EPIC Alert 26.19

1. Civil Society Urges Global Moratorium on Facial Recognition

Speaking at the annual meeting of the privacy commissioners, EPIC President Marc Rotenberg presented a declaration from civil society calling for a moratorium on the further deployment of facial recognition. The declaration, organized by the Public Voice coalition, has gathered the support of almost 90 organizations and many leading experts in more than 30 countries around the world.

The declaration calls on countries to (1) suspend the further deployment of facial recognition for mass surveillance; (2) review all facial recognition systems to determine whether personal data was obtained lawfully; (3) undertake research to assess bias and risk; and (4) establish legal rules, technical standards, and ethical guidelines before further deployment occurs.

The Public Voice declaration warns that facial recognition technology "has evolved from a collection of niche systems to a powerful integrated network capable of mass surveillance and political control. Facial recognition is now deployed for human identification, behavioral assessment, and predictive analysis."

"Unlike other forms of biometric technology, facial recognition is capable of scrutinizing entire urban areas, capturing the identities of tens or hundreds of thousands of people at any one time," the declara stion continues. "Facial recognition can amplify identification asymmetry as it tends to be invisible or at best, opaque."

EPIC's Rotenberg explained that there is growing opposition to the deployment of facial recognition around the world and urged the international data protection commissioners to act.

2. In Amicus Brief, EPIC Urges Court to Reject FTC-Facebook Settlement

EPIC has filed an amicus brief in United States v. Facebook, a case concerning the proposed settlement between the Federal Trade Commission and Facebook. "This Court should not adopt the proposed Consent Decree because the parties have not established that it would be fair, adequate, reasonable, appropriate, or consistent with the public interest," EPIC argued.

EPIC explained that the proposed settlement "largely mirrors the preexisting Consent Order from 2012. There are few new obligations on the company that would limit the collection and use of personal data, nor will there be any significant changes in business practices."

EPIC also noted that the FTC "seems entirely unconcerned by Facebook's planned integration of the personal data of WhatsApp users even though this would violate representations both firms previously made to the Commission."

EPIC previously filed a motion to intervene in the case that has not yet been resolved by the court. Through a Freedom of Information Act Request, EPIC has uncovered more than 29,000 complaints against Facebook currently pending at the Commission.

EPIC also filed the original complaint that created legal authority for the FTC to oversee Facebook. In 2011, EPIC urged the Commission to require Facebook to restore the privacy settings of users, give users access to all of the data that Facebook keeps about them, stop making facial recognition profiles without users' consent, make the results of the government privacy audits public, and stop secretly tracking users across the web.

3. EPIC to Supreme Court: Public Should Have Free Access to Georgia's State Code

EPIC has filed an amicus brief in the U.S Supreme Court case Georgia v. Public.Resource.Org, which concerns Georgia's copyright of the state's official annotated code. EPIC's brief, signed by thirty-five experts in law and technology, urges the Supreme Court "to recognize that free access to the law is not only guaranteed by our country's traditions but also enabled by digital technologies."

EPIC explained that, in other contexts, the Court has recognized that "access to the law is broader than access to judicial opinions and statutory text; meaningful knowledge of the law facilitates public debate and access to justice." EPIC argued that "fairness and judicial efficiency also weigh in favor of free access to Georgia's law" because free access "places citizens on a more equal footing in the legal system, and allows pro se parties to represent themselves more easily, saving the judiciary time, effort, and expense."

EPIC also urged the Court to "reject Georgia's archaic argument that publishing costs justify the state's copyright claim." EPIC wrote that "the advent of the Internet has made possible the rapid, widespread, and inexpensive distribution of legislative and judicial materials. At this moment in history, the official law of the states should be freely available to the public." EPIC explained that "the federal government has worked to ensure that government materials, including legal materials, are broadly accessible to the public; the states should do the same."

EPIC and its staff have worked for almost thirty years to promote online access to judicial opinions and court documents, and open access to government information. EPIC routinely files amicus briefs in U.S. Supreme Court cases concerning emerging privacy and civil liberties issues.

