

------------------------- END EPIC Alert 20.13 ------------------------
- Senator Leahy Introduces Legislation to Limit NSA Domestic Surveillance + (Jun. 25, 2013)
Senator Patrick Leahy (D-VT), joined by several other Senators, has introduced a bill that will amend certain provisions of the USA PATRIOT Act and the FISA Amendments Act to address recent revelations about domestic surveillance by the National Security Agency. The provisions of the bill will increase the threshold for the NSA to obtain domestic metadata and require court-approved minimization procedures. In addition, the bill will move up expiration dates on surveillance authorities to June 2015. In a statement, Senator Leahy said, "these are all commonsense, practical improvements that will ensure that the broad and powerful surveillance tools being used by the Government are subject to appropriate limitations, transparency, and oversight." EPIC recommended similar proposals in testimony last year before the House Judiciary Committee. For more information, see EPIC: Foreign Intelligence Surveillance Act and EPIC: NSA Petition.
- Senator Rand Paul Seeks Answers About FBI's Domestic Drone Use + (Jun. 21, 2013)
Senator Rand Paul issued a letter to FBI Director Robert Mueller seeking answers about the FBI's domestic use of drones. In a Senate Judiciary Committee hearing on FBI oversight, Director Mueller admitted that the FBI uses drones for domestic surveillance. Mueller also stated there were no guidelines in place to regulate the FBI's use of drones and protect the privacy of Americans. EPIC petitioned the Federal Aviation Administration last year to conduct a public rulemaking to address the threat to privacy and civil liberties that the domestic use of drones poses. EPIC also petitioned the Bureau of Customs and Border Protection this year to establish privacy regulations for its use of drones. For more information, see EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones.
- NSA Targeting and Minimization Procedures Released + (Jun. 21, 2013)
The Guardian has posted the procedures used by the National Security Agency to target non-US citizens under the Foreign Intelligence Surveillance Act, as well as the minimization procedure for information collected about US citizens. The documents indicate that "[a] person whose location is not known will be presumed to be a non-United States person," and that the NSA maintains databases of the telephone numbers, email accounts, and other identifiers of US citizens. EPIC recently petitioned the NSA to suspend its domestic surveillance pending public comment. Last year, in testimony for the House Judiciary Committee, EPIC urged Congress not to reauthorize the FISA Amendments Act until adequate oversight procedures were in place. For more information, see EPIC: Foreign Intelligence Surveillance Act and EPIC: NSA Petition.
- Privacy Officials Seek Answers on Google Glass + (Jun. 19, 2013)
Over thirty privacy officials, including the Privacy Commissioner of Canada and the Chairman of the Article 29 Working Party, have written to Google demanding information on Google Glass. "[W]e would strongly urge Google to engage in a real dialogue with data protection authorities about Glass," they wrote, and listed eight specific questions, including how Glass complies with privacy laws and how Google intends to use the information collected by Glass. Recently, members of the Bi-Partisan Privacy Caucus wrote to Google with similar questions about Glass. Following the letter, Google announced that it would not approve any facial recognition apps for Glass. For more information, see EPIC: Google Glass.
- Senators Push For Release of Foreign Intelligence Surveillance Court Orders + (Jun. 12, 2013)
A bipartisan group of senators, led by Senator Jeff Merkley (D-OR) and Senator Mike Lee (R-UT), has proposed a bill that would declassify the opinions of the Foreign Intelligence Surveillance Court. In 2012 testimony before the House Judiciary Committee, EPIC recommended the publication of Foreign Intelligence Surveillance Court Opinions prior to the renewal of the FISA Amendments Act. Last week, EPIC charged the Foreign Intelligence Surveillance Court with acting outside of its authority. In a letter to Congress, EPIC stated, "The Foreign Intelligence Surveillance Court ordered an American telephone company to disclose to the NSA records of wholly domestic communications. The FISC lacks the legal authority to grant this order." EPIC asked Congress to conduct hearings and determine whether the specialized court, charged with overseeing the collection of foreign intelligence, may also authorize surveillance of solely domestic communications. EPIC has also filed a Freedom of Information Act request with the Department of Justice, seeking the agency's justification for the NSA domestic surveillance program. For more information, see EPIC: Foreign Intelligence Surveillance Act, EPIC: Clapper v. Amnesty, and EPIC: USA Patriot Act.
- Classified NSA Cybersecurity Directive Sought by EPIC Establishes NSA Cyberattack Authority + (Jun. 8, 2013)
Presidential Policy Directive 20 orders the creation of potential targets for Offensive Cyber Effects Operations by the NSA. According to the classified document, the "Government shall identify potential targets of national importance where [cyberattacks] can offer a favorable balance of effectiveness and risk . . ." The Directive was signed last October and EPIC immediately filed a Freedom of Information request seeking public release of the policy as it implicates the privacy of domestic communications. The NSA refused to release the Directive. The White House released a summary of the Directive, but failed to disclose information about the NSA's proposed cyberattacks. PPD-20 was made available to the public in a post to the Guardian by Glenn Greenwald. For more information, see EPIC: Presidential Directives and Cybersecurity, EPIC: EPIC v. NSA - Cybersecurity Authority and EPIC: Cybersecurity Privacy Practical Implications.
- Congress Begins Investigation of NSA Domestic Surveillance Program + (Jun. 7, 2013)
Following the revelation that the National Security Agency is monitoring domestic communications, members of Congress are initiating new oversight proceedings. The Senate Intelligence Committee will review the program's legal authority. Members of the House Judiciary Committee wrote to President Obama, saying, "We believe this type of program is far too broad and inconsistent with our nation's founding principles." During a hearing of the Senate Appropriations Committee, Sen. Mark Kirk (R-IL) asked Attorney General Eric Holder whether the NSA has spied on members of Congress. EPIC has sent a letter to leaders in Congress calling for an investigation into the NSA's activities, and alleging that the FISC's authorization of the Verizon search was unlawful. For more information, see EPIC: Foreign Intelligence Surveillance Act, EPIC: Clapper v. Amnesty Int'l, and EPIC: USA Patriot Act.
- Sweeping NSA Domestic Surveillance Order Approved Without Any Ties to Foreign Intelligence Collection + (Jun. 6, 2013)
An unprecedented order from the Foreign Intelligence Surveillance Court indicates that the FBI and the NSA obtained vast amounts of data on Verizon customers without any ties to a foreign intelligence investigation. Last year, in testimony for the House Judiciary Committee, EPIC urged Congress not to renew the Foreign Intelligence Surveillance Act without first establishing appropriate oversight mechanisms. EPIC warned "there is simply too little known about the operation of the FISA today to determine whether it is effective and whether the privacy interests of Americans are adequately protected." For more information, see EPIC: Foreign Intelligence Surveillance Act, EPIC: Clapper v. Amnesty Int'l, and EPIC: USA Patriot Act.
- Texas Bill to Require Warrants for E-mail Searches Awaits Governor's Signature + (May. 29, 2013)
The Texas legislature has passed H.B. No. 2268, a bill that creates a warrant requirement for law enforcement access to stored electronic communications and customer data. The law, which was presented to Governor Rick Perry this week, is the first successful state effort to establish an across-the-board warrant requirement for stored communications. Congress is considering similar changes to the federal Electronic Communications Privacy Act. Others have proposed more sweeping privacy reforms, and there are bills in both the House and Senate that would establish location privacy protections. EPIC testified before the Texas Legislature on H.B. 1608, a location privacy companion to H.B. 2268. For more information, see EPIC: Electronic Communications Privacy Act and EPIC: Locational Privacy.
- Senator Paul Introduces Bill to Protect Fourth Amendment, Abolish "Third Party Doctrine" + (May. 28, 2013)
Senator Rand Paul (R-Ky) has introduced the Fourth Amendment Preservation and Protection Act of 2013, which would prohibit the warrantless collection of information about individuals held by third parties. The law would overturn the "third party doctrine," which has been widely criticized by courts and legal scholars. The bill has been referred to the Senate Judiciary Committee. Senator Paul will receive a 2013 EPIC Champion of Freedom Award in Washington, DC on June 3. For more information, see EPIC: Awards Dinner and EPIC: Electronic Communications Privacy Act.
- Congress Seeks Answers on Google Glass Privacy Risks + (May. 17, 2013)
Members of the bipartisan Privacy Caucus sent a letter to Google seeking answers to questions about Glass, a wearable computer that routinely records video and audio, and gathers locational data. Among several questions, the Members of Congress asked "how Google plans to prevent Google Glass from unintentionally collecting data about the user/non-user without consent?" and whether Glass would be able to use facial recognition technology. Recently, attorneys general for 38 states and the District of Columbia reached a $7 million settlement with Google over the unauthorized collection of data from wireless networks, including private WiFi networks of residential Internet users. Early last year, Google collapsed its privacy policies, prompting objections from EPIC, state attorneys general, members of Congress, and IT managers in the government and private sectors. For more information, see EPIC: Google Glass and Wearable Computers.
- White House Supports Media Shield Law + (May. 16, 2013)
Following the controversy concerning the Justice Department’s subpoena of Associated Press calling records, the Obama administration announced support for a media shield law. The White House has asked Senator Charles E. Schumer to reintroduce the Free Flow of Information Act, a bill that would limit government access to information about confidential sources and would allow journalists to move to quash subpoenas of their phone records. EPIC is currently seeking the legal basis for the Justice Department’s subpoena of phone records through a Freedom of Information Act request. For more information, see EPIC: Free Flow of Information Act.
- Amendment to Immigration Bill Seeks to Limit Drone Surveillance on Border + (May. 15, 2013)
The Senate Judiciary Committee has approved an Amendment to the immigration bill to limit the range of drone surveillance in the United States. The immigration bill grants the Bureau of Customs and Border Protection authority to operate surveillance drones continuously within the border region. Senator Dianne Feinstein's (D-CA) Amendment reduces the patrol area of surveillance drones from 100 miles around the border to 25 miles. More than two-thirds of the US population lives within 100 miles of the border. In February 2013, EPIC petitioned the Bureau of Customs and Border Protection to suspend the border drone surveillance program pending the establishment of concrete privacy regulations. The petition followed the production of documents to EPIC under the Freedom of Information Act demonstrating that the border drones had the ability to intercept electronic communications and identify human targets. For more information, see EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones.
- EPIC Asks House Committee to Press DOJ on News Media Subpoenas + (May. 15, 2013)
For the House Judiciary Committee hearing on Oversight of the United States Department of Justice, EPIC has sent a letter to Committee Members regarding the surveillance of Associated Press reporters. EPIC asked the Committee to determine whether the Justice Department complied with regulations on news media subpoenas, which were enacted in 1980 after passage of the Privacy Protection Act. For more information, see EPIC: Privacy Protection Act of 1980 and EPIC: Warrantless Surveillance Program.
- On Proposed Trade Agreement, EPIC Says Keep Privacy Off the Table + (May. 10, 2013)
EPIC has submitted comments to the U.S. Trade Representative addressing the Transatlantic Trade and Investment Partnership, a proposed trade agreement between the US and the European Union. In its comments, EPIC recommended that the TTIP negotiations exclude consumer privacy and data policy. Mindful of the US' progress in recent years on developing the Consumer Privacy Bill of Rights and the EU's General Data Protection Regulation, EPIC cautioned the USTR that an attempt to harmonize existing privacy regulations would not end well. If provisions about cross-border data flows arise, EPIC urged the USTR to ensure that consumers are given the highest level of privacy protections. EPIC also recommended that all drafts of negotiating texts be made publicly available since previous negotiating documents in similar trade agreement negotiations have been kept secret. EPIC has recently begun a new FOIA project to obtain information about the statements of US officials who participate in international negotiations concerning privacy and data protection. For more information, see EPIC: TTIP and EPIC: Open Government.
- White House Launches Open Data Project + (May. 10, 2013)
The President issued an Executive Order and memorandum this week outlining the administration's new "Open Data Policy." According to the White House, the goal is to make information "accessible, discoverable, and usable by the public" and to "promote interoperability and openness." The Executive Order states that agencies should also "safeguard individual privacy, confidentiality, and national security." The White House has launched Project Open Data, a collection of code, tools, and case studies to help agencies adopt the open data policy. An article in Foreign Policy this week "Think Again: Big Data" raises provocative questions about the actual value of "Big Data." For more information on Open Government issues, see: EPIC: Open Government and EPIC: Privacy Act.
- Senate Confirms Chairman of Privacy and Civil Liberties Oversight Board + (May. 7, 2013)
Today the Senate voted to confirm David Medine as the Chairman of the Privacy and Civil Liberties Oversight Board (PCLOB), an agency established to review executive branch actions and to protect privacy and civil liberties after 9/11. EPIC urged the creation of an independent privacy agency after 9/11. At the first meeting of the agency in 2012, EPIC set out several priorities for PCLOB, including (1) suspension of the fusion center program, (2) limitations on CCTV surveillance, (3) removal of airport body scanners, (4) establishing privacy regulation for drones, (5) updating data disclosure standards, and (6) ensuring Privacy Act adherence. For more information, see EPIC: The 9/11 Commission Report and EPIC: The Sui Generis Privacy Agency.
- 2012 FISA Orders Up, National Security Letters Down, No Surveillance Request Denied + (May. 2, 2013)
According to the 2012 Foreign Intelligence Surveillance Act (FISA) Report, the Department of Justice submitted 1,856 applications to the Foreign Intelligence Surveillance Court (FISC), a 6.4% increase over 2011. Of the 1,856 search applications, 1,789 sought authority to conduct electronic surveillance. The FISC did not deny any of the applications, although one was withdrawn by the Government. However, the FISC did make modifications to 40 of the applications, including one from the 2011 reporting period. In addition to the FISA orders, the FBI sent 15,229 National Security Letter requests for information concerning 6,223 different U.S. persons. This is a modest decrease from the 16,511 requests sent in 2011. Almost no information is available about FISA surveillance beyond the figures contained in the annual FISA letter, sent to the Senate each year by the Department of Justice, Office of Legislative Affairs. EPIC has recommended greater reporting of FISC applications and opinions, similar to what is disclosed in the Federal Wiretap Reports. For more information, see EPIC: Foreign Intelligence Surveillance Act Court Orders 1979-2012 and EPIC: Foreign Intelligence Surveillance Act.
- House Subcommittee Considers Geolocation Privacy + (Apr. 26, 2013)
The House Subcommittee on Crime, Terrorism, Homeland Security, and Investigations today heard testimony on proposed Geolocation Privacy safeguards for the collection and use of location data generated by cellphones and other devices. As EPIC recently noted in a letter to the House Judiciary Committee, and testimony before the Maryland House of Delegates and Texas House of Representatives on similar bills, ECPA does not protect location records; courts are divided on whether such records are protected by the Fourth Amendment. For more information, see EPIC: Locational Privacy.
- Senate Committee Clears Update to Email Privacy Law + (Apr. 26, 2013)
The Senate Judiciary Committee has approved a bill that would update the Electronic Communications Privacy Act, a 1986 law that provides privacy protections for email and digital communications. The update, sponsored by Senator Patrick Leahy (D-VT) and co-sponsored by Senator Mike Lee (R-UT), would extend protections to communications that are stored in the cloud. Earlier this year, the Supreme Court declined to review a decision by the South Carolina Supreme Court which held that ECPA does protect emails stored on remote computer servers. EPIC, joined by 18 national organizations, filed an amicus brief, urging the Supreme Court to clarify the scope of e-mail privacy protections. In March, EPIC sent a letter to the House Judiciary Committee, recommending a comprehensive review of the law. For more information, see EPIC: Electronic Communications Privacy Act and EPIC: Jennings v. Broome.
