Latest News - April 25, 2014
Following an extensive public comment process, the National Institute of Standards and Technology has removed a cryptographic algorithm from its guidance for random number generators deployed by government vendors. NIST recommends that current users of Dual_EC_DRBG transition to one of the three remaining approved algorithms as quickly as possible. NIST cited in own evaluation and "a lack of public confidence in the algorithm." Last year the NY Times reported that the NSA had intentionally weakened cryptographic standards to enable surveillance, raising concerns about the reliability of key Internet standards. In February, NIST released new guidelines for the development of cryptographic standards. EPIC, joined by several organizations, urged the agency to explain the extent of NSA's role in the standards development process. EPIC previously recommended that NIST inform the public of the full extent of the NSA's involvement in the Cybersecurity Framework. The Computer Security Act of 1987 was passed explicitly to prevent NSA involvement in domestic computer security. For more information, see EPIC: Computer Security Act of 1987.
The Supreme Court is set to hear oral arguments next week in two cases concerning the warrantless search of a cell phone following an arrest. EPIC filed a "friend of the court" brief, signed by twenty-four technical experts and legal scholars, arguing that the Fourth Amendment requires a warrant because of the vast amount of personal information available on a cellphone. EPIC wrote, "Allowing police officers to search a person's cell phone without a warrant following an arrest would be a substantial infringement on privacy, is unnecessary, and unreasonable under the Fourth Amendment." Also the Supreme Court this week agreed to review a case considering whether the police may detain a person based on a mistaken interpretation of the law. In Heien v. North Carolina, the person was detained by the police because of a broken taillight. EPIC routinely files amicus briefs in cases raising novel privacy issues. For more information, see EPIC: Riley v. California and EPIC: Amicus Curiae Briefs.
inBloom, a private company that acquired student information from school districts across the country, has shut down. The company said its work "has been stalled because of generalized public concerns about data misuse..." inBloom and other companies, including Google, acquired student data following revisions to the Family Educational Rights and Privacy Act by the Department of Education that significantly weakened the student privacy law. In 2012, EPIC sued the Education Department for removing student privacy protections. Last year, EPIC testified before the Colorado State Board of Education on student privacy issues concerning inBloom. Early this year, EPIC called for a Student Privacy Bill of Rights, an enforceable student privacy and data security framework. For more information, see EPIC: Student Privacy.
A national survey conducted by Pew Research Center and Smithsonian Magazine find the American public optimistic about revolutions in health science and transportation, and concerned about technologies of surveillance. According to the survey, 63% of Americans think it would be a change for the worse if "personal and commercial drones are given permission to fly through most U.S. airspace," while 22% think it would be a change for the better. And 65% expressed concern about increased dependence on robots. Similarly, 53% of Americans think it would be a change for the worse if most people wear implants or other devices that constantly show them information about the world around them. Women are especially wary of a future in which these devices are widespread. Google Glass, an example of such technology, has come under scrutiny from Data Protection authorities as well as Congress. EPIC, joined by 100 other organizations and experts, petitioned the Federal Aviation Administration to address public concerns about privacy and drones. For more information, see EPIC: Google Glass and Privacy and EPIC: Domestic Drones.
A federal court of appeals has ruled that the Department of Justice must release the legal analysis justifying the controversial "targeted killing" drone program. The government argued in New York Times v. Department of Justice that the analysis should be exempt from release as a privileged communication. But the ACLU and the New York Times, supported by EPIC and other open government organizations, argued that because the government relied on the legal reasoning to justify the drone program it cannot be kept secret. The Second Circuit agreed, ruling that the after "senior Government officials have assured the public" that the program is "lawful and that . . . advice establishes the legal boundaries," it can no longer claim that the document is exempt from FOIA. EPIC has pursued a similar case for more than seven years, seeking the disclosure of the OLC's legal analysis of the Warrantless Wiretapping program. And earlier this year EPIC wrote in the New York Times that if "the Justice Department expects others to follow its advice, the analysis that supports its conclusions should be made public." For more information, see EPIC: New York Times v. DOJ and EPIC: EPIC v. DOJ - Warrantless Wiretapping Program.
As the result of a Freedom of Information Act request, EPIC has received several hundred pages of documents related to the Federal Trade Commission's investigation of Facebook business practices. The documents include assessments by the FTC of Facebook's privacy changes and communications with the company. EPIC has repeatedly pressed the Commission to enforce the 2012 Consent Order which barred the company from future changes to privacy settings without user consent and committed Facebook to develop a "comprehensive privacy program." EPIC also recently filed a complaint with the FTC about Facebook's acquisition of Whatsapp, an instant messaging service. The EPIC complaint resulted in a stern warning from the FTC not to violate Whatsapp user privacy. For more information see: EPIC: Facebook Privacy.
