EPIC Alert 25.03

1. In Congressional Testimony, EPIC Calls For Comprehensive Privacy Law, New Privacy Agency

EPIC President Marc Rotenberg testified before the House Financial Services Committee, calling for comprehensive privacy legislation and a new data protection agency to protect consumers from the epidemic of data breaches and identity theft in the United States. Rotenberg told the Committee that "data breaches pose enormous challenges, not only to American families, but also to our country." Rotenberg explained, "Today our country is facing cyber attacks from foreign adversaries and it is the personal data stored by companies that is the target. When these companies engage in lax security practices or freely disclose consumer data without consent, they are placing not only consumers, but also our nation at risk."

EPIC's Rotenberg focused on the need to establish a federal baseline standard that does not preempt stronger state laws. EPIC's project on state policy highlights how states are innovators in the field of privacy law. Federal privacy laws in the United States traditionally have not preempted state law. Rotenberg stressed that states need to be able to respond to "privacy threats as they emerge."

Rotenberg also called the Committee's attention to the "growing divergence between U.S. privacy laws and privacy laws in Europe." Europe will soon be implementing stronger privacy laws with the General Data Protection Regulation, which takes effect on May 24. Rotenberg stressed that this divergence between Europe and the United States could have serious consequences for trade and the U.S. economy.

EPIC has repeatedly urged Congress to address the data protection crisis. EPIC testified before the Senate Banking Committee last year in the wake of the Equifax breach, emphasizing the need to strengthen U.S. privacy laws. Rotenberg outlined the steps Congress can take to reform the credit reporting industry in an article for the Harvard Business Review last year. EPIC's Christine Bannan also set out proposals for comprehensive privacy legislation in a recent article for The Hill.

2. EPIC Challenges Facebook Privacy Settlement

EPIC has filed an amicus brief in Campbell v. Facebook, a case concerning the approval of a proposed class action settlement that allows Facebook to continue scanning private messages as long as the company posts a notice about the practice in its privacy policy.

Consumers affected by the proposed Facebook settlement filed an appeal, arguing that the deal failed to compensate users and did nothing to fix Facebook's business practices. The only change that the settlement requires of Facebook is a minor revision to the site's privacy policy disclosing that Facebook scans private messages.

In an amicus brief, EPIC urged the court to reject the proposed class action settlement. EPIC challenged the settlement because it did not require Facebook to stop scanning private messages. In fact, the company can continue scanning messages by simply burying a notice on its website. EPIC asserted that a "vague notice is not the basis for consent under the Electronic Communications Privacy Act or the California Invasion of Privacy Act." Also, there was no compensation to users for the prior violation of federal and state laws.

EPIC is dedicated to class action fairness in privacy cases and has objected to many similar settlements that failed to provide actual benefits to consumers. EPIC recently opposed a settlement with Google that allows the company to continue tracking web users. EPIC also opposed a settlement with Facebook in 2014 that permitted the site to continue an unlawful practice.

EPIC defends consumer privacy rights online. EPIC opposed the use of advanced tracking techniques that enable companies such as Facebook and Google to track users browsing habits and deliver targeted advertisements. EPIC has recommended limitations of online tracking and behavioral profiling, and urged the FTC to limit the use of cross-device tracking.

3. EPIC FOIA: IRS Agrees to Fulfill EPIC's Request for Trump Tax Records

The IRS acknowledged last week that it will fulfill EPIC's FOIA request seeking certain tax records of President Trump and the President's businesses. It marks the first time, to EPIC's knowledge, that the IRS has agreed to process a third-party FOIA request for the President's tax information.

EPIC is seeking tax records relating to settlements with the IRS, which the agency is required to disclose to the public upon request. "Donald J. Trump has consistently refused to disclose any personal tax records or the tax records of his businesses, leaving the American public 'in the dark' as to his financial entanglements with Russia," EPIC wrote in the request. "The public urgently requires as much information about President Trump's finances as the IRS can lawfully release."

EPIC previously sued the IRS for the release of the President's personal tax returns to correct misstatements of fact about his financial ties to Russia. President Trump tweeted "I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim contradicted by the President's own lawyers. That case, EPIC v. IRS, is now before the D.C. Circuit Court of Appeals.

EPIC is litigating several other FOIA cases about Russian interference in the 2016 Presidential election, including EPIC v. ODNI (scope of Russian interference), EPIC v. FBI (response to Russian cyber attack), and EPIC v. DHS (election cybersecurity).

