EPIC Alert 27.04
EPIC Alert 27.04 - March 5, 2020
- EPIC to Supreme Court: Robocall Ban is Constitutional
- EPIC, Coalition Urge Real Time Remote ID for All Drones
- EPIC Files Complaint with FTC about Airbnb's Secret
- EPIC Comments on California Privacy Law
- EPIC's Rotenberg Urges OECD to 'Defend Democratic Values'
- News in Brief
- EPIC in the News
- EPIC Bookstore
- Upcoming Conferences and Events
In a recent amicus brief for the U.S. Supreme Court, EPIC defended the Telephone Consumer Protection Act, a law that prohibits unwanted robocalls. EPIC told the Court that the robocall ban is "constitutionally permissible and serves important governmental interests."
Arguing in Barr v. American Association of Political Consultants, EPIC explained that "the harm caused by unwanted automated calls" is more acute than when the robocall ban was enacted in 1991. EPIC said "without the autodialer ban, the assault of unwanted calls could make cell phones unusable."
"Now is not the time to eliminate the TCPA autodialer ban," EPIC wrote. "For good reason the law prohibits most automated calls, with a few narrowly drawn exemptions."
EPIC also explained that "a minor amendment to an otherwise constitutional law, passed decades after the original enactment, should not take down an act of Congress."
Senator Markey, Representative Eshoo, and more than a dozen members of Congress also filed an amicus brief in support of the consumer privacy law. EPIC frequently files amicus briefs on the TCPA, including in the related case, Gallion v. Charter Communications.
EPIC, joined by other organizations, submitted comments to the FAA regarding the agency's proposed rule for drone IDs. EPIC urged the FAA to require real-time public access to drone ID information. EPIC also recommended that the FAA provide privacy protections for recreational users and conduct a privacy impact assessment of the risks associated with drone surveillance.
EPIC has long advocated for the identifiability of drones and drone operators. In 2015, EPIC argued "drones should be required to broadcast their registration information to allow members of the public" to easily identify the operator and to determine the location, purpose, and surveillance capabilities of the drone.
In this week's comments, EPIC also noted that the FAA's "rulemaking arises at a time of growing concern about the deployment of drones in the United States, and the specific recognition that foreign adversaries conduct surveillance of the American public through commercial drones that the FAA has failed to regulate."
Last year, the European Union established a drone regulation similar to the one EPIC has urged the FAA to adopt. The Interior Department recently grounded Chinese-made drones, warning of surveillance risks.
As EPIC explained in its complaint, an Airbnb system secretly rates customers' "trustworthiness" based on such factors as using "negative language" online. The company's opaque, proprietary algorithm also considers "posts on the person's social network account" and the individual's relationships with others, adjusting that person's "trustworthiness" score based on those associations.
EPIC said the company failed to comply with "established public policies" for AI decision-making, such as the OECD AI Principles and the Universal Guidelines for AI. "Airbnb has failed to show that its technique meets the fairness, transparency, and explainability standards," EPIC wrote.
EPIC has previously brought complaints to the FTC about the employment screening firm HireVue and the Universal Tennis Rating, an opaque scoring algorithm. EPIC has also petitioned the FTC to conduct a rulemaking on the use of artificial intelligence in commerce. The EPIC AI Policy Sourcebook includes the OECD AI Principles, the Universal Guidelines for AI, and other AI policy frameworks.
In comments on proposed revisions to the California Consumer Privacy Act, EPIC backed changes to strengthen consumer protections. EPIC expressed support for the work of the California Attorney General on the CCPA and provided the recommendations to "further safeguard the privacy of California consumers."
Specifically, EPIC called for "changes that will allow consumers to know precisely who has obtained their data and for what purpose"; limitations on the collection of IP addresses; stronger notice requirements; and improved procedures for consumers to learn what personal data a company has on them or to opt out of the sale of their data.
EPIC also noted that many elements of a comprehensive privacy law "are missing from the CCPA including stronger enforcement, strong obligations on data controllers such as data minimization, algorithmic transparency, and prohibitions on 'pay for privacy' and 'take it or leave it' terms."
EPIC's comments follow EPIC's campaign to educate Californians about the CCPA and EPIC's recent report on federal privacy legislation, Grading on a Curve. EPIC has endorsed H.R. 4978, the Online Privacy Act (Eshoo/Lofgren), and S. 3300, The Data Protection Act (Gillibrand).