In a letter to the White House, a coalition of US organizations urged the Administration to recognize the recent opinion by the Court of Justice, the highest court in Europe, that ended a European data retention mandate. The European law required telephone and internet companies to retain metadata on customers for national security purposes. The European Court of Justice ruled that this practice violates the fundamental right to privacy and is illegal. The US groups argue that the opinion "bears directly on the White House's review of the NSA Telephone Records Collection Program and also the White House study of Big Data and the Future of Privacy." The groups urged the White House to 1) recognize the Court's decision in its upcoming report on big data and privacy; and 2) end the NSA telephone record collection program. The letter states that the decision by European Court "is the most significant legal opinion from any court in the world on the risks of big data and the ongoing importance of privacy protection." Last year EPIC, joined by dozens of legal scholars and former members of the Church Committee, urged the US Supreme Court to find the NSA's telephone record collection program unlawful. More recently, EPIC submitted extensive comments warning the White House of the enormous risks of current big data practices. For more information, see EPIC: Data Retention and EPIC: Big Data and the Future of Privacy.
In a recently concluded Freedom of Information Act lawsuit, EPIC tried to obtain legal analysis concerning the controversial PRISM surveillance program. The Justice Department responded that "no responsive records" exist. An earlier FOIA case brought by EPIC revealed that the Office of Legal Counsel provided advice on the warrantless wiretapping program of President Bush. But apparently no similar memos exist on the legality of the mass collection of Internet traffic by the NSA. For more information, see EPIC v. DOJ (PRISM).
A federal judge has ruled that the Federal Trade Commission has the power to enforce data security standards. In the case FTC v. Wyndham, the Commission alleged that criminals stole hundreds of thousands of credit card numbers from hotel guests because Wyndham Hotels maintained lax data security. Wyndham responded that the FTC could not bring an enforcement action against the company without first publishing regulations. Judge Esther Salas held that the FTC's authority to investigate "unfair or deceptive" business practices included data protection. FTC Chairwoman Edith Ramirez stated earlier, "Companies should take reasonable steps to secure sensitive consumer information. When they do not, it is not only appropriate, but critical, that the FTC take action on behalf of consumers." For more information, see EPIC: Federal Trade Commission, and EPIC: Big Data and the Future of Privacy.
The Senate Commerce Committee voted unanimously to approve the Driver Privacy Act, a bipartisan bill that would provide privacy safeguards for event data recorders or "black boxes." Introduced by Senators John Hoeven (R-ND) and Amy Klobuchar (D-MN), the bill prohibits unauthorized access to data that records the activities of drivers. Under the Act, data could only be obtained with: (1) written consent of all of the car owners or lessees; (2) a court or administrative order; (3) a federal transportation safety investigation if personally identifiable information is redacted; (4) emergency car crash medical response; or (5) traffic safety research if personally identifiable information is redacted. Last year EPIC, consumer privacy organizations, and members of the public, urged the National Highway Traffic Safety Administration to protect driver privacy by establishing many of the proposed safeguards in the Driver Privacy Act. For more information, see EPIC: Event Data Recorders and Privacy.
The Federal Trade Commission has notified Facebook and WhatsApp that they must honor their privacy commitments to users. According to the letter from the Director of the FTC Bureau of Consumer Protection, "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the FTC Act and potentially the FTC's order against Facebook." The FTC letter followed a detailed complaint from EPIC and CDD concerning the privacy implications of the $19B sale to Facebook. WhatsApp had assured users of strong privacy safeguards prior to the sale. The FTC letter concludes "hundreds of millions of users have entrusted their personal information to WhatsApp. The FTC staff continue to monitor the companies' practices to ensure that Facebook and WhatsApp honor the promises they have made to those users." For more information, see EPIC: In re: WhatsApp, EPIC: In re: Facebook and EPIC: Federal Trade Commission.
The Government Accountability Office has issued a report, warning that federal agencies "have not been consistent or fully effective in responding to data breaches." The GAO found that "the number of reported information security incidents involving personally identifiable information has more than doubled over the last several years." The report further states, "the increasing number of cyber incidents at federal agencies, many involving the compromise of personally identifiable information, highlights the need for focused agency action to ensure the security of the large amount of sensitive personal information collected by the federal government." EPIC recently warned the White House about the enormous risks to Americans of current "big data" practices. EPIC and more than 20 organizations have urged the Administrations to establish strong privacy safeguards and improve accountability across the government and private sector. For more information, see EPIC: Big Data and the Future of Privacy.
Top News Archive
EPIC v. DOJ
Riley v. California
Facebook - WhatsApp