4. Following EPIC Letter, 31 Senators Demand Answers from CFPB on Equifax Investigation

A group of 31 Senators recently wrote to Acting Director Leandra English and Director Mick Mulvaney of the Consumer Financial Protection Bureau about the agency's failure to pursue the probe of the 2017 Equifax breach. The letter, which came shortly after EPIC urged the Senate Banking Committee to investigate the CFPB, warned that the agency "has a clear duty to supervise consumer reporting agencies, investigate how this breach has or will harm consumers, and bring enforcement actions as necessary."

Former CFPB director Richard Cordray authorized an investigation into Equifax last September when news of the breach broke. But after he was replaced by Mick Mulvaney in November, the investigation stalled. According to reports, the CFPB has not issued subpoenas, has not planned any on-site exams of Equifax's security systems, and has declined assistance from other agencies.

In a Senate hearing this month, responding to a question from Senator Merkley (D-OR) about the investigation, Mulvaney claimed that "there has been no change in the position from the previous leadership of the CFPB regarding Equifax." However, the CFPB has declined to respond to the Senators' letter, and the CFPB refuses to "confirm or deny" whether an investigation is ongoing.

In addition to EPIC's letter to Senate Banking, EPIC filed a FOIA request seeking records about Mulvaney's alleged decision to halt the CFPB's Equifax investigation. EPIC President Marc Rotenberg also testified at a hearing before the House Financial Services last week, calling for comprehensive privacy legislation and the creation of a U.S. data protection agency. Rotenberg previously testified before the Senate Banking Committee last fall about the Equifax breach and the need to reform the credit reporting industry.

5. EPIC Files FOIA Request About DHS's Investigation of Voter Fraud

EPIC has filed a Freedom of Information Act request to the Department of Homeland Security seeking records about DHS's investigation of state voter fraud. Since the recent termination of the Presidential Advisory Commission on Election Integrity, President Trump suggested that the DHS investigate voter fraud, which falls outside the agency's jurisdiction.

The agency has stated that its top priority is securing election systems from cyberattacks. "Diverting agency resources to investigate claims of voter fraud may undermine the cooperation with state and county election officials that is crucial in keeping election's secure," EPIC explained in the FOIA request.

EPIC previously submitted a statement to Congress seeking assurances that DHS will not continue the work of the Commission, which was disbanded while facing an EPIC lawsuit to halt the Commission's unlawful collection of state voter data.

Earlier this month, the DHS admitted that Russian hackers successfully penetrated election systems in the 2016 Presidential Election. In related FOIA lawsuit EPIC v. DHS, EPIC is seeking the agency's full research and analysis of the 2016 Russian interference.

EPIC Book Review: 'Automating Inequality'

Automating Inequality: How High-Tech Tools Profile, Police, and Punish the Poor, by Virginia Eubanks

In Automating Inequality, Professor Virginia Eubanks turns a critical eye towards the increasing use of data mining, decision algorithms, and predictive risk modeling to show how these technologies are detrimental to poor and working-class citizens. Her efforts reveal how these tools criminalize the poor, perpetuate inequality, and create systems of mass surveillance rather than assisting individuals in need or promoting good policies.

Eubanks lays the groundwork for the book, tracing the treatment of the poor and working class from poorhouses up to present-day databases. The problems with automation are laid bare through three examples: the automation of welfare benefits in Indiana; the algorithm that determines which individuals get homeless services in Los Angeles; and the predictive scoring of kids in Allegheny county that determines the likelihood of abuse and neglect.

The experiences of the individuals and families described in the book demonstrate how automated systems have become "digital poorhouses." There are the unfair decisions that terminate benefits to eligible individuals; the invasive collection of data to police the poor; and the predictive risk models that condemn individuals for being poor and not for their actual behavior.

Automating Inequality is a warning to us all as automated systems are used in every facet of society. It is also a call to live up to our national values of liberty, equity, and inclusion. Eubanks highlights the problems and provides strategies to address the digital poorhouses created by automated systems. She warns that we are all at risk in a world of high-tech profiling. As the author notes, "technological tools tested on the poor will eventually be used on everyone."

—Jeramie D. Scott

News in Brief

EPIC Offers Recommendations for Future of FTC Ahead of Senate Hearing on Nominees

In advance of a Senate hearing on four nominees to the Federal Trade Commission, EPIC recommended 10 steps for the FTC to safeguard American consumers. EPIC explained that the FTC's failure to address the data protection crisis has contributed to unprecedented levels of data breach and identity theft in the United States. EPIC helped establish the FTC's authority for consumer privacy and has urged the FTC to safeguard American consumers in cases involving Microsoft, Google, Facebook, Uber, Samsung and others. EPIC also filed a lawsuit against the FTC when it failed to enforce a consent order against Google.