- White House Releases Unclassified Summary of Presidential Cybersecurity Directive + (Apr. 19, 2013)
The White House has released an unclassified summary of Presidential Policy Directive 20. The Policy Directive sets out the cybersecurity authority of the National Security Agency in the United States and has raised concerns about government surveillance of the Internet. The existence of the Directive was detailed in a story in the Washington Post in 2012, and EPIC immediately pursued the public release of the document. According to the White House, PPD-20 "established principles and processes for the use of cyber operations so that cyber tools are integrated with the full array of national security tools." EPIC is still pursuing the release of the full document. For more information, see EPIC: Cybersecurity Privacy Practical Implications and EPIC: EPIC v. NSA (NSPD 54).
- White House Threatens to Veto CISPA Unless Privacy Protections Improved + (Apr. 16, 2013)
In a Statement of Administration Policy, the White House threatened to veto the controversial Cyber Intelligence Sharing and Protection Act (CISPA) unless more robust privacy and civil liberties protections are added and newly authorized information sharing goes through a civilian agency. EPIC joined a letter signed by a coalition of privacy and civil liberty organizations to urge the House Permanent Select Committee on Intelligence to open the markup process for CISPA. The markup for CISPA remained closed, and as currently drafted, CISPA would allow companies to disclose vast amounts of customer and client information to other companies and the government, including the National Security Agency, for "cybersecurity purposes." EPIC favors government transparency and is currently pursuing a lawsuit against the NSA stemming from a FOIA request for National Security Presidential Directive 54, which grants the NSA broad authority over computer networks in the United States. For more information, see EPIC: EPIC v. NSA - Cybersecurity Authority.
- EPIC's Rotenberg Urges State Attorneys General to Safeguard Consumer Privacy + (Apr. 16, 2013)
Speaking at the annual conference of the National Association of Attorneys General, EPIC President Marc Rotenberg said that the state AGs cannot sit on the sidelines as consumers face increasing risks of identity theft, security breaches, and secretive profiling. Rotenberg said the onus shouldn’t be on consumers to keep up with ever-changing policy practices. “There is no reason that a customer should have to go back and check their privacy settings when a company changes its business practice.” The Attorneys General recently fined Google $7 million for violating state consumer protection laws when the company's vehicles, loaded with Internet packet sniffers, intercepted private residential communications. EPIC has also launched a promotional video "Good to Really Know" with information for consumers about online privacy. For more information, see EPIC: Consumer Privacy Bill of Rights and EPIC: Consumer Privacy.
- EPIC Supports Public Mark Up for Controversial Cyber Security Bill + (Apr. 4, 2013)
EPIC joined a letter signed by a coalition of privacy and civil liberty organizations to urge the House Permanent Select Committee on Intelligence to open the markup process of the Cyber Intelligence Sharing and Protection Act (CISPA) to the public. CISPA suspends privacy safeguards so that companies can disclose vast amounts of customer and client information to the government, including the National Security Agency, for "cybersecurity purposes." Some in Congress believe that the proposal should be adopted in a secret committee meeting. EPIC favors government transparency and is currently pursuing a lawsuit against the NSA stemming from a FOIA request for National Security Presidential Directive 54, which grants the NSA broad authority over computer networks in the United States. For more information, see EPIC: EPIC v. NSA - Cybersecurity Authority.
- EPIC Testifies in Austin on Texas Location Privacy Bill + (Mar. 28, 2013)
EPIC's Appellate Advocacy Counsel Alan Butler testified before the Texas State Assembly on a privacy bill for telephone location data. The House bill would establish a warrant requirement for location data and a comprehensive reporting requirement, similar to the federal wiretap reports. Mr. Butler discussed the need for clear rules governing location surveillance that satisfy Fourth Amendment standards, as well as the importance of public reporting and accountability. He also testified at a Senate Committee hearing on the proposal. EPIC recently submitted amicus briefs in State v. Earls and In re U.S. (5th Cir.) regarding location privacy. For more information, see EPIC: Locational Privacy.
- EPIC to Senate: Privacy Laws Needed for Drones in the US + (Mar. 21, 2013)
At a Senate Judiciary Committee hearing on "the Future of Drones in America," EPIC Domestic Surveillance Project Director Amie Stepanovich testified in support of new privacy safeguards prior to the deployment of drones in the United States. Also testifying at the hearing were Professor Ryan Calo, and representatives of law enforcement and the drone industry. The hearing was well attended and Senators across the committee expressed support for the development of new privacy legislation. Documents obtained by EPIC under the Freedom of Information Act indicate that the federal government has deployed domestic drones with the ability to intercept electronic communication and to identify human targets. In response to the revelations, EPIC has petitioned the Bureau of Customs and Border Protection, demanding the suspension of the drone program pending the development of privacy regulations. For more information, see EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones.
- The Future of Drones in America: Law Enforcement and Privacy Considerations + (Mar. 20, 2013)
"The Future of Drones in America: Law Enforcement and Privacy Considerations"
Amie Stepanovich,
Director, EPIC Domestic Surveillance Project
Senate Judiciary Committee
Washington, D.C.
March 20, 2013
- Congressman Markey Introduces Drone Privacy Legislation + (Mar. 19, 2013)
Congressman Markey has introduced the "Drone Aircraft Privacy and Transparency Act of 2013." The Bill sets out comprehensive transparency requirements for drone operators to protect privacy from unregulated drone surveillance. Under the terms of the bill, drone operators would be required to submit a detailed data collection and data minimization statement prior to obtaining a license to operate drones in the United States. The bill also states that surveillance by law enforcement agencies will require a warrant or extreme exigent circumstances. Congressman Markey said that privacy legislation is necessary to "prevent flying robots from becoming spying robots." For more information, see EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones.
- EPIC Highlights Need for Broad Reform of Federal Privacy Law + (Mar. 18, 2013)
In response to a request from the House Judiciary Committee, EPIC has recommended a comprehensive review of the federal communications privacy law. Congress will begin hearings this week on ECPA Part 1: Lawful Access to Stored Content. EPIC's letter to the Committee noted the recent settlement by the state Attorneys General with Google in the Street View matter and the reluctance of federal officials to pursue a similar investigation. EPIC also noted growing confusion in the lower courts about the application of the federal privacy law. Finally, EPIC pointed out that the current law provides inadequate protection for private location records. For more information, see EPIC: Electronic Communications Privacy Act and EPIC: Locational Privacy.
- EPIC to Testify at Senate Hearing on Drones and Domestic Surveillance + (Mar. 18, 2013)
Amie Stepanovich, the Director of EPIC's Domestic Surveillance Project, will testify this week before the Senate Judiciary Committee on "the Future of Drones in America." The hearing will feature expert testimony from EPIC Advisory Board member Professor Ryan Calo. Documents recently obtained by EPIC under the Freedom of Information Act indicate that the Bureau of Customs and Border Protection has deployed drones in the United States with the ability to intercept electronic communication and to identify human targets. As a consequence, EPIC has launched a petition urging the agency to suspend the drone program pending the establishment of comprehensive privacy regulations. Following a similar petition from EPIC, the FAA recently agreed to establish privacy rules for drone deployment. For more information, see EPIC: Domestic Unmanned Aerial Vehicles and Drones.
- EPIC Prevails in Social Media Monitoring FOIA Suit + (Mar. 4, 2013)
EPIC has obtained a court order and an opinion in a Freedom of Information Act lawsuit against the Department of Homeland Security, requiring the agency to turn over more documents about the monitoring of social media and Internet media organizations. EPIC had previously obtained several hundred pages of documents, revealing that the agency monitors the internet for reports that “reflect adversely” on the agency or the federal government. EPIC also obtained a list of very broad search terms used by the agency to monitor social media. As a result of EPIC’s findings, Congress held a hearing on "DHS Monitoring of Social Networking and Media: Enhancing Intelligence Gathering and Ensuring Privacy." For more information see: EPIC: EPIC v. Department of Homeland Security: Media Monitoring.
- EPIC Testifies Before Maryland Legislature on Location Privacy + (Feb. 28, 2013)
EPIC Appellate Advocacy Counsel Alan Butler testified before the Maryland House Judiciary Committee on H.B. 887, a location privacy bill that will establish a search warrant requirement for the collection of private location information. Mr. Butler discussed the current state of location tracking and privacy under the state and federal constitutions. The Maryland bill will require a warrant for location tracking and an annual report on electronic surveillance reports, similar to the federal wiretap reports. EPIC recently submitted amicus briefs in State v. Earls and In re US regarding location privacy. For more information, see EPIC: Locational Privacy and EPIC: State v. Earls.
- FTC Approves Final Settlement over Consumer Tracking, Fails to Enforce FIPs or Suggest Best Practices for Anonymization + (Feb. 26, 2013)
The Federal Trade Commission adopted a proposed settlement with Compete, Inc., over allegations that Compete failed to adopt reasonable data security practices and deceived consumers about the amount of personal information that its toolbar and survey panel would collect. The FTC also charged Compete with deceptive practices for falsely claiming that the data it kept was anonymous. The settlement requires Compete to obtain consumers' express consent before collecting any data through its software, to delete personal information already collected, and to provide directions for uninstalling its software. In comments to the agency, EPIC recommended that the FTC also require Compete to implement Fair Information Practices similar to those contained in the Consumer Privacy Bill of Rights, and develop a best practices guide to de-identification techniques. The FTC declined to adopt EPIC’s recommendations, stating that it "does not provide specific technical guidance in areas like [anonymization], which are constantly changing," and "may not impose additional obligations that are not reasonably related to such conduct or preventing its recurrence." For more information, see EPIC: Federal Trade Commission and EPIC: Re-Identification.
- EPIC Thanks Congress for FOIA Oversight, Calls for Renewed Attention to Transparency + (Feb. 20, 2013)
EPIC, along with more than 40 transparency organizations, thanked the House Committee on Oversight for sending a letter to the Department of Justice about the importance of the Freedom of Information Act. The open government organizations said "outdated FOIA regulations, excessive fee assessments, growing FOIA backlogs, and the misuse of exemptions are issues that continually frustrate FOIA requesters" and expressed hope that the Committee would share the Department of Justice's responses with the public. EPIC also joined more than two dozen transparency groups in a letter to President Obama, asking him to renew his commitment to transparency and FOIA. The President issued a memorandum on Transparency and Open Government in 2009. For more information see: EPIC: Open Government.
- "Sniff up to snuff," says Supreme Court in Drug-detecting Dog Case + (Feb. 19, 2013)
The Supreme Court ruled today in Florida v. Harris that the police may use drug detection dogs to conduct searches without a warrant even when the dog finds drugs it is not trained to detect. The Florida Supreme Court had ruled that the search was unlawful because the State failed to provide field performance records to establish the dog's reliability. The U.S. Supreme Court unanimously reversed in an opinion written by Justice Elena Kagan, rejecting the Florida court's "inflexible checklist" of necessary evidence in favor of a more flexible, "common-sensical standard." EPIC filed an amicus curiae brief in the case, arguing that "investigative techniques should be used based on research, testing, and data indicating reliability." EPIC cited a recent National Academy of Sciences report highlighting the lack of reliable standards for investigative techniques. Late last week, the Department of Justice announced a new initiative to improve forensics reliability. For more information, see EPIC: Florida v. Harris.
- New Legislation Aimed At Protecting Privacy From Domestic Drones + (Feb. 15, 2013)
Congressman Poe (R-TX) and Congresswoman Zoe Lofgren (D-CA) have introduced the "Preserving American Privacy Act of 2013," targeted at providing individual privacy protections in regard to drone surveillance. The bill would require all drone operators to submit a public data collection statement that includes a description of the drone's purpose and intended operations. The bill also would require a warrant in order for drone surveillance information to be received as evidence and includes a ban on equipping drones with firearms. EPIC has twice (1, 2) asked Congress to protect individual privacy against increased use of domestic drones. EPIC, joined by over 100 organizations, experts, and members of the public, petitioned the FAA to establish privacy safeguards. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones.
- White House Issues New Executive Order, Presidential Directive on Cybersecurity + (Feb. 13, 2013)
In conjunction with the 2013 State of the Union, President Obama has signed a public Executive Order on cybersecurity and "critical infrastructure." The Order grants new powers to federal agencies to share cybersecurity information with private companies. Affected federal agencies will "conduct regular assessments of privacy and civil liberties impacts." The President also issued Presidential Policy Directive 21, which directs the Secretary of the Department of Homeland Security to take specific, discrete actions regarding cybersecurity practices. EPIC is currently pursuing a Freedom of Information Act request with the National Security Agency for Presidential Policy Directive 20, a secret directive that grants cybersecurity authority to the National Security Agency. For more information, see EPIC: Cybersecurity Privacy Practical Implications and EPIC: EPIC v. NSA (Cybersecurity Authority).
- States Move to Limit Drone Surveillance + (Feb. 7, 2013)
Oregon became the most recent state to consider limits on the deployment of drones in the United States. A new bill sets out licensing requirements for drone use in Oregon and would fine those who use unlicensed drones to conduct surveillance. New limitations are also proposed for federal evidence collected by drone use in a state court. Florida, North Dakota, and Missouri are among the other states that are also considering laws that limit drone use within their jurisdiction. For more information, see EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones.
- Congress Challenges Justice Department Commitment to Open Government + (Feb. 7, 2013)
In a letter to the director of the Office of Information Policy, a Congressional oversight committee has asked a series of questions challenging the government's compliance with the FOIA. The Office of Information Policy is tasked with "encouraging agency compliance with the Freedom of Information Act (FOIA) and for ensuring that the President's FOIA Memorandum and the Attorney General's FOIA Guidelines are fully implemented across the government." The letter from Chairman Issa (R-CA) and Ranking Member Cummings (D-MD) called on the Justice Department to address concerns about "outdated FOIA regulations, exorbitant and possibly illegal fee assessments, FOIA backlogs, the excessive use and abuse of exemptions, and dispute resolution services." EPIC makes frequent use of the FOIA to obtain information from the government about surveillance and privacy policy. EPIC has also raised concerns in comments to federal agencies and to the Office of Government Information Services about systemic problems with FOIA compliance. For more information, see EPIC: Open Government and EPIC: FOIA Litigation Docket.
- US NGOs Urge US Government To Support EU Privacy Proposals + (Feb. 5, 2013)
EPIC has joined a coalition of leading US consumer and civil liberties organizations who have expressed concern about the role of US officials in the development of European privacy law. In a letter to the US Secretaries of State, Justice, and Commerce, the groups wrote to seek a meeting to ensure that US lobbying efforts in Europe "are not averse to the views expressed by the president." The letter states that "without exception," members of the European Parliament reported that US governmental agencies and businesses were "mounting an unprecedented lobbying campaign to limit the protections that European law would provide." The letter, endorsed by 18 US NGOs, emphasizes the President's commitment to protecting privacy, set out in the Consumer Privacy Bill of Rights. Last fall, EPIC Executive Director Marc Rotenberg testified in support of a proposed EU privacy reform before the European Parliament, and a group of transatlantic consumer organizations wrote a letter expressing their support for the EU effort to update and modernize privacy law. For more information, see EPIC: EU Data Protection Directive.
- Senator Leahy Supports International Privacy Day + (Jan. 28, 2013)
Senator Patrick Leahy, Chairman of the Senate Judiciary Committee, today issued a statement in commemoration of January 28, International Data Privacy Day. International privacy day marks the adoption of the Council of Europe Privacy Convention, the first global framework for privacy protection. Senator Leahy said, "In the Digital Age, Americans face new threats to their digital privacy and security as consumers and businesses alike collect, share and store more and more information in cyberspace. Data Privacy Day is an important reminder about the need to improve data privacy as we reap the many benefits of new technologies." EPIC has urged the United States to ratify the Privacy Convention. For more information, see EPIC: Electronic Communications Privacy Act, EPIC: International Privacy Day, and EPIC - Facebook, International Privacy Day.