Speaking at the launch of the OECD AI Policy Observatory in Paris, EPIC President Marc Rotenberg urged OECD member countries to defend "the rule of law, fundamental rights, and democratic institutions."
Rotenberg praised the OECD for its work on the AI Principles and noted the influence of the OECD Privacy Guidelines. But Rotenberg also warned that AI decision-making will have a profound impact on employment, education, and criminal justice.
"The OECD is uniquely situated," Rotenberg said, "to promote economic growth and protect democratic values."
EPIC helped establish the OECD Civil Society Advisory Council and has gathered support for the Universal Guidelines for AI, a policy framework to protect human rights. EPIC's Rotenberg first urged "algorithmic transparency" at the OECD global forum in Japan in 2014.
EPIC Pursues Disclosure of FAA Drone Committee Records
EPIC has filed a reply brief in EPIC v. Drone Advisory Committee urging the D.C. Circuit to reverse a decision that allowed FAA to conduct much of its policy work on drones in secret. EPIC filed suit in 2018 against the industry-dominated Advisory Committee, which ignored the privacy risks posed by the deployment of drones—even after identifying privacy as a top public concern. As a result of EPIC's lawsuit, the Committee was forced to disclose hundreds of pages of records to EPIC, but the agency withheld records from subcommittees that participated in the policy process. EPIC told the Court of Appeals that the FAA's interpretation of the Federal Advisory Committee Act would circumvent the open meetings law. The case is EPIC v. Drone Advisory Committee, No. 19-5238 (D.C. Cir.).
In FOIA Case, EPIC Obtains Details on State Department's Facial Recognition Program
In response to EPIC's Freedom on Information Act lawsuit, EPIC v. State, the State Department has provided EPIC with several agency agreements concerning State Department facial recognition program. The Consular Consolidated Database contains millions of images from visa and passport applicants, which other federal agencies are now accessing for purposes unrelated to the processing of visa and passport application. The State Department agreements include the Labor, Interior, and Defense Departments. Several of the documents EPIC obtained concealed the name of the federal agency accessing the State Department database. In a related EPIC FOIA lawsuit, EPIC obtained documents concerning Customs and Border Protection use of images from the State Department.
EPIC Obtains DHS Report About 2016 Election Threats
Through EPIC's lawsuit against the DHS, EPIC obtained a previously undisclosed Report about security breaches prior to the 2016 Presidential Election. The DHS/FBI report "Threats of Federal, State, and Local Government Systems" describes attacks on US elections and includes recommendations for cybersecurity risks. In the FOIA lawsuit, EPIC seeks to determine whether the DHS responded effectively to election security threats in 2016, The case is EPIC v. DHS, 17-2047 (D.D.C.).
EPIC Obtains Documents from Mississippi Corrections
In response to a public records request, EPIC received documents from the Mississippi Department of Corrections detailing their use of risk assessment tools. The results show that the Department uses risk assessments from pre-trial through parole. The document released to EPIC also show efforts to comply with the validation requirements of state law passed in 2019. The documents disclosed include also sample scoring sheets, scripts, four different trainings, and a manual on the risk assessment software. EPIC has obtained documents about pre-trial risk assessments from several states as well as a scoring system developed by the DHS to assign risk assessments to travelers, including U.S. citizens.
EPIC Obtains Documents About TSA's VIPR Program
Through a FOIA request, EPIC has obtained documents (pt. 1, 2, 3) about the TSA's "Visible Intermodal Prevention and Response" program. Created in 2004, the VIPR teams worked with law enforcement agencies to conduct warrantless searches at public events, including festivals, sporting events, and bus stations. The TSA released to EPIC planning guidance, an operations directive, operating procedures, and activity summary reports. However, the EPIC request revealed that the TSA failed to complete civil rights and civil liberties impact assessments required by law. The VIPR program ended in 2019. The VIPR program used "risk-based" profiling and "behavior detection" to search and detain individuals. Two GAO reports (2013, 2017) questioned the reliability of TSA's behavioral indicators, which included, for example, "assessing the way an individual swallows or the degree to which an individual's eyes are open."
