EPIC Alert 27.15

1. VICTORY: Court Orders Additional Mueller Report Disclosures in EPIC Case

A federal court, ruling in EPIC v. DOJ, has ordered the Department of Justice to disclose extensive new material from the Mueller Report. The decision marks a major victory in EPIC's 18-month case for disclosure of the unredacted Report.

In a 40-page opinion, Judge Reggie B. Walton rejected the DOJ's argument that it could withhold portions of the Report as "predecisional," noting that the Mueller Report describes "decisions that were already final." Walton, who reviewed the full Mueller Report before issuing his ruling, ordered the DOJ to provide EPIC with a less-redacted version of the Report by November 2. Walton previously rebuked Attorney General Barr in EPIC's case and raised "grave concerns about the objectivity of the process that preceded the public release of the redacted version of the Mueller Report[.]"

EPIC's case has already led the DOJ to release two rounds of previously undisclosed material from the Mueller Report. In June, the DOJ published additional passages concerning Roger Stone in response to an EPIC court filing. Last month, the DOJ released extensive new material from the Report, including an excerpt from a document that describes the Russian government's goal of "spread[ing] distrust towards the candidates and the political system" leading up to the 2016 election.

EPIC's Freedom of Information Act suit—the first in the nation for the disclosure of the Mueller Report—is EPIC v. DOJ, No. 19-810.

2. Following EPIC Demand Letter, TikTok Says Privacy 'Will Remain a Priority' in Oracle Deal

Social media platform TikTok, responding to a recent demand letter from EPIC, said that user privacy "will remain a priority for TikTok" if and when a deal with Oracle is finalized—but stopped short of agreeing to EPIC's full list of demands.

Last month, after Oracle reached a tentative agreement to serve as TikTok's U.S. partner and "independently process TikTok's U.S. data," EPIC sent letters to both companies warning them of their legal obligation to protect the privacy of TikTok users. The deal would pair one of the largest brokers of personal data with a social network of 800 million users, posing grave privacy and legal risks. "Absent strict privacy safeguards, which to our knowledge Oracle has not established, [the] collection, processing, use, and dissemination of TikTok user data would constitute an unlawful trade practice," EPIC wrote.

Although TikTok responded that it was "committed to helping ensure that any transfer and processing of personal data . . . complies with applicable law" and the company's privacy policies, TikTok did not agree to other EPIC demands, such as maintaining strict separation between TikTok and Oracle data and submitting to annual third party audits. Oracle has yet to respond to EPIC.

EPIC's letters to Oracle and TikTok warned that unless they "adequately protect the privacy of TikTok users," EPIC intends to bring a lawsuit against both companies under the D.C. Consumer Protection Procedures Act. EPIC previously used the same law to force AccuWeather to stop deceptively gathering users' location data.

EPIC and a coalition of consumer groups recently filed a Federal Trade Commission complaint against TikTok for violating the Children's Online Privacy Protection Act.

3. EPIC Urges AI Commission to Recommend Robust AI Regulation, Prioritize Protection of Rights

In comments to the National Security Commission on Artificial Intelligence, EPIC called on the Commission to "advise Congress, as the nation's highest policymaking authority, to establish government-wide principles and safeguards for the use and development of AI." The Commission, which is tasked with developing U.S. AI policy, is due to issue its final set of recommendations to Congress by March 2021.

"AI systems—particularly those used in defense and national security settings—present profound risks to privacy, safety, and human rights," EPIC wrote. "Unless express, binding limits on the use of AI are established now, the technology will quickly outpace our collective ability to regulate it. The Commission cannot simply kick the can down the road, particularly when governments, civil society, and private sector actors have already laid extensive groundwork for the regulation of AI."

EPIC also urged the Commission to rely on the Universal Guidelines for Artificial Intelligence and the OECD AI Principles as a foundation for AI policymaking. The UGAI are a human rights framework for AI endorsed by more than 250 experts and 60 organizations around the world, while the OECD AI Principles are backed by the U.S. and more than 40 other countries.

In EPIC v. AI Commission, EPIC successfully sued the AI Commission in order to enforce its transparency obligations. The court twice ruled in EPIC's favor, leading the Commission to open its meetings and disclose thousands of pages of records to EPIC. The Commission is set to hold a virtual public meeting on October 8, 2020 at 1:30 p.m. ET.