4. Data Ownership Won't Protect Consumers, EPIC Warns Congress

EPIC recently advised the Senate Banking Committee for a hearing on "Data Ownership: Exploring Implications for Data Privacy Rights and Data Valuation" that "data portability" will not help consumers, but would likely facilitate mergers and consolidation in the Internet industry.

"An approach based on data ownership and portability will accelerate industry consolidation," EPIC told the committee. "It ducks the hard the problem of breaking up big tech, helps not at all with data protection, and imagines markets that do not exist."

EPIC instead called on Congress to adopt comprehensive data privacy legislation that (1) contains a strong definition of personal data; (2) creates an independent data protection agency; (3) protects the right of individuals to access, control, and delete data; (4) imposes strong obligations on data controllers; (5) ensures algorithmic transparency; (6) requires data minimization; (7) prohibits "take-it-or-leave-it" or "pay-for-privacy" terms; (8) provides for a right of action; (9) limits government access to data; and (10) establishes a federal baseline for privacy protection without preempting stronger state laws.

EPIC recently published "Grading on a Curve: Privacy Legislation in the 116th Congress," which breaks down privacy bills introduced in Congress and evaluates them according to the ten factors EPIC highlighted to the Senate Banking Committee.

5. EPIC to Congress: FOIA Critical to Homeland Security Oversight

EPIC recently told a House committee that the Freedom of Information Act is critical to keep the Department of Homeland Security accountable. EPIC's statement came before a House Homeland Security Committee hearing on "The Public's Right to Know: FOIA at the Department of Homeland Security."

"Oversight of DHS' FOIA implementation is critical because watchdog groups such as EPIC utilize FOIA to keep the DHS accountable," EPIC wrote. "No federal agency has greater budget authority to develop systems of surveillance directed towards U.S. residents."

EPIC told the committee that the DHS must improve its processing of FOIA requests and review administrative appeals expeditiously. EPIC also said that Congressional oversight of the agency is crucial.

EPIC has brought many FOIA cases against the DHS, including those concerning backscatter x-ray devices in airports, a DHS program to track journalists, and the CBP biometric entry-exit system. In 2011, EPIC urged Congress to end the agency's political review of FOIA requests. In 2012, EPIC led an effort to reform the DHS treatment of fee waivers. And in 2016, EPIC submitted extensive comments about the DHS's revised FOIA regulations, leading to the agency ultimately adopting several of EPIC's recommendations.

News in Brief

EPIC to Massachusetts Legislature: Ban Facial Recognition

EPIC Policy Director Caitriona Fitzgerald recently testified before the Massachusetts Legislature in support of a bill to establish a moratorium on the use of facial recognition by state agencies. Under S. 1385 and H. 1538 the use of facial recognition technology by the state would be banned until privacy and security safeguards are in place. EPIC recommended eight principles that must be adhered to prior to deployment of facial recognition technology: (1) prohibition on mass surveillance; (2) provably non-discriminatory; (3) minimal retention; (4) transparency; (5) security; (6) monitoring for inappropriate uses; (7) accountability; and (8) independent auditing. EPIC noted the growing use of facial recognition technology in China and Hong Kong, as well as the bipartisan support for a facial recognition moratorium in Congress.

EPIC to Congress: Reauthorize SAFE WEB Act, Pass Federal Privacy Law

In a statement to the House Commerce Committee, EPIC recommended reauthorization of the SAFE WEB Act and federal baseline privacy legislation. "The Safe WEB Act should be reauthorized - cross-border enforcement and cooperation is critical for effective protection of US consumers. But it is just as critical for effective protection that Congress enact a comprehensive baseline privacy legislation and establish a U.S Data Protection Agency," EPIC said in advance of the hearing. EPIC's recent report, Grading on a Curve: Privacy Legislation in the 116th Congress, sets out the key elements of a privacy law. EPIC previously testified before both the House Commerce Committee and the Senate Commerce Committee on the SAFE WEB Act.

NGOs Object to U.S.-U.K. CLOUD Agreement, Urge Congressional Action

A coalition of 20 civil society organizations are objecting to the proposed U.S.-U.K. CLOUD Act Agreement, which will allow cross-border data access and wiretapping by law enforcement agencies. In a letter to Congress, the groups explained the Agreement "fails to adequately protect the privacy and due process rights of U.S. and U.K. citizens." The coalition urged Congress to block the Agreement. In testimony before the European Parliament and in an amicus brief for the Supreme Court in United States v. Microsoft, EPIC has argued that cross-border access to personal data requires robust human rights protections, including notice, judicial authorization, and transparency.