FTC Publishes Privacy and Data Security Update
The FTC has published "Privacy & Data Security Update for 2019." The FTC report summarizes the enforcement actions the agency pursued last year, including the proposed settlement with Facebook. EPIC challenged the settlement, arguing that the "Court should not adopt the proposed Consent Decree because the parties have not established that it would be fair, adequate, reasonable, appropriate, or consistent with the public interest." EPIC also uncovered 29,000 complaints against Facebook, currently pending at the FTC. The Court required the FTC and Facebook to respond to EPIC's objections. EPIC and other consumer organizations have many privacy complaints currently pending at the FTC that the Commission has failed to pursue. EPIC recently filed complaints with the FTC on HireVue and Airbnb for unfair and deceptive uses of AI.
Privacy Board Supports End of NSA Call Record Program
The Privacy and Civil Liberties Oversight Board has issued a report emphasizing the minimal value of the NSA's call details records program. The Board recommended the end of the program, which the NSA suspended last year after concerns about compliance with legal standards established in the US Freedom Act. According to the PLCOB report, the government spent $100 million on the program, yet opened only one non-duplicative investigation. EPIC recently joined 44 civil liberties organizations in backing the end of the NSA surveillance program. In 2013, EPIC filed a petition with the U.S. Supreme Court, In re EPIC, challenging the lawfulness of the NSA's bulk collection of American's telephone records.
Supreme Court to Hear Freedom of Information Act Case
The U.S. Supreme Court has announced it will consider a Freedom of Information Act case about the government's attempts to withhold documents from the public under the "deliberative process" exemption. In U.S. Fish and Wildlife Services v. Sierra Club, a federal appeals court ordered a federal agency to produce agency documents about a proposed regulation concerning endangered species. The Ninth Circuit held that the documents were not "predecisional." EPIC frequently litigates Freedom of Information Act cases to challenge the government withhold public records. EPIC is currently litigating for the release of the complete Mueller Report.
FCC Proposes Fines for Wireless Location Data Violations
The FCC has announced proposed fines against T-Mobile, AT&T, Verizon, and Sprint for selling customers' location information. FCC Chairman Ajit Pai said: "This FCC will not tolerate phone companies putting Americans' privacy at risk." The companies are given an an opportunity to respond to the FCC before the Commission makes a final decision. EPIC has long advocated for protection of location privacy. EPIC pursued a lawsuit against a mobile app company that led to greater protection of users' location data. EPIC also successfully petitioned the FCC to safeguard sensitive data collected by phone companies. And EPIC filed an amicus brief in Carpenter v. US. The Supreme Court held in that case that the Fourth Amendment protects cell site location information.
Poll: Americans Oppose Micro-Targeting in Online Political Ads
A new poll from Gallup and the Knight Foundation found that the majority of Americans do not want political campaigns to micro-target digital ads. Democrats (69%), independents (72%), and Republicans (75%) said that internet companies should not provide information about users to political campaigns for online advertisements. 59% said Internet companies should disclose who paid for political ads, how much they cost, and to whom the ads are targeted. EPIC Consumer Protection Counsel Christine Bannan testified at an FEC hearing in 2018 and urged the Commission to promulgate rules to mandate the source of online political ads, comparable to the rule for print and broadcast publications.
Clearview AI, Face Scanning Company, Loses Customer Database
Hackers have stolen the entire client database of facial recognition company Clearview AI. Clearview AI scraped over three million images from the internet to build its facial recognition database. The company sells facial recognition services to law enforcement agencies. In a statement to Clearview AI CEO Hoan Ton-That, Senator Markey wrote: "Clearview's product appears to pose particularly chilling privacy risks, and I am deeply concerned that it is capable of fundamentally dismantling Americans' expectation that they can move, assemble, or simply appear in public without being identified..." In January, Senator Markey sent a letter to Clearview AI asking about the company's collaboration with law enforcement agencies and for information about privacy protections. EPIC, and more than a hundred organizations, have called for a moratorium on facial recognition technology.
California AG Opposes Federal Preemption
In a statement to Congressional leaders, California Attorney General Xaviar Becerra called for strong baseline, federal privacy legislation. Becerra wrote, "I am optimistic Congress will be able to craft a proposal that guarantees new privacy rights for consumers, includes a meaningful enforcement regime, and respects the good work undertaken by states across the country." The California Attorney General also made clear the importance of meaningful enforcement. "Congress should make clear in any legislative proposal that state attorneys general have parallel enforcement authority and that consumers also have the opportunity to protect their rights directly through a private right of action," Becerra said. EPIC has endorsed H.R. 4978, the Online Privacy Act, sponsored by Representatives Eshoo and Lofgren and S. 3300, the Data Protection Act, sponsored by Senator Gillibrand. Neither bill preempts stronger state law.