4. EPIC to Senate Commerce: The U.S. Needs a Data Protection Agency

In a statement to the Senate Commerce Committee before a hearing on the need for federal privacy legislation, EPIC urged lawmakers to establish an independent U.S. Data Protection Agency.

EPIC laid out the FTC's typical privacy playbook: consent decrees, infrequent penalties, and no meaningful changes in business practices. "The FTC does not have the motivation or the tools necessary to enforce meaningful privacy and data protection rights in 2020," EPIC said, pointing to settlements the FTC had reached with Facebook, Google, YouTube, Uber, and Equifax.

EPIC also noted the FTC's failure to use its existing authority to regulate privacy, including its rulemaking authority under Section 5 to establish stronger data security standards. "If the FTC fails to use these authorities, then the Commission is not capable of protecting Americans' privacy, and the Commission should no longer be trusted to do so," EPIC stated. "As the data breach epidemic reaches unprecedented levels and the FTC fails to act again and again, the need for an effective, independent data protection agency has never been greater."

EPIC urged the Committee to hold a hearing on and give a favorable report to S. 3300, the Data Protection Act filed by Senator Gillibrand, which creates an independent U.S. Data Protection Agency.

5. Report on Trump Tax Records Reinforces EPIC's Calls for Presidential Tax Return Disclosure

A blockbuster report from the New York Times revealing details of President Trump's tax history underscores the need for transparency of presidential tax returns, which EPIC has repeatedly advocated.

According to the Times report, President Trump paid little or no federal income tax in many recent years; is due to repay hundreds of millions of dollars in loans in the near term; and has "received more money from foreign sources and U.S. interest groups than previously known."

The Times also reports that Trump and the Internal Revenue Service reached a tentative agreement in 2014 over a disputed $70 million tax refund—a deal that may have been struck under the IRS's offer in compromise procedures. In EPIC v. IRS II, EPIC is currently litigating for the release of offer in compromise records involving the President and his associated businesses. By law, these records "shall be disclosed to members of the general public."

In March, EPIC filed an amicus brief in Trump v. Vance urging the Supreme Court to allow the release of President Trump's tax returns to a New York grand jury. EPIC wrote that the "longstanding practice of disclosing presidential tax returns reflects a central principle of modern democracies: privacy must sometimes yield to accountability." The Court ultimately rejected the President's effort to categorically shield his tax returns from state prosecutors.

EPIC also sought public release of President Trump's tax returns in EPIC v. IRS I, arguing that disclosure was necessary to correct numerous factual misstatements made by the President.

News in Brief

EPIC Urges FCC to Adopt AI Principles, Support Robust Regulation of AI

In comments to the Federal Communication Commission's Technological Advisory Council, EPIC urged the FCC to "support the establishment of a strong regulatory framework to ensure AI transparency and accountability within the agency and the private sector." EPIC's comments are directed to the TAC's AI Working Group, which analyzes the role of AI in telecommunications networks and services. EPIC recently submitted comments to the EU urging the European Commission to enact comprehensive AI legislation. In February, EPIC filed a petition with the FTC calling for a rulemaking on the use of AI in commerce. EPIC recommends that governments rely on the Universal Guidelines for AI and the OECD AI Principles as a baseline for AI policy.

New Housing Regulation Limits Disparate Impact Housing Claims Based on Algorithms

Individuals alleging that a landlord discriminated against them by using a tenant-screening algorithm will face a higher burden of proof under a new rule that went into effect recently. The rule creates a defense to a discrimination claim under the Fair Housing Act when the "predictive analysis" tools used were not "overly restrictive on a protected class" or where they "accurately assessed risk." Last October, EPIC and several others warned that providing such a safe harbor for the use of algorithms in housing without imposing transparency, accountability, or data protection regulations would exacerbate harms to individuals subject to discrimination. The agency did modify its rule following EPIC's comments, removing a complete defense based on use of an "industry standard" algorithm or in cases where the algorithm was not the "actual cause" of the disparate impact. But the final rule simply replaces the word "algorithm" with "predictive analysis" and includes vague "overly restrictive" and "accurate assessment" standards. The Alliance for Housing Justice called the rule "a vague, ambiguous exemption for predictive models that appears to confuse the concepts of disparate impact and intentional discrimination." EPIC has called for greater accountability in the use of automated decision-making systems, including the adoption of the UGAI principles and requirements for algorithmic transparency.