EPIC Joins Call for Increased Oversight of Intelligence Agencies

EPIC and other leading open government organizations urged Congress to promote transparency and accountability of the Intelligence agencies. The groups called for the release of annual public reports, all significant opinions by the Foreign Intelligence Surveillance Court, and an accounting on the number of Americans subject tp foreign intelligence surveillance. EPIC previously called on lawmakers to require federal agencies to obtain a warrant before searching information about Americans in foreign intelligence databases. Through a Freedom of Information Act lawsuit, EPIC obtained a report detailing the FBI's failure to follow procedures regarding the use of foreign intelligence data for a domestic criminal investigation. EPIC has also testified in Congress on reforms to the Foreign Intelligence Surveillance Act.

EPIC Files FOIA Request About Mulvaney's Decision to Halt CFPB Equifax Investigation

EPIC has filed an urgent Freedom of Information Act request for records about Acting Director Mulvaney's decision to shut down the CFPB investigation of Equifax. The 2017 data breach, likely undertaken by a foreign adversary, compromised the personal data of 143 million Americans. Last year CFPB warned that US servicemembers were at particular risk as a result of the Equifax breach. EPIC is seeking communication between Mulvaney and Equifax officials, as well as records of meetings and any related memos regarding the decision to close the investigation. In a letter to the Senate Banking Committee, EPIC also recommended that the Committee undertake a thorough investigation of the CFPB's recent decision regarding the investigation.

EPIC Urges Senate to Investigate Mulvaney's Failure to Pursue Equifax Probe

According to recent reports, the Consumer Financial Protection Bureau has shut down the investigation of the 2017 Equifax data breach that exposed the personal data of 145.5 million Americans. CFPB Acting Director Mulvaney failed to seek subpoenas or obtain sworn testimony from Equifax executives. Mr. Mulvaney also ended plans to test Equifax's security systems, and rejected offers from regulators to assist with the investigation. EPIC urged the Senate Banking Committee to investigate, stating: "If the reports are accurate, Director Mulvaney's failure to pursue a thorough investigation of the Equifax matter verges on malfeasance." Last fall, EPIC President Marc Rotenberg testified at a Senate hearing on the Equifax breach. EPIC described the data breach as one of the worst in U.S. history. EPIC's Christine Bannan also proposed steps to strengthen data protection safeguards for American consumers.

EPIC Advises Congress on Uber Data Breach, Bug Bounties

EPIC submitted a statement to the Senate in advance of a hearing to examine the October 2016 Uber breach and the value of bug bounty programs. Last fall, Uber admitted that hackers stole the data of 57 million Uber customers and drivers and that the company paid the hackers $100,000 to delete the data. This has raised legal questions about Uber's failure to notify those affected by the breach and about "bug bounty" programs, where companies pay hackers that bring vulnerabilities to their attention. EPIC explained to the Senate that, "bug bounty programs do not excuse non-compliance with data breach notification laws." EPIC's 2015 complaint with the FTC regarding Uber's abuse of personal data led to an FTC settlement in August, 2017. EPIC has also proposed a privacy law for Uber and other similar transportation companies.

EPIC Supports Data Protection Legislation for India

In response to a white paper on data protection from the Indian government, EPIC provided detailed comments, backing comprehensive legislation. The white paper analyzes data protection laws from around the world, comparing the approaches of different countries. The Indian government proposes a data protection framework based on seven principles: (1) technology agnosticism, (2) holistic application, (3) informed consent, (4) data minimization, (5) controller accountability, (6) structured enforcement, and (7) deterrent penalties. In comments on the proposal, EPIC backed India's efforts to adopt data protection legislation, and recommended also a private right of action and breach notification. Last year, the Supreme Court of India ruled that privacy is a fundamental right. EPIC's report Privacy and Human Rights provides an overview of privacy frameworks around the world.

Congressional Task Force Releases Report on Election Security

The Congressional Task Force on Election Security released its final report this month detailing vulnerabilities in U.S. election systems. The report includes many recommendations, purchasing voting systems with paper ballots, post-election audits, and funding for IT support. The report also proposes a national strategy to counter efforts to undermine democratic institutions. Election experts have said that Congress has not done enough to safeguard the mid-term elections. In early 2017, EPIC launched the Project on Democracy and Cybersecurity. EPIC is currently pursuing several FOIA cases concerning Russian interference with the 2016 election, including EPIC v. FBI(cyberattack victim notification), EPIC v. ODNI (Russian hacking), EPIC v. IRS (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity).