- FTC Denies White House Involvement in Decision to Close Google Investigation + (Jan. 18, 2013)
In response to a FOIA request filed by EPIC, the Federal Trade Commission has stated that there are no records of "communications . . . between the White House and the FTC regarding the Commission's antitrust inquiry into Google." In a closely watched proceeding, the Federal Trade Commission announced in early January that it had closed an antitrust inquiry into Google's business practices. EPIC has previously expressed concern about anticompetitive practices by Internet firms. In 2000, EPIC filed a complaint with the Federal Trade Commission regarding the proposed merger of DoubleClick, an Internet advertising company, and Abacus, a catalog database firm. In 2007, EPIC opposed Google's acquisition of DoubleClick, which was approved by the FTC over the objection of former FTC Commissioner Pamela Harbour. In 2011, EPIC wrote to the FTC about Google's use of YouTube search rankings to give preferential treatment to its proprietary content over non-Google content. EPIC has also testified before the Senate Judiciary Committee regarding growing market concentration of essential Internet services. For more information, see EPIC: Open Government and EPIC: Federal Trade Commission.
- Senator Leahy Sets Out Judiciary Committee Agenda for New Congress + (Jan. 17, 2013)
On January 16, 2013, Georgetown University Law School hosted Senator Patrick Leahy (D-VT), the chairman of the Senate Judiciary Committee. Leahy set out the agenda of the Judiciary Committee in the 113th Congress, vowing to commit the Committee to addressing "our most fundamental rights, and our most basic freedoms." Updates to key legislation, including laws on e-mail privacy and cybersecurity, are included in the Committee's agenda. The Chairman explained that the Committee would also address the need for oversight of US counterterrorism programs as well as privacy issues involved with the growing use of domestic surveillance drones. Furthermore, Senator Leahy emphasized the importance of open government as an American value, promising to "continue to fight for transparency that keeps the government accountable to the people." For more information, see EPIC: Electronic Communications Privacy Act, EPIC: Open Government, and EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones.
- EPIC Hosts Event on Drones and Surveillance at National Press Club + (Jan. 15, 2013)
On January 15, 2013, EPIC hosted "Drones and Domestic Surveillance" at the National Press Club in Washington, DC. The symposium brought together experts in law, technology, and public policy to discuss the expanding use of unmanned vehicles in the United States. The event featured Representative Ted Poe (R-TX) as the keynote speaker and was moderated by EPIC's Executive Director, Marc Rotenberg. Congressman Poe announced his plans to introduce a bill in 2013, co-sponsored by Congresswoman Zoe Lofgren (D-CA), to protect privacy against increased drone use. Panelists at the event included technologist Bruce Schneier, privacy scholars Laura Donohue and Orin Kerr, CATO fellow Julian Sanchez, EPIC's Amie Stepanovich, and Gretchen West of AUVSI. EPIC, and a coalition of experts and organizations, have petitioned the Federal Aviation Administration to develop privacy regulations for drone use. For more information, see EPIC: Drones and Domestic Surveillance and EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones.
- California Attorney General Releases Mobile App Privacy Guidelines + (Jan. 10, 2013)
California Attorney General Kamala Harris has issued a report describing best practices for mobile application privacy. The report, "Privacy on the Go," recommends that app developers implement safeguards such as privacy-by-design and notice, but stops short of setting forth a comprehensive set of Fair Information Practices. The report follows a law that requires all service providers doing business in California, such as mobile app developers, to have a privacy policy available to consumers. The report also occurs while the White House's privacy multistakeholder process is attempting to develop a voluntary code of conduct for mobile app transparency. For more information, see EPIC: Mobile and Location Privacy.
- Senate to Debate Privacy Amendments for Surveillance Law + (Dec. 26, 2012)
The Senate is scheduled to debate several proposals that would establish new safeguards for the FISA Amendments Act, a controversial law that allows surveillance of the phone and email communications of US citizens without a warrant. Earlier this year, EPIC testified before the House Judiciary Committee, and recommended increased transparency and new public reporting of the Government's surveillance activities. Currently, the FISA letter to Congress provides little information about Government conduct. "Congress should not reauthorize the FISA Amendments Act until adequate oversight procedures are in place," EPIC Executive Director Marc Rotenberg said at the May hearing. For more information, see EPIC: Foreign Intelligence Surveillance Act and EPIC: Clapper v. Amnesty International.
- FTC Releases Updated Children’s Online Privacy Rule + (Dec. 19, 2012)
The Federal Trade Commission has updated the Children's Online Privacy Protection Act. The new Rule expands the definition of personal information to include geolocation information and persistent identifiers (or "cookies"), and prevents third-party advertisers from secretly collecting children’s personal information without parental consent for behavioral advertising purposes. EPIC supported the changes and responded to criticisms from industry groups. In 2010, EPIC testified before the United States Senate that the 1998 law was critical to protect the privacy of children but that updates were also essential in light of new business practices, the emergence of social networks, and smartphone apps. A subsequent FTC report found that many child-directed mobile apps lack adequate privacy safeguards. For more information, see EPIC: FTC and EPIC: Children's Online Privacy.
- FTC Pursues Investigation of Data Brokers + (Dec. 19, 2012)
The Federal Trade Commission has issued orders requiring nine data brokerage companies to provide the agency with information about how they collect and use data about consumers. The agency said it will use the information to study privacy practices in the data broker industry. In 2009, EPIC testified in support of new legislation to regulate the data broker industry. In 2005, EPIC brought a complaint to the FTC against the data broker ChoicePoint that produced a $10 million settlement, then the largest in the FTC's history for a violation of federal privacy law. For more information, see EPIC: ChoicePoint and EPIC: Federal Trade Commission.
- National Academy of Sciences to Undertake Independent Assessment of Airport Body Scanners + (Dec. 19, 2012)
After years of pressure from political leaders, civil liberties and health advocates, including EPIC, there will be an independent review of the health risks posed by backscatter x-ray devices. A National Academy of Sciences committee will assess “whether exposures comply with applicable health and safety standards” for passengers and airport employees. The study is limited to radiation and safety testing, and will not examine the privacy implications or effectiveness of the x-ray machines. In 2012, both the House and the Senate introduced legislation calling for an independent assessment of the controversial devices. Europe has also effectively banned the use of backscatter X-ray devices. EPIC has a FOIA lawsuit against DHS concerning body scanner radiation risks. In response to another EPIC lawsuit, the agency will begin a public comment process on the airport screening program in March 2013. For more information see: EPIC: Whole Body Imaging Technology and Body Scanners.
- Representative Markey Introduces Privacy Legislation for Aerial Drones + (Dec. 18, 2012)
Representative Ed Markey (D-MA) has introduced the Drone Aircraft Privacy and Transparency Act. The bill calls for the Federal Aviation Administration to complete a report on the privacy implications of domestic drone use. In addition, the bill will require drone operators to submit a data collection and data minimization statement concerning the collection of personally identifiable information. EPIC has twice (1, 2) asked Congress to protect individual privacy against increased use of domestic drones. EPIC, joined by over 100 organizations, experts, and members of the public, petitioned the FAA to establish privacy safeguards. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones.
- Senate Judiciary Committee Approves Location Privacy Bill + (Dec. 14, 2012)
The Location Privacy Act of 2011, sponsored by Senator Al Franken, has been reported favorably by the Senate Judiciary Committee. The bill requires affirmative consent for the collection and disclosure of location information, an important protection for cell phone users and users of location-based services. EPIC previously recommended similar protections for location data and filed comments with the Federal Communications Commission advocating location privacy safeguards under the Communications Act. For more information, see EPIC: Locational Privacy and EPIC: Electronic Communications Privacy Act.
- Appeals Court Upholds Non-Harmful Phone Spoofing + (Dec. 14, 2012)
A federal appeals court has ruled that a state law prohibiting all caller ID spoofing is preempted by the federal Truth in Caller ID Act of 2009. Under the federal law, it is only unlawful to transmit misleading caller information with the intent to defraud or cause harm. EPIC urged the Senate in 2007 and House of Representatives in 2006 and 2007 to establish this intent requirement to protect the use of Privacy Enhancing Technologies, which limit the disclosure of actual identity. The appeals court's ruling upholds this important privacy protection. For more information, see EPIC: Illegal Sale of Phone Records and EPIC: Comments to FCC on TCIA Rules.
- Senate Committee to Consider Location Privacy Bill + (Dec. 6, 2012)
The Senate Judiciary Committee is set to consider S. 1223, the Location Privacy Act of 2011, sponsored by Senator Al Franken. The bill would establish important privacy protections for cellphone users and require affirmative consent for the collection or disclosure of location data by service providers. EPIC previously recommended new protections for location data as part of the update of federal law. EPIC also filed comments with the Federal Communications Commission supporting guidelines for the protection of location data under the federal Communications Act. For more information, see EPIC: Locational Privacy and EPIC: Electronic Communications Privacy Act.
- EPIC: Hearing on FTC Nominee Should Address FTC's Settlement Process for Privacy Violations + (Dec. 4, 2012)
In a letter to the Senate Commerce Committee, EPIC has recommended that Congress require the Federal Trade Commission to consider more carefully the public's views on proposed privacy settlements. EPIC also recommended that the FTC require compliance with the Consumer Privacy Bill of Rights for companies that violate consumer privacy. The Committee is holding a hearing on the nomination of Joshua Wright to the FTC. The letter states that EPIC takes no position on the nomination of Dr. Wright, but encourages Congress to take the opportunity to explore the Commission's response to growing public concerns about privacy. EPIC routinely submits comments to the FTC on proposed consent orders, most recently on the Compete, Inc. settlement. EPIC has also recommended that the FTC promote the Consumer Privacy Bill of Rights in privacy settlements. For more information, see EPIC: Federal Trade Commission.
- EPIC Urges Congress to Suspend Funding for Body Scanner Program + (Nov. 29, 2012)
In a letter to Representatives Mike Rogers and Sheila Jackson Lee, EPIC has asked Congress to suspend funding for the airport body scanner program until the TSA has completed a court-ordered public rulemaking. The letter follows a House oversight hearing where members of Congress learned that the TSA had shipped millions of dollars' worth of backscatter X-ray devices to warehouses. Earlier the TSA stated that it was moving the devices to smaller airports for efficiency reasons. Backscatter X-ray devices are currently prohibited in Europe. For more information, see EPIC: EPIC v. DHS (Suspension of Body Scanner Program), EPIC: Whole Body Imaging Technology and Body Scanners ("Backscatter" X-Ray and Millimeter Wave Screening) and EPIC: Body Scanner FAQ.
- Senate Committee Updates ECPA, Modifies Video Privacy Law + (Nov. 29, 2012)
The Senate Judiciary Committee approved a bill that updates the Electronic Communications Privacy Act and modifies the Video Privacy Protection Act. The bill generally requires law enforcement to obtain a warrant before accessing email or other electronic communications and allows for blanket consent of video viewing information. An amendment by Senator Feinstein, adopted by the Committee, limited the opt-in to two years or until the user withdraws consent. EPIC previously testified against a proposal that would weaken the consent provision of the Video Privacy Protection Act. EPIC has also favored more extensive updates for ECPA, including coverage of locational information. For more information, see EPIC: Electronic Communications Privacy Act and EPIC: Video Privacy Protection Act.
- NSA Withholds Cybersecurity Directive, EPIC to Appeal + (Nov. 20, 2012)
The National Security Agency has responded to a Freedom of Information Act Request from EPIC, seeking the public release of Presidential Policy Directive 20. The Directive, first reported by the Washington Post, is believed to expand the NSA's cybersecurity authority. In response to EPIC, the NSA argued that the Agency does not have to release the document because it is a confidential presidential communication and it is classified by the NSA. EPIC is litigating similar claims against the NSA, including the release of NSPD 54, a 2008 presidential directive setting out the NSA’s cybersecurity authority. In an official statement to Congress earlier this year, EPIC explained that the NSA was a “black hole for public information about cybersecurity.” EPIC plans to appeal the NSA's determination. For more information, see EPIC: Cybersecurity Privacy Practical Implications, EPIC: EPIC v. NSA - Cybersecurity Authority.
- EPIC Submits Comments to FTC on Consumer Tracking Settlement + (Nov. 20, 2012)
EPIC submitted comments to the Federal Trade Commission on a recent settlement with Compete, Inc. The settlement arises from allegations that Compete failed to adopt reasonable data security practices and deceived consumers about the amount of personal information that its toolbar and survey panel would collect. The FTC also charged Compete with deceptive practices for falsely claiming that the data it kept was anonymous. The proposed settlement requires Compete to obtain consumers’ express consent before collecting any data through its software, to delete personal information already collected, and to provide directions for uninstalling its software. EPIC expressed support for the settlement, but recommended that the FTC also require Compete to implement Fair Information Practices similar to the Consumer Privacy Bill of Rights, make the compliance reports publicly available, and develop a best practices guide to de-identification techniques, as anonymization has become more critical for online privacy. For more information, see EPIC: Federal Trade Commission and EPIC: Re-Identification.
- Senate Reauthorizes SAFE WEB Act + (Nov. 15, 2012)
The Senate has approved a House bill to reauthorize the SAFE WEB Act. The SAFE WEB Act gives the Federal Trade Commission additional tools to combat cross-border fraud, spam, and spyware. EPIC previously testified before both the House Committee on Energy and Commerce and the Senate Committee on Commerce, Science and Transportation on the SAFE WEB Act. EPIC said that it supported legislation that safeguards privacy and ensures government oversight while enabling the FTC to work more closely with consumer protection agencies in other countries. For more information, see EPIC: Federal Trade Commission.
- Congress to Scrutinize TSA's "Scanner Shuffle" + (Nov. 14, 2012)
The House Subcommittee on Transportation Security is holding an oversight hearing this week, "TSA's Recent Scanner Shuffle: Real Strategy or Wasteful Smokescreen?" The hearing announcement follows a decision by the TSA to remove the backscatter x-ray devices from major US airports. In a statement for the record, EPIC highlighted public concerns about the use of body scanners, including health and privacy risks, and the failure of the TSA to take public comments on the program. In July 2011, the federal appeals court in Washington, DC ruled that the Department of Homeland Security must "act promptly" to receive public comments. For more information, see EPIC: EPIC v. DHS (Suspension of Body Scanner Program), EPIC: Whole Body Imaging Technology and Body Scanners ("Backscatter" X-Ray and Millimeter Wave Screening) and EPIC: Body Scanner FAQ.
- William Bryant Inn of Court + (Nov. 13, 2012)
Amie Stepanovich,
EPIC Associate Litigation Counsel
U.S. District Courthouse
Washington, D.C.
November 13, 2012
- DHS Privacy Review Fails to Address DHS Monitoring of Online Dissent + (Nov. 9, 2012)
The Department of Homeland Security released a Privacy Compliance Review which found that the DHS social media monitoring program complied with the DHS's own privacy requirements. Documents obtained by EPIC through a FOIA lawsuit revealed that DHS is monitoring social networks and media organizations for criticism of the agency. Congress held a hearing earlier this year to determine why DHS is tracking political statements on Twitter and social networks. EPIC's lawsuit against DHS is ongoing. For more information, see EPIC: EPIC v. Department of Homeland Security: Media Monitoring.
- Lawmakers Gain "Partial Glimpse" into Data Brokers' Business Practices + (Nov. 8, 2012)
Members of the Congressional Bi-Partisan Privacy Caucus released the responses of several data brokers to an inquiry into their business practices. Data brokers collect and sell the personal information of consumers to third parties, typically without the knowledge of the consumers themselves. The lawmakers reported that most of the companies did not consider themselves "data brokers," and that "[m]any questions about how these data brokers operate have been left unanswered, particularly how they analyze personal information to categorize and rate consumers." The Federal Trade Commission recently called for data-broker legislation in a report on consumer privacy. In 2005, EPIC brought a complaint against the data broker ChoicePoint that produced a $10 million settlement, the largest in the FTC's history for a violation of federal privacy law. For more information, see EPIC: ChoicePoint and EPIC: Federal Trade Commission.