House Judiciary Committee to Consider Surveillance Reform
The House Judiciary Committee is considering the USA FREEDOM Reauthorization Act of 2020, a bill that will repeal authority to access call detail records, declassify opinions of the FISA court, and improve the Privacy and Civil Liberties Oversight Board. EPIC has joined 44 civil liberties organizations in support of similar legislation. But the bill does not address surveillance conducted under Section 702, concerning non-US persons. EPIC recently advised Congress to reform Section 702 and to end Section 215 surveillance of Americans.
Intelligence Agencies Report Russian Interference in the 2020 Presidential Election
According to the New York Times, U.S. intelligence agencies have briefed Congress about ongoing efforts by Russia to interfere in the 2020 Presidential election. Following the briefing, the President replaced the acting Director of National Intelligence with Richard Grenell, a person with no background in intelligence or the management of federal agencies. The Senate Intelligence Committee, the U.S. Intelligence Community, and Special Counsel Robert Mueller previously confirmed Russian interference in the 2016 election. However, the full extent of Russian interference in 2016 has not yet been revealed. EPIC is seeking the disclosure of the complete and unredacted Mueller Report in the FOIA lawsuit EPIC v. DOJ. EPIC's case could provide further information about the scope and techniques of Russian election interference. A ruling is expected soon.
EU Hearing on AI in Criminal Justice Highlights Concerns
The European Parliament heard testimony recently on AI in Criminal Law amidst a widespread push towards robust AI regulation in the EU. The panelists before the committee responsible for civil liberties, justice, and home affair focused on facial recognition, risk assessments, and predictive policing. The hearing explored regulation and law enforcement use, and also transparency, explainability, and accountability. The hearing in Parliament followed the release of a European Commission White Paper on AI. EPIC has called for a moratorium on face surveillance and maintains a resource about the use of risk assessments in the U.S. Criminal Justice system.
American Bar Association Adopts New Drone Privacy and Election Security Resolutions
Report Reviews AI in Federal Agencies
A report released by the Administrative Conference of the US with Stanford and NYU explores the use of Artificial Intelligence techniques by 142 Federal Agencies. According to the report, law enforcement agencies are most likely to use AI. The report "Government by Algorithm: Artificial Intelligence in Federal Administrative Agencies" cites documents obtained by EPIC in the FOIA lawsuit EPIC v. CBP. In that case, EPIC obtained document from the federal agent that revealed problems with biometric identification. EPIC has recommended the Universal Guidelines for AI to guide the government's use of AI and EPIC recently petitioned the Federal Trade Commission to establish regulations for the use of AI in commerce.
- 'TRUSTWORTHINESS' RATINGS SPARK FTC COMPLAINT, POLITICO, Mar. 28, 2020
- Here's the File Clearview AI Has Been Keeping on Me, and Probably on You Too, VICE News, Mar. 28, 2020
- Court Upholds Facebook Privacy Settlement Over Message Scanning, MediaPost, Mar. 4, 2020
- Airbnb Gives Renters Secret Risk Assessments And Personality Tests, Activist Post, Mar. 4, 2020
- A Privacy Violation Is a Concrete Injury, Ninth Circuit Underlines in Facebook Settlement Over Private Message Probes, Law.com, Mar. 3, 2020
- This breast cancer advocate says she discovered a Facebook flaw that put the health data of millions at risk, FOX4KC, Mar. 2, 2020
- Can I Opt Out of Facial Scans at the Airport?, The Markup, Mar. 2, 2020
- Lawmakers Back TCPA In High Court Constitutionality Fight, Law360, Mar. 2, 2020
- This breast cancer advocate says she discovered a Facebook flaw that put the health data of millions at risk, CNN, Mar. 1, 2020
- Emotion analytics used in AI recruitment tools are not only unethical but incorrect, The Sociable , Feb. 27, 2020
- Airbnb 'trustworthiness' ratings lead to FTC complaint, POLITICO Pro, Feb. 27, 2020
- Airbnb Has Secret 'Trustworthy Scores' and This Privacy Group Is Demanding to See Them, VICE, Feb. 27, 2020
- Senator proposes new digital privacy agency with sweeping powers, Biometric Companies, Feb. 27, 2020
- How is facial recognition technology being used across Central Florida?, WESH2, Feb. 26, 2020