EPIC on Libra: "Facebook Clearly Cannot be Trusted With Consumers' Financial Data"

During a recent House Financial Services hearing, Rep. Nydia Velazquez [D-NY] grilled Mark Zuckerberg about the misrepresentations Facebook made to regulators when it acquired WhatsApp—misrepresentations that led to fines in the EU. "Why should we believe what you and Calibra are saying about protecting customer #privacy and financial data?" said Rep. Velazquez. EPIC raised the same issue in a July statement to the House Financial Services Committee, saying "Facebook clearly cannot be trusted with consumers' financial data" and outlining Facebook's long history of failing to protect user data. EPIC is challenging the proposed settlement between the Federal Trade Commission and Facebook, charging that the Commission has failed to investigate thousands of pending complaints against the company.

EPIC Recommends Privacy Act Compliance for FBI Criminal Database

EPIC has advised the FBI to withdraw a proposal to remove Privacy Act compliance obligations for the National Crime Information Center. The FBI is seeking broad exemptions to regulations that promote records accuracy, ensure data subject access, and limit over collection of personal data. EPIC wrote that the proposed exemptions would "lead to increasing record inaccuracy and the misuse of personal information." There are numerous reports of misuse of the data in the NCIC and growing concerns about record accuracy. In 2003, EPIC organized a coalition of nearly 90 organizations to urge accuracy in the NCIC record systems. EPIC also submitted amicus briefs to the Supreme Court in Herring v. US and Kansas v. Glover warning about inaccurate records in police databases that would lead to unlawful searches and car stops.

EPIC to Congress: Consumers Must Be Protected in Merger Reviews

In a statement to the House Judiciary Committee, EPIC told lawmakers that merger review should consider data protection. EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC earlier opposed Doubleclick's acquisition of Abacus, explaining that the deal would lead to increased profiling of American consumers. EPIC, Color of Change, the Open Markets Institute, and others have also urged the FTC to require Facebook to spin-off WhatsApp and Instagram.

EPIC Joins Coalition Calling for Reform of Section 702 of FISA

EPIC joined a coalition of organizations calling for Congress to reform Section 702 of the Foreign Intelligence Surveillance Act amidst debate over whether to reauthorize related authorities which are about to expire. The letter follows release of FISA Court rulings that FBI violated the law when it searched for information about Americans in communications intercepted for foreign intelligence purposes. The Court also required the agency use new safeguards. The coalition letter urges Congress to prohibit these "backdoor searches" and calls for an end to "abouts" collection - a broad surveillance technique involving collection of communications that are not to or from a surveillance target. In January 2018, as the result of a FOIA lawsuit EPIC obtained a report explaining how the FBI searches of Americans' data collected under the 702 program.

EPIC Backs Moratorium on TSA Facial Recognition Program

In a statement to the Senate Commerce Committee, EPIC has called for a moratorium on the use of facial recognition by the Transportation Security Administration. "Because TSA has failed to establish the necessary privacy safeguards, including ensuring that travelers are able to exercise their legal right to opt-out," EPIC said, "we request you suspend the TSA's use of facial image technology pending the completion of required public rulemaking by CBP." EPIC added, "There is currently no legal authority for DHS' or TSA's use of facial recognition technology." After a Buzzfeed story earlier this year featured documents obtained by EPIC about plans to expand facial recognition at airports, Senators Ed Markey (D-MA) and Mike Lee (R-UT) called for the suspension of the program. Many cities and states are moving now to limit the use of facial recognition technology.

Axon Ethics Board: No License Plate Readers Without Public Input

A new report from the Axon AI and Policing Technology Ethics Board details problems with automated license plate readers, including the disproportionate impact on communities of color and the long-term tracking of innocent drivers. The Axon report recommends public review prior to use of license plate readers. The report also recommends that license plate reader alerts should not be sufficient grounds to stop a vehicle. EPIC made a similar recommendation in an amicus brief for the U.S. Supreme Court for Kansas v. Glover, arguing against traffic stops based solely on alerts that a registered owner's license is suspended. EPIC previously obtained documents about the extensive use of license plate readers by the Department of Homeland Security and the Federal Bureau of Investigation. EPIC's Senior Counsel Jeramie Scott has warned about the risk of mass surveillance with technologies such as license plate readers.