- EPIC to Congress: Protect Privacy Against Drone Surveillance + (Nov. 5, 2012)
EPIC participated in a Congressional Hearing on the Impact of Domestic Drone Use Technology on Privacy and Constitutional Rights of All Americans, held at Rice University in Houston, Texas. Congressman Ted Poe (R-TX), sponsor of H.R. 6449: Air Travelers' Bill of Rights Act of 2012, convened the hearing. Joining Congressman Poe were Representatives Michael McCaul (R-TX), Hank Johnson (D-GA), and Sandy Adams (R-FL). EPIC's Amie Stepanovich testified on the need for specific laws to limit drone surveillance in the United States. In a prepared statement, EPIC recommended a warrant requirement for drone surveillance by police as well as data use limitations and transparency obligations for drone operators. In February, EPIC, joined by over 100 organizations, experts, and members of the public, petitioned the FAA to begin a rulemaking on the privacy impact of drone use. The Agency has not yet responded to the EPIC Petition. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones.
- EPIC Comments on FTC Rent-to-Own Computer Spying Settlement + (Oct. 26, 2012)
EPIC has submitted comments on a series of settlements between the Federal Trade Commission and companies that offered computers on a rent-to-own basis, typically to low-income consumers. The companies installed surveillance technology that secretly recorded keystrokes, location information, screenshots, and even took webcam photos. The settlements prohibit the companies from deceptively collecting information from consumers or collecting location information without consent, and require them to destroy the illegally-gathered data. EPIC expressed support for the settlements, and recommended that the FTC also require the companies to implement Fair Information Practices similar to the Consumer Privacy Bill of Rights, make the compliance reports publicly available, and hold a workshop on privacy and inequality. EPIC routinely comments on the FTC's proposed settlements concerning consumer privacy. For more information, see EPIC: Federal Trade Commission.
- Congressional Field Forum on Drones + (Oct. 25, 2012)
Congressional Field Forum on Drones
Amie Stepanovich,
EPIC Associate Litigation Counsel
House Judiciary Subcommittee on Crime, Terrorism, and Homeland Security
Houston, TX
October 25, 2012
- FBI Exempts Massive Database from Privacy Act Protections + (Oct. 10, 2012)
The Federal Bureau of Investigation has exempted the FBI Data Warehouse System from important Privacy Act safeguards. The database ingests troves of personally identifiable information including race, birthdate, biometric information, social security numbers, and financial information from various government agencies. The database contains information on a surprisingly broad category of individuals, including "subjects, suspects, victims, witnesses, complainants, informants, sources, bystanders, law enforcement personnel, intelligence personnel, other responders, administrative personnel, consultants, relatives, and associates who may be relevant to the investigation or intelligence operation; individuals who are identified in open source information or commercial databases, or who are associated, related, or have a nexus to the FBI’s missions; individuals whose information is collected and maintained for information system user auditing and security purposes." The Federal Bureau of Investigation has exempted these records from the notification, access, and amendment provisions of the Privacy Act. Earlier this year, EPIC opposed the Automated Targeting System, another massive government database that the Department of Homeland Security exempted from Privacy Act provisions. For more information, see EPIC: The Privacy Act of 1974 and EPIC: Automated Targeting System.
- Senate Report Finds Fusion Centers "Wasteful," Likely Violate Federal Privacy Laws + (Oct. 3, 2012)
A Senate Investigations Committee has released a new report on "State and Local Fusion Centers", government data warehouses that store an enormous amount of information on Americans. The Senate report found that Fusion Centers, operated by the Department of Homeland Security, "often produced irrelevant, useless or inappropriate intelligence" and stored records on U.S. persons, "possibly in violation of the Privacy Act." In 2007, EPIC's "Spotlight on Surveillance" warned that Fusion Centers would lead to "abuse and misuse." In subsequent FOIA cases, and comments to the DHS, EPIC helped document the many problems with the federal Fusion Center program, including lack of oversight and ineffective privacy safeguards. For more information, see EPIC: Information Fusion Centers and Privacy and EPIC: EPIC v. Virginia Department of State Police: Fusion Center Secrecy Bill.
- Senate Considers Amendment to Weaken Internet Privacy Law + (Sep. 20, 2012)
A Senate committee is today considering changes to the Video Privacy Protection Act, a law which safeguards the video viewing records of Internet users. The amendment would allow companies to obtain blanket consent for the use of customer information in the future, whether or not users knew who would receive the information or why it was being disclosed. In testimony before the Senate in January, EPIC strongly opposed the amendment and recommended instead changes that would update the law to provide greater safeguards for Internet users. A federal court recently held that the video law protects the privacy of Hulu subscribers. As the court explained, "Congress was concerned with protecting the confidentiality of private information about viewing preferences regardless of the business model or media format involved." The amendment is backed by Netflix and various industry lobbyists. For more information, see EPIC: Video Privacy Protection Act.
- House Renews Foreign Intelligence Surveillance Powers + (Sep. 12, 2012)
The House has voted to reauthorize the FISA Amendments Act (301-118). The Act authorizes programs of surveillance intended to target foreign agents, but allows collection of private communications of United States citizens without individualized suspicion. In May 2012, EPIC Executive Director Marc Rotenberg testified before the House Judiciary Committee on the legislation and recommended new oversight procedures. The Senate has yet to consider the measure. Senator Ron Wyden (D-OR) and others have expressed concern about renewal of the Act. For more information, see EPIC: Foreign Intelligence Surveillance Act and EPIC: Clapper v. Amnesty International USA.
- Rep. Markey Introduces Mobile Privacy Act + (Sep. 12, 2012)
Representative Edward Markey (D-MA) introduced "The Mobile Device Privacy Act," a bill that would require companies to disclose the existence of monitoring software to consumers and obtain consent before using this software to collect personal information. The bill, H.R. 6337, would also direct the Federal Trade Commission and the Federal Communications Commission to develop rules implementing the act’s provisions. Recently, EPIC filed comments with the FCC urging the Commission to require mobile carriers to implement comprehensive fair information practices. For more information, see EPIC: Customer Proprietary Network Information and EPIC: Location Privacy.
- FTC Finalizes Settlement with Myspace + (Sep. 11, 2012)
The Federal Trade Commission has finalized the terms of a settlement with Myspace. The settlement follows from allegations that Myspace allowed advertisers to access personally-identifying information after promising to keep such information private. The settlement requires Myspace to implement a comprehensive privacy program, submit to independent audits, and refrain from privacy misrepresentations. EPIC commented on the settlement, recommending that the FTC make the settlement at least as protective as a previous settlement with Facebook. Additionally, EPIC said, the FTC should require Myspace to implement practices consistent with the White House’s Consumer Privacy Bill of Rights. In response to EPIC’s comments, the FTC decided to accept the proposed settlement without modification but said that “the privacy program mandated under the consent order will require Myspace to address many of the consumer protections discussed in your comment.” For more information, see EPIC: Federal Trade Commission and EPIC: Social Networking Privacy.
- New Congressional Report Recommends TSA Address Privacy and Health Concerns with Airport Bodyscanners + (Sep. 11, 2012)
"Rebuilding TSA into a Smarter, Leaner Organization," a new House Report, critiques the Transportation Security Administration for "failing to meet taxpayers' expectations." The report, prepared by the House Committee on Homeland Security, recommends that the TSA sponsor "an independent analysis" of the health risks of body scanners and install privacy filters on all devices. The Report cites the decision in EPIC v. DHS, pointing out that the TSA has failed to abide by the ruling of a federal appeals court to "act promptly" to receive public comments. For more information, see EPIC v. Department of Homeland Security - Full Body Scanner Radiation Risks and EPIC v. TSA - Body Scanner Modifications (ATR).
- New CRS Report Finds Few Protections For Drone Surveillance + (Sep. 7, 2012)
"Drones in Domestic Surveillance Operations," a new report from the Congressional Research Service, examines current law, the Fourth Amendment, and recently introduced legislation. The CRS finds that "the prospect of drone use inside the United States raises far-reaching issues concerning the extent of government surveillance authority, the value of privacy in the digital age, and the role of Congress in reconciling these issues." In testimony before a House Subcommittee earlier this year, EPIC's Amie Stepanovich stated, "there are substantial legal and constitutional issues involved in the deployment of aerial drones by federal agencies that need to be addressed." EPIC recommended that the FAA develop privacy rules, that DHS conduct a privacy assessment, and that Congress establish new privacy safeguards. EPIC, joined by over 100 organizations, experts, and members of the public, has also petitioned the FAA to begin a rulemaking on the privacy impact of drone use. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones.
- 2012 Democrat Platform Endorses Internet Privacy + (Sep. 4, 2012)
The 2012 Democratic National Platform supports the administration’s Internet Privacy Bill of Rights to protect consumer privacy. Separate provisions in the platform call for privacy protections for broadband deployment, intellectual property enforcement, and cybersecurity laws; the Democratic platform opposes voter identification laws. However, the platform is silent on the Fourth Amendment, and retreats from the 2008 Democratic platform that opposed surveillance of individuals who were not suspected of a crime. In 2008, Candidate Obama promised to "strengthen the privacy protections for the digital age and to harness the power of technology to hold government and business accountable for violations of personal privacy." The 2012 Republican Platform was released last week. The Libertarian and Green Party platforms are also available. For more information, see EPIC: Privacy and Consumer Profiling, EPIC: Voter Photo ID and Privacy, EPIC: National Security Letters, and EPIC: Cybersecurity Privacy Practical Implications.
- Republican Party Seeks To Limit Drone Surveillance + (Aug. 28, 2012)
The 2012 Republican Party Platform advocates Fourth Amendment limits on government drones. “We support pending legislation to prevent unwarranted or unreasonable governmental intrusion through the use of aerial surveillance or flyovers on U.S. soil, with the exception of patrolling our national borders.” Senator Rand Paul (R-KY) and Representative Austin Scott (R-GA) introduced legislation earlier this year to limit aerial drone surveillance. In March, the House approved an amendment to the National Defense Authorization Act of 2013, introduced by Representative Landry (R-LA), that prohibits information collected without a warrant by drones operated by the Department of Defense from being used in court. Congressman Ed Markey (D-MA) has also proposed comprehensive legislation for drones. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones.
- Federal Court Applies Video Privacy Law to Streaming Services + (Aug. 20, 2012)
A federal court recently held that the Video Privacy Protection Act applied to companies that provide video streaming services over the Internet. The opinion, which is the first to address the issue, relies on the forward-looking nature of the law, reasoning that "Congress was concerned with protecting the confidentiality of private information about viewing preferences regardless of the business model or media format involved." EPIC previously testified before the Senate Judiciary Committee and recommended several ways that Congress could strengthen the Act, such as by confirming that it applies to streaming services and allowing users to inspect the information that video providers collect about them. The Senate is considering an amendment that would weaken the consent provision of the law by allowing companies such as Netflix to obtain blanket consent to routinely disclose a consumer’s video viewing records. For more information, see EPIC: Video Privacy Protection.
- White House Pulls Down TSA Petition + (Aug. 9, 2012)
At approximately 11:30 am EDT, the White House removed a petition about the TSA airport screening procedures from the White House "We the People" website. About 22,500 of the 25,000 signatures necessary for a response from the Administration were obtained when the White House unexpectedly cut short the time period for the petition. The site also went down for "maintenance" following an article in Wired that sought support for the campaign.
- Federal Appeals Court Holds that Driver's Privacy Law Applies to Parking Tickets + (Aug. 9, 2012)
The Seventh Circuit Court of Appeals held that a federal driver’s privacy law prevented a Chicago suburb from issuing tickets that contained the driver's name, address, driver's license number, date of birth, height and weight. The Driver's Privacy Protection Act is a federal law passed after a California actress was murdered by a stalker who obtained personal information from the state department of motor vehicles. EPIC recently filed a "friend of the court" brief arguing that resellers of state driver records should be strictly liable under the Act. For more information, see EPIC: Driver’s Privacy.
- White House TSA Petition Passes 20,000 Signatures + (Aug. 7, 2012)
A petition, posted at the White House website "We The People," urging the Transportation Security Administration to "Follow the Law!" has received more than 20,000 signatures. If 25,000 people sign the petition before August 9, 2012, the White House will respond. The petition asks President Obama to force the Transportation Security Administration to begin the public comment process on the controversial airport body scanner program, as the agency was ordered to do by a federal court more than a year ago. For more information, see EPIC v. DHS (Suspension of Body Scanners).
- Senate Confirms Four Members of the Privacy and Civil Liberties Oversight Board + (Aug. 3, 2012)
The Senate voted late Thursday to confirm four nominees to the Privacy and Civil Liberties Oversight Board before its summer recess. The Board was created by Congress in 2004, at the recommendation of the 9/11 Commission, to advise the President and other senior executive branch officials and ensure that privacy and civil liberties are protected as laws, regulations, and executive branch policies are implemented. It was reconstituted as an independent agency in 2007, but since then Congress has failed to confirm all five members of the board. After yesterday's confirmations the Board can "do work," but it cannot hire staff until the Senate confirms its Chairman. For more information, see EPIC: Privacy Oversight and EPIC: The Sui Generis Privacy Agency.
- Markey Bill Would Limit Drone Surveillance + (Aug. 1, 2012)
Representative Ed Markey (D-MA) has announced a bill aimed at protecting individual privacy from drone surveillance. Rep. Markey said, "When it comes to privacy protections for the American people, drones are flying blind." The draft bill requires the FAA to establish privacy safeguards for drone operators and creates new limits on data collection by law enforcement agencies. Earlier this year, EPIC, joined by over 100 organizations, experts, and members of the public, petitioned the FAA to begin a rulemaking on the privacy impact of drone use. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones.
- Court Orders Homeland Security to Answer EPIC's Petition + (Aug. 1, 2012)
The US Court of Appeals for the DC Circuit has ordered the DHS to respond to EPIC's mandamus petition to "enforce the court's mandate" by August 30. EPIC filed the "extraordinary writ" after a year had passed since the federal agency was ordered to begin a public rulemaking on the controversial airport body scanner program. A coalition of organizations, led by the Competitive Enterprise Institute, has filed an amicus brief in support of the EPIC petition and a separate petition to the White House has gathered more than 16,000 signatures. For more information, see EPIC v. DHS (suspension of airport body scanners).
- Senate Committee Considers Updates to Federal Privacy Act + (Jul. 31, 2012)
The Senate Oversight of Government Management Subcommittee held a hearing today on "The State of Federal Privacy and Data Security Law: Lagging Behind the Times?" The hearing focused on S.1732, the Privacy Act Modernization for the Information Age Act of 2011, and S.3414, an amendment to the Cybersecurity Act of 2012, introduced by Senator Daniel Akaka (D-HI). Both measures would strengthen privacy protections for personal information collected by government agencies. Senate witnesses agreed that after the Supreme Court decision in FAA v. Cooper, the Privacy Act should be amended to compensate individuals for provable, nonpecuniary harms. EPIC has made several recommendations to update the federal privacy law and also warned about the deployment of new agency profiling systems. For more information, see EPIC: The Privacy Act of 1974 and EPIC: Automated Targeting System.
- Senate Amendment Would Weaken Video Privacy Act + (Jul. 30, 2012)
The Senate is considering an amendment that would weaken the consent provision of the Video Privacy Protection Act by allowing companies such as Netflix to obtain blanket consent to routinely disclose a consumer’s video viewing records. EPIC previously testified before the Senate Judiciary Committee and recommended that Congress strengthen the consumer privacy law by giving users access to the information collected about them, by extending the scope of coverage, and by increasing the penalties for violations of the law. For more information, see EPIC: Video Privacy Protection.
