Court Cases | Agency Proceedings | Recently Concluded Matters | Litigation Strategy
"EPIC has put steady pressure on the administration concerning its policies on encryption, wiretapping, and other issues." – The Washington Post
"EPIC's Freedom of Information Act work attracts widespread praise."
– Legal Times
Court Cases
EPIC makes frequent use of the Freedom of Information Act (FOIA) to obtain information from the government about surveillance and privacy policy. Public disclosure of this information improves government oversight and accountability. It also helps ensure that the public is fully informed about the activities of government. The following cases are those that we are currently litigating:
EPIC v. the Virginia Department of State Police, et al., Case No. 08-01357 (Va. Gen. Dist. Ct.)
In January 2008, HB1007 was introduced before the Virginia General Assembly. If enacted, the bill would exempt the Virginia Fusion Intelligence Center (Virginia Fusion Center) – and other Commonwealth agencies assigned to the Virginia Fusion Center – from Virginia privacy and government transparency laws. The Virginia Fusion Center is an intelligence database that collects information on ordinary citizens. Shortly after HB 1007 was introduced, the Virginia Fusion Center’s administrative head implied that federal policies might have been the impetus for HB 1007, but did not provide further details.
EPIC filed Virginia FOIA requests with the Virginia Department of State Police (the VSP) for public records that directly relate to alleged federal government involvement with HB 1007. EPIC urged the VSP to provide the requested public records as soon as possible because of the public records’ relevance to the Virginia General Assembly’s consideration of HB 1007. The VSP refused to disclose any public records in response to EPIC's requests. On March 21, 2008, EPIC filed a lawsuit challenging the VSP's failure to disclose public records and failure to comply with the Virginia FOIA.
EPIC v. Department of Justice, Civ. No. 06-0096 (D.D.C. 2006 HHK)
In December 2005, the New York Times reported that President Bush secretly issued an executive order in 2002 authorizing the National Security Agency to conduct warrantless surveillance of international telephone and Internet communications on American soil. EPIC submitted FOIA requests to four Department of Justice components just hours after the existence of the warrantless surveillance program was first reported. Noting the extraordinary public interest in the program — and its potential illegality — EPIC asked the agency to expedite the processing of the requests. The DOJ agreed that EPIC's requests warranted priority treatment, but failed to comply with the FOIA's usual time limit of twenty working days. In January 2006, EPIC filed a lawsuit against the DOJ to compel the immediate disclosure of information concerning the NSA surveillance program, and asked the federal district court in Washington, DC to issue a preliminary injunction requiring the release of relevant documents within 20 days.
On February 16, 2006, U.S. District Judge Henry H. Kennedy ordered (pdf) the DOJ to process and release documents concerning the NSA program within 20 days, or by March 8, 2006. The day before it was required to disclose the documents, the Justice Department filed a motion asking Judge Kennedy for an additional four months to process some of the material responsive to EPIC's request, which Judge Kennedy granted. Once the DOJ completes its processing of the material, any decision to withhold the requested documents will be subject to judicial review, and Judge Kennedy will have the ability to order "in camera" production of the material and make an independent determination concerning public disclosure.
EPIC's case has been consolidated with a lawsuit (pdf) filed by the American Civil Liberties Union and National Security Archive concerning the same documents.
EPIC v. Department of Justice, Civ. No. 06-0029 (D.D.C. 2006 CKK)
In January 2006, EPIC filed suit in federal court against the Department of Justice for reports of possible misconduct submitted by the FBI to the Intelligence Oversight Board. Judge Colleen Kollar-Kotelly, the head of the Foreign Intelligence Surveillance Court, has been assigned to the case. EPIC had already obtained about twenty reports to the Intelligence Oversight Board through another Freedom of Information Act lawsuit that raise questions about compliance with federal law. Since EPIC filed suit, the FBI has released several sets of documents responsive to EPIC's request.
EPIC v. Department of Justice, Civ. No. 05-845 (D.D.C. 2005 ESH)
In a complaint filed in April 2005, EPIC asked a federal court to force the FBI to disclose information about its use of expanded investigative authority granted by sunsetting provisions of the USA PATRIOT Act. The agency agreed to quickly process EPIC's Freedom of Information Act request for the data, but did not comply with the timeline for even a standard FOIA request. The lawsuit, now pending, was filed amid numerous congressional hearings reviewing controversial sections of the USA PATRIOT Act. (Many of these provisions were slated to expire at the end of 2005 unless the administration made the case for renewal, but Congress extended the deadline for additional debate.) The FBI released a small number of documents in October 2005, after Congress had concluded its hearings and already drafted legislation to renew the sunsetting provisions. These documents included reports of intelligence misconduct from the FBI to an intelligence oversight board. In November 2005, Judge Gladys Kessler ordered the FBI to publicly release or account for 1,500 of pages responsive to the request every fifteen days. The DOJ's processing is now complete, and EPIC is considering next steps.
EPIC v. Department of Commerce et al., Civ. No. 04-1625 (D.D.C. 2004 PLF)
In July 2004, EPIC obtained heavily redacted documents through the FOIA revealing that the Census Bureau had provided the Department of Homeland Security's Bureau of Customs and Border Protection with statistical data on people who identified themselves on the 2000 census as being of Arab ancestry. The redacted information was withheld at the insistence of Customs. EPIC appealed the withholdings to both the Commerce Department (the parent agency of the Census Bureau) and Customs. Neither agency responded within the time frame required by law. EPIC filed suit in September 2004 to compel the agencies to release the redacted information. Commerce responded to EPIC's appeal, and EPIC dropped its suit against that agency. The case against Customs is pending.
EPIC v. Department of Homeland Security et al., Civ. No. 04-0944 (D.D.C. 2004 RMU)
The suit stems from four FOIA requests EPIC submitted to the Transportation Security Administration and Federal Bureau of Investigation asking the agencies for information about their roles in acquiring passenger data from JetBlue Airways, Northwest Airlines, American Airlines and others. Between September 2003 and May 2004, EPIC submitted three requests to TSA for information about its role in JetBlue's disclosure of passenger data to a defense contractor and American's disclosure of passenger data to TSA contractors. The agency granted expedited processing for all of the requests, but has failed to release the information within twenty days, as required by law. Further, EPIC submitted a FOIA request to the FBI in May 2004 asking for information about its collection of a year's worth of passenger information from numerous airlines after 9/11, and requested expedited processing as provided under the FOIA and Department of Justice regulations. The Bureau refused to expedite on the grounds that "the primary activity of EPIC does not appear to be information dissemination," despite the fact that two federal judges have determined otherwise. The FBI also justified its denial by stating that EPIC had not "demonstrated any particular urgency to inform the pubic about the subject matter of [its] request beyond the public's right to know generally." EPIC filed suit in June 2004, seeking the immediate release of the requested TSA records as well as a preliminary injunction requiring the Department of Justice, the FBI's parent agency, to process EPIC's request and release the requested documents as soon as possible. The FBI relented and agreed to grant expedited processing. Both the FBI and TSA have released heavily redacted documents in response to EPIC's request. EPIC is now litigating TSA's wihholdings.
Potential Future Cases
EPIC has several significant FOIA requests pending before federal agencies which may require the initiation of litigation during the next year. Several involve government investigative activities in the wake of September 11, including a request for information concerning law enforcement use of commercial "profiling" databases. Other pending requests include a request for information on the Defense Department's purchase of information collected in public schools by an Internet filtering company, and a series of requests seeking appointment books and other records that may shed light on the policy priorities of various Administration officials during the “first 100 days" -- before the events of September 11.
EPIC participates in a variety of precedent-setting cases involving privacy issues as plaintiff, co-counsel and/or friend-of-the-court (amicus curiae). These cases include proceedings concerning communications privacy, encryption and consumer privacy.
Kohler v. Englade, Case No. 05-30541 (5th Cir. 2005)
This case inolves the question of whether the police may coerce a person to provide a DNA sample. In 2002, police initiated a DNA dragnet in Baton Rouge, Louisiana. Police targeted men in southern Louisiana and asked each of them to provide a DNA sample for analysis in order to determine if he was the serial rapist-murderer that authorities were seeking. At least 15 men, including Shannon Kohler, declined to let police take a DNA sample. In November 2002, the Baton Rouge Police Department obtained a seizure warrant to force Mr. Kohler to submit his DNA sample for the investigation. Mr. Kohler was identified by the police and news media as a suspect in the highly publicized search for a serial rapist-murderer. The police later cleared Mr. Kohler as a suspect in the investigation.
In February 2005, the District Court dismissed Mr. Kohler's claim that seizure warrant used to obtain his DNA lacked the required probable cause. The District Court found that police had probable cause based on two anonymous tips and the fact that Mr. Kohler met "certain elements of an FBI profile," which the Court characterized as "so broad and vague that it cast a net of suspicion over thousands of citizens." The Court rejected Mr. Kohler's request for a new trial on the issues. Mr. Kohler has filed an appeal with the Fifth Circuit Court of Appeals. In October 2005, EPIC filed an amicus brief arguing that the constitution protects a person's privacy interest in his DNA and explained that such dragnets have failed repeatedly to identify perpetrators.
Gonzales v. Doe, Case No. 05-0570 (2d Cir. 2005)
This lawsuit concerns the FBI's authority to issue national security letters to businesses for certain customer records without judicial approval. This investigative power, which is part of the Electronic Communications Privacy Act, also imposes a permanent nondisclosure order prohibiting the recipient from ever telling anyone he has received a national security letter.
In 2004, an anonymous Internet service provider and the American Civil Liberties Union challenged the constitutionality of this broad authority, arguing that it violates the First and Fourth Amendments because the law fails to provide adequate checks on the FBI's power to force companies to turn over sensitive customer information. They also argued that the "gag" provision violates the First Amendment because it completely and permanently forbids every recipient from disclosing the fact that he received a national security letter — regardless of whether such a sweeping ban is actually necessary. A federal court in New York found the power unconstitutional on First Amendment grounds in September 2004. The government challenged that ruling in the Second Circuit Court of Appeals.
EPIC co-authored an amicus brief with the National Security Archive arguing that the courts must provide meaningful oversight of the government's investigative activity, and that the FBI's national security letter power undermines government accountability. Other organizations supporting the brief include the Project on Government Secrecy of the Federation of American Scientists and the National Whistleblower Coalition.
In re: Sealed Case No. 02-001, 310 F.3d 717 (F.I.S.C.R. 2002)
In March 2002, the Attorney General submitted a memorandum to the Foreign Intelligence Surveillance (FISA) Court, requesting approval of newly created information sharing (minimization procedures) and other proposals, to be implemented upon approval at the Department of Justice. The Attorney General's proposed minimization procedures significantly curtailed the information screening walls. In a May 17 opinion, the FISC granted some of the Administration's newly requested powers, but refused to grant the Justice Department heightened information sharing powers proposed by the Attorney General. The FISA Court sharply criticized the DOJ and FBI for providing the tribunal misleading information in 75 cases, and limited the request of the DOJ to share intelligence information for criminal prosecutions. The government appealed the decision to the never before convened Foreign Intelligence Surveillance Court of Review, which heard oral arguments in a closed session on September 10, 2002.
EPIC joined with a coalition of civil liberties groups to file an amicus brief with the Foreign Intelligence Surveillance Court of Review. The brief stated that expanding the national security surveillance powers would jeopardize fundamental constitutional interests.