- Millions of Americans who have driver's licenses still haven't upgraded to a Real ID., Vox, Feb. 25, 2020
- Data privacy protection at forefront of new proposed federal law, ABC 7 Denver, Feb. 24, 2020
- New Legislation in U.S. Proposes Federal Data Protection Agency, Broad Range of New Enforcement Actions, CPO Magazine, Feb. 24, 2020
- Trump's latest healthcare push would be a massive gift to Silicon Valley — and could destroy your privacy rights, Raw Story, Feb. 24, 2020
- Senators Propose Differing Approaches to Federal Governance of Data Protection Rules, LexBlog, Feb. 24, 2020
- Gillibrand seeks creation of agency to protect Americans' online privacy, Newsday, Feb. 23, 2020
- An algorithm that grants freedom, or takes it away, Seattle Times, Feb. 22, 2020
- App helps firms snoop on workers' sleep habits, The Times, Feb. 22, 2020
- Now is the time for a US data protection agency, The Hill, Feb. 21, 2020
- Many Tech Experts Say Digital Disruption Will Hurt Democracy, Pew Research Center, Feb. 21, 2020
- AI and Facial Recognition: Challenges and Opportunities, European Data Protection Supervisor, Feb. 21, 2020
- Businesses turning to AI for job interviews, CBS News, Feb. 20, 2020
- Kirsten Gillibrand wants a new privacy agency, Washington Examiner, Feb. 20, 2020
EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore. Featured now at the EPIC Bookstore:
EU Law in Populist Times: Crises and Prospects (Francesca Bignami ed., 2020).
Authored by leading academics and policymakers, EU Law in Populist Times provides a comprehensive and cutting-edge analysis of the fields of European Union law at the heart of contemporary political debates—economic policy, human migration, internal security, and constitutional fundamentals at the national level.
Recent EPIC Publications
The AI Policy Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).
The AI Policy Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI. The Sourcebook also includes AI materials from the European Union and the Council of Europe, national AI initiatives, as well as recommendations from professional societies, including the ACM and the IEEE. The Sourcebook also includes an extensive resources section on AI, including reports, articles, and books from around the world.
The Privacy Law Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).
The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major U.S. privacy laws. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the modernized Council of Europe Convention on Privacy. The Privacy Law Sourcebook 2020 includes the new California Consumer Privacy Act, the Illinois Biometric Information Privacy Act, the Public Voice Declaration for a Moratorium on Facial Recognition, and updates on GDPR implementation. The Sourcebook also includes an extensive resources section with information on privacy agencies, organizations, and publications.
EPIC v. Department of Justice: The Mueller Report, edited by Marc Rotenberg (EPIC 2019).
EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC's request for the Mueller Report and other records about Russian interference in the 2016 presidential election.
Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler (Direct Injection Press 2016).
This teachable casebook provides an introduction to the law andEPIC Report Finds Privacy Bills in Congress Lacking Basic Elements In Amicus Brief, EPIC Urges Supreme Court to Limit Traffic Stops Based Solely on Owner's License Status Following EPIC's 2011 Recommendation, Facebook Changes Default Setting on Facial Recognition EPIC Appeals Decision Allowing FAA Drone Committee to Operate in Secret Federal Court Rules FBI Watchlist Unconstitutional policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.
Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD, and Marc Rotenberg, JD, LLM. West Academic (West Academic 2015).
The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.
Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott (The New Press 2015).
The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.
The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.
Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.
Yale CEO Conference. Mar. 17, 2020. Washington, DC. Marc Rotenberg, EPIC President.
OECD AI Expert Group. Apr. 22–24, 2020. Paris, France. Marc Rotenberg, EPIC President.
AI World Society, Harvard University. Apr. 28, 2020. Harvard University, Cambridge, MA. Marc Rotenberg, EPIC President.
EPIC Champion of Freedom Awards Dinner. June 3, 2020. Washington, DC.
Share this page:
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.