- Franken Amendment Seeks to Protect Cybersecurity Privacy + (Jul. 30, 2012)
The Senate is expected to consider the Cybersecurity Act of 2012 prior to the August recess. Unlike the Secure IT Act, the Cybersecurity Act would avoid the NSA takeover of the Internet. However, privacy concerns remain about the broad authority of Internet companies to monitor Internet users and turn information over to the government. An amendment sponsored by Senator Al Franken (D-Minn) would limit this surveillance. A provision that limits the disclosure of cybersecurity threat information remains in the Act. Earlier this year, EPIC recommended to the Senate that the Freedom of Information Act limitation be removed. For more information, see EPIC: Cybersecurity Privacy Practical Implications.
- White House TSA Petition Passes 15,000 + (Jul. 23, 2012)
A petition posted at the White House website "We the People" urging the Transportation Security Administration to "Follow the Law!" has received more than 15,000 signatures. If 25,000 people sign the petition before August 9, 2012, the White House will respond. The petition asks President Obama to force the TSA to begin the public comment process on the controversial airport body scanner program, as the agency was ordered to do by a federal court more than a year ago. For more information, see EPIC v. DHS (suspension of airport body scanners).
- FISA Reform Proposal Moves Forward in Senate + (Jul. 20, 2012)
The Senate Judiciary Committee has approved a bill that would establish new safeguards for the Foreign Intelligence Surveillance Amendments Act. The Act provides for court approval of 'programs of surveillance' that allow for the collection of communications of US citizens. The bill, sponsored by Senator Patrick Leahy (D-VT), would renew the Act but also establish new reporting requirements to improve government accountability. In May 2012, EPIC Executive Director Marc Rotenberg testified before the House Judiciary Committee, and recommended increased oversight and reporting. For more information, see EPIC: Foreign Intelligence Surveillance Act and EPIC: Clapper v. Amnesty International USA.
- Airport Body-Scanning: Will TSA Follow the Law? + (Jul. 19, 2012)
CATO Institute Briefing: Airport Body-Scanning: Will TSA Follow the Law?
Ginger McCall, Counsel
EPIC Open Government Project Director
2212 Rayburn House Office Building
Washington, DC
July 19, 2012 (lunch provided)
- Using Unmanned Aerial Systems Within the Homeland: Security Game Changer? + (Jul. 19, 2012)
Congressional Hearing: "Using Unmanned Aerial Systems Within the Homeland: Security Game Changer?"
Amie Stepanovich,
EPIC Associate Litigation Counsel
House Committee on Homeland Security
311 Cannon Building
Washington, DC
July 19, 2012
- EPIC Asks Congress to Adopt Privacy Safeguards for Drones + (Jul. 19, 2012)
Today's House Homeland Security Oversight Subcommittee hearing, "Using Unmanned Aerial Systems Within the Homeland: Security Game Changer?" examined federal use of drones in the United States. University of Texas Professor Todd Humphreys testified about how he gained full flight control of a drone operated by someone else. On the second panel, EPIC's Amie Stepanovich testified on the privacy implications of domestic drone use, alongside Gerald Dillingham and Chief Deputy William McDaniel. In February, EPIC, joined by over 100 organizations, experts, and members of the public, petitioned the FAA to begin a rulemaking on the privacy impact of drone use. The Agency has not yet responded to the EPIC Petition or addressed privacy concerns. EPIC recommended that the FAA develop privacy rules, that DHS conduct a privacy assessment, and that Congress establish new privacy safeguards. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones.
- EPIC Recommends Protections for Use of Commercial Facial Recognition Technology + (Jul. 18, 2012)
In a statement for the record, EPIC called on the Senate Subcommittee on Privacy, Technology, and the Law to protect the ability of individuals to control the disclosure of their identity. The hearing on "What Facial Recognition Technology Means for Privacy and Civil Liberties" will feature witnesses from the government, private companies, and academia. EPIC recommended that Fair Information Practices ("FIP") be enforced against companies that collect facial recognition data. These legal obligations would include limitations on collection, use, and retention of the data, informed consent, security, accessibility, and accountability. "In the absence of guidelines and legal standards, EPIC recommends a moratorium on the commercial deployment of facial recognition techniques." For more information, see EPIC: Facial Recognition.
- EPIC Urges FTC to Develop Meaningful Privacy Protections for Mobile Services + (Jul. 11, 2012)
EPIC has submitted comments to the Federal Trade Commission concerning "Advertising and Privacy Disclosures in a Digital World". The FTC is currently exploring ways businesses could improve privacy notices for mobile devices. EPIC pointed out that many of the techniques, such as privacy icons, suffer from the same problems as traditional privacy notices. EPIC recommended that the FTC focus instead on substantive privacy protections, such as those found in the federal Privacy Act, sectoral privacy laws, and the Consumer Privacy Bill of Rights, proposed by the White House. An earlier FTC report called for new privacy legislation and an FTC investigation documented privacy problems with mobile applications for children. For more information, see EPIC: Federal Trade Commission.
- Law Enforcement Requests to Wireless Carriers Topped 1.3 Million in 2011 + (Jul. 9, 2012)
In response to recent letters from Congressman Ed Markey (D-MA), nine mobile wireless carriers have provided detailed reports of law enforcement requests for user cell phone records. These requests come from agencies - across all levels of government - seeking text messages, caller locations, and other information in the course of investigations. The reports show that companies turn over thousands of records a day in response to subpoenas, court orders, police emergencies, and other requests. The volume of requests has increased as much as 16 percent for some companies over the last five years, and some carriers have rejected as many as 15 percent of all requests that they found legally questionable or unjustified. EPIC recently filed amicus briefs in the Fifth Circuit and New Jersey Supreme Court arguing that disclosure of historical and real-time cell phone location information violates a reasonable expectation of privacy and thus requires a warrant under the Fourth Amendment. For more information, see EPIC: In re Historic Cell-Site Location Information, EPIC: State v. Earls.
- Executive Order Grants Authority to Seize Private Communications Facilities + (Jul. 9, 2012)
The White House has released a new Executive Order seeking to ensure the continuity of government communications during a national emergency. The Executive Order grants new powers to the Department of Homeland Security, including the ability to collect certain public communications information. Under the Executive Order the White House has also granted the Department the authority to seize private facilities when necessary, effectively shutting down or limiting civilian communications. In 2011, Congress considered similar provisions in cybersecurity legislation, which would have allowed the government to disconnect communications traffic in times of national security. Following public protest, Congress abandoned the proposal. For more information, see EPIC: Cybersecurity Privacy Practical Implications.
- Administration Releases More Details on Privacy Multistakeholder Meeting + (Jun. 28, 2012)
The National Telecommunications and Information Administration published a notice with new information about the privacy multistakeholder process. The purpose of the initiative is to implement the White House Consumer Privacy Bill of Rights; the first meeting will focus on mobile applications. The meeting will be held on Thursday, July 12 at the Department of Commerce. However, there will be limited opportunity for those outside of Washington, DC to participate in the "multistakeholder" meeting. In previous comments to the agency, EPIC said that the Administrative Procedure Act, a well established legal framework for soliciting public comment, is a better and more transparent way to produce a meaningful outcome. For more information, see EPIC: NTIA Multistakeholder Process.
- Senate Judiciary Holds Hearing on Voter Suppressions + (Jun. 27, 2012)
The Senate Judiciary Committee held a hearing on “Prohibiting the Use of Deceptive Practices and Voter Intimidation Tactics in Federal Elections." The Senate is considering new legislation to address the problem of deceptive practices and voter intimidation. Committee Chairman Patrick Leahy cited "burdensome identification laws" as one of the obstacles to public participation in federal elections. A new report highlights similar problems in the recent Canadian national election. EPIC has published reports on deceptive campaign practices and filed briefs in opposition to unnecessary voter ID requirements. For more information see EPIC Voting Privacy and EPIC - Crawford v. Marion County.
- House Panel Votes to Renew Surveillance Law Without New Safeguards + (Jun. 21, 2012)
The House Judiciary Committee voted to reauthorize the FISA Amendments Act, HR 5949, through Dec. 31, 2017 without any changes. The Act authorizes "programs of surveillance" intended to target foreign agents, but also allows collection of private communications of United States citizens without individualized suspicion. EPIC Executive Director Marc Rotenberg recently testified before the Committee and recommended that Congress strengthen oversight procedures to protect privacy and limit possible misuses of the legal authority. But amendments to improve accountability introduced by Rep. John Conyers (D-MI), Rep. Jerrold Nadler (D-NY), Rep. Bobby Scott (D-VA), and Rep. Sheila Jackson-Lee (D-Texas) were all defeated. In the Senate, Senator Ron Wyden (D-OR) and others have expressed concern about renewal of the Act. For more information, see EPIC: Foreign Intelligence Surveillance Act and EPIC: Clapper v. Amnesty International USA.
- Senator Schumer: High Resolution Mapping Must Respect Privacy + (Jun. 20, 2012)
Senator Charles Schumer (D-NY) has sent a letter to Apple and Google after the companies announced high-definition, 3-D aerial mapping products. Apple’s Flyover displays detailed images of metropolitan areas, while Google will collect 3-D images for its mapping service. Neither company has indicated if aerial drones will be used to collect imagery. Senator Schumer expressed concern about the privacy implications of the new services. He asked the companies to provide advanced notification when the aerial surveillance was to occur, allow individuals to opt-out of having their property displayed, and ensure blurring of individuals and sensitive infrastructure. The full scope of Apple and Google's aerial surveillance program is not known. In 2010, it was revealed that Google’s "Street View" vehicles were also collecting vast amounts of personal communications from private wi-fi networks. For more information, see EPIC: Investigations of Google Street View and EPIC: Unmanned Aerial Vehicles and Drones.
- House to Consider Bill to Reauthorize Expansive Surveillance Law + (Jun. 18, 2012)
The House Committee on the Judiciary will mark up the FISA Amendments Act Reauthorization Act of 2012 on Tuesday, June 19, 2012. The Act authorizes government surveillance of international communications, including the private communications of United States citizens. Currently, the law provides little information to Congress or the public about these surveillance activities. EPIC Executive Director Marc Rotenberg recently testified at an oversight hearing, and called on Congress to strengthen oversight procedures and increase transparency before the Act is renewed. In a recent report by the Senate Intelligence Committee, Senators Mark Udall and Ron Wyden also said that the FISA contains a loophole that allows the government "to circumvent traditional warrant protections and search for the communications of a potentially large number of American citizens." For more information, see EPIC: Foreign Intelligence Surveillance Act and EPIC: Clapper v. Amnesty International.
- New Report Finds Border Surveillance Drone Program Inefficient and Ineffective + (Jun. 12, 2012)
A new Report highlights problems with the drone program operated by the Bureau of Customs and Border Protection. The Bureau has purchased 10 drones, costing approximately $18 million each, and has expended an additional $55.3 million for maintenance and operations. But according to the Office of Inspector General, the Bureau "needs to improve planning of its unmanned aircraft systems program to address its level of operation, program funding, and resource requirements, along with stakeholder needs." Also, despite the Bureau’s limited mission to safeguard the borders, the Bureau often flies missions for the FBI, the DOD, NOAA, local law enforcement, and other agencies. This practice made headlines last year when police in North Dakota used a Bureau drone to arrest a U.S. citizen. This week Sen. Rand Paul (R-KY) and Rep. Austin Scott (R-GA) introduced bills in the Senate and the House to limit the use of drones for surveillance in the United States. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones.
- EPIC Urges FTC to Protect Privacy of Myspace Users + (Jun. 8, 2012)
EPIC submitted comments to the Federal Trade Commission on a proposed settlement with Myspace. The settlement follows from allegations that Myspace allowed advertisers to access personally-identifying information after promising to keep such information private. The settlement requires Myspace to implement a comprehensive privacy program, submit to independent audits, and refrain from privacy misrepresentations. EPIC expressed support for the settlement in general, but recommended that the FTC make the settlement at least as protective as a previous settlement with Facebook. Additionally, EPIC said, the FTC should require Myspace to implement practices consistent with the White House's Consumer Privacy Bill of Rights. For more information, see EPIC: Federal Trade Commission and EPIC: Social Networking Privacy.
- LinkedIn Breach Leads to 6.5 Million Stolen Passwords + (Jun. 7, 2012)
The professional social network LinkedIn suffered a security breach that exposed the passwords of over 6 million users. A user on a Russian Web forum reported downloading 6 million LinkedIn passwords. LinkedIn later confirmed that some of the passwords corresponded to LinkedIn accounts, deactivated those passwords, and advised all users to update their passwords. EPIC testified about the growing problem of data breaches in 2011 before the House Financial Services Committee and the Senate Banking Committee. For more information, see EPIC: Cybersecurity and Privacy.
- EPIC to Congress: "Strengthen FISA Oversight" + (Jun. 1, 2012)
EPIC Executive Director Marc Rotenberg will testify before the House Judiciary Subcommittee on the FISA Amendments Act of 2008. The Act authorizes Government surveillance of international communications, including the private communications of U.S. citizens. EPIC will recommend increased transparency and new public reporting of the Government's surveillance activities. Currently, the FISA letter to Congress provides little to no information about Government conduct. "Congress should not reauthorize the FISA Act until adequate oversight procedures are in place," Rotenberg said. The hearing will be webcast. For more information, see EPIC: Foreign Intelligence Surveillance Act and EPIC: Clapper v. Amnesty International.
- Congressional Hearing: The FISA Amendments Act of 2008 + (May. 30, 2012)
Congressional Hearing: The FISA Amendments Act of 2008
Marc Rotenberg,
EPIC Executive Director
House Judiciary Committee
Washington, D.C.
June 31, 2012
- EPIC to Testify on Foreign Intelligence Surveillance Act + (May. 25, 2012)
EPIC Executive Director Marc Rotenberg is scheduled to testify before the House Judiciary Committee at a hearing on May 31, 2012 regarding the FISA Amendments Act of 2008. For more information, see EPIC: Foreign Intelligence Surveillance Act and EPIC: Foreign Intelligence Surveillance Court.
- Senate Approves FDA Transparency Amendment + (May. 24, 2012)
The Senate has approved a pro-transparency amendment sponsored by Senator Patrick Leahy (D-VT) to the Food and Drug Administration Safety and Innovation Act. Senator Leahy's amendment will preserve public access to information in the agency's possession related to drugs and pharmaceuticals. The Act originally would have allowed the agency to deny public access to information relating to drugs obtained from a federal, state, local, or foreign government agency if that agency had requested that the information be kept confidential. Many members of the government transparency and accountability community objected in a letter to Congress, highlighting the importance of transparency regarding drug information and the potential health and safety risks created by the original language. For more information, see Openthegovernment.org and EPIC: Open Government.
- House Approves Amendment to Defense Spending Bill to Limit Defense Drones Surveillance + (May. 17, 2012)
The House of Representatives has approved an amendment, introduced by Congressman Landry (R-LA), to the National Defense Authorization Act to prohibit information collected by Department of Defense drones without a warrant from being used as evidence in court. New legislation requires the Federal Aviation Administration to develop rules governing the operation of drones in the U.S. National Airspace. Shortly after passage, EPIC, joined by over 100 organizations, experts, and members of the public, submitted a petition to the FAA requesting a public rulemaking on the privacy impact of drone use in US airspace. The petition is still pending with the agency. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones.