The Court's decision, released in November, permits the government to remove the separation that has long existed between officials conducting surveillance on suspected foreign agents and criminal prosecutors investigating crimes. The Court of Review concluded that the FISC read into FISA limitations on the Act's scope of FISA that never existed and appear nowhere in the statute. The court concluded that the changes to FISA under the USA PATRIOT Act are constitutional, although just barely. The opinion was the first issued by the Court of Review since FISA's inception in 1978. FISA contains no provision for appeal of this decision. The coalition is currently considering any further approaches to address these issues.
EPIC initiates and defends cases involving all aspects of free speech, including anonymity, opinion, fair use, censoring, and privacy.
EPIC is not involved in any pending free speech cases at this time.
Agency Proceedings
EPIC participates in the agency rule-making process as an advocate of the public interest. Such proceedings address issues like location privacy, public access to electronic court records and communications security. EPIC typically works in close association with privacy and consumer organizations, technical experts, and legal scholars.
Air Travel Privacy
In the Matter of Interim Rule Concerning the United States Visitor and Immigrant Status Indicator Technology Program, Docket No. DHS-2007-0002 (comments filed with the Department of Homeland Security Border and Transportation Security Doctorate)
In November 2004 comments, EPIC urged the Department of Homeland Security to consider privacy implications as it expands the United States Visitor and Immigrant Status Indicator Technology (US-VISIT) program. In August 2004, the agency announced that it would expand US-VISIT to the 50 busiest land border points of entry by the end of that year. It also expanded the category of individuals who are subject to US-VISIT to include visa waiver travelers and Mexican citizens traveling to and from the U.S. EPIC's comments emphasized the potential for mission creep within the program, and noted the importance of safeguarding the accuracy and security of the information collected through US-VISIT.
In the Matter of Privacy Act System of Records Notice and Privacy Impact Assessment, Secure Flight Test Records; Notice of Emergency Clearance Request, Secure light Test Records, Docket No. TSA-2004-19160 (comments filed with the Transportation Security Administration and Office of Management and Budget)
In October 2004, EPIC called upon the Transportation Security Administration to suspend the test phase of Secure Flight until the program's significant privacy issues were resolved and the government was willing to be more forthcoming about the program's details. EPIC also urged the Office of Management and Budget not to permit TSA to collect a month's worth of passenger information for Secure Flight testing purposes until the program's privacy and transparency issues were addressed.
In the Matter of Privacy Act System of Records Notice, Transportation Security Threat Assessment System and Transportation Worker Identification Credentialing System, Docket No. TSA-2004-19166 (comments filed with the Transportation Security Administration)
EPIC urged the Transportation Security Administration in October 2004 comments to tightly safeguard personal information in two data collection programs. The Transportation Workers Identification Credentialing System (TWIC) and the Transportation Security Threat Assessment System (T-STAS) compile data on a variety of people directly and indirectly related to the transportation industry. EPIC's comments noted the dangers of identity theft, misappropriation and mission creep if the data collected for these programs are not properly protected.
In the Matter of Privacy Act System of Records Notice, Registered Traveler Operations Files, Docket No. TSA-2004-17982 (comments filed with the Transportation Security Administration)
In July 2004, EPIC urged the Transportation Security Administration not to deploy the final phase of the Registered Traveler program until it conducted a full evaluation of the program's privacy implications. Citing the agency's record of secrecy and little regard for individual privacy interests in the development of programs such as CAPPS II, EPIC recommended that TSA revise its information collection and maintenance practices to comply fully with the intent of the Privacy Act.
In the Matter of Interim Final Rule and Notice Concerning the Implementation of US-VISIT, Docket No. BTS 03-01 (comments filed with the Department of Homeland Security Border and Transportation Security Doctorate)
These comments were submitted February 5, 2004 in response to a notice announcing the implementation of the United States Visitor and Immigrant Status Technology (US-VISIT). EPIC urged DHS to define how Privacy Act obligations affect US-VISIT, to consider the significance of international privacy standards in the collection and use of personal information by the agency on non-U.S. citizens, and to prohibit the expansion of US-VISIT uses outside the program's defined mission.
In the Matter of Privacy Act System of Records Notice Concerning the Arrival Departure Information System, Docket No. DHS/ICE-CBP-001 (comments filed with the Department of Homeland Security Bureau of Immigration and Customs Enforcement and Bureau of Customs and Border Protection)
EPIC filed these comments on January 12, 2004 in response to DHS's announcement that the Arrival Departure Information System (ADIS) would begin to collect biometric and biographic data for use by the United States Visitor and Immigrant Status Technology (US-VISIT). EPIC argued that ADIS should not be exempt from Privacy Act requirements, and urged DHS to reduce ADIS's proposed 100-year data retention period and comply with international privacy standards.
In the Matter of Manifest Requirements Under Section 231 of the Immigration and Nationality Act, INS No. 2182-01 (comments filed with the Immigration and Naturalization Service)
On February 3, 2003, EPIC filed comments in response to a proposed rule that would require commercial airline carriers transporting passengers to or from the United States to submit passenger manifest information electronically to the Immigration and Naturalization Service. EPIC argued that the collection of such information, particularly that of United States citizens and lawful permanent residents, raises significant issues under both the Privacy Act and the Constitution. A final rule has not been issued.
Financial Privacy
In the Matter of Fair Credit Reporting Medical Information Regulations, Docket No. 04-09; RIN 1557-AC85; Regulation V, Docket No. R-1188; RIN 3064-AC81; No. 2004-16; RIN 1550-AB88 (comments to the Office of the Comptroller of the Currency, Office of Thrift Supervision, Federal Deposit Insurance Corporation, National Credit Union Administration, and Board of Governors of the Federal Reserve System)
In May 2004, EPIC and a coalition of privacy advocacy organizations filed comments with five federal agencies which issued a proposed regulation under the Fair and Accurate Credit Transactions Act. The coalition supported the regulation's general prohibition on creditors obtaining or using medical information about a consumer in connection with deciding whether the consumer is eligible for credit. The comments urged that financial institutions not be permitted to routinely request consent to obtain medical information and that affiliate sharing be limited.
In the Matter of Interagency Proposal to Consider Alternative Forms of Privacy Notices Under the Gramm-Leach-Bliliey Act, FTC FIle No. 034815 (comments filed with the Federal Trade Commission)
In comments filed with the Federal Trade Commission on March 29, 2004, EPIC submitted comments in response to this rulemaking designed to simplify privacy notices issued under the Gramm-Leach-Bliley Act. EPIC supported the creation of short privacy notices that start with a "call to action," an unambiguous statement that the individual must take affirmative action in order to protect their financial privacy. EPIC noted that such notices, if designed properly, will assist individuals in understanding their rights and opt-out methods. EPIC also suggested that a checkbox format for the notices would be favorable, as that would allow individuals to score or compare privacy policies across different companies.
In the Matter of Free Annual File Disclosures, FTC File No. R411005 (comments filed with the Federal Trade Commission)
In passing the Fair and Accurate Credit Transactions Act of 2003, Congress directed the Federal Trade Commission to implement a centralized source where individuals could obtain a free credit report annually from each of the three nationwide credit reporting agencies. In comments to the FTC filed on April 16, 2004, Professor Daniel Solove joined EPIC in arguing that individuals should be able to use the source to obtain credit reports without allowing credit reporting agencies to resell their personal information. The comments also attempt to limit the credit reporting agencies' ability to claim that there are too many requests, thus justifying a delay in delivery of the credit report. Already under the law, the credit reporting agencies have a full fifteen days to comply with a request for a report. The comments argue that no more delay is necessary, as the credit reporting agencies regularly provide reports to retailers and other creditors within seconds of making a request.
In the Matter of FACT Act Biometric Study, File No. R411005 (comments filed with the Department of the Treasury)
On April 1, 2004, EPIC submitted comments in response to the Department of Treasury's call for public response on the use of biometrics and similar technologies to combat identity theft. EPIC argued that increased use of biometrics will not combat identity theft in an effective or cost-efficient manner. In fact, such technologies could worsen the identity theft situation for some members of the public and impose a new nationwide system of identity for virtually all Americans. Furthermore, less invasive and less costly alternatives could be implemented to effectively combat identity theft. EPIC argued that it is not necessary to implement a nationwide system of biometrics to curb identity theft. Instead, we could address identity theft in a more cost-effective and privacy-friendly manner by changing aspects of the credit granting system.
In the Matter of Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, OCC File No. 03-18, BOG File No. OP-1155, OTS File No. 03-35 (comments filed with the Department of the Treasury)
On October 14, 2003, EPIC and the U.S. Public Interest Research Group urged the Department of Treasury to strengthen proposed guidance on security notices to bank customers. The proposed guidelines specified when a financial institution must give notice to a customer when their personal information has been accessed without authorization. The comments urged the agency to expand the definition of "sensitive consumer information," and to require financial institutions to report statistical information on all security events to federal regulators. The Treasury Department is now considering whether to modify the proposed guidance.
In the Matter of Experian (complaint filed with the Federal Trade Commission)
On September 16, 2003, EPIC urged the Federal Trade Commission to investigate the marketing practices of credit reporting agency Experian. The complaint alleged that the company broadly disseminates advertising offers for "free" credit reports, but actually provides an expensive credit monitoring service that individuals must cancel within thirty days. EPIC also argued that Experian's advertising is not only misleading, but also stokes fears of inaccuracy in credit reports in order to drive up sales of the company's products.
In the Matter of Rules, Policies, and Procedures for Corporate Activities and Bank Activities, Docket No. 03-02 (comments filed with the Office of the Comptroller of the Currency)
In February 2003, the Office of the Comptroller of the Currency (OCC) issued a proposed interpretation of its "visitorial powers" that would effectively prevent the application of state consumer protection laws to national banks. Such a broad reading would negate state efforts to pass opt-in or other financial privacy laws.
EPIC and U.S. PIRG filed comments with the OCC on April 4, 2003, urging the agency to reject a the proposed rule, as federal privacy law generally operates as a regulatory baseline and allows states to enact greater protections if they so choose. EPIC argued that its proposal would undermine the effectiveness of these laws and well-established principles of federalism, and urged the agency to reject the proposal. The agency has not announced its final rule.
Homeland Security
In the Matter of Privacy Act System of Records Notice, The Homeland Security Operations Center Database, Docket No. DHS-2005-0029 (comments to the Department of Homeland Security)
The Department of Homeland Security has proposed to exempt a vast database from legal requirements that protect privacy and promote government accountability. The agency's plan leaves individuals without the ability to correct inaccurate information and without protection against possible abuse of the database. In May 2005, more than forty organizations opposed the plan in comments filed with the agency.
Internet Privacy
In the Matter of Deployment of Internet Protocol, Version 6, Docket No. 040107006-4006-1 (comments filed with the Department of Commerce National Institute of Standards and Technology National Telecommunications and Information Administration)
In comments filed March 8, 2004, EPIC urged the deployment and use of strong privacy protecting technologies in IPv6, the protocol designed to replace the current network protocol used on the Internet. EPIC recommended that all IPv6 vendors make privacy and security enhancing features such as encryption standard. EPIC also said that the privacy and security features within IPv6 should not be compromised with vulnerabilities by the application of the Communications Assistance to Law Enforcement Act, which would threaten both the security of network communications and the stability of the network architecture.
Location Privacy
In the Matter of Event Data Recorders, Docket No. HTSA-2004-18029 (comments to the National Highway Traffic Safety Administration)
In August 13, 2004 comments, EPIC urged the National Highway Transportation Security Administration to create privacy protections for "Event Data Recorders," black boxes in vehicles that record crash data. EPIC noted that the boxes can become platforms for broader surveillance and that information collected by them should be subject to fair information practices.