Senators Question Intelligence Officials on Russian Election Interference

The Senate Intelligence Committee held a hearing last week with top officials from all U.S. intelligence agencies: Office of the Director of National Intelligence, CIA, NSA, Defense Intelligence Agency, FBI, and the National Geospatial-Intelligence Agency. The officials unanimously agreed that Russia interfered in the 2016 election and will interfere in the 2018 election, noting that they have already observed attempts to influence upcoming elections. Director of National Intelligence Dan Coats said: "There should be no doubt that Russia perceived that its past efforts as successful and views the 2018 U.S. midterm elections as a potential target for Russian influence operations." EPIC launched the Project on Democracy and Cybersecurity, after the 2016 presidential election, to safeguard democratic institutions. EPIC is currently pursuing several FOIA cases concerning Russian interference, including EPIC v. FBI (cyberattack victim notification), EPIC v. ODNI (Russian hacking), EPIC v. IRS (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity). EPIC also provided comments to the Federal Election Commission to improve transparency of election advertising on social media.

Senators Urge FTC to Investigate Companies Selling Social Media Influence

Senators Jerry Moran (R-KS) and Richard Blumenthal (D-CT) wrote Federal Trade Commission Acting Chair Maureen Ohlhausen to urge the FTC to investigate companies that use fraudulent automated accounts to influence social media. The techniques, known as "amplification bots," follow, retweet, and like social media content to boost a client's visibility. The Senators' letter follows a recent New York Times report on Devumi, a company engaged in such practices. Devumi's bots often steal identities, using the photos and personal information of real people, some of whom are minors. The Senators called these practices a "unique kind of social identity theft" that "have the effect of distorting the online marketplace and creating a false sense of celebrity, credibility, or importance in people, companies, or institutions that may not deserve it." The practice also violates state privacy laws concerning "the right of publicity," which EPIC has defended.

EPIC in the News

• Encryption report takes body blows, POLITICO Morning Cybersecurity, February 16, 2018
• Congress urged to adopt national data breach standard, Business Insurance, February 15, 2018
• 3 Online Policy Areas That Need Some Valentine's Day Love, Law360, February 14, 2018
• FTC Nominees Promise a Focus on Data Breaches, The Hill, February 14, 2018
• Symposium: Justices Can, and Should, Write Nuanced Ruling to Balance Competing Interests, SCOTUS Blog, February 7, 2018
• Most Important Federal Judge You Don't Know, Lifezette, February 5, 2018
• What to Know About FISA Court, the Super-Secret Panel That Grants Surveillance Warrants, Fox News, February 3, 2018
• Watchdog Asks Court To Vacate Facebook Settlement Over Message Scans, MediaPost, February 2, 2018
• Facebook's 'Fixes' Meaningful or Just Skin Deep?, US News and World Report, January 31, 2018
• FTC's New Antitrust Tilt To Narrow Its Privacy Focus, Law360, January 31, 2018
• Advocates Push Facebook To Nix Messenger Kids App, Law360, January 30, 2018

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

The Meaning of Privacy in the Age of Social Media
Renaissance Weekend
February 18, 2018
Marc Rotenberg, EPIC President
Santa Monica, CA

Piloting around Partisan Divides in Immigration, Infrastructure, and Industry
Yale CEO Summit
March 13, 2018
Marc Rotenberg, EPIC President
Washington DC

The EU at a Crossroads: From Technocracy to High Politics?
March 23-24, 2018
Marc Rotenberg, EPIC President
George Washington University Law School
Washington, DC

Techonomy NYC
May 8-9, 2018
Marc Rotenberg, EPIC President
Convene
New York, NY

RightsCon
May 16-18, 2018
Jeramie Scott, EPIC Domestic Surveillance Project Director
Toronto, Canada

Privacy and Surveillance in a Digital Era: Challenges for Transatlantic Cooperation and European Criminal Law
Annual Conference of the European Criminal Law Academic Network (ECLAN)
May 17-18, 2018
Marc Rotenberg, EPIC President (keynote)
School of Law of Queen Mary, University of London
London, England

2018 EPIC Champions of Freedom Awards Dinner
June 6, 2018
Washington, DC