DOJ Releases New Material from Mueller Report in EPIC Case

The Justice Department, as part of an open government lawsuit brought by EPIC, has released another round of previously unpublished material from the Mueller Report. The newly disclosed passages are listed in the "Redaction" column of a DOJ spreadsheet—though outside of their original context from the Mueller Report. The spreadsheet was originally drafted to answer questions from Judge Reggie B. Walton, who initiated an "in camera" review of the complete Mueller Report after determining that Attorney General Bill Barr's redactions may have been "self-serving." Among the newly disclosed material is an excerpt from an Internet Research Agency document that describes the Russian government's goal of "spread[ing] distrust towards the candidates and the political system in general" and states that "All the primaries are purchasable." The DOJ previously released new passages from the Mueller Report in June. EPIC's Freedom of Information Act case—the first in the nation for the disclosure of the Mueller Report—is EPIC v. DOJ, No. 19-810.

Pennsylvania's Supreme Court Prohibits Election Officials from Counting 'Naked Ballots'; PA Voters Must Use Secrecy Envelopes

Last week, Pennsylvania's State Supreme Court ordered election officials not to count so-called "naked ballots"—mail-in ballots that arrive without an inner secrecy envelope—in the 2020 Election. Pennsylvania's two-envelope ballot system includes a "secrecy envelope" that does not have personally identifiable information. The purpose of the secrecy envelope is to ensure that voter privacy is protected, but the state Supreme Court has now ruled that failure to use the envelope would invalidate a ballot. There is a concern that voters who are submitting their ballots by mail for the first time might not understand the two-envelope system. The state has committed to increasing voter outreach and education to ensure that voters understand the need to use the secrecy envelope. Voters should check the Pennsylvania Mail-in & Absentee Ballots webpage and instructional video for more information on how to properly vote by mail. If Pennsylvania voters provide their email address when registering for a mail-in ballot, they can receive ballot application and processing information. Voters can also track the status of their ballots online. Pennsylvania voters' mail-in ballots must be postmarked or returned to a designated drop off location by 8 p.m. on Election Day. Anyone who is voting by mail or absentee should track the status of their ballots. EPIC recently launched an interactive map to link voters to their state election resources.

Facebook Integrates Instagram and Messenger

Facebook has announced the integration of Facebook Messenger and Instagram. Early last year, Facebook released plans to integrate WhatsApp, Messenger, and Instagram, breaking the promises Facebook made when it acquired WhatsApp. After the announcement, Facebook declined to give a timeline for when WhatsApp integration would occur. In 2014, EPIC and the Center for Digital Democracy warned the FTC that Facebook regularly incorporates user data from companies it acquires and that WhatsApp users objected to the acquisition. The FTC responded to EPIC and CDD and told Facebook and WhatsApp that "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the FTC Act and potentially the FTC's order against Facebook." The FTC noted that "hundreds of millions of users have entrusted their personal information to WhatsApp. The FTC staff continue to monitor the companies' practices to ensure that Facebook and WhatsApp honor the promises they have made to those users." The House Judiciary Committee held a hearing this week on proposals to strengthen antitrust laws and restore competition. EPIC has told the Committee that merger review must consider data protection.

Zoom, Twitter Failures Highlight Discriminatory Impact of Facial Recognition

A pair of recent discoveries about Zoom and Twitter's facial recognition algorithms highlights the discriminatory impact of such systems and reinforces EPIC's call for a moratorium on face surveillance. Technologist Colin Madland recently tweeted images showing that Zoom's facial recognition tool failed to recognize a black colleague's face when using a digital background–even though it easily identified Madland's face. In subsequent tweets from the same thread, it became apparent that Twitter's image preview system also had a strong bias toward centering images on white faces over black faces. Twitter said it had previously tested the system for bias, but the company will now "open source [its] work so others can review and replicate." A 2019 study from NIST of a majority of facial recognition vendors found significant rates of racial bias. In addition to calling for a moratorium on facial surveillance, EPIC advocates for algorithmic transparency and a comprehensive federal data privacy law.

CBP Failed to Protect Sensitive Biometric Information in Test of Facial Recognition Program

In a new report, the Inspector General for the Department of Homeland Security found that Customs and Border Protection failed to safeguard pictures of travelers obtained for a facial recognition pilot program, the Biometric Entry-Exit Program. The pictures were exposed in a data breach of a CBP subcontractor, Perceptics, LLC. OIG found that the CBP failed to undertake sufficient information security practices to prevent Perceptics from obtaining the data. At least 17 of the images were ultimately released on the dark web. EPIC leads an ongoing campaign to Ban Face Surveillance. In 2018, EPIC urged CBP to suspend its Biometric Entry-Exit Program. EPIC previously obtained documents on that program through a FOIA lawsuit.