Danielle Citron Testifies on Corporate Responsibility for Online Activity

EPIC Board Member Danielle Citron recently testified before the House Energy & Commerce Committee regarding corporate responsibility for online activity. Professor Citron stated, "Section 230 should be revised to condition the legal shield on reasonable content moderation practices in the face of clear illegality that causes demonstrable harm. That would return the statute to its original purpose—to allow companies to act more responsibly, not less." In an amicus brief filed with the Second Circuit Court of Appeals last year, EPIC said that Section 230, a provision in the Communication Decency Act, was intended to "encourage internet service providers to police their platforms," not to "give platforms carte blanche to ignore harassment and abuse." Professor Citron was recently selected for the prestigious MacArthur Fellowship and is the author of Hate Crimes in Cyberspace, available at the EPIC Bookstore.

DOJ Proposes to Resume DNA Collection of Detainees

The Department of Justice has proposed a rule that effectively requires the DHS to collect DNA from any non-US person the agency detains or arrests. The deadline for public comments is November 12, 2019; comments can be submitted here. EPIC has supported increased privacy protections for DNA. In an amicus brief to the Supreme Court, EPIC argued that law enforcement's warrantless collection of DNA is unconstitutional. In the 2013 brief, EPIC described the "dramatic and unpredictable" expansion of the government's DNA collection over the past decade.

Privacy Commissioners Adopt Resolutions, Plan Future Direction

Meeting in Tirana, Albania, the 41st International Conference of Data Protection and Privacy Commissioners adopted resolutions on privacy as a fundamental right, human error in data breaches, and social media and violent extremist content online. The Commissioners also adopted resolutions on strategic direction, cross-border enforcement, and regulatory cooperation between data protection agencies and consumer protection and competition authorities. Civil society has urged the data protection commissioners to support a moratorium on facial recognition technology. A petition organized by the Public Voice received support from more than 80 organizations and 500 individuals (including leading experts) in more than 40 countries. Privacy International and the Open Markets Institute were among the civil society speakers at the conference. The 2020 conference will be held in Mexico City. The ICDPPC will also be renamed the "Global Privacy Assembly."

EU-U.S. Privacy Shield Renewed, Still in Dispute in Court

The European Commission has renewed the EU-U.S. Privacy Shield, a framework permitting the flow of European consumers' personal data to the U.S. The Commission concluded the recent FTC-Facebook settlement did not bar enforcement actions related to the Privacy Shield. The Commission also noted positively the appointment of a Ombudsperson to receive complaints about U.S. surveillance, FTC enforcement actions for false Privacy Shield certifications, and assurances from the U.S. intelligence community that specific selectors are used to limit foreign intelligence collection. The Commission did urge the FTC to bring actions for substantive violations of the Shield. In comments on the Privacy Shield and in a letter to Congress, EPIC called for a permanent end to the broad telephone record collection under Section 215 of the Patriot Act. The validity of the Privacy Shield is still in dispute in several cases before Europe's highest court.

Ninth Circuit Leaves in Place Case that Allows Users to Sue Facebook for Face-Scans

A federal appeals court has let stand a ruling that users can sue Facebook for collecting and using their facial images. The court previously held in Patel v. Facebook that an Illinois biometrics law protects "concrete privacy interests" and violations of the law "pose a material risk of harm to those privacy interests." EPIC filed an amicus brief in the case, arguing that the violation of a privacy law is sufficient for users to sue a company. EPIC has also long advocated for limits on the use of biometric data and has opposed Facebook's use of facial recognition software. EPIC and others recently called for a global moratorium on facial recognition.