In the Matter of Release of Customer Information During 9-1-1 Emergencies, RM-10715 (comments filed with the Federal Communications Commission)
On August 15, 2003, EPIC submitted comments in response to a petition asking the Federal Communications Commission to clarify the legal preconditions to the release of customer-specific information in emergency situations. EPIC voiced its support for the petition, arguing that a rulemaking would provide useful guidance to the emergency services industry and set expectations for consumer privacy in emergency situations. On November 14, 2003 the FCC issued a Second Further Notice of Proposed Rulemaking revising the FCC's E911 rules and clarifying which technologies and services are required to transmit consumers' location information to public safety answering points.
Postal Privacy
In the Matter of Privacy Act System of Records Notice, Postal Service Distribution Quality Improvement, Docket No. (comments to the United States Postal Service)
EPIC and Privacy Rights Clearinghouse filed comments in August 2004 suggesting privacy improvements to a Postal Service system that will employ commercial databases to improve delivery rates. The comments call upon the Postal Service to require the commercial database vendor to abide by a strong set of fair information practices.
Public Records
In the Matter of Privacy and Court Records (comments filed with the Florida Supreme Court)
In October 2004 comments to a committee formed by the Florida Supreme Court, EPIC recommended protections for personal information that appears in public records. EPIC advised that personal data in public records are being commodified for purposes unrelated to government oversight.
Radio Frequency Identification (RFID)
In the Matter of Proposed Rule Concerning Electronic Passports, RIN 1400-AB93 (comments to the Department of State)
In April 2005, EPIC and other civil liberties groups filed comments to urge the State Department to scrap its plans to require RFID passports for all American travelers. The proposal was flawed because the Department lacks legal authority to require RFID travel documents. The State Department had also failed to show the benefits of the passports. Furthermore, it had failed to conduct a meaningful assessment of RFID technology or to consider more reliable technologies.
RFID Workshop Comment P049106 (comments presented at Federal Trade Commission workshop)
In July 2004, EPIC filed detailed comments at a Federal Trade Commission Workshop calling for the adoption of strong Privacy Guidelines for RFID Technology to protect consumers against potential abuses of the tracking technology.
Voter Privacy
In the Matter of the Social Security Administration's Proposed Rule Change Regarding a New Routine Use for Social Security Administration System Records Entitled Mater Files of the Social Security Number Holders and SSN Applications, Docket No. 60-0058 (comments to the Social Security Administration)
In September 2004 comments to the Social Security Administration, EPIC urged the agency not to create a new routine use of the Social Security Number for state voter registration purposes. EPIC asked the agency not to implement this routine use until state election administrations agree not to require voters to present their Social Security cards in order to vote in federal elections.
Recently Concluded Matters
EPIC v. Department of the Treasury, Civ. No. 05-2256 (D.D.C. 2005 PLF)
In November 2005, EPIC filed a lawsuit asking a federal court to order the Internal Revenue Service to release documents about law enforcement and intelligence requests for taxpayer records since 9/11. EPIC submited two FOIA requests seeking the information in July 2004 and September 2005, but the IRS failed to disclose documents in response. The IRS released two sets of documents during the course of the lawsuit, which has been settled.
EPIC v. Department of Justice & Department of the Treasury, Civ. No. 02-0063 (D.D.C. 2002 CKK)
In 2001, the Wall Street Journal and other publications reported that federal law enforcement agencies were purchasing personal information from private-sector profiling corporations. To focus debate on private sector profiling, and the reliance of government upon these profiles, EPIC sent a series of FOIA requests to federal law enforcement agencies in July 2001. Documents received from the Internal Revenue Service showed that both ChoicePoint and Experian possess large contracts with the agency for desktop access to citizen's personal information. Other documents showed that INS and DOJ obtained citizen information on ten Latin American countries through ChoicePoint, which led to a series of front-page news items in the affected countries. EPIC challenged the government's substantial redactions in the documents, and settled the case in 2006.
EPIC v. Department of Justice, Civ. No. 04-1736 (D.D.C. 2004 HHK), 04-2164 (D.D.C. 2004 HHK)
In September 2004, the Transportation Security Administration announced plans to test Secure Flight, a new passenger prescreening system. The agency said that "Secure Flight will involve the comparison of information for domestic flights to names in the Terrorist Screening Database (TSDB) maintained by the Terrorist Screening Center (TSC), to include the expanded TSA No-Fly and Selectee Lists, in order to identify individuals known or reasonably suspected to be engaged in terrorist activity." EPIC submitted a FOIA request to the FBI asking for information about the database and its role in Secure Flight. EPIC asked that the information be released expeditously, noting the intense media interest surrounding the issue. The FBI denied EPIC's request for expedited processing on the grounds that there is no urgency to inform the public about the database and "the primary activity of the American Civil Liberties Union [sic] is not information dissemination, which is required for a requester to qualify for expedited processing under this standard." EPIC applied for an emergency court order on October 13 to compel the agency to release the records, arguing that information about the database should be made available before October 25, which was the deadline for public comments on TSA's plans for testing Secure Flight. The FBI granted expedited processing the next day, but did not released the documents. Judge Kennedy dismissed the case on November 24 because expedited processing was no longer at issue. However, EPIC filed a second suit and application for an emergency court order on December 15, arguing that the FBI had failed to meet the FOIA's deadline for processing even a standard, non-expedited request. EPIC agreed to dismiss its application for an emergency court order in exchange for the FBI's agreement to release the requested documents by March 1, 2005. After the documents were released, EPIC and the FBI settled the case.
EPIC v. Transportation Security Administration et al., Civ. No. 03-1846 (D.D.C. 2003 CKK)
In August 2003, EPIC requested from the Transportation Security Administration "Capital Asset Plan and Business Case" (Exhibit 300) materials that TSA had prepared on the controversial Computer Assisted Passenger Profiling System (CAPPS II), and any privacy impact assessments the TSA had conducted on CAPPS II. The Exhibit 300 is an assessment that the Office of Management and Budget requires of agencies seeking funding for projects and includes, among other things, an evaluation of privacy and security risks that a project might pose. Furthermore, the E-Government Act of 2002 requires agencies to prepare a privacy impact assessment before developing or procuring information technology that collects, maintains or disseminates identifiable information.
TSA agreed to process the documents, but failed to respond to EPIC's request for expedited processing. On September 8, 2003, EPIC applied for an emergency court order requiring TSA to immediately release the requested documents. TSA relented and agreed to complete processing the material by September 25, five days before public comments were due on TSA's proposed Privacy Act notice for the controversial system. TSA then refused to release the documents on September 25, claiming that they were exempt from disclosure under the Freedom of Information Act. In June 2004, Judge Colleen Kollar-Kotelly ordered TSA to review the documents for material that is factual and thus must be released under the FOIA.
EPIC v. Department of Defense, Civ. No. 04-1219 (D.D.C. 2004 CKK)
In May 2004, EPIC sent a FOIA request to the Defense Intelligence Agency asking for records about the agency's use of Verity K2 Enterprise, a program that reportedly mines data from the intelligence community and Internet searches to identify foreign terrorists and U.S. citizens connected to foreign terrorism activities. The agency denied EPIC's request for expedited processing of the requested material, explaining that EPIC had failed to demonstrate an urgency to inform the public about the data mining program. EPIC filed suit in July 2004 seeking the immediate release of the records. Judge Colleen Kollar-Kotelly ruled on December 12 that EPIC was not entitled to expedited processing because it had failed to show an urgency to inform the public about Verity K2 Enterprise specifically rather than defense data mining generally. The Defense Intelligence Agency released responsive documents in April 2005, and EPIC agreed to dismiss the case.
EPIC v. National Aeronautics and Space Administration (N.D. Cal. 2004)
Through an October 2003 FOIA request to NASA, EPIC obtained documents revealing that the Northwest Airlines disclosed millions of passenger records to NASA for use in data mining and passenger profiling research. The agency withheld some documents that are responsive to EPIC's request. EPIC filed suit in January 2004 to obtain additional documents about the Northwest disclosure. Through negotiation, EPIC obtained hundreds of additional records from NASA that were originally withheld by the agency.
ACLU and EPIC v. Department of Justice, 321 F. Supp. 2d 24 (D.D.C. 2004 ESH)
In October 2003, EPIC, the ACLU and allied library and booksellers' organizations submitted a FOIA request to the FBI seeking information about the agency's enforcement of Section 215 of the USA PATRIOT Act. When FBI denied expedited processing, EPIC and the ACLU filed suit in federal court seeking the immediate release of the requested records. On May 10, 2004, U.S. District Judge Ellen Huvelle ordered the FBI to expeditiously process the request. Judge Huvelle also determined that "EPIC is indeed 'primarily engaged in disseminating information' for the purposes of expediting [a FOIA] request." Some responsive records were released in June 2004, and more documents were released in July.
EPIC v. Department of Justice, Civ. No. 03-02078 (D.D.C. 2003 JR)
In September 2003 EPIC asked the Department of Justice for documents related to a memorandum sent to federal prosecutors on August 14. The memorandum urged all prosecutors to contact members of the House of Representatives who had voted to deny funding for the execution of "sneak and peek" warrants authorized by the Patriot Act. The DOJ refused to expedite processing of EPIC's request on the grounds that the memorandum is not a subject of exceptional media interest, and raises no questions about the government's integrity that might affect public confidence. The DOJ further determined that there is no urgency to inform the public about the issues raised by the memorandum. On October 14, EPIC filed suit in federal court and asked that the DOJ be ordered to release immediately the requested material. EPIC filed for partial summary judgment to resolve the issue of expedited processing in October. The DOJ opposed EPIC's motion and filed a cross motion for summary judgment in November. Judge James Robertson heard oral argument on December 8. On December 19, Robertson held that EPIC properly filed suit without first asking the DOJ to reconsider its decision not to process EPIC's request expeditiously, but that EPIC's request was not entitled to expedited processing. EPIC appealed the decision to the DC Circuit, and the DOJ cross appealed. However, the parties agreed to dismiss their appeals when the DOJ released the documents EPIC had requested, and the issue of expedited processing became moot.
ACLU and EPIC v. Department of Justice, 2003 U.S. Dist. LEXIS 8363 (D.D.C. 2003 ESH)
In September 2002, the House Judiciary Committee released the Justice Department's response to the committee's June 13 letter seeking information about implementation of the USA PATRIOT Act. The response shed some light on the use of the new law, but DOJ classified a large amount of important information required for proper public oversight.
EPIC, joined by the ACLU and library and booksellers' organizations, filed suit under FOIA seeking the disclosure of some part of the information classified as "confidential." The lawsuit covers some of the information the Justice Department withheld from the House Judiciary Committee.
In late November 2002, Judge Huvelle ordered the Justice Department to complete its processing of the EPIC/ACLU information request by January 15, 2003. The Department withheld most of the responsive material and moved for summary judgment; EPIC/ACLU filed an opposition and a cross-motion for summary judgment. In a decision issued on May 19, 2003, the court held that all of the withheld material is properly classified.