- Privacy Board Approved by Judiciary Committee, Vote Moves to Senate + (May. 17, 2012)
The Senate Committee on the Judiciary has approved President Obama's five nominees for the Privacy and Civil Liberties Oversight Board. The Board is an independent entity charged with ensuring that fundamental rights are protected in the implementation of government programs, including cybersecurity. Originally convened in 2004, the five seats on the Board have remained vacant for the past five years. Senator Leahy, the Chairman of the Judiciary Committee, said, "When we worked to create this board, we did so to ensure that our fundamental rights and liberties would be preserved…The Senate should move quickly to confirm the nominees to the board so that they can get to their important work." For more information, see EPIC: 9/11 Commission Report and "The Sui Generis Privacy Agency: How the United States Institutionalized Privacy Oversight After 9-11."
- EPIC Supports Geolocation Privacy Act, Suggests Improvement + (May. 16, 2012)
In a Statement for the Record, EPIC has expressed support for H.R. 2168, the "Geolocational Privacy and Surveillance Act," which prohibits the interception of location information by private parties and government agents acting without a search warrant. The bill will be considered at a hearing before the House Subcommittee on Crime, Terrorism, and Homeland Security. EPIC said "as communications technologies evolve, new forms of personal information are generated that require new legal safeguards." EPIC also recommended that Congress adopt purpose-specification and data limitation requirements for data stored by private companies, require affirmative consent prior to the collection of location data, and clarify an exception that permits the interception of location data made available through publicly accessible systems. For more information, see EPIC: Location Privacy.
- EPIC Proposes Update to Privacy Act to Address Recent Supreme Court Decision + (May. 14, 2012)
Following the recent decision of the Supreme Court in FAA v. Cooper, EPIC has set out proposed changes to the Privacy Act that would compensate individuals for provable nonpecuniary harms caused by willful violations of the Privacy Act. In Cooper, the Supreme Court held that the Privacy Act "does not unequivocally authorize" compensatory damages for mental or emotional distress. Justice Sotomayor, joined by Justices Ginsburg and Breyer, wrote in dissent that "the primary, and often only, damages sustained as a result of an invasion of privacy are . . . mental or emotional distress." EPIC recommended that the Privacy Act explicitly define "actual damages" to include provable mental and emotional distress. EPIC's letter follows an earlier request from Senator Daniel Akaka (D-HI) for comment on S.1732, the Privacy Act Modernization for the Information Age Act of 2011. For more information, see EPIC: FAA v. Cooper and EPIC: The Privacy Act of 1974.
- EPIC Calls on FTC to Develop Substantive Privacy Protections at Workshop on Mobile Advertising + (May. 11, 2012)
EPIC submitted comments to the Federal Trade Commission for the May 30 workshop on mobile advertising disclosures. EPIC recommended that the agency focus on the development of substantive privacy protections, such as the Consumer Privacy Bill of Rights announced by the President earlier this year, for mobile services. EPIC also recommended that the workshop address a series of problems with the "notice and consent" approach, as well as the merits of innovative, nonverbal approaches proposed by privacy scholars. The workshop follows an FTC report calling for privacy legislation and an investigation that documented privacy problems with mobile applications for children. For more information, see EPIC: Federal Trade Commission.
- On Google Spy-Fi, Senator Durbin Calls for Update to Wiretap Law, FCC Chair Agrees Law Should Protect Unencrypted Communications + (May. 11, 2012)
In a hearing with Federal Communications Commission Chairman Julius Genachowski, Senator Dick Durbin (D-IL) criticized the agency's decision to issue a mere $25,000 fine against Google following the investigation of Street View data collection. (Hearing video beginning at 64:20) Senator Durbin said that Google's interception and collection of private wi-fi communication was a clear violation of privacy. Chairman Genachowski defended the agency's decision but agreed with the committee chairman that "the law should protect people even if they have unencrypted wi-fi." Senator Durbin said that he would consider changes to the law if that is necessary. Senator Durbin also asked the FCC to provide the legal memoranda supporting the FCC's decision not to find Google guilty of violating the Communications Act. EPIC has a similar FOIA request pending with the agency. For more information, see EPIC: FCC Investigation of Google Street View and EPIC: Electronic Communications Privacy Act.
- Classified Report Finds Vulnerabilities in Body Scanner Program + (May. 4, 2012)
The Department of Homeland Security Office of Inspector General has completed an investigation into the effectiveness of the body scanner program as deployed in airports as a primary passenger screening system. The unclassified summary of the report notes that several vulnerabilities were found in the program, which has already cost more than $87 million. The full report consists of "Sensitive Security Information" (SSI) and will not be released to the public, according to the Inspector General. EPIC has challenged the SSI designation, arguing that it is an improper standard for classification. The Government Accountability Office, technical experts, Members of Congress, and bloggers have also questioned the effectiveness of the devices. In a federal lawsuit, EPIC challenged the body scanner program, calling it "invasive, unlawful, and ineffective." For more information, see EPIC v. DHS (Suspension of body scanners).
- Following Maryland, Congress and California Consider Bills Banning Employers From Asking for Facebook Passwords + (May. 1, 2012)
Reps. Eliot Engel (D-NY) and Jan Schakowsky (D-IL) introduced the Social Networking Online Protection Act, a bill that would prohibit employers, colleges, universities, and K-12 schools from seeking usernames or passwords for the social media accounts of employees or students. Similar legislation was introduced in California. Maryland became the first state to ban employers from asking employees or applicants for social networking passwords. Senators Blumenthal and Schumer have asked the Equal Employment Opportunity Commission and the U.S. Department of Justice to investigate the practice. For more information, see EPIC: Workplace Privacy and EPIC: Facebook Privacy.
- FOIA "Ombudsman" Releases Open Government Report + (May. 1, 2012)
In response to several demands from Congress, the Office of Government Information Services (OGIS) has released a long-delayed report with recommendations to improve the administration of the Freedom of Information Act. The report addresses several FOIA processing issues, but doesn't examine the significant issue of delays in FOIA processing and efforts by agencies - such as the Department of Justice - to create new obstacles for FOIA requestors. And OGIS did not address EPIC's pending request to determine whether DHS's practice of vetting FOIA requests by political appointees is permissible. For more information, see EPIC: Open Government.
- Flawed Cybersecurity Bill Passes House, Headed for Senate without Privacy, FOIA Safeguards + (Apr. 27, 2012)
The House of Representatives passed the Cyber Intelligence Information Protection Act ("CISPA"), a cybersecurity bill that allows the government to obtain detailed information about Internet users from the private sector. The bill preempts established privacy protections in other federal laws and opens the door for increased surveillance of individuals in the United States. The bill also creates a new Freedom of Information Act exemption, which will reduce government transparency and accountability. Earlier this year, EPIC said in a statement to the Senate that the Freedom of Information Act provides the public important information about network security, and warned that the National Security Agency has become a "black hole" for public information about cybersecurity. For more information, see EPIC: Cybersecurity, EPIC: EPIC v. NSA (FOIA for NSA Cybersecurity Authority), and EPIC: EPIC v. NSA (FOIA for Google/NSA Relationship).
- District Court Panel Admonishes South Carolina in Voter ID Case + (Apr. 26, 2012)
A three-judge panel overseeing a critical voter ID case, State of South Carolina v. United States of America, set out unusually detailed requirements in a Scheduling and Procedures Order issued today. According to the concurring statement of Judge Bates, joined by Judge Kollar-Kotelly, the state has engaged in delaying tactics even as it has urged a swift resolution of the matter, which concerns new voting ID procedures adopted by the state. The court cited South Carolina's lack of responsiveness to the Department of Justice, "despite repeated requests" for the "final versions of the implementing procedures" for provisions of the law. The court expects to issue a final ruling in early September 2012, prior to the fall Presidential election. For more information, see EPIC: Voter Photo ID and Privacy.
- White House Targets Use of Technology by Human Rights Abusers + (Apr. 24, 2012)
President Obama signed an executive order authorizing U.S. officials to impose sanctions against persons involved in the use of information and communications technology to facilitate human rights abuses in Syria and Iran. EPIC previously filed a Freedom of Information Act request seeking information regarding the export of surveillance technology by U.S. companies. In 2006, EPIC urged the Commerce Department to reexamine policies that allow for the export of surveillance technology to China. For more information, see EPIC: Freedom of Information Act.
- Bi-Partisan Privacy Caucus Demands Answers on Drones and Privacy + (Apr. 19, 2012)
Congressman Markey (D-Mass) and Congressman Barton (R-TX) sent a letter to the Federal Aviation Administration (FAA), raising concerns about the increased use of drones in the United States. The Congressmen noted, "there is...potential for drone technology to enable invasive and pervasive surveillance without adequate privacy protections." The letter called on the FAA's Acting Administrator to supply key information about the drone program, including plans to ensure that the drone licensing process includes privacy protections and public transparency. In February, EPIC, joined by a coalition of more than 100 organizations, experts, and members of the public, petitioned the FAA to conduct a rulemaking on the privacy implications of domestic drone use. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones.
- Coalition Urges Congress to Remove Cybersecurity FOIA Limitations + (Apr. 18, 2012)
An open government coalition has asked House lawmakers to oppose provisions in "CISPA" that would cut off public access to information held by federal agencies. The Cyber Intelligence Sharing and Protection Act would allow the government to refuse to disclose broad swaths of information, otherwise subject to FOIA, that companies provide to the government. More than three dozen groups have signed the petition - including Openthegovernment.org, the Sunlight Foundation, Project On Government Oversight, and EFF. The groups have asserted that the legislation "constitutes a wholesale attack on public access to information under the Freedom of Information Act" and would impede the public's ability to evaluate whether the government is adequately combating cybersecurity threats. In a statement for a hearing on the FOIA and critical infrastructure information, EPIC also warned against new FOIA exemptions and said that the National Security Agency has become a "black hole" for public information about cybersecurity. For more information see EPIC: Cybersecurity, EPIC: EPIC v. NSA, Litigation Under the Federal Open Government Laws 2010.
- Maryland Passes Bill Banning Employers from Demanding Facebook Information + (Apr. 11, 2012)
The Maryland legislature passed the first bill banning employers from asking employees or applicants for social networking passwords. The bill was introduced after Robert Collins, an employee at the Department of Public Safety and Correctional Services, was asked to turn over his Facebook password as part of the process of being reinstated as a corrections officer. Recently, Senators Blumenthal and Schumer asked the Equal Employment Opportunity Commission and the U.S. Department of Justice to investigate the practice of employers asking job applicants to surrender user names and passwords for social networking sites like Facebook. For more information, see EPIC: Workplace Privacy and EPIC: Facebook Privacy.
- EPIC to Commerce Department: Establish Privacy Rights + (Apr. 4, 2012)
EPIC submitted comments to the National Telecommunications and Information Administration of the Department of Commerce, urging the agency to implement the principles set out in the White House Consumer Privacy Bill of Rights. The Department of Commerce announced it would convene a multistakeholder process to develop enforceable codes of conduct for consumer privacy protection. EPIC wrote that the Administrative Procedures Act is a more effective and transparent way to solicit public comment and produce a meaningful outcome. For more information, see EPIC: White House - Consumer Privacy Bill of Rights and EPIC: Administrative Procedure Act Comments.
- EPIC to Congress: Privacy Act Modernization Bill Should be Stronger + (Mar. 27, 2012)
In response to a request from Senator Daniel Akaka (D-HI), EPIC sent a letter explaining that S.1732, the Privacy Act Modernization for the Information Age Act of 2011, should be strengthened to ensure better privacy protection. The Privacy Act of 1974 governs federal agencies' collection, retention, and use of personally identifiable information. In October 2011, Senator Akaka proposed the Privacy Act Modernization bill, which would update the Privacy Act of 1974. EPIC's letter points out that the proposed circumstances under which agencies can disclose personal information should be narrowly tailored. EPIC also noted that certain proposed amendments in the bill insufficiently warn individuals of government security breaches affecting individuals' personal information. For more information, see EPIC: The Privacy Act of 1974.
- Federal Trade Commission Calls for Privacy Legislation + (Mar. 26, 2012)
Today the Federal Trade Commission released Protecting Consumer Privacy in an Era of Rapid Change. The FTC report called for the enactment of baseline privacy legislation and for legislation that gives consumers the right to access personal information held by data brokers. However, the framework is not as extensive as the White House Consumer Privacy Bill of Rights and depends on industry self-regulation. EPIC previously commented on an earlier draft of the framework, pointing out that the FTC "mistakenly endorses self-regulation and 'notice and choice,' and fails to explain why it has not used its current Section 5 authority to better safeguard the interests of consumers." For more information, see EPIC: Federal Trade Commission.
- Senators Call for Investigation into Employer Demands for Facebook Passwords + (Mar. 26, 2012)
Senators Blumenthal and Schumer asked the Equal Employment Opportunity Commission and the Department of Justice to investigate the practice of employers asking job applicants to surrender Facebook user names and passwords. The Senators pointed out that accessing an applicant's profile could reveal sensitive information that employers are not permitted to ask about or base hiring decisions on. Thus, employers could be violating the Civil Rights Act and other federal laws, including the Stored Communication Act and the Computer Fraud and Abuse Act, which prohibit "unauthorized access" to electronic information. “Requiring applicants to provide login credentials to secure social media websites and then using those credentials to access private information stored on those sites may be unduly coercive and therefore constitute unauthorized access under both [Acts]," the letter states. For more information, see EPIC: Workplace Privacy and EPIC: Facebook Privacy.
- House of Representatives Issues FOIA Request Management Report Card + (Mar. 20, 2012)
The U.S. House of Representatives Committee on Oversight and Government Reform issued a "Report Card on Federal Government's Efforts to Track and Manage FOIA Requests." The Report Card assigned letter grades to agencies based upon their "ability and willingness . . . to submit information" to the House Committee about the agencies’ FOIA tracking systems. This information included the requester's name, the date of the request, a description of the records sought by requesters, the date the request was closed, and whether the agency provided responsive records to the request. The Federal Trade Commission was one of the highest scoring agencies, earning an "A+" for its FOIA management. The Department of Justice, the Department of Defense, and the Department of Homeland Security each received a "D" letter grade for their FOIA tracking systems. For more information, see: EPIC: Open Government.
- EU and US Privacy Officials Convene + (Mar. 19, 2012)
Policymakers from the United States and the European Union are participating in a joint conference today on Privacy and Protection of Personal Data. EU Vice President Viviane Reding and US Commerce Secretary John Bryson issued a common statement reaffirming a commitment to privacy protection. US and EU consumer and privacy organizations also issued a statement commending the new US Consumer Privacy Bill of Rights but cautioning that the US has far more to do to safeguard the interests of users of new Internet-based services. For more information, see Public Voice - The Madrid Declaration.
- House and Senate Call for Investigation on Airport Body Scanner Radiation Risks + (Mar. 15, 2012)
Both the House and the Senate introduced bills last month that would require the Department of Homeland Security "to contract with an independent laboratory to study the health effects of backscatter x-ray machines used at airline checkpoints operated by the Transportation Security Administration," and to provide improved notice of the health effects to airline passengers. The bills focus on the health effects of those screened by the backscatter x-ray machines, including frequent air travelers, flight crews, and individuals with greater sensitivity to radiation, such as children, pregnant women, the elderly, and cancer patients. In 2010, EPIC filed a Freedom of Information Act lawsuit asking a court to force the Department of Homeland Security to disclose documents about radiation testing results and agency fact sheets on radiation risks. For more information, see EPIC: EPIC v. DHS - Full Body Scanner Radiation Risks.
- Open Government Groups Oppose Cyber Security FOIA Exemption + (Mar. 14, 2012)
Open government organizations have sent a letter to Senator John McCain, opposing specific provisions in a cybersecurity bill he introduced. The SECURE IT Act would create new Freedom of Information Act exemptions for "cyber threat information" as well as for all information shared with a cybersecurity center. FOIA exemptions limit public access to government information. The organizations stated, "Unnecessarily wide-ranging exemptions of this type have the potential to harm public safety and the national defense more than they enhance those interests." In a statement for a hearing on the FOIA and critical infrastructure information, EPIC also warned against new FOIA exemptions and said that the National Security Agency has become a "black hole" for public information about cybersecurity. For more information, see EPIC: Cybersecurity.