D.C. City Council Reflects on the Use of Police Body Cameras

The D.C. City Council recently held a public roundtable on Five Years of the Metropolitan Police Department's Body-Worn Camera Program: Reflections and Next Steps. In 2015, EPIC testified before the D.C. City Council regarding police body-worn cameras. EPIC warned of the surveillance risks of body cameras and argued there are more effective means to address police accountability. EPIC previously testified before the DC City Council in 2008, warning that "facial recognition that will make it possible to identify people in public places." EPIC also launched the Observing Surveillance project in 2003 to draw attention to the growing surveillance of DC residents by integrated camera systems. California has recently banned the use of police-worn body cameras.

Senator Cantwell to FTC: Settlement Lets Facebook "Off the Hook"

Senator Maria Cantwell [D-WA], Ranking Member on the Senate Commerce Committee, has sent a letter to Federal Trade Commission Chairman Joseph Simons regarding the FTC's controversial settlement with Facebook. "I am concerned that the settlement lets Facebook off the hook for unspecified violations, and given the many public reports of Facebook's mishandling of consumer data, it is difficult to fully understand the impact of this provision on the settlement on the data privacy protection of the millions of U.S. consumers that have used and continue to use Facebook," Cantwell wrote to Simons. Through a Freedom of Information Act Request. EPIC has obtained thousands of new consumer complaints (part 1, part 2) against Facebook. EPIC is formally challenging the proposed settlement, charging that the Commission has failed to investigate thousands of complaints against the company.

EPIC in the News

• Advocacy groups object to US-UK CLOUD Act, IAPP Daily Dashboard, October 30, 2019
• Observations from Albania, Lexology, Oct. 29, 2019
• Experts Optimistic About the Next 50 Years of Digital Life, Pew Research Center, Oct. 28, 2019
• Our Privacy Nightmare and What Can Be Done About It, Newsweek, Oct. 25, 2019
• EU Officials Say U.S. Shouldn't Broaden Surveillance Law, Bloomberg Law, Oct. 23, 2019
• FTC Privacy Settlement Too Favorable To Facebook, Watchdogs Say, MediaPost, Oct. 17, 2019
• Census Bureau seeking driver's license info, admin records, Roll Call, Oct. 16, 2019
• $5B Facebook Deal Lets Gov't Grab User Data, Court Told, Law360, Oct. 16, 2019

More EPIC in the News »

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

The AI Policy Sourcebook 2019, edited by Marc Rotenberg (2019)

The AI Policy Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI. The Sourcebook also includes AI materials from the European Union and the Council of Europe, national AI initiatives, as well as recommendations from professional societies, including the ACM and the IEEE. The Sourcebook also includes an extensive resources section on AI, including reports, articles, and books from around the world.

EPIC v. Department of Justice: The Mueller Report, edited by Marc Rotenberg (2019)

EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC's request for the Mueller Report and other records about Russian interference in the 2016 presidential election.

The Privacy Law Sourcebook 2018, edited by Marc Rotenberg (2018)

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major US privacy laws such as the Fair Credit Reporting Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Video Privacy Protection Act, and the Electronic Communications Privacy Act. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the revised OECD Privacy Guidelines. The Privacy Law Sourcebook 2018 has been updated and expanded to include the modernized Council of Europe Convention on Privacy, the Judicial Redress Act, the CLOUD Act, and new materials from the United Nations. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

Face Recognition Roundtable. Nov. 1, 2019. Policing Project, NYU School of Law. Jeramie Scott, EPIC Senior Counsel.

Grand International Committee on Disinformation and Fake News. Nov. 7, 2019. Houses of the Oireachtas. Dublin, Ireland. Marc Rotenberg, EPIC President.

Privacy and Personal Data Protection Enforcement. Nov. 18, 2019. EPIC and the UK ICO. OECD. Paris, France. Marc Rotenberg, EPIC President.

Convention 108+ And the Future Data Protection Global Standard. Nov. 19, 2019. Council of Europe. Strasbourg, France. Marc Rotenberg, EPIC President.

Privacy Legislation: The Times They Are A Changin. Nov 21, 2019. Georgetown Law Advanced eDiscovery Institute. Washington, DC. Marc Rotenberg, EPIC President.

CPDP 2020: Data Protection and Artificial Intelligence. Jan. 22–24, 2020. Brussels, Belgium. Marc Rotenberg, EPIC President.