Senate Republicans Introduce Weak 'SAFE DATA Act'

Senators Roger Wicker, John Thune, Marsha Blackburn, and Deb Fischer have introduced the "SAFE DATA Act," which relies on an outdated notice-and-choice model that allows companies to diminish the rights of consumers and use personal data to benefit the company but not the individual. "Senator Wicker's SAFE DATA Act allows companies to collect any personal data it pleases as long as it discloses it in its privacy policy," said EPIC Policy Director Caitriona Fitzgerald. "And it prohibits states from adopting or enforcing any data privacy or data security laws. The SAFE DATA Act is very weak compared to Senator Gillibrand's Data Protection Act, Senator Brown's discussion draft, and the Online Privacy Act introduced in the House." EPIC's recent report on federal privacy legislation, Grading on a Curve: Privacy Legislation in the 116th Congress, evaluates federal privacy bills. EPIC has called for comprehensive baseline, federal legislation and the creation of a data protection agency.

EPIC in the News

• A Judge Has Ordered The Justice Department To Release More Portions Of The Mueller Report Before Election Day, BuzzFeed News, Oct. 1, 2020

• Federal Judge Orders DOJ to Release Redacted Sections of Mueller Report before Election, National Review, Oct. 1, 2020

• Judge orders DOJ to release less-redacted version of Mueller report, Washington Times, Oct. 1, 2020
• Judge Rules Donald Trump Admin Failed to Justify Robert Mueller Report Redactions, Orders DOJ to Publish, Newsweek, Oct. 1, 2020
• A Federal Judge Just Opened a Door to Releasing New Details From the Mueller Report, National Law Journal, Oct. 1, 2020
• DOJ Must Reveal More Mueller Report Materials By Nov. 2, Law360, Oct. 1, 2020
• Too Smart: 'Alexa' Can Now Act Without Commands, KTRH, Sep. 30, 2020
• Secretive, never profitable Palantir makes its market debut, Star Tribune, Sep. 30, 2020
• Judge orders DOJ to publish info redacted as privileged from Mueller report, The Hill, Sep. 30, 2020
• Peter Thiel's secretive Palantir surges 38% in debut, valuation at nearly $22B, NY Post, Sep. 30, 2020
• How A High Court Textualist Could Help Limit Anti-Hack Law, Law360, Sep. 25, 2020
• Public Interest in Tech Scrutiny From Presidential Candidates Has Grown Since Last Year, Morning Consult, Sep. 23, 2020
• The last mile for TikTok-Oracle, POLITICO Morning Tech, Sep. 21, 2020
• EPIC Intends to Litigate Against Both TikTok and Oracle, POLITICO Morning Cybersecurity, Sep. 21, 2020
• Privacy group promises legal action if TikTok doesn't protect user privacy, Daily Dot, Sep. 21, 2020

More EPIC in the News »

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

Communications Law and Policy: Cases and Materials, 7th Edition, by Jerry Kang and Alan Butler (Direct Injection Press 2020)

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, (indecent) content, privacy, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field. This book includes concise technological and legal summaries and carefully edited opinions and FCC reports. It also includes "just-in-time" delivery of the text of statutes and regulations so that students get accustomed to parsing statutory material as they analyze legal questions.

The AI Policy Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The AI Policy Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI. The Sourcebook also includes AI materials from the European Union and the Council of Europe, national AI initiatives, as well as recommendations from professional societies, including the ACM and the IEEE. The Sourcebook also includes an extensive resources section on AI, including reports, articles, and books from around the world.

The Privacy Law Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major U.S. privacy laws. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the modernized Council of Europe Convention on Privacy. The Privacy Law Sourcebook 2020 includes the new California Consumer Privacy Act, the Illinois Biometric Information Privacy Act, the Public Voice Declaration for a Moratorium on Facial Recognition, and updates on GDPR implementation. The Sourcebook also includes an extensive resources section with information on privacy agencies, organizations, and publications.

EPIC v. Department of Justice: The Mueller Report, edited by Marc Rotenberg (EPIC 2019).

EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC's request for the Mueller Report and other records about Russian interference in the 2016 presidential election.