EPIC Alert 26.22

1. Court Rules U.S. AI Commission Must Disclose Records to EPIC

A federal court has ruled that the National Security Commission on Artificial Intelligence is an "agency" subject to the Freedom of Information Act. The decision means that the AI Commission must disclose records in response to a FOIA request from EPIC about the activities of the Commission. The Commission has received more than 200 closed-door briefings and failed to provide the public or the press any information in advance about its secret meetings or any opportunity to meaningfully participate in the work of the Commission.

EPIC has sought to make the activities of the AI Commission open to the public since the Commission was established last year. When the Commission ignored EPIC's FOIA request for information about meetings of the Commission, agendas, draft documents, and communications, EPIC filed suit. In subsequent briefing, EPIC made clear that the Commission is subject to FOIA under the plain text of the law.

Judge Trevor N. McFadden, writing in EPIC v. AI Commission, rejected the Commission's arguments that it is exempt from the FOIA. "[L]ike a stranger offering candy to a child, the Government invites the Court not to read [the FOIA] literally," the court wrote. "The Government has not convinced the Court that it should ignore what Congress said."

"Congress could have hardly been clearer," the court explained. "Having said that FOIA applies to 'any . . . establishment in the executive branch,' . . . it chose to call the Commission an 'establishment in the executive branch."

EPIC President Marc Rotenberg told Law360 that the decision is "a milestone in EPIC's ongoing efforts to ensure an open and accountable process for the development of AI policy in the United States."

The AI Commission recently released a report to Congress, which criticized the EU General Data Protection Regulation and called for greater "government access to data on Americans."

In 2018, EPIC and leading scientific organizations, including AAAS, ACM and IEEE, and nearly 100 experts urged the White House to ensure a public process for the development of AI policy. EPIC's case is EPIC v. AI Commission, No. 19-2906 (D.D.C.).

2. EPIC to Congress: Create a Data Protection Agency

In advance of a hearing on "Legislative Proposals to Protect Consumer Data Privacy," EPIC told the Senate Commerce Committee that the U.S. needs a Data Protection Agency.

"The U.S. is one of the few developed countries in the world without a data protection agency," EPIC wrote. "The practical consequence is that the U.S consumers experience the highest levels of data breach, financial fraud, and identity theft in the world. And U.S. businesses, with their vast collections of personal data, remain the target of cyber-attack by criminals and foreign adversaries. The longer the U.S. continues on this course, the greater will be the threats to consumer privacy, democratic institutions, and national security."

EPIC explained that the Federal Trade Commission's problems "are not lack of budget or staff. The FTC has not even filled the current post for a Chief Technologist. The FTC has simply failed to use its resources and authorities to safeguard consumers. Given the enormity of the challenge, the United States would be best served to do what other democratic countries have done and create a dedicated Data Protection Agency, based on a legal framework that requires compliance with baseline data protection obligations."

EPIC recently obtained documents revealing 3,000 new complaints against Facebook since the Commission proposed a $5 billion settlement with Facebook. EPIC's Freedom of Information Act lawsuit had previously uncovered 26,000 complaints pending against the social media giant. "The FTC is simply ignoring thousands of consumer privacy complaints about Facebook's ongoing business practices," EPIC said to the Committee.

EPIC's recent report, Grading on a Curve: Privacy Legislation in the 116th Congress, sets out the key elements of a modern privacy law, including federal baseline legislation and the creation of a Data Protection Agency.

3. DHS Agrees to Release Documents About Election Cybersecurity to EPIC

The Department of Homeland Security, in a new filing from EPIC v. DHS, has agreed to reconsider its decision to withhold key documents about election security. The federal agency will now reprocess multiple records sought by EPIC under the Freedom of Information.

EPIC filed a FOIA lawsuit in 2017, immediately after the agency's decision to designate election systems as "critical infrastructure." The announcement followed the determination that Russia meddled in the 2016 presidential election. The designation also gave the DHS new responsibilities to help protect state election systems.

Over the course of litigation, DHS has provided hundreds of pages to EPIC about the agency's role in election system security. But the agency has also withheld information sought by EPIC, including: (1) documents concerning contacts between DHS and State Election Officials, (2) Election Task Force meeting minutes, (3) documents about risk characterizations and analysis reports on Russian interference; and (4) incident reports and vulnerabilities in election systems.