EPIC v. Department of Defense, 241 F. Supp. 2d 5 (D.D.C. 2002 JDB)
This case grows out of an FOIA request EPIC submitted to the Defense Department in February 2002 concerning DOD's new Information Awareness Office and its director, retired Admiral John Poindexter. In response to the request, DOD denied EPIC's request for "news media" fee status, thus imposing a substantial financial barrier to EPIC's effort to obtain responsive documents. Noting that DOD's action was the first denial of an EPIC request for preferred fee status in the 8-year life of the organization, EPIC filed suit against the agency and moved for a preliminary injunction. Oral argument was held before Judge Bates on July 19, 2002. On January 16, Judge Bates today issued a decision rejecting the Defense Department's denial. Judge Bates ruled that EPIC is entitled to "preferred fee status" under the FOIA and ordered the Pentagon to "expeditiously" process EPIC's almost year-old request for information concerning Admiral John Poindexter and the Information Awareness Office. The DOD agreed to pay EPIC's $24,000 attorney's fees and continue to process EPIC's request for responsive documents. The case was settled in 2003.
Center for National Security Studies, et al. v. Department of Justice, Civ. No. 01-2500 (D.D.C. 2001 GK)
This case, in which EPIC was plaintiff and acted as co-counsel, sought disclosure of information concerning more than one thousand individuals who, according to the government, were "detained" in the wake of the September 11th terrorist attacks. The government has continually refused to disclose the data in response to Freedom of Information Act requests submitted by a broad coalition of civil liberties and human rights groups, resulting in unprecedented secrecy surrounding the status of the individuals.
Members of Congress, the news media and civil liberties groups have all raised questions as to whether those jailed since September 11 are being accorded applicable constitutional protections. The FOIA lawsuit asserted that the requested information involves a matter of extraordinary public interest and that the secrecy surrounding the detentions is at odds with longstanding principles of open judicial proceedings. Under a court-approved schedule to expeditiously litigate the case, briefing began in mid-January 2002 and the court heard oral argument at the end of May 2002.
In a decision issued on August 2, 2002, U.S. District Judge Gladys Kessler directed the Justice Department to disclose, within 15 days, the identities of individuals detained in connection with its September 11 terrorist investigation. Detainees desiring confidentiality of their identities can file statements requesting non-disclosure. The government appealed the ruling, and Judge Kessler granted a stay pending the appeal. Oral argument was held before the D.C. Circuit Court of Appeals on November 18, 2002. The Court of Appeals issued a divided opinion on June 17, 2003, endorsing the Justice Department's efforts to keep secret the identities of hundreds of individuals detained after the September 2001 terrorist attacks. The plaintiffs filed a petition for writ of certiorari with the Supreme Court on September 29, 2003. The Supreme Court denied the petition on January 12, 2004.
EPIC v. Department of Homeland Security et al., Civ. No. 03-1255 (D.D.C. 2003)
In March 2003, EPIC requested from the Transportation Security Administration any privacy assessments of the Computer Assisted Passenger Prescreening System (CAPPS II), and from Department of Defense information concerning Pentagon involvement in the controversial airline passenger screening system. Neither agency completed processing the requests, despite their agreement to "expedite" the process. EPIC filed suit on June 11, 2003, alleging that the Department of Homeland Security (as the parent department of TSA), TSA, and DOD failed to comply with the disclosure requirements of the Freedom of Information Act, and asking a federal judge to order the disclosure of information concerning the development of CAPPS II. DHS filed a motion for summary judgment in October 2003, and EPIC responded with a cross motion for summary judgment. In November EPIC agreed to settle the suit.
EPIC v. Department of Defense, C.A. No. 02-2478 (D.D.C. 2002)
Following a FOIA request for information about the DOD's Total Information Awareness project, the DOD denied EPIC's request for expedited processing. EPIC brought suit on December 17, 2002 challenging this denial. Because the issue is related to our "news media" status at issue in our earlier case against DOD, proceedings in this case were stayed pending that decision and were resolved by the same decision.
EPIC v. Transportation Security Administration, Civ. No. 02-2437 (D.D.C. 2002)
The Aviation Security and Transportation Act, passed in the wake of the September 11, 2001, terrorist attacks, authorizes the Transportation Security Administration (TSA) to maintain watchlists and notify law-enforcement, aviation and airline officials of the names of people suspected of posing "a risk of air piracy or terrorism or a threat to airline or passenger safety." In a FOIA request submitted to TSA in early October 2002, EPIC requested information about the number of names on all aviation-security watchlists, procedures for posting and removing names and all complaints from people who claim to have mistakenly been included on the lists. TSA failed to respond to the request within the legal time limit, prompting EPIC's lawsuit, which was filed on December 11, 2002. EPIC voluntarily dismissed the case in April 2003.
EPIC v. Office of Homeland Security, et al., Civ. No. 02-0620 (D.D.C. 2002)
In December 2002, U.S. District Judge Colleen Kollar-Kotelly issued a decision permitting EPIC to pursue discovery concerning the "nature of the authority" delegated to the Office of Homeland Security (OHS) and its Director, Tom Ridge. The ruling was in response to a Freedom of Information Act lawsuit filed by EPIC after OHS took the position that it is not subject to the open government law. As part of its "Watching the Watchers" project, EPIC is pursuing various FOIA requests relating to governmental security and investigative activities undertaken in the wake of the September 11 terrorist attacks. The work of OHS and its director, Governor Tom Ridge, is central to those issues. After EPIC filed suit, seeking the disclosure of OHS documents concerning proposed national identification systems, the government moved to dismiss the case on the ground that OHS is not an "agency" subject to FOIA. Discovery is now proceeding. Following the court's discovery ruling, EPIC obtained a substantial amount of information concerning the functions of the Office, most of which indicated that OHS did not exercise agency-like authority. EPIC agreed to a voluntary dismissal of the case in April 2003.
EPIC v. Department of Transportation, et al., Civ. No. 02-0475 (D.D.C. 2002)
In this lawsuit, part of the "Watching the Watchers" project, EPIC sought disclosure of information concerning the new Transportation Security Administration's consideration of air travel security systems. The litigation was initiated when TSA failed to respond to EPIC's request for expedited processing of responsive documents. The agency agreed to complete its processing by mid-June 2002, at which time the suit was settled. Material released as a result of this lawsuit led to the filing of a second FOIA request, which became the subject of EPIC v. Transportation Security Administration, Civ. No. 02-2437, described above.
EPIC v. Department of Justice & Federal Bureau of Investigation, Civ. No. 00-1849 (D.D.C. 2002)
On July 11, 2000, the existence of an FBI Internet monitoring system called "Carnivore" was widely reported. Although the public details were sketchy, reports indicated that the Carnivore system is installed at the facilities of an Internet Service Provider (ISP) and can monitor all traffic moving through that ISP. The FBI claims that Carnivore "filters" data traffic and delivers to investigators only those "packets" that they are lawfully authorized to obtain. Because the details remain secret, the public is left to trust the FBI's characterization of the system and -- more significantly -- the FBI's compliance with legal requirements.
In order to make public the details of Carnivore, EPIC immediately submitted an FOIA request to the FBI and requested expedited treatment. When the Bureau and DOJ failed to respond in a timely manner, EPIC filed suit seeking expedited processing of Carnivore documents. Under pressure from the court, the FBI began releasing material in periodic installments and completed the processing in January 2001. The released documents have already brought critical information to the public, and the litigation is continuing to determine whether the FBI has improperly withheld relevant information. The Bureau submitted an index describing withheld information in early May 2001, and EPIC challenged the adequacy of the FBI's document search. In an order issued in March 2002, the court agreed with EPIC and directed the Bureau to initiate a new search for responsive documents.
The new search uncovered more documents, including those indicating that an FBI anti-terrorism investigation possibly involving Usama bin Laden was hampered by technical flaws in the Bureau's controversial Carnivore Internet surveillance system. The Carnivore "software was turned on and did not work correctly." The surveillance system captured not only the electronic communications of the court-authorized target, "but also picked up E-Mails on non-covered" individuals (a violation of federal wiretap law), resulting in the destruction of the lawfully obtained material. The documents describe the incident as part of a "pattern" indicating "an inability on the part of the FBI to manage" its foreign intelligence surveillance activities. EPIC voluntarily dismissed the case and the Justice Department agreed to settle EPIC's claim for attorneys fees with a payment of $10,000.
EPIC v. National Security Agency, Civ. No. 99-3197 (D.D.C. 1999)
In a significant case reported on by the New York Times and other publications, EPIC asked a federal court to order the release of controversial documents concerning potential government surveillance of American citizens. EPIC's lawsuit sought the public disclosure of internal National Security Agency (NSA) documents discussing the legality of the agency's intelligence activities. NSA refused to provide the documents to the House Intelligence Committee, resulting in an unusual public reprimand of the secretive spy agency. Rep. Porter J. Goss, chairman of the oversight panel, wrote in a committee report in May 1999 that NSA's rationale for withholding the legal memoranda was "unpersuasive and dubious." He noted that if NSA lawyers "construed the Agency's authorities too permissively, then the privacy interests of the citizens of the United States could be at risk." Soon after the release of the Intelligence Committee report, EPIC submitted a Freedom of Information Act (FOIA) request to NSA for the documents.
After EPIC filed suit for the release of the material, NSA released approximately 100 documents reflecting the agency's interpretation of the legal restrictions on surveillance of "U.S. persons." This material has been incorporated into several media reports on Project Echelon and is a significant contribution to the public body of information on national security surveillance and the rights of Americans.
EPIC v. Federal Trade Commission, Civ. No. 99-2689 (D.D.C. 1999)
EPIC filed suit in federal district court in Washington seeking the disclosure of records about privacy complaints received by the Federal Trade Commission. It is EPIC's contention that the FTC has failed to take action on the many privacy complaints that the agency has received from consumers. In order to evaluate the effectiveness of the current privacy system in the United States, EPIC believes it is critical to look at how the FTC responds to complaints from the public. EPIC filed the initial information request in June 1999. In a letter to the Commission, EPIC requested "copies of all records concerning the FTC's investigation of privacy complaints." The request included letters, electronic mail, web submissions, fax transmissions, and formal complaints. EPIC told the Commission it was interested in "records regarding alleged privacy violations by a specific company or organization and requests for general assistance in a privacy matter, whether or not a specific company or organization is indicated." At a Senate hearing in July 1999, EPIC criticized a report from the FTC on Internet privacy, saying that it failed to provide any actual information about consumer privacy complaints or the effectiveness of industry programs to protect privacy. We noted that EPIC had filed a Freedom of Information Act (FOIA) request regarding the handling of complaints and said that information would be provided to the Senate Committee once a response from the FTC was received.
Since the initiation of the lawsuit, the FTC released several hundred pages of responsive material. These documents have contributed to EPIC's oversight of the Commission's handling of privacy complaints.
Nelson v. Salem State College, Case No. SJC-09519 (Mass. 2005)
In June of 1995, officers of the Salem State College police force, with the knowledge of college administrators, installed a hidden video camera and VCR in the college’s off-campus Small Business Development Center. The video camera was used to investigate possible illegal entries in the center after normal business hours and was set to record twenty-four hours a day. During the summer of 1995, Gail Nelson, a secretary at the Small Business Development Center, often brought a change of clothes to work and changed in a cubicle. Ms. Nelson later learned about the covert surveillance from a co-worker.
Ms. Nelson filed suit against the college and officials, arguing that they had violated the Fourth Amendment, Article 14 of the Massachusetts Declaration of Rights, and state law by secretly videotaping her in a cubicle. The claims were dismissed by the trial court, which found that the Ms. Nelson had no reasonable expectation of privacy in a cubicle. Ms. Nelson appealed to the Massachusetts Appeals Court. Before the court reached a decision, the Supreme Judicial Court decided to take the case. EPIC filed an amicus brief arguing that society is prepared to recognize an expectation of privacy in the workplace as reasonable. In April 2006, the court ruled in favor of the college.