- EPIC Urges Senate to Safeguard FOIA for Cybersecurity + (Mar. 12, 2012)
In a detailed statement to the Senate for a hearing on the "Freedom of Information Act: Safeguarding Critical Infrastructure and the Public's Right to Know," EPIC said that safeguarding FOIA was critical to ensure government oversight and accountability. EPIC described how the FOIA provides the public important information about safety and security, but also warned that the National Security Agency has become a "black hole" for public information about cyber security. EPIC described several NSA programs, including "Perfect Citizen," Internet wiretapping, and even the NSA's own legal authority which the agency has refused to release to the public. EPIC v. NSA, a challenge to the agency's "neither confirm nor deny" response to an EPIC FOIA request, will be heard next week by the DC Circuit Court of Appeals. For more information, see EPIC: Cybersecurity.
- Senators Seek Study on Voter ID Laws + (Feb. 29, 2012)
A group of U.S. senators have asked the Government Accountability Office to study the “alarming number” of new state laws that will make it “significantly harder” for millions of eligible voters to cast ballots this November. New state identification laws, by one estimate, will have a direct impact on 21 million American citizens who do not have a government-issued photo ID. The majority of those people are young would-be voters, the elderly, African Americans, Hispanics, and those earning $35,000 per year or less. For more information, see EPIC: Voting Privacy and Voter Photo ID and Privacy.
- Virginia Senate Narrowly Approves Voter ID Law + (Feb. 28, 2012)
The Virginia Senate passed a controversial voter photo ID law by one vote. The bill now goes to the Virginia House for consideration. Voter ID laws implicate the privacy rights of voters and also discourage voter turnout, particularly among poorer voters who may not have necessary credentials, such as a driver's license. In 2007, EPIC challenged the Indiana voter photo ID law. For more information, see EPIC: Voting Privacy and EPIC: Crawford v. Marion County.
- Privacy Groups to Rep. Bono-Mack: "Hold *Public* Hearings on Google Privacy Changes" + (Feb. 24, 2012)
Five privacy organizations, including EPIC, wrote today to Rep. Bono-Mack to urge the Chairwoman of a powerful Congressional committee to hold a public hearing on Google's proposed changes in business practices that will take effect March 1. Rep. Bono-Mack has held closed-door meetings with the Internet giant, but so far has scheduled no public hearings on the plan to consolidate user data, which EPIC alleges violates a 2011 Consent Order with the Federal Trade Commission. The consumer groups also asked the Congresswoman to urge Google to suspend its plan pending an investigation. They said there would be "overwhelming public support for this action" and cited recent statements from Members of Congress, Attorneys General, European Justice Officials, the President, technical experts, and IT managers in government and the private sector. For more information see EPIC: EPIC v. FTC.
- White House Sets Out Consumer Privacy Bill of Rights + (Feb. 23, 2012)
The Obama Administration put forward a comprehensive privacy framework with principles designed to establish new safeguards for consumers and new responsibilities for companies that collect and use personal information. The principles include (1) individual control over the collection and use of personal data; (2) transparency; (3) respect for the context in which data is collected; (4) security; (5) access and correction rights for consumers; (6) data limitation; and (7) accountability. President Obama stated that "even though we live in a world in which we share personal information more freely than in the past, we must reject the conclusion that privacy is an outmoded value. It has been at the heart of our democracy from its inception, and we need it now more than ever." EPIC praised the framework and the President's support for privacy, and said that the challenge ahead would be implementation and enforcement. For more information, see EPIC: Commerce Department and EPIC: Federal Trade Commission, and EPIC: White House - Consumer Privacy Bill of Rights.
- EPIC Obtains New Documents on DHS Media Monitoring, Urges Congress to Suspend Program + (Feb. 23, 2012)
EPIC has submitted a letter to Congress following a hearing on DHS monitoring of social networks and media organizations. In the letter, EPIC highlights new documents obtained as a result of a FOIA lawsuit and points out inconsistencies in DHS' testimony about the program. Though DHS testified that it does not monitor for public reaction to government proposals, the documents obtained by EPIC indicate that the DHS analysts are specifically instructed to look for criticism of the agency and then to redirect reports that would otherwise be circulated to other agencies. EPIC wrote that the DHS' monitoring program should be suspended, as it exceeds the agency's statutory authority and chills First Amendment activity. For more information, see EPIC: EPIC v. DHS: Media Monitoring.
- 2013 Federal Budget Limits Body Scanners, But Expands Domestic Surveillance + (Feb. 20, 2012)
According to White House budget documents and the Congressional Testimony of Secretary Napolitano, DHS will not purchase any new airport body scanners in 2013. However, the agency will expand a wide range of programs for monitoring and tracking individuals within the United States. This includes the development of biometric identification techniques for programs such as Secure Communities. DHS will also seek funding for "Einstein 3," a network intrusion detection program that enables surveillance of private networks. EPIC has urged the DHS to comply with the requirements of the federal Privacy Act, and is currently pursuing several Freedom of Information Act lawsuits against the agency. For more information, see EPIC - Body Scanners and Radiation Risks, EPIC - E-Verify, EPIC - Secure Communities, EPIC - Fusion Centers, EPIC - Drones, EPIC - Cybersecurity, EPIC - Secure Flight.
- Congress Grills Department of Homeland Security + (Feb. 16, 2012)
Members of a House Committee today questioned DHS officials about the agency's monitoring of social networks and media organizations for information that "reflects adversely" on the agency or the federal government. Several members expressed support for EPIC's proposal that DHS suspend the program, warning that this activity violates First Amendment rights. New questions also arose when the DHS witnesses claimed that no other federal agencies were engaged in similar practices. According to many news sources, the FBI wants to monitor social media. The House hearing was called after EPIC obtained nearly 300 pages of documents detailing the Department of Homeland Security's activities. For more information see: EPIC v. Department of Homeland Security: Media Monitoring.
- EPIC Asks Congress to Suspend DHS Social Network Monitoring Program + (Feb. 15, 2012)
In a Statement for the Record, EPIC has asked the House Committee on Homeland Security to suspend a DHS program that has permitted the agency to gather comments critical of the agency and the government by monitoring social networks and media organizations. The hearing on "DHS Monitoring of Social Networking and Media: Enhancing Intelligence Gathering and Ensuring Privacy" was called after EPIC obtained nearly 300 pages of documents detailing the Department of Homeland Security's activities. The documents, obtained as a result of EPIC's Freedom of Information Act lawsuit, include instructions from the DHS to General Dynamics to monitor media reports that "reflect adversely" on the agency or the federal government. For more information see: EPIC v. Department of Homeland Security: Media Monitoring.
- NIST Proposes Governance Structure for Internet Identity + (Feb. 10, 2012)
The National Institute of Standards and Technology has released a report detailing the governance structure for the White House’s National Strategy for Trusted Identities in Cyberspace. EPIC, joined by the Liberty Coalition, submitted comments on the original proposal, emphasizing the need for transparency and balanced representation. NIST adopted many of EPIC’s suggestions, including the establishment of a Privacy Coordination Committee. However, the final document ignored EPIC’s recommendation that legislation be enacted to safeguard privacy. For more information, see EPIC: National Strategy for Trusted Identities in Cyberspace.
- Congress to Hold Hearing on Department of Homeland Security Social Network Monitoring + (Feb. 6, 2012)
On February 16, 2012, the House Committee on Homeland Security will hold a hearing on "DHS Monitoring of Social Networking and Media: Enhancing Intelligence Gathering and Ensuring Privacy." The hearing was called after EPIC obtained nearly 300 pages of documents, as a result of a Freedom of Information Act lawsuit, detailing the Department of Homeland Security's monitoring of social networks and media organizations. The documents included guidelines from DHS instructing General Dynamics to monitor for media reports that "reflect adversely" on the agency or the federal government. For more information see: EPIC v. Department of Homeland Security: Media Monitoring.
- EPIC to Recommend Changes to Video Privacy Law + (Jan. 30, 2012)
At a hearing before the Senate Judiciary Committee, EPIC Executive Director Marc Rotenberg is expected to make several recommendations to Congress about how to update and modernize the Video Privacy Protection Act, a law passed by Congress in 1988. Among the changes recommended, EPIC will propose that Congress make clear that the law covers all video service providers (including Netflix), allow users to inspect the information that video providers collect about them as well as the algorithms that are used to recommend selections, treat IP addresses and user IDs as "personally identifiable information," inflation-adjust the damages provision, and require companies to encrypt the data collected on users. For more information, see EPIC Video Privacy Protection. Read EPIC's testimony.
- Congress Seeks Answers on Google's Plans for Data Consolidation + (Jan. 27, 2012)
Eight members of Congress wrote to Google asking the company to explain the "steps [that] are being taken to ensure the protection of consumers' privacy rights." The letter follows Google's announcement that it would begin combining data gathered on consumers of over 60 Google products and services, including Gmail, Google+, Youtube, and the Android mobile operating system. The members' letter includes 11 specific questions ranging from the ways in which Google collects information to the specific consequences for Android phone users. In 2010, EPIC, along with other privacy groups, wrote a letter to Google about the company's decision to combine user data among 12 Google services. The groups warned that the practical effect would be to reduce privacy protection for users of Google services. For more information, see EPIC: In re: Google Buzz and EPIC: Google search.
- Senator Leahy Expresses Support for International Privacy Day + (Jan. 24, 2012)
Senator Patrick Leahy, the Chairman of the Senate Judiciary Committee, offered a statement commemorating Data Privacy Day, which takes place on January 28. Senator Leahy urged the Congress to adopt comprehensive data privacy legislation to "better protect Americans' sensitive personal data and reduce the risk of data security breaches." He also recommended changes to the Electronic Privacy Communications Act to "reflect the realities of our time" and to "keep us safe from cyber threats." EPIC will be participating in the annual Computers, Privacy, and Data Protection conference, taking place this week in Brussels. EPIC will also be announcing the recipients of the 2012 International Champion of Freedom Award and the 2012 US Privacy Champion Award. Join International Privacy Day on Facebook.
- FTC Adds Google+ to Antitrust Investigation + (Jan. 13, 2012)
Bloomberg News has reported that the Federal Trade Commission has expanded its antitrust investigation of Google to include Google's social networking service, Google+. The report comes after Google announced that it would include personal data gathered from Google+ in the results of users' searches, a move that led EPIC to urge the FTC to investigate the company. EPIC said that "Google's business practices raise concerns related to both competition and the implementation of the Commission’s consent order," referring to a settlement that the FTC reached with Google that establishes new privacy safeguards for users of all Google products and services and subjects the company to regular privacy audits. Google first confirmed the FTC’s antitrust investigation in June 2011. Recently, the Senate held a hearing on Google's use of its dominance in the search market to suppress competition, and EPIC urged the Federal Trade Commission to investigate Google's use of Youtube search rankings to give preferential treatment to its own video content over non-Google content. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission.
- EPIC Urges Trade Commission to Investigate Google Search + (Jan. 12, 2012)
In a letter to the Federal Trade Commission, EPIC has called for an investigation of recent changes by Google to Google Search, the dominant search algorithm on the Internet. EPIC cited Google's decision to include personal data, such as photos, posts, and contact details, gathered from Google+ in Google Search results. “Google’s business practices raise concerns related to both competition and the implementation of the Commission’s consent order,” EPIC said, referring to a settlement that the FTC reached with Google that establishes new privacy safeguards for users of Google products and services and subjects the company to regular privacy audits. Recently, the Senate held a hearing on Google’s use of its dominance in the search market to suppress competition, and EPIC urged the Federal Trade Commission to investigate Google’s acquisition of Youtube, which allowed Google to give preferential treatment to Google's own video content. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission.
- Google Changes Search Results, Preferences Google+ Results + (Jan. 10, 2012)
Google is changing the results displayed by its search engine to include data from its social network, such as photos or blog posts made by Google+ users, as well as the public Internet. Although data from a user’s Google+ contacts is not displayed publicly, Google’s changes make the personal data of users more accessible. Users can opt out of seeing personalized search results, but cannot opt out of having their information found through Google search. Also, Google's changes come at a time when the company is facing increased scrutiny over whether it distorts search results by giving preference to its own content. Recently, the Senate held a hearing on Google's use of its dominance in the search market to suppress competition, and EPIC urged the Federal Trade Commission to investigate Google's use of Youtube search rankings to give preferential treatment to its own video content over non-Google content. Google has also acknowledged that the FTC is investigating whether Google uses its dominance in the search field to inhibit competition in other areas. For more information, see EPIC: Google/DoubleClick.
- Justice Department Challenges South Carolina's Voter ID Law + (Dec. 28, 2011)
The Justice Department has blocked South Carolina's voter ID law, calling it a violation of the federal Voting Rights Act. The Department said the new photo ID requirements would disproportionately exclude eligible minority voters from federal elections. The South Carolina law prohibits voting by anyone who does not possess a state driver's license, US Passport, Military ID, or voter registration card. Many eligible voters who participated in the 2008 and 2010 elections may be prevented from voting in 2012. Earlier, EPIC filed an amicus brief in the Supreme Court, challenging an Indiana voter ID law. See EPIC: Voter Photo ID and Privacy and NCSL: State Voter ID Laws.
- EPIC Submits Comments on Children's Online Privacy Rule + (Dec. 22, 2011)
EPIC submitted comments to the FTC on a proposed rule for the Children's Online Privacy Protection Act. The proposed rule would revise the definition of Personally Identifiable Information to include identifiers such as cookies, IP addresses, and geolocation information. The new rules also contain data minimization and deletion requirements and simplified methods of obtaining parental consent for data collection. "The proposed revisions update the COPPA Rule by taking better account of the increased use of mobile devices by users and of new data collection practices by businesses," EPIC said. However, EPIC urged the FTC to further improve the rule by applying it to SMS and MMS messaging services, extending the definition of "personal information" to cover the combination of date of birth, gender, and ZIP code, and adding a data-breach notification requirement. EPIC previously testified before the Senate and filed comments with the agency. For more information, see EPIC: Children's Online Privacy Protection Act and EPIC: Federal Trade Commission.
- Senate Opens Investigation Into Google Search + (Dec. 20, 2011)
Senator Herb Kohl (D-WI) and Mike Lee (R-UT), Chairman and Ranking member of the Judiciary Antitrust Subcommittee, have sent a letter to FTC Chairman Jon Leibowitz, expressing concern about Google's business practices and the company's impact on competition in Internet search and commerce. In September, EPIC wrote to the FTC and described how Google biased YouTube search rankings to give preferential treatment to its own content following the acquisition of the Internet's largest video service provider. The EPIC letter preceded a Senate hearing on "The Power of Google: Serving Consumers or Threatening Competition?" EPIC testified before the Senate Antitrust Subcommittee in 2007 on Google's growing dominance of essential Internet services.
- Forum on Children and Teen Online Privacy + (Dec. 14, 2011)
Forum on Children and Teen Online Privacy
Marc Rotenberg,
EPIC Executive Director
Bipartisan Privacy Caucus
2322 Rayburn House Office Building,
Washington, DC
December 14, 2011
- EU Justice Minister Warns US on "Self Regulation," Draft European Privacy Law Now Available + (Dec. 7, 2011)
EU Justice Minister Viviane Reding warned this week at a speech in Brussels that a US plan for privacy self-regulation will "not be sufficient" to protect the flow of personal data between Europe and the United States. Reding also said that European companies were likely to rely on European cloud service providers as long as the US Patriot Act remained the law in the US. A draft of the European Union’s new General Data Protection Regulation is now available. The Regulation is a sweeping and comprehensive update of the 1995 EU Data Protection Directive that sets out new enforcement powers for privacy agencies. Meanwhile, a spokesperson for the White House again pledged that a long-delayed paper on privacy would soon be available. For more information, see EPIC: EU Data Protection Directive.