Because the 2020 election is fast approaching, EPIC sought the prompt release of these records so that Congress and the public could assess the effectiveness of the DHS security program. The recent court filing between EPIC and the DHS should move the process forward. The case is EPIC v. DHS, 17-2047 (D.D.C).

4. EPIC Backs Save .ORG Campaign

EPIC has joined Access Now and other NGOs urging ICANN to halt the sale of the .ORG domain to a private equity firm. The Internet Society recently announced that it plans to sell the Public Interest Registry, which manages the .ORG domain, to Ethos Capitol. The announcement follows a decision to remove price caps on domain name purchases that was widely opposed by the user community.

EPIC's Marc Rotenberg, who was a founding board member and former chair of PIR, told Gizmodo he was "very disappointed" by the news. "We built the .org domain with the specific goal of promoting the noncommercial use of the Internet," Rotenberg said.

"There are many models, including ICANN itself, that could allow for effective management of the domain by a non-profit corporation," Rotenberg added. "There are critical elements of transparency and accountability that will be lost when the Public Interest Registry is acquired by a private equity firm."

The PIR website currently states, "PIR's believes that a best practice is transparency and accountability to itself, its stakeholders, and the public. The release of our annual IRS 990 Form provides publicly-available financial information to maintain our non-profit status in good standing."

5. Max Schrems Speaks at EPIC

European privacy advocate Max Schrems recently spoke to the Privacy Coalition about the GDPR at EPIC's offices in Washington, DC.

Max's group None of Your Business (NOYB) is leading the effort to enforce the GDPR—the new privacy law of the European Union—through the use of collective actions.

Max is also responsible for one of the leading privacy cases in modern privacy law, Schrems v. DPC, which protected the personal data of Europeans by striking down the "Safe Harbor" arrangement.

Max and EPIC have challenged the use of "standard contractual clauses" in a case before the European Court of Justice, known as "Schrems 2.0." The case considers whether the transfer of personal data to the U.S. using standard contract clauses violates the fundamental rights of Europeans.

News in Brief

EPIC Publishes 2020 Edition of The Privacy Law Sourcebook

EPIC has published the 2020 edition of The Privacy Law Sourcebook. The Privacy Law Sourcebook is the leading reference book for those interested in privacy law in the United States and around the world. The Sourcebook includes major U.S. privacy laws and key international privacy laws such as the EU General Data Protection Regulation and the modernized Council of Europe Convention on Privacy. PLS 2020 also features the California Consumer Privacy Act and the Illinois Biometric Privacy Act. PLS 2020 is available in print and Kindle editions. Other publications, including those by members of the EPIC Advisory Board, are available at the EPIC Bookstore.

CBP Drops Airport Face Scanning Proposal

Customs and Border Protection has removed its proposal to require U.S. citizens to undergo mandatory face recognition at airports, following widespread protest. Currently, only foreign nationals are required to undergo facial screening at airports. According to a CBP spokesperson, the agency has "no current plans to require U.S. citizens to provide photographs upon entry and exit from the United States," and that it "intends to have the planned regulatory action...removed from the unified agenda next time its published." Senator Ed Markey previously blasted CBP's proposal. After CBP reversed its proposed plan, Senator Markey stated "we cannot take our right to privacy for granted. Americans still need protection from facial recognition technology..." and that the planned to introduce legislation to ban biometric surveillance. EPIC is pursuing a lawsuit to uncover documents about the opt-out procedures in CBP's Biometric Entry-Exit program. Congress has explained to Congress and the agency that its Biometric Entry-Exit program unfairly burdens travelers exercising their rights to opt-out of biometric identification. EPIC recently launched a global campaign calling for a moratorium on the use of face recognition for mass surveillance.

Facebook Asks Supreme Court to Review Face Scan Decision

Facebook has filed a petition asking the Supreme Court to review a decision that allows lawsuits against Facebook for the unlawful collection of facial images. In Patel v. Facebook, the Ninth Circuit held that that an Illinois biometrics law protects "concrete privacy interests" and that violations of the law "pose a material risk of harm to those privacy interests." EPIC filed an amicus brief in the case, arguing that users can sue companies that violate rights protected by privacy laws. EPIC has long advocated for limits on the use of biometric data and has opposed Facebook's use of facial recognition software. EPIC and others recently called for a global moratorium on facial recognition. EPIC recently launched a campaign and resource page to ban face surveillance.