Gilmore v. Gonzales, 2006 U.S. App. LEXIS 1856 (9th Cir. 2006)
This case challenged the government's unpublished law or regulation requiring passengers to present identification to fly on commercial airlines. John Gilmore argues that the requirement violates numerous constitutional protections, including the rights to travel, petition and freely assemble, be free from unreasonable search and seizure, and have access to due process of law. In March 2004, the U.S. District Court for the District of Northern California dismissed Gilmore's case. In that proceeding, the government not only refused to provide the court with the text of the law or regulation requiring airline passengers to show identification, but declined even to acknowledge whether the requirement exists. Furthermore, the district court judge accepted the government's assurance that the court did not have jurisdiction to review the law or regulation, failing to independently determine the legal basis for that claim. In August 2004, EPIC filed an amicus brief arguing that the district court's failure to examine the government's authority to enforce the law or regulation allows the government to impose secret law upon the public, thus avoiding meaningful review by courts as required by the Constitution. In January 2006, the 9th Circuit ruled in the government's favor, upholding the identification requirement.
American Bankers Association v. Lockyer, 2005 U.S. Dist. LEXIS 22437 (E.D.Cal. 2005)
In 2003, California enacted the California Financial Information Privacy Act, commonly known as "SB1." SB1 provides the strongest financial privacy protection in the nation. It allows customers to "opt-out" of information-sharing practices between affiliated institutions, companies that have common ownership. SB 1 also bars financial institutions from sharing information about consumers with nonaffiliated third parties unless an individual gives his or her express "opt in" consent. In April 2004, the American Bankers Association (ABA), the Financial Services Roundtable and the Consumer Bankers Association filed suit, arguing that SB 1 is preempted or superceded by the federal Fair Credit Reporting Act (FCRA). As interpreted by the banking industry, the FCRA imposes a preemptive ceiling on state privacy statutes, thereby preventing any state or local regulation concerning affiliate sharing of consumer information. EPIC, joined by a coalition of consumer and civil liberties groups representing 41 million individuals, filed an amicus brief in support of SB1, arguing that affiliate sharing causes identity theft and fraud, and is inconsistent with fair information practices. In October 2005, the court held that FCRA preempts portions of California's landmark financial privacy law. Despite the ruling, provisions of California law that require opt-in consent before data can be sold to third parties (non-affiliates) are still valid.
Kehoe v. Fidelity Bank, 421 F.3d 1209 (11th Cir. 2005)
In this case, James Kehoe sued Fidelity Bank for purchasing hundreds of thousands of motor vehicle records from the state of Florida in violation of the federal Drivers Privacy Protection Act. Fidelity Bank had purchased 565,600 names and addresses from the Florida motor vehicles department from June 2000-2003. Fidelity was able to obtain the information for only $5,656. Fidelity used the information to target residents of Palm Beach, Martin, and Broward Counties for car loan solicitations. The Drivers Privacy Protection Act, 18 USC § 2721, protects the confidentiality of motor vehicle records. It was enacted in 1993 after stalkers, murderers, and robbers were shown to have used records at DMVs in order to locate victims. In 1999, Senator Shelby amended the law to require opt-in consent before a DMV could release personal information for marketing purposes. The amendment took affect June 1, 2000, but Florida law was never updated to reflect the federal law change. The U.S. District Court for the Southern District of Florida ruled in June 2004 that James Kehoe needed to demonstrate actual damages before obtaining any monetary recovery under the DPPA. The Court relied upon the recently decided Doe v. Chao and statutory construction rules to rule that the DPPA's liquidated damages do not accrue to a plaintiff unless he can show actual damages. In August 2004, EPIC filed an amicus brief, joined by the American Civil Liberties Union of Florida, arguing that individuals are entitled to damages under the law when businesses or data brokers intentionally access motor vehicle information. In August 2005, the 11th Circuit Court of Appeals reversed the lower court and held that individuals suing to recover for violations under the Drivers Privacy Protection Act do not need to demonstrate actual harm in order to recover monetary damages.
United States v. Councilman, 418 F.3d 67 (1st Cir. 2005)
This case involved the question of whether email can be "intercepted" in violation of federal wiretap law while it is temporarily stored on an email server -- even if only for a fraction of a second. The District Court for the District of Massachusetts held in February 2003 that an online literary clearinghouse did not violate the law when it used an email service it provided to its subscribers to access their incoming email so it could view messages sent to them by a rival company. The court narrowly read the definition of "electronic communication" in the Wiretap Act to exclude any type of stored communication. The government appealed the decision to the First Circuit. In June 2004, a three-judge panel held that the clearinghouse did not violate criminal wiretap laws by acquiring users' incoming emails without their knowledge or consent. Because the emails were not actually in wires or cables between computers when accessed, but were instead temporarily stored on the service provider's computer system, the panel found the emails could not have been "intercepted" in violation of wiretap law. The full First Circuit withdrew the panel decision and reheard the case. The court reversed the panel decision, ruling 5-2 that the interception of e-mail temporarily stored while in transit to its destination violates federal wiretap law.
EPIC joined a coalition amicus brief arguing that the panel's decision creates serious constitutional questions under the Fourth Amendment guarantee against unreasonable search and seizure. The brief was also joined by the Center for Democracy and Technology, Electronic Frontier Foundation, American Civil Liberties Union, American Library Association, and Center for National Security Studies.
Maryland v. Raines, 857 A.2d 19 (Md. 2004)
This case challenged the Maryland DNA Collection Act, which allows the state to collect DNA from individuals who have committed felonies and certain misdemeanor offenses. Profiles of the DNA are then added to a state DNA database, which feeds into a national DNA database known as the Combined DNA Index System or CODIS, which is maintained by the FBI. Charles Raines argued that compelled DNA production constitutes an unreasonable search and seizure in violation of the Fourth Amendment and the Constitution of Maryland. EPIC submitted an amicus brief in his support pointing out that in many areas Maryland provides stronger privacy protection than the federal Fourth Amendment. EPIC also rebutted the government's claim that DNA collection is no different than fingerprint collection. The case was argued before Maryland's high court in June. In July 2004, the court issued an order reversing the lower court's decision.
United States v. Kincade, 379 F.3d 813 (9th Cir. 2004)
In this case, the United States Court of Appeals for the Ninth Circuit reheard its prior decision that the compelled production of a DNA sample from a parolee for inclusion in a nation-wide DNA database is an unlawful search. This case involved the Fourth Amendment protections against unreasonable government search and seizure and law enforcement accumulation and use of personal information. EPIC filed a "friend of the court" brief in support of Kincade that focused on the false notion that DNA and fingerprinting involve the same privacy concerns. While a fingerprint merely indicates whether an individual has been in a specific location, DNA can reveal health, gender, and familial information. Furthermore, because members of the same family have similar DNA patterns, an individual's DNA profile may indirectly implicate a relative. Moreover, EPIC pointed out, there is no uniform storage policy for DNA samples; rather, each state has a different policy. Not only could samples end up in the hands of researchers, but international cooperation among law enforcement agencies has opened CODIS up to other governments. The case was argued before the en banc court in March. In a close 6-5 ruling in August 2004, the Ninth Circuit Court of Appeals determined that a parolee can be forced to provide a DNA sample for the FBI's vast national DNA database.
Hiibel v. Sixth Judicial District Court of Nevada, 125 S. Ct. 18 (2004)
This case arose from the arrest of Larry Hiibel under Nevada Revised Statute § 171.123(3), which allows an officer to detain a person to ascertain his identity when there are circumstances reasonably indicating that person has committed a crime, though no probable cause to arrest. Hiibel was charged with and convicted of resisting a public officer in violation of state law, and he appealed the conviction. The Nevada District Court determined it was reasonable and necessary for an officer to ask for Hiibel's identification, and asserted that the public interest in requiring Hiibel to identify himself outweighed his right to remain silent. Hiibel filed a petition asking the Supreme Court of Nevada review the case, challenging the constitutionality of Nev. Rev. Stat. § 171.123(3). The Nevada Supreme Court denied the petition, determining that the statute is consistent with the rights against unreasonable search and seizure protected by the Fourth Amendment because it "strikes a balance between constitutional protections of privacy and the need to protect police officers and the public."
The United States Supreme Court granted certiorari on October 20, 2003. In December, EPIC filed an amicus brief discussing how existing information systems, such as the National Crime Information Center (NCIC) and the Multi-State Anti-Terrorism Information Exchange (MATRIX), may become systems of public surveillance. EPIC urged the Court to ensure that the police do not use stop-and-frisk situations for fishing expeditions of government computer databases. The Supreme Court issued its opinion on June 21, 2004, holding that Nev. Rev. Stat. § 171.123(3) is constitutional under both the Fourth and Fifth Amendments. Justice Kennedy's majority opinion noted, however, "[a]s we understand it, the statute does not require a suspect to give the officer a driver's license or any other document. Provided that the suspect either states his name or communicates it to the office by other means -- a choice, we assume, that the suspect may make -- the statute is satisfied and no violation occurs." Hiibel petitioned for a rehearing, but was denied.
Doe v. Chao, 540 U.S. 614 (2004)
The Department of Labor was sued by a class of coal miners who filed claims with the government for black lung benefits. To process the benefit claims, the Department of Labor used each applicant's Social Security Number to identify that applicant's claim. As identification numbers, the SSNs were subsequently disclosed to other applicants, as well as those applicants' employers and lawyers. The SSNs were also made publicly available in administrative law decisions and computerized legal research databases.
Several coal miners filed suit against the government, alleging violations of the Privacy Act. The United States District Court for the Western District of Virginia granted summary judgment against all the miners with the exception of Buck Doe, who was awarded $1,000 in statutory damages. The court explained that an individual must prove "actual damages" to obtain the $1,000 statutory damages available under the Privacy Act, and that because emotional distress is the chief means of proving damage in privacy cases, such emotional distress is sufficient evidence to allow recovery under the Privacy Act. The court found that Doe had demonstrated enough emotional distress to justify recovery, and thus was entitled to statutory damages. On appeal, the Fourth Circuit determined that Doe was not entitled to damages under the Privacy Act because he failed to show that any tangible consequences flowed from the emotional distress he experienced due to the disclosure of his SSN.
The Supreme Court granted certiorari in June 2003 to consider the question of whether an individual bringing suit under the Privacy Act for wrongful SSN disclosure must prove that he suffered actual monetary damages as a result of the disclosure in order to recover the minimum damages provided by the Privacy Act. EPIC, 12 privacy organizations, and 16 legal scholars and technical experts filed an amicus brief arguing that the Privacy Act provides damages for those who suffer "adverse effects." The brief pointed to the dangers of SSN disclosure, the tradition of providing similar awards in other privacy laws, and the history of the Privacy Act. On February 24, 2004, the Supreme Court ruled in a 6-3 decision that an individual must prove he has suffered actual damage before he can receive a $1,000 minimum statutory award when the government wrongfully discloses his SSN.
City of Chicago v. BATF, 123 S. Ct. 1352 (2003)
The City of Chicago brought a civil suit against a number of firearms manufacturers, wholesalers, and dealers alleging that they unreasonably facilitate the unlawful possession and use of firearms in Chicago and therefore constitute a public nuisance under Illinois law. Seeking information necessary to this otherwise unrelated lawsuit, the City submitted a request under FOIA to the Bureau of Alcohol, Tobacco, and Firearms ("ATF") in late 1998, seeking disclosure of nationwide data from its trace and multiple sales databases. After ATF failed to provide some of the requested information, the City then brought suit against ATF. ATF withheld the requested information on the grounds that it fell within Exemption 6, Exemption 7(a) or Exemption 7(c) of the FOIA (the privacy exemptions).