- EPIC to Congress: Video Act Amendments Would Weaken Online Privacy + (Dec. 6, 2011)
In response to a request from Congressman Melvin Watt (D-NC), EPIC sent a letter explaining that HR 2471, a bill to amend the Video Privacy Protection Act, would reduce privacy for Internet users by weakening the consent provision in current law. The proposal, backed by Netflix, would make the personal information of Facebook users more widely available. EPIC’s letter points out that the bill does not “modernize” the video privacy law, it simply makes it more difficult for users to protect their data. The bill is being rushed through Congress without a public hearing or debate. For more information, see EPIC: Video Privacy Protection Act.
- Senate Adopts Leahy's Open Government Amendment + (Dec. 5, 2011)
The Senate has unanimously adopted an amendment authored by Senator Patrick Leahy (D-VT) to the National Defense Authorization Act. Senator Leahy's amendment will limit an overbroad legislative exemption to the Freedom of Information Act. The amendment requires the Secretary of Defense to consider whether the disclosure of critical infrastructure information would reveal vulnerabilities that would result in harm to government property or facilities, and whether the public interest in the disclosure of this information outweighs the government’s need to withhold the information. The Senate will vote on final passage of the National Defense Authorization Act later this evening. For more information, see EPIC: Open Government.
- Congress, Public Call for TSA Reform + (Nov. 18, 2011)
Republican Members of Congress have released "A Decade Later: A Call for TSA Reform," a staff report examining the effectiveness of the Transportation Security Administration, which was formed shortly after the September 11th attacks. The Report blasted the failure of the TSA to improve aviation security while spending billions of dollars on ineffective equipment and programs including airport body scanners that are "easily thwarted." Over 30,800 people have signed a petition to the White House to abolish the TSA. The Obama Administration has promised to formally respond to any petition that receives 25,000 signatures (formerly 5,000). In a lawsuit filed by EPIC, a federal appellate court found that the TSA had violated the law by deploying full-body scanners at airports nationwide without first soliciting public comment. For more information, see EPIC: Whole Body Imaging Technology and Body Scanners.
- Congress, #KWTK Presses Facebook to Disclose Secret Profiles + (Oct. 31, 2011)
Lawmakers in Washington have sent a letter to Mark Zuckerberg, Facebook's CEO, asking questions about the company's data retention practices, following a news report that a single European Facebook user obtained more than 1,200 pages of his own personal data from the company, including information that he had previously deleted. Following an effort of privacy advocates in Europe, EPIC has launched the KWTK (Know What They Know) campaign and is urging Facebook users to obtain their complete "data dossier" from the company. For more information, see EPIC: Facebook Privacy and EPIC:#kwtk.
- Sen. Rockefeller Requests FTC Report on Facial Recognition Technology + (Oct. 20, 2011)
Senator John D. Rockefeller (D-WV) sent a letter requesting that the Federal Trade Commission assess the use of facial recognition technology and recommend legislation to protect privacy. Facial recognition technology is being used by technology firms and also police agencies, which has raised civil liberties concerns. The letter cited mobile applications such as SceneTap, which "tracks the male/female ratio and age mix of the crowd [in bars]" and digital advertising at the Venetian Resort in Las Vegas that tailors ads to the person standing in front of the display based on recognition of that person’s age and gender. The FTC will hold a workshop on facial recognition technology on December 8, 2011. EPIC's complaint regarding Facebook's facial recognition is still pending before the FTC. For more information, see EPIC: In re Facebook, and EPIC: Facial Recognition.
- "Transatlantic Cooperation for Growth and Security: Protecting Critical Technology and Infrastructure" + (Oct. 17, 2011)
Marc Rotenberg,
EPIC Executive Board
House Cannon Office Building
Washington, DC
October 17, 2011
- Lawmakers Say Undeletable Supercookies Raise "Serious Privacy Concerns" + (Sep. 27, 2011)
Representatives Joe Barton (R-TX) and Ed Markey (D-MA) wrote a letter asking the FTC to investigate whether the use of "supercookies" (cookies placed on users' computers by websites such as Hulu.com that cannot be deleted) constitutes an unfair or deceptive business practice. The representatives called this kind of tracking "unacceptable" and said that the cookies "take away consumer control over their own personal information." EPIC had earlier opposed the White House's use of persistent Google Analytics cookies that track users for up to two years and supported opt-in requirements for Internet tracking techniques that are transparent for the user and easily disabled. For more information, see EPIC: Cookies and EPIC: Federal Trade Commission.
- Data Breach Legislation Moves Forward in the Senate + (Sep. 26, 2011)
Three data breach bills are headed to the Senate floor after a favorable vote in the Senate Judiciary Committee. The bills [S. 1151, S. 1535, S. 1408] set out a variety of approaches to protecting user data and warning users when personal data is improperly released. Testifying recently before the Senate and the House, EPIC has supported new measures for online privacy but warned against a federal law that would "preempt" stronger state laws.
- Sen. Schumer Calls for Investigation into “brazen” OnStar Privacy Violation + (Sep. 26, 2011)
Senator Charles Schumer (D-NY) wrote a letter to the Federal Trade Commission requesting an investigation into OnStar's announcement that it would track the location of its customers' vehicles even after the customers canceled their service. OnStar also reserved the right to sell such locational information to advertisers. In an interview with FOX News last week, EPIC Executive Director Marc Rotenberg warned that the company would make data of former customers available to third parties. For more information, see EPIC: Locational Privacy.
- Senate Holds Hearing on Google’s Anticompetitive Practices + (Sep. 21, 2011)
Today's Senate Judiciary Committee hearing "The Power of Google: Serving Consumers or Threatening Competition?" examined Google’s use of its dominance in the search market to suppress competition. The company’s executive chairman, Eric Schmidt, testified on the first panel, while witnesses from Google’s rivals Yelp and Nextag appeared on the second panel. The hearing covered a wide range of issues, including search bias, Google’s proprietary search algorithm, and the downgrading of search rankings. EPIC testified before the same committee in 2009 on Google’s growing dominance of essential Internet services, and recently sent a letter to the Federal Trade Commission regarding Google’s biasing of Youtube search rankings to give preferential treatment to its own video content. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission.
- Federal Trade Commission Proposes New Rules for Children’s Online Privacy + (Sep. 15, 2011)
Today the FTC proposed new rules for the Children’s Online Privacy Protection Act. The FTC rules would revise the definition of Personally Identifiable Information to include identifiers such as cookies and IP addresses, video and audio files containing a child's image or voice, and geolocation information. The new rules also contain data minimization and deletion requirements that promote Internet security, as well as simplified methods of obtaining parental consent for data collection, such as electronic submission and video verification. EPIC Executive Director Marc Rotenberg said that the proposed rules were "a well-reasoned and innovative approach to online privacy." EPIC had previously testified before the Senate and submitted comments to the agency. EPIC’s complaint regarding Facebook’s facial recognition is still pending before the FTC. For more information, see EPIC: Children’s Online Privacy.
- U.S. and European Consumer Groups Encourage Congress to Learn from EU Data Directive + (Sep. 14, 2011)
The Transatlantic Consumer Dialog, a coalition of 85 organizations from America and Europe, sent a letter today to the House Subcommittee on Commerce, Manufacturing and Trade on the eve of a hearing on the EU's approach to protecting Internet privacy. The TACD letter pointed out that "US privacy laws lag woefully behind current technology and business practices" and encouraged Congress to "learn from a fair and balanced review of the EU Data Directive, just as the EU has learned much from the US experience." According to TACD, the EU Data Directive is a concise, technology-neutral legal framework that promotes trade, protects privacy, and is less burdensome than such US privacy laws as "HIPAA." EPIC is a member of TACD. For more information, see EPIC: EU Data Protection Directive.
- EPIC Warns Congress of Cybersecurity Risks to Consumers + (Sep. 14, 2011)
EPIC Executive Director Marc Rotenberg testified today before the House Subcommittee on Financial Institutions and Consumer Credit. EPIC highlighted several recent high-profile data breaches, including those involving the digital security certificates used to authenticate websites, that have compromised the private data of thousands of consumers. Citing reports from the Privacy Rights Clearinghouse, EPIC's Rotenberg said "These attacks on financial institutions produce both direct and indirect costs for consumers who must contend with the risk of identity theft and financial fraud." EPIC previously testified before the Senate Banking Committee on cybersecurity in the financial sector and the growing threat to consumer data. For more information, see EPIC: Cybersecurity and Privacy. Webcast.
- EPIC Urges FTC to Examine YouTube Search Rankings Following Google Acquisition + (Sep. 8, 2011)
EPIC sent a letter to the FTC urging the Trade Commission to investigate the extent to which Google has used its dominance in the search market to influence the marketplace of online video content. EPIC pointed specifically to the Google acquisition of YouTube and the change in the YouTube search rankings that followed. EPIC said that Google substituted its own subjective, "relevance" ranking in place of objective search criteria, such as "Hits" or "Rankings," to preference Google's own video material over non-Google material. EPIC's letter includes detailed examples using the search term "privacy." Google has acknowledged that the Commission has opened an investigation into the company's business practices for possible antitrust violations. EPIC previously testified before the Senate Judiciary Antitrust Subcommittee on Google's growing dominance of essential Internet services. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission.
- California Passes Updated Data Breach Legislation + (Sep. 1, 2011)
California has enacted Senate Bill 24, first introduced in 2001 by Senator Joe Simitian, which strengthens existing state breach notification law. Since 2002, California law has required data holders to notify individuals if their data is breached, but the law did not specify what information should be included in the notification. This new law specifies the information that should be provided, including instructions on how to contact credit agencies. The law also requires that the state Attorney General be notified in the event of a breach. EPIC testified in 2009 before the House Commerce Committee against "federal preemption" in national data breach legislation, citing important legislative innovations to protect consumers that take place in states such as California. For more information, see EPIC: ID Theft.
- FTC Finds Mobile Phone App Violated Children's Privacy Law (Aug. 16, 2011)
W3 Innovations, a company that develops mobile phone games, settled charges with the Federal Trade Commission for violations of the Children's Online Privacy Protection Act (COPPA). In the first settlement concerning a mobile application, the Commission imposed a fine of $50,000 against the company for "illegally collecting and disclosing personal information from tens of thousands of children under age 13 without their parents' prior consent." EPIC previously testified before the Senate Commerce Committee and submitted comments to the FTC on the need to update COPPA and to clarify the law's application to mobile and social networking services. EPIC also has pending complaints at the FTC regarding Facebook's facial recognition program and changes Facebook made to user privacy settings. For more information, see EPIC: FTC and EPIC: COPPA.
- Department of Homeland Security Terminates Biometric Collection Agreements With States, Intends to Continue Program Without Safeguards (Aug. 12, 2011)
The Department of Homeland Security wrote to State Governors, stating that the agency intends to terminate agreements with state and local governments concerning the Secure Communities program. The agency states that it intends to unilaterally pursue the program despite the termination, though it fails to cite any legal authority in support of the tactic. The statement follows lawmakers' recent criticism of Secure Communities. The program collects and discloses biometric information obtained from individuals who come into contact with police. In June, California legislators urged Governor Jerry Brown to suspend the state's participation in Secure Communities, citing a “crisis of confidence” in the program. The lawmakers identified numerous risks raised by the program and noted that "victims of domestic violence have been [wrongfully] placed into deportation proceedings as the result of Secure Communities when they simply called the police for help." Previously, Illinois, New York and Massachusetts ended their participation in the program. For more, see EPIC: Secure Communities.
- Senate Passes Faster FOIA Act (Aug. 2, 2011)
The Senate unanimously approved bipartisan legislation, cosponsored by Senators Patrick Leahy (D-VT) and John Cornyn (R-TX), to improve Freedom of Information Act (FOIA) processing. The Faster FOIA Act will create an advisory panel to examine agency backlogs and provide recommendations to Congress. The bill awaits action by the House of Representatives. EPIC previously testified before the House Oversight Committee about FOIA delays and politicized processing within the Department of Homeland Security. For more information, see EPIC: Open Government and EPIC: Litigation Under the Federal Open Government Laws.
- House Committee Approves Controversial Measure to Require Data Retention for All Internet Users (Aug. 1, 2011)
The House of Representatives Judiciary Committee voted to approve a bill that will require Internet Service Providers (ISPs) to retain data on every customer to allow the government to identify and track their online activity for one year. EPIC Director Marc Rotenberg testified against the bill at the subcommittee hearing, and his arguments were cited by committee members including Representative Jerrold Nadler (D-NY). After two days of deliberation, the bill was passed with an amendment to require ISPs to retain even more information: not only internet protocol addresses, but also customer names, addresses, phone records, type and length of service, and credit card numbers. This retention is a radical contradiction of the core American value that we are innocent until proven guilty, said Representative Jason Chaffetz (R-UT). The bill purports to use the data to prosecute child pornography, but Representative James Sensenbrenner (R-WI) was "not convinced it will contribute in any meaningful way to prosecuting child pornography," and Representative Zoe Lofgren (D-CA) stated that it is an "unprecedented power grab by the federal government - it goes way beyond fighting child pornography." Representative Bobby Scott (D-VA) pointed out the data would be available for many other uses, including copyright prosecution and divorce cases. This data will be made available to law enforcement officers without a warrant or judicial oversight, and is a convenient way for law enforcement to get powers they couldn't get in the Patriot Act, said Representative Darrell Issa (R-CA). For more information, see EPIC: Data Retention.
- EPIC, Liberty Coalition Submit Comments on Governance for Internet Identities (Jul. 22, 2011)
EPIC, joined by the Liberty Coalition, has submitted comments to the National Institute of Standards and Technology (NIST) on governance topics associated with the National Strategy for Trusted Identities in Cyberspace (NSTIC). The NSTIC proposal is part of a series of initiatives driven by the 2009 Cyberspace Policy Review. EPIC’s comments called for a structure that would "includ[e] protection of consumer information and implementation of strong privacy practices." EPIC further asked for legislation that will protect sensitive personal information in the Identity Ecosystem. For more information, see EPIC: National Strategy for Trusted Identities in Cyberspace.
- House Subcommittee Approves Weak Data Breach Bill (Jul. 21, 2011)
A House Commerce Subcommittee voted in favor of the SAFE Data Act, a data breach bill sponsored by Rep. Bono Mack (R-CA). The bill requires companies to act quickly in the case of a breach and encourages minimization of data collection. However, the bill preempts stronger state laws and does not adequately protect personal information. EPIC Executive Director Marc Rotenberg testified before the Subcommittee on this bill. EPIC emphasized the growing problem of data breaches and the likelihood that problems would get worse as more user data moves to cloud-based services. For more information, see EPIC: Identity Theft. Webcast.
- EPIC Urges Congress to Reject Data Retention Plan (Jul. 13, 2011)
In testimony before the House Judiciary Committee, EPIC President Marc Rotenberg said that a proposal to retain identifying information on Internet users would put at risk "99.9% of Internet users." H.R. 1981, a bill to address concerns about child pornography, would require Internet Service Providers to store temporarily assigned IP addresses for future government use. The bill would also create a new immunity so that ISPs would not be liable if problems resulted. EPIC also pointed out that, with the increased risk of data breaches and identity theft, best practices now follow data minimization rather than data retention. Prospects for passage of H.R. 1981 dimmed at the hearing after Chairman James Sensenbrenner (R-WI) said he would oppose the measure. For more information, see EPIC: Data Retention.
- Congressional Hearing: H.R. 1981, Protecting Children from Internet Pornographers Act of 2011 (Jul. 12, 2011)