Supreme Court Hears Arguments in Public Access to Law Case

The U.S. Supreme Court heard oral arguments this week in Georgia v. Public.Resource.Org, which concerns the copyright of a state's official law. EPIC filed an amicus brief in the case, signed by 35 experts in law and technology, stating that "free access to the law is guaranteed by our country's traditions and enabled by digital technologies." EPIC explained that "the federal government has worked to ensure that legal materials are broadly accessible to the public; the states should do the same." EPIC and its staff have long promoted online access to judicial opinions and open access to government information. EPIC routinely files amicus briefs in the US Supreme Court in cases concerning emerging privacy and civil liberties issues.

Robust Privacy Bill Introduced in the Senate

Ranking Member Cantwell, and Senators Schatz, Klobuchar, and Markey have introduced the Consumer Online Privacy Rights Act, a strong framework for data protection. The bill is based on Fair Information Practices and includes a private right of action so individuals can enforce their rights. The Act would also establish new standards for algorithmic accountability. The bill follows a framework recently announced by Senate Democrats for data protection and privacy. "The Consumer Online Privacy Rights Act is outstanding. The bill gives consumers meaningful rights, holds companies accountable, and protects stronger state safeguards. With the addition of a data protection agency, the bill would establish a comprehensive approach for privacy protection for the U.S.," EPIC Policy Director Caitriona Fitzgerald said in a statement. EPIC's legislative report graded the Consumer Online Privacy Rights Act an A-.

Senators Demand Answers on Algorithmic Bias in Healthcare

Senators Cory Booker (D-NJ) and Ron Wyden (D-OR) sent letters to health insurance companies and two government agencies (the FTC and Centers for Medicare and Medicaid Services) asking how they're addressing bias in health care algorithms. The Senators wrote: "Unfortunately, both the people who design these complex systems, and the massive sets of data that are used, have many historical and human biases built in. Without very careful consideration, the algorithms they subsequently create can further perpetuate those very biases." Booker and Wyden recently introduced the Algorithmic Accountability Act, which would direct businesses to correct discriminatory algorithms. EPIC has promoted Algorithmic Transparency, supported the Universal Guidelines for AI, and published the first reference book on AI policy.

Senator Markey Blasts DHS Plan for Facial Recognition at Airports

Senator Ed Markey has blasted the DHS's proposal to mandate facial recognition at US airports, stating "this proposal would amount to disturbing government coercion, and as the recent data breach at Customs and Border Protection shows, Homeland Security cannot be trusted to keep our information safe and secure." Senator Markey asked the DHS to withdraw the proposal and said he would introduce legislation to "ensure that innocent American citizens are never forced to hand over their facial recognition information." EPIC is pursuing a lawsuit to uncover documents about the CBP Entry-Exit program. In comments to the agency and Congress, EPIC explained that the agency unfairly burden travelers who exercise their rights to opt-out of biometric identification. EPIC has recently launched a global campaign, calling for a moratorium on the use of facial recognition for mass surveillance.

FTC Announces Privacy Shield No Penalty Enforcement Action

The FTC entered into settlements with four companies that misrepresented their participation in the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework. These frameworks permit the transfer of Europeans' personal data to the U.S. with an assurance of privacy protection. The settlements require the companies to halt misrepresentations about compliance, but provides no remedy to those EU citizens whose personal data was collected. EPIC has repeatedly told Congress that that the FTC lacks effective enforcement authority. In recent comments on the Privacy Shield, EPIC also noted the absence of a comprehensive U.S. federal privacy law and a data protection authority with the authority to enforce privacy rights. Under the Schrems decision, which provided the basis for the Privacy Shield, the Court of Justice explained that "everyone whose rights and freedoms are violated" have "the right to an effective remedy."

Congress Extends Section 215 Surveillance Program

Congress has temporarily extended Section 215 of the Patriot Act, a controversial surveillance law that allows collection of the telephone records of Americans. EPIC had urged the Senate Judiciary Committee to end the NSA's phone record collection program. EPIC wrote "events of the past few years make clear that Section 215 should not be renewed." In 2013, following the Snowden disclosures, EPIC filed a petition with the Supreme Court, challenging the lawfulness of Section 215. Congress found the 215 program was ineffective and passed the USA Freedom Act to limit data collection. NSA has since acknowledged significant compliance problems. Both Democrats and Republicans have expressed concerns about the surveillance program. The temporary renewal in the House spending bill extends the law until March 15, 2020.