The district court entered judgment in favor of Chicago, holding that the privacy exemptions 6 and 7(C) did not apply because the information did not constitute an unwarranted invasion of privacy, and that the law enforcement exemption, 7(A), did not apply because ATF had failed to explain adequately how the information could interfere with law enforcement proceedings. The court further held that even if ATF were able to adequately demonstrate that the requested information could be properly withheld from disclosure, FOIA's segregation requirement mandates that the agency encode the data and provide a redacted form of the data to the City. The Seventh Circuit affirmed, holding that there is no valid privacy interest in the information requested. The appellate court did not review the district court's segregation analysis, on the grounds that "none of the purported exemptions apply to any portion of the records requested."
EPIC submitted an amicus brief exploring the issue raised by the district court that FOIA requires the agency to encode the data and release the records. EPIC's amicus sought to resolve the apparent conflict that the case presented between open government and individual privacy by illustrating that, through the use of technology, the government can decode the information before releasing it, thereby shedding the necessary sunlight on government activities while protecting individual privacy rights.
The Supreme Court remanded the case, without decision, after Congress enacted a prohibition on the expenditure of funds to release the type of data at issue in the case.
Smith v. Doe, 259 F.3d 979 (9th Cir. 2001), 123 S. Ct. 1140 (2002), rehearing denied, 123 S. Ct. 1925 (2003)
The Supreme Court reviewed the Ninth Circuit's determination that the Alaska "Megan's Law" statute, which requires posting of information about released sex offenders on the internet, violates the ex post facto clause in part based on the fact that the information is more widely disseminated than necessary to achieve the state goal of protecting "at danger" neighborhoods from recidivist offenders.
EPIC filed an amicus brief urging the Court to hold that the Alaska Megan's law statute violates the Ex Post Facto clause of the Constitution. EPIC argued that the mandatory online dissemination of a sex offender registry is excessive when weighed against the statutory purpose of protecting people in the geographic vicinity of released offenders. The Supreme Court heard oral arguments in the case on November 13, 2002. The Supreme Court ruled on March 5, 2003, that the Alaska Megan's Law statute, even though it was retroactively applied, does not violate the Ex Post Facto Clause of the Constitution because the statute is not a punitive civil regulation.
Remsburg, Administrator of the Estate of Amy Lynn Boyer v. Docusearch, Inc., 149 N.H. 148 (N.H. 2003)
Amy Boyer was murdered after the defendant, an investigator/information broker, provided contact details to her assailant. Boyer's estate sued Defendant for wrongful death, invasion of privacy and other causes of action. On April 25, 2002, the NH District Court certified various questions to the NH Supreme Court: (1) whether a private investigator or information broker who sells information to a client pertaining to a third party has a cognizable legal duty to that third party with respect to the sale of the information; (2) if a private investigator or information broker obtains a person's social security number from a credit reporting agency as a part of a credit header without the person's knowledge or permission and sells the social security number to a client, does the individual whose social security number was sold have a cause of action for intrusion upon her seclusion against the private investigator or information broker for damages caused by the sale of the information; (3) when a private investigator or information broker obtains a person's work address by means of a pre-textual telephone call and sells the work address to a client, does the individual whose work address was deceitfully obtained have a cause of action for intrusion upon her seclusion against the private investigator or information broker for damages caused by the sale of the information; (4) if a private investigator or information broker obtains a social security number from a credit reporting agency as a part of credit header, or a work address by means of a pretextual telephone call, and then sells the information, does the individual whose social security number or work address was sold have a cause of action for commercial appropriation against the private investigator or information broker for damages caused by the sale of the information; (5) if a private investigator or information broker obtains a person's work address by means of a pre-textual telephone call, and then sells the information, is the private investigator or information broker liable under NH Rev. Stat. Ann. Section. 358-A to the person it deceived for damages caused by the sale of the information.
EPIC filed an amicus brief in July 2002 arguing that Docusearch should be liable under all claims. In February 2003, the Supreme Court of New Hampshire The court held that private investigators and information brokers have a duty to exercise reasonable care when the sale of personal information creates a risk to the individual being investigated. The court found that stalking and identity theft are two foreseeable harms that give rise to the duty to exercise care. In a significant expansion of privacy protection, the court held that the investigators could be liable for damages resulting from the sale of information obtained through pretexting. This holding exceeds federal protections against pretexting phone calls, which were enacted with the passage of the Gramm-Leach-Bliley Act. Finally, the court held that individuals may have a tort cause of action against investigators who purchase their Social Security Numbers (SSNs) from credit reporting agencies without permission. The court noted, "While a SSN must be disclosed in certain circumstances, a person may reasonably expect that the number will remain private."
The case now will be remanded to federal district court where a trial will proceed to determine whether Docusearch and the other defendants were actually liable for Amy Boyer's death.
United States v. Bach, Case No. 02-1238 (8th Cir. 2002)
In October of 2000, police officers in Minnesota began investigating Dale Robert Bach for potential child pornography crimes. As part of the investigation, an officer obtained a search warrant to be served upon Yahoo, an internet service provider (ISP) in California. Minnesota requires that an officer be present at the service of a search warrant. Rather than adhering to the requirements provided by Minnesota law, the officer investigating Mr. Bach served the search warrant to Yahoo by fax. Upon receiving the fax, Yahoo employees retrieved all data from Mr. Bach's account, including deleted email messages. Yahoo then mailed the disk to Minnesota, where the data became evidence in Bach's federal criminal prosecution.
At trial, Bach moved to have the evidence suppressed, citing both violations of the Minnesota statute, as well as violations of a federal statute. The district court held that the evidence should be suppressed as the search was illegal under both federal and state laws. The government appealed to the circuit court. In May 2002, Yahoo! and others filed an amicus brief that said that a Minnesota trial court ruling requiring police officers to be physically present for search warrants would threaten client privacy, slow the searches and disrupt business.
EPIC filed an amicus brief in the Eighth Circuit arguing that police officer presence is required during the service of a warrant on an ISP. EPIC argues that the service of a search warrant by fax machine doesn't adequately safeguard Fourth Amendment guarantee of a "reasonable" search. EPIC's brief detailed the history of U.S. search and seizure law, which has mandated officer presence at the service of a warrant since the 1700s.
The Eighth Circuit ruled in October that service of a warrant on an ISP by fax complies with the "reasonableness" requirements of the Fourth Amendment. The defendant petitioned for a motion of reconsideration, for which EPIC filed a supplementary brief by December 16. On January 2, the court denied the defendant's motion for rehearing and the motion for rehearing en banc, with four judges out of the ten active judges on the Circuit voting for rehearing en banc.
In Re Doubleclick Privacy Litigation, Case No. 00-CIV-0641 (NRB) (S.D.N.Y. 2000)
EPIC and Junkbusters filed a formal objection to a proposed settlement. The settlement was proposed by the plaintiffs and defendants in this litigation in an effort to resolve several class-action lawsuits against Doubleclick for online tracking of individuals. Because the litigation is a class action, and the settlement will bind almost every person in the United States that uses the Internet, EPIC argued that the settlement is not fair, reasonable, or adequate because Doubleclick has not significantly changed its business practices. Despite EPIC’s formal objection, the Court approved the proposed settlement on May 21, 2002.
Paramount Pictures et al. v. ReplayTV, Inc. and SonicBlue Inc., Case No. CV01-09358 (C.D. Cal. 2001)
EPIC, joined by a coalition of civil liberties and consumer groups, filed an amicus brief asking a federal court to overrule a decision mandating enforced surveillance of ReplayTV 4000 television users. Previously, numerous television studios persuaded a judge to issue an order requiring SONICblue to electronically monitor and record the TV uses of its customers. The ReplayTV 4000 is a personal video recorder (PVR) that allows users to digitally store television programming to hard disks for later viewing. In the amicus brief, EPIC argued that the court order infringes on individuals' privacy rights and intellectual freedom.
In early June, the judge issued an order holding that ReplayTV would NOT be required to electronically collect data on its customers. In the order, the court stated that it was required "to decide whether the Magistrate Judge, based on the evidence and information before him, rendered a decision that was clearly erroneous or contrary to law." The court further stated, "Although each of the issues raises serious questions, which have been very well briefed on all sides, the Court is persuaded to reverse the Magistrate Judge's Order on the grounds that it impermissibly requires defendants to create new data which does not now exist."
Conboy v. AT&T Corp., 241 F.3d 242 (2d Cir. 2001)
In an amicus brief filed with the Second Circuit Court of Appeals, EPIC urged the court to provide meaningful recourse for consumers whose personal information has been improperly disclosed by telephone service providers. The case involved the telephone privacy provisions of the Telecommunications Act of 1996, which prohibits the disclosure of “customer proprietary network information,” including unlisted phone numbers and telephone billing records. In a decision issued in February 2001, the court held that the Act did not authorize the recovery of damages or the entry of an injunction.
EPIC, et al. v. Federal Communications Commission, 227 F.3d 450 (D.C. Cir. 2000)
In a joint effort with the American Civil Liberties Union and the Electronic Frontier Foundation, EPIC filed an action in the federal appeals court to block new rules that would enable the FBI to dictate the design of the nation's communication infrastructure. The challenged rules -- adopted by the FCC under the controversial Communications Assistance to Law Enforcement Act (CALEA) -- would enable the Bureau to track the physical locations of cellular phone users and monitor Internet traffic. CALEA was enacted by Congress in 1994 and requires the telecommunications industry to design its systems in compliance with FBI technical requirements to facilitate electronic surveillance. In negotiations over the last few years, the FBI and industry representatives were unable to agree upon those standards, resulting in the recent FCC ruling. EPIC opposed the enactment of CALEA in 1994 and participated, along with the ACLU and EFF, as a party in the FCC proceeding. The U.S. Court of Appeals for the District of Columbia Circuit issued its opinion in August 2000 and ruled that law enforcement agencies must meet the highest legal standard before using new surveillance capabilities. The Court stressed that carriers cannot be required "to provide the government with information that is 'not authorized to be intercepted.'"
Competition Policy Institute v. US West, No. 99-1427 (1999), cert. denied, 530 U.S. 1213 (2000)
EPIC staff, with the assistance of the Covington & Burling law firm and in association with fourteen consumer organizations and nineteen law professors, filed this amicus brief in support of a petition for certiorari to the Supreme Court. The brief asked the Court to review a decision of the Tenth Circuit which held that telephone companies may offer only an opt-out privacy notice to their subscribers prior to the disclosure of customer record information (“CPNI”) for marketing purposes. The brief argued that the decision of the Tenth Circuit jeopardizes an individual’s right to privacy. The brief further argued that the FCC’s CPNI order need not implicate First Amendment concerns, and that the FCC properly interpreted the internet of the Congress by choosing the most effective means for protecting the privacy interests of consumers. The Court declined the request for review.
Recording Industry Association of America v. Verizon, 240 F. Supp. 2d 24 (D.D.C. 2003)
EPIC and a coalition of civil liberties groups filed an amicus brief in the District of Columbia challenging the Recording Industry Artists of America's attempt to identify a Verizon ISP subscriber. The groups argued that a portion of the Digital Millennium Copyright Act is unconstitutional since it violates individuals' right to anonymous communications.