EPIC in the News

• Don't Gift an Internet-Connected Toy This Holiday, Valliant News, Dec. 6, 2019
• Your Smart TV Could Give Hackers a Window on Your World, TechNewsWorld, Dec. 6, 2019
• EPIC Gets OK To Seek Federal AI Panel's Records, Law360, Dec. 5, 2019
• Is It Finally Time for a National Bureau of Privacy?, Washingtonian, Dec. 5, 2019
• Advocacy groups press FTC to subpoena tech firms during children's privacy review, The Hill, Dec. 5, 2019
• Report: Privacy policy and competition, Brookings Institute, Dec. 5, 2019
• Considering AI In Hiring? As Its Use Grows, So Do The Legal Implications For Employers., Forbes, Dec. 5, 2019
• Federal Court Decides AI Commission is Subject to FOIA, Federal News Network, Dec. 5, 2019
• EPIC Renews Push for a New Agency, POLITICO Morning Tech, Dec. 4, 2019
• 'Secret' Artificial Intelligence Commission Subject to FOIA, Bloomberg Law, Dec. 4, 2019
• Microsoft on election security: Part 2, POLITICO, Dec. 3, 2019
• Use of AI software in recruitment raises questions about accuracy, bias, Canadian HR Reporter, Dec. 2, 2019
• Twitter revamps policies to comply with privacy laws, The Hill, Dec. 2, 2019
• They see you when you're shopping, The Seattle Times, Dec. 2, 2019
• Senate Republicans Push New Privacy Initiative, Wall Street Journal, Dec. 2, 2019
• Enhancing protections for sensitive information in congressional investigations, The Hill, Dec. 1, 2019
• Looking Ahead: What Now for Europe and Its Data Handling and Privacy Landscape?, CPO Magazine, Nov. 29, 2019
• New US Federal Privacy Bill Proposed, Bank Info Security, Nov. 28, 2019
• Contract for Web Can't Fix Privacy Problems if Security isn't Included, Decipher, Nov. 27, 2019
• They See You When You're Shopping, New York Times, Nov. 26, 2019
• Senate Democrats unveil sweeping data privacy bill as bipartisan talks drag on, POLITICO Pro, Nov. 26, 2019
• Online Privacy Bill Calls For Fines, Consumers' Right To Sue, Law360, Nov. 26, 2019
• Expert Says Senate Democrats' Sweeping Online Privacy Bill Answers Public Demand for 'Transformative Shift', Common Dreams, Nov. 26, 2019
• Senate takes another stab at privacy law with proposed COPRA bill, Ars Technica, Nov. 26, 2019

More EPIC in the News »

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

The AI Policy Sourcebook 2020, edited by Marc Rotenberg (2020)

The AI Policy Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI. The Sourcebook also includes AI materials from the European Union and the Council of Europe, national AI initiatives, as well as recommendations from professional societies, including the ACM and the IEEE. The Sourcebook also includes an extensive resources section on AI, including reports, articles, and books from around the world.

The Privacy Law Sourcebook 2020, edited by Marc Rotenberg (2020)

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major US privacy laws. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the modernized Council of Europe Convention on Privacy. The Privacy Law Sourcebook 2020 includes the new California Consumer Privacy Act, the Illinois Biometric Privacy Act, the Public Voice Declaration for a Moratorium on Facial Recognition, and updates on GDPR implementation. EPIC’s Privacy Law Sourcebook also includes extensive contact information for privacy agencies, organizations, and publications.

EPIC v. Department of Justice: The Mueller Report, edited by Marc Rotenberg (2019)

EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC's request for the Mueller Report and other records about Russian interference in the 2016 presidential election.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

2019 Cato Institute Surveillance Conference. Dec. 6, 2019. Cato Institute, Washington, DC. Alan Butler, EPIC General Counsel.

Emerging AI Policy Frameworks, and EPIC's Cases to Ensure AI Transparency. Dec. 12, 2019. Harvard University, Cambridge, MA. Marc Rotenberg, EPIC President.

Yale CEO Leadership Forum. Dec. 17-18, 2019. New York, NY. Marc Rotenberg, EPIC President.

2020 Aspen Institute Roundtable on Artificial Intelligence. Jan. 12-14, 2020. Santa Barbara, CA. Marc Rotenberg, EPIC President.

EPIC International Champion of Freedom Awards. Jan. 22, 2020. Brussels, Belgium.

CPDP 2020: Data Protection and Artificial Intelligence. Jan. 22–24, 2020. Brussels, Belgium. Marc Rotenberg, EPIC President.

EPIC Champion of Freedom Awards Dinner. June 3, 2020. Washington, DC.