The case arose after Verizon refused to comply with a subpoena sent by the RIAA in July 2002, compelling the ISP to release the name of a customer accused of illegally trading hundreds of songs. RIAA filed suit seeking to have a court enforce the subpoena and force Verizon to disclose the customer's name. The RIAA's subpoena was sent pursuant to a provision of the DMCA that permits a copyright owner to send a subpoena (without filing a lawsuit) ordering a "service provider" to turn over information about a subscriber. On January 21, 2003, the district court ruled in favor of RIAA, and Verizon appealed. On December 19, 2003, the D.C. Circuit ordered the district court to quash RIAA's subpoena. The RIAA petitioned for a rehearing en banc, but was denied. The RIAA petitioned the Supreme Court for writ of certiorari in May 2004, but the petition was denied.
Ashcroft v. ACLU, 03-218 (2004)
EPIC was co-plaintiff and co-counsel in the second challenge to efforts by Congress to limit free speech on the Internet. This case attacked the constitutionality of the Children's Online Protection Act (COPA), a law that would require commercial web operators to "card" web patrons before providing access to information that some communities might deem "harmful to minors." A judge in Philadelphia granted the ACLU/EPIC/EFF motion for a preliminary injunction in February 1999. Following a Justice Department appeal, the Third Circuit Court of Appeals heard oral argument in the case in November 1999 and upheld the lower court in an opinion issued in June 2000. The Department of Justice filed a petition for certiorari seeking Supreme Court review of the case, which was granted in May 2001. Oral argument was held in November 2001, and the Court issued a decision on May 13, 2002, vacating the Third Circuit opinion and remanding the case for further consideration of whether COPA's use of "community standards" to identify material that is harmful to minors violates the First Amendment. In March 2003 the Third Circuit once again upheld the preliminary injunction, finding that COPA violates the First Amendment. In August 2003 the Department of Justice again petitioned the Supreme Court to review the case. On June 29, 2004, the Supreme Court upheld the lower court injunction against enforcement of the COPA, finding that the government failed to show that there are no "less restrictive alternatives" to COPA, and that "there is a potential for extraordinary harm and a serious chill upon protected speech" if the law goes into effect.
United States, et al. v. American Library Association. et al., Civil Action No. 01-CV-1322 (2003)
EPIC served as co-counsel in Multnomah County Library v. United States, which was ultimately consolidated into United States v. American Library Association. This case challenged a new federal law that forces libraries to censor constitutionally protected speech on the Internet. The Children's Internet Protection Act (CIPA) requires libraries that participate in certain federal programs to install "technology protection measures" on all of their Internet access terminals, regardless of whether federal programs paid for the terminals or Internet connections. There are more than 16,000 public libraries nationwide, and 95 percent of them currently provide Internet access for their patrons.
Under CIPA, libraries must install "blocking technology measures" to prevent access to material that is "obscene, child pornography," or "harmful to minors," or forfeit much-needed federal funds. Even the makers of the blocking programs touted by the law's proponents do not claim to block only the categories of material that CIPA designates. Additionally, as documented by EPIC's "Faulty Filters" report and other studies, the programs routinely and inexplicably block sites that clearly do not fall under the categories proscribed by the law. The lawsuit also challenges CIPA on privacy grounds. The law provides that library patrons engaged in "bona fide research" may request that they be given access to material blocked by a filtering system. But such a procedure, according to the complaint, forces libraries to violate "patrons' privacy and anonymity rights contrary to the longstanding practices and policies of the library community."
In July 2001, a special three-judge federal court in Philadelphia denied a government motion to dismiss the case. The case went to trial in March 2002. The panel ruled on May 31 that the law was unconstitutional because it would restrict substantial amounts of protected speech "whose suppression serves no legitimate government interest." The decision also notes that the law infringes upon the First Amendment right to anonymity because it forces patrons to reveal their identity in order to get certain cites unblocked. The statute provides for an automatic right of review to the Supreme Court, and the government filed an appeal before the Supreme Court in July 2002. The Court heard oral argument on March 5, 2003. On June 23, 2003, the Court ruled that CIPA is constitutional, and that public libraries can be required to install software designed to block sexually explicit Web sites.
Watchtower Bible v. City of Stratton, 240 F.3d 553 (6th Cir. 2001), cert. granted, 2001 U.S. LEXIS 9772
EPIC, the ACLU, and 14 legal scholars filed an amicus curiae brief with the Supreme Court in this case which implicates privacy rights, as well as the First Amendment rights of anonymity, expression, and freedom of association. The case concerns a city ordinance that requires those going door-to-door to obtain a permit and to identify themselves prior to and during petitioning. The lower court found that neither requirement violated the First Amendment freedom of expression or right to anonymity.
Anonymity is a core First Amendment value that enables the expression of political ideas, participation in the political process, membership in political associations, and the practice of religious belief without fear of government intimidation or public retaliation. The brief argues that the city ordinance, in forcing people to sacrifice their anonymity, chills activity protected by the First Amendment.
The Court ruled on June 17, 2002 that the ordinance violated the right of anonymity inherent in the First Amendment freedom of speech. The Court stated that "it is offensive, not only to the values protected by the First Amendment, but to the very notion of a free society, that in the context of everyday public discourse a citizen must first inform the government of her desire to speak to her neighbors and then obtain a permit to do so."
Universal Movie Studios, Inc. v. Eric Corley, No. 00-9185 (2d Cir.)[273 F.3d 429 (2d Cir. 2001), amended by Universal City Studios, Inc. v. Reimerdes, 2001 U.S. Dist. LEXIS 12548]
In this case, involving the application of the Digital Millennium Copyright Act (DMCA), EPIC joined in an amicus brief with the American Civil Liberties Union and other national organizations, urging the court of appeals to protect the longstanding balance between copyright law and the First Amendment. At issue is the distribution of software called DeCSS that allows users to bypass the security system of DVD movie disks. Several Hollywood movie studios sued Eric Corley, editor and publisher of a print and Web publication, for posting the software on his Web site and for linking to other Web sites that post it. The studios claimed that Corley's actions violated a provision of the DMCA, which prohibits manufacturing or offering technology that allows users to bypass measures that protect access to copyrighted works. The ACLU/ EPIC brief explains that the "fair use" doctrine has traditionally limited copyright liability by protecting the use of copyrighted works in criticism, parody, comment, news reporting, teaching and scholarship. A decision was issued in November 2001, rejecting the First Amendment challenge to the DMCA.
Reno v. Condon, 528 U.S. 147 (2000)
When the Supreme Court faced the constitutionality of federal regulation over the distribution of information contained within state driving records, EPIC filed an amicus brief arguing that the 1994 Drivers Privacy Protection Act is a proper exercise of the federal legislative authority. The Court agreed, finding that Congress did not run afoul of federalism principles.
Microsystems Software, Inc. v. Scandinavia Online, 226 F.3d 35 (1st Cir. 2000)
EPIC served as "of counsel" to the American Civil Liberties Union in this appeal of a district court injunction prohibiting the online distribution of software that decodes the CyberPatrol content filtering product. The case raised several important and novel issues, including the reach of U.S. law in cyberspace, the scope of U.S. copyright law, the free speech rights of "mirror site" operators, and the public interest in disclosure of information concerning the impact of Internet filtering systems. The First Circuit Court of Appeals upheld the lower court's decision. However, in October 2000, the Librarian of Congress announced two classes of works subject to an exemption from the prohibition on circumvention of technological measures that control access to copyrighted works under the Digital Millennium Copyright Act. One is "Compilations consisting of lists of websites blocked by filtering software applications." This is the type of activity that was at issue in the Cyber Patrol litigation.
Air Travel Privacy
In the Matter of Northwest Airlines, Docket No. 16939 (complaint filed with the Department of Transportation)
On January 20, 2004, EPIC filed a complaint against Northwest Airlines with the Department of Transportation. EPIC alleged that Northwest committed an unfair and deceptive trade practice by disclosing millions of passenger records to the National Aeronautics and Space Administration (NASA) in violation of the airline's publicly posted privacy policy. In September 2004, the DOT concluded that Northwest's privacy policy "did not unambiguously preclude it from sharing data" with NASA, and that "even if it did, such a promise would be unenforceable as against public policy[.]" Though EPIC petitioned the DOT for review of its determination, the decision was upheld in March 2005.
In the Matter of Interim Final Privacy Act Notice Concerning Aviation Security Screening Records, Docket No. DHS/TSA-2003-1 (comments filed with the Department of Homeland Security)
EPIC filed these comments on September 30, 2003 in response to the second of two Federal Register notices concerning the Computer Assisted Passenger Profiling System (CAPPS II). EPIC's comments criticized the lack of government transparency in CAPPS II, noting that the Transportation Security Administration has disclosed little information about the system in response to repeated Freedom of Information Act requests, and also has failed to prepare a Privacy Impact Assessment of the system, as required by federal law. The comments addressed TSA's failure to provide individuals with meaningful access to personal information and meaningful opportunities to correct inaccurate, irrelevant, untimely and incomplete information. EPIC also noted CAPPS II's exemption from the requirement that a system maintain only information that is "relevant and necessary" to perform the system's function, and asserted that TSA's broadly drawn "routine uses" of CAPPS II data would only heighten the system's privacy problems. CAPPS II was ultimately abandoned in 2004 due in part to privacy concerns.
In the Matter of JetBlue Airways and Acxiom Corporation (complaint filed with the Federal Trade Commission)
On September 22, 2003, EPIC filed a complaint with the Federal Trade Commission (FTC) regarding the information sharing practices of JetBlue Airways and Acxiom Corporation, an information systems company. EPIC's complaint alleged that JetBlue and Acxiom disclosed personal information of about 1.5 million passengers with Torch Concepts, an information mining company that is a Department of Defense subcontractor. Torch Concepts then published some of the passenger information. The complaint alleged that by sharing this passenger information, both JetBlue and Acxiom breached the companies' privacy policies that specifically promised not to disclose such information without consumer consent. This breach of promise, alleged the complaint, violates Section 5(a) of the Federal Trade Commission Act, which prohibits unfair and deceptive acts or practices that affect commerce. The FTC investigated the complaint, but chose not to take action.
In the Matter of Privacy Act Notice Concerning Aviation Security Screening Records, Docket No. DOT/TSA 010-OST-1996-1437 (comments filed with the Department of Transportation)
On February 24, 2003, EPIC submitted comments on the application of federal privacy rules to the collection and use of personal information obtained by the Transportation Security Administration (TSA) for use in an air passenger profiling database proposed in a Privacy Act notice published in the Federal Register on January 15, 2003. EPIC argued that the notice did not provide sufficient information for the public to contribute meaningfully to the rulemaking procedure. The comments also discussed the privacy and security risks of the Computer Assisted Passenger Profiling System (CAPPS II) and the need for greater transparency for the other projects pursued by the TSA. The Department of Homeland Security published a second Privacy Act Notice on CAPPS II in August 2003, in response to which EPIC submitted further comments (see above).
Anonymity
In the Matter of Digital Broadcast Copy Protection, MB Docket No. 02-230 (comments filed with the Federal Communications Commission)
In comments to the Federal Communications Commission submitted in early December 2002, EPIC recommended against the adoption of a Digital Television Broadcast Flag mandate unless it incorporates privacy protections for viewer data. The comments stated that the Broadcast Flag could erode anonymity in consumption of media and circumvent well-established public policy that protects viewer data. The FCC announced on November 4, 2003 that it will adopt the mandate.
In the Matter of Notice and Recordkeeping for Use of Sound Recordings Under Statutory License, Docket No. RM 2002 (comments filed with the Copyright Office)
On April 5, 2002, in comments to the Copyright Office, EPIC joined the Electronic Frontier Foundation (EFF) in advocating that individuals should be able to listen to webcasts anonymously. The comments come in response to proposed changes to copyright regulations that would require information collection and the assignment of a unique identifier to listeners. Shortly after EPIC and EFF filed the comments, the Recording Industry Artists of America dropped its request that listener logs be linked to personally identifiable information.
Financial Privacy
In the Matter of Financial Services Modernization Act or Gramm-Leach-Bliley Act (GLBA), 15 USC § 1608, Study on Information-Sharing Practices Among Financial Institutions and Their Affiliates (comments filed with the Treasury Department)
On May 1, 2002, EPIC, Privacy Rights Clearinghouse, U.S. PIRG and Consumers Union submitted comments for a U.S. Treasury Department study on the effectiveness of Gramm-Leach-Bliley Act financial privacy protections. The study is required by law to shed light on the information sharing practices of the financial services industry. The comments describe flaws in the implementation of the GLB Act and demonstrate the benefits for consumers if an "opt-in" approach is adopted for financial information sharing. After consideration of these comments, the FTC issued a final rule in the matter on May 22, 2002 under which the opt-out provisions were made more stringent.
Internet Privacy
In the Matter of Amazon.com (complaint filed with the Federal Trade Commission)
On April 22, 2003, EPIC and 11 consumer organizations alleged in a complaint to the Federal Trade Commission that Amazon.com illegally collected and disclosed children's personal information in violation of the Children's Online Privacy Protection Act (COPPA), which specifically protects the privacy of Internet users under the age of 13 by requesting parental consent for the collection or use of any personal information of those users. In November 2004, Federal Trade Commission staff recommended that the agency not pursue Amazon.com under the Children's Privacy Protection Act despite the fact that the "Toy Store" website targets children and collects personal information. The agency relied heavily on a single sentence in the company's privacy policy, and concluded that the site wasn't covered by the privacy law.
In the Matter of Rules and Regulations Implementing the Controlling Pornography and Marketing Act of 2003, FCC Docket No. 04-53 (comments filed with the Federal Communications Commission)
EPIC argued that in passing the Telephone Consumer Protection Act of 1991, Congress shielded wireless devices from automatic dialer, prerecorded, and artificial voice telemarketing. In comments filed on April 30, 2004, EPIC argued that the Federal Communications Commission should strive to enhance this shield, and prevent commercial messages to wireless devices from becoming the scourge that spam has become to individuals with e-mail accounts. The Commission's actions in this arena are extremely important, as more individuals are receiving SMS and e-mail on wireless phones. If the Commission fails to shield these devices from an onslaught of "mobile service commercial messages," ("MSCMs") consumers will not adopt these technologies, or use them to a more limited extent by keeping them powered off. Furthermore, EPIC argued, since many users are charged for SMS or for bandwidth associated with receiving messages, it is unfair to allow commercial senders to transfer the costs of their advertising onto the user. Because of cost and annoyance risks, literally, the survival and utility of wireless communications devices depends on Commission action to provide isolation from constant commercial interruption.
In the Matter of Communications Assistance for Law Enforcement Act Joint Petition For Rulemaking, RM-10865 (comments filed with the Federal Communications Commission)
EPIC submitted comments on April 12, 2004 in response to a public notice seeking comments on a petition for expedited rulemaking concerning the Communications Assistance for Law Enforcement Act (CALEA) filed by the Department of Justice, the Federal Bureau of Investigation, and the Drug Enforcement Administration. EPIC's comments urged the Federal Communications Commission to reject the request of federal law enforcement agencies to expand CALEA to cover Internet Service Providers and "Voice over IP" services. Such an expansion contravenes Congressional intent, would allow law enforcement to capture information on non-suspects, and law enforcement agencies have not demonstrated a need for expanding CALEA. In August 2004, the Commission tentatively determined that Internet phone calls are subject to wiretapping by law enforcement under CALEA.
In the Matter of CAN-SPAM Rulemaking (Do Not E-Mail), FTC Project No. R411008 (comments filed with the Federal Trade Commission)
In March 31, 2004 comments to the Federal Trade Commission regarding the CAN-SPAM Act and the "Do Not E-Mail" Registry, EPIC argued that the Do Not Email Registry must be understood to be one part of a multi-tiered, international approach to protecting consumers from spam, and that the Do Not Email registry should protect individual privacy interests on the Internet by using domain-level listings to protect the privacy of individual email addresses. Consistent with EPIC's comments, the Commission ruled in August 2004 that marketers cannot send commercial e-mail to wireless devices without the explicit consent of the consumer, a much stronger protection against spam than that provided by the CAN-SPAM Act passed by Congress in 2003.
In the Matter of Microsoft Corp. (complaint filed with Federal Trade Commission)
In July 2001, EPIC and a coalition of consumer groups urged the Federal Trade Commission to investigate Microsoft for unfair and deceptive practices in the marketing and deployment of the Microsoft Passport system. In August 2001, EPIC filed supplemental materials with the Federal Trade Commission detailing security flaws in the Passport system, issues with Kids Passport compliance with the Children's Online Privacy Protection Act, and other new information that emerged after the filing of the original complaint.
On August 8, 2002, the FTC announced that it had settled a case based on EPIC's complaint. The FTC found that Microsoft made a series of false representations about Passport. First, the company, despite guarantees to the contrary, did not employ reasonable methods to protect the privacy of personal information collected by Passport. Second, the company falsely represented that the Passport Wallet service provided extra security over standard e-commerce transactions. Third, the company did not disclose that Passport tracked users' visits to web sites, when in fact a log of user activity was maintained by the company for months. Fourth, Kids' Passport failed to provide parental control over collection of information online.
In the Matter of Doubleclick (complaint filed with the Federal Trade Commission)
In February 2000, EPIC, joined by Junkbusters, filed an extensive complaint with the Federal Trade Commission alleging that Doubleclick’s decision to engage in user-identified profiling after representing to more than 1,000,000 users of the Internet and by means of an explicit privacy policy at more than 1,000 web sites that it would engage in only anonymous profiling. EPIC asserted that such action is an unfair and deceptive trade practice in violation of the FTC Act. (See prior entry on the Doubleclick court litigation.)
Telecommunications Privacy
In re Telecommunications Rulemaking, Docket No. UT-990146 (comments filed with the State of Washington, Utilities and Transportation Commission)
On May 22, 2002, EPIC submitted comments for a Washington State Utilities and Transportation Commission rulemaking regarding the WUTC's proposed CPNI rules. The proposed rules create an opt-in regime for more sensitive customer information, such as call logs, while retaining an opt-out (pending the FCC's federal CPNI rulemaking) for less sensitive information such as services that an individual subscribes to. EPIC's comments urged the WUTC to adopt an opt-in rulemaking for all customer data, including CPNI, but applauded the Commission's efforts to place heightened restrictions on some sensitive customer information.
In November, Washington State adopted rules more protective of
customer privacy than those adopted in July by the Federal Communications Commission,
which Order specifically left open the possibility of more protective state
regulation. The Washington rules mandate opt-in--express approval--for all "call
detail" information, and permit information sharing only within companies
under common ownership.
The rules were challenged immediately upon their adoption by Verizon on a variety
of grounds. On August 26, 2003, a U.S. district court in Seattle ruled that
even though there is a significant state interest in protecting consumer privacy,
Washington State's attempt to restrict the sharing of CPNI was unconstitutional
under the First Amendment.
In the Matter of Telecommunications Carriers' Use of Customer Proprietary Network Information, CC Docket No. 96-115; CC Docket No. 96-149 (Federal Communications Commission)
In this proceeding, EPIC and seventeen other civil liberties and consumer protection groups filed comments with the Federal Communications Commission (FCC) urging it to protect the privacy of telephone customers by adopting an opt-in policy towards use of customer information by telecommunications carriers.
The FCC's request for public comments relates to the use by telecommunications carriers of "customer proprietary network information" (CPNI), which includes the name, telephone number, call information and services subscribed to by a telephone customer. In 1998, the FCC promulgated its initial rule regarding CPNI, which required telecommunication carriers to obtain explicit customer approval (opt-in) before using such information in any manner inconsistent with provision of services (for example, building detailed profiles based on personal information obtained through private telephone calls). An alternative approach is opt-out, which enables the carrier to use CPNI until a customer informs it otherwise. The FCC rejected an opt-out approach as insufficiently protective of customer privacy, because opting-out places the burden on the customer, many of whom are wholly unaware of their right to opt-out.
In U.S. West v. FCC, 182 F.3d 1224 (10th Cir. 1999), the U.S. Court of Appeals for the 10th Circuit ruled that the FCC's opt-in approach did not pass First Amendment scrutiny because the decision to require "opt-in" was not adequately considered or supported by existing facts. In response to this 1999 court decision, the FCC in October 2001 issued a request for public comments, seeking advice on, among other things, whether an opt-in approach inherently violates the First Amendment. EPIC's position, articulated in its comments, is that an opt-in approach is the only method to adequately protect customers' legitimate and constitutionally protected interest in privacy. Opt-out methods do not protect privacy because they place the burden on the customer to understand and reply to confusing notices. EPIC's comments note that 86 percent of consumers favor opt-in for communications services.
On April 30, 2002, EPIC met with representatives of the Federal Communications Commission (FCC) regarding the pending CPNI rulemaking. Upon the FCC’s request, EPIC provided supplemental materials strengthening the argument that (1) opt-out has failed to protect consumer privacy when implemented in similar regimes, specifically Gramm-Leach-Bliley, and (2) opt-out permits aggrandized information sharing, which can lead to real harms (such as identity theft) to consumers. The Federal Communications Commission released the new CPNI rulemaking on July 16. The Order provides for opt-in—or express consent—customer approval for carriers' release of customer information to third parties, but permits opt-out consent for release of information to affiliated parties. The Order specifically states that the Commission will not block or preempt state efforts to further protect CPNI.
Telemarketing
In the Matter of Telemarketing Rulemaking, FTC File No. R411001 (comments filed with the Federal Trade Commission)
On April 10, 2002, EPIC and thirteen leading consumer advocacy groups filed comments with the Federal Trade Commission on the Telemarketing Sales Rule (TSR). The groups advocated the creation of a telemarketing "do-not-call" registry, a requirement that telemarketers send Caller ID information, and for a prohibition on automatic dialers that produce abandoned calls.
The FTC published its final rule in December 2002. The rule establishes a national DNC list that will accommodate both Internet and toll-free phone number enrollment. The new regulations also require telemarketers to transmit caller ID information, establish new rules for the use of pre-acquired account number information, and prohibit "abandoned" calls. Congress passed implementing legislation in February 2003. The DNC's implementation is now the subject of contentious litigation.
In the Matter of Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, CG Docket No. 02-278 (comments filed with the Federal Communications Commission)
EPIC and ten leading advocacy groups filed comments in early December 2002 with the Federal Communications Commission on the Telephone Consumer Protection Act (TCPA). The comments advocated the creation of a telemarketing "do-not-call" registry and for the requirement that telemarketers send Caller ID information. The comments further recommended that the FCC work in conjunction with the FTC in developing the list. EPIC filed comments before the FTC in a similar proceeding in April 2002 (see above).
Litigation Strategy
EPIC's litigation strategy follows five principles:
Last Updated:
April 2, 2008
Page URL: http://www.epic.org/privacy/litigation/default.html