EPIC Alert 27.19

1. EPIC Files D.C. Consumer Protection Complaint Against Online Test Proctoring Firms

EPIC has filed a complaint with the D.C. Attorney General alleging that five providers of online test proctoring tools have routinely violated students' privacy and engaged in unfair and deceptive trade practices.

EPIC's complaint charges that Respondus, ProctorU, Proctorio, Examity, and Honorlock have collected excessive personal data from proctored students; have relied on opaque and unreliable AI tools to flag alleged signs of cheating; and have made deceptive statements about their products.

"The rapid growth of online test proctoring has all but forced many students to trade away their privacy rights in order to meet their academic obligations," EPIC explained. "These systems routinely collect sensitive data from students that is not necessary to administer an exam and subject test-takers to secret, unproven algorithms that can effectively accuse them of cheating with no legitimate basis."

EPIC's complaint calls on the D.C. Attorney General to halt the companies' unfair trade practices and to impose transparency, data minimization, and algorithmic fairness requirements. EPIC also warned each company that it is prepared to file suit under D.C.'s consumer protection law if they fail to correct their unlawful privacy practices.

EPIC has long advocated for greater accountability in the use of automated decision-making systems, including the adoption of the Universal Guidelines for Artificial Intelligence and requirements for algorithmic transparency. EPIC has also highlighted the privacy risks posed by the adoption of online tools in the COVID-19 era and has previously used D.C.'s consumer protection law to force changes to Accuweather's collection of personal data.

2. EPIC Urges NJ Supreme Court to Protect Privacy of Personal Information in Government Records

EPIC has filed an amicus brief in Bozzi v. City of Jersey City urging the New Jersey Supreme Court to protect the privacy of personal information in government records. The case concerns a business owner's request under New Jersey's open records law for names and home addresses that residents were required to provide the city to obtain dog licenses.

EPIC urged the court to interpret New Jersey's law in line with the federal open government law, which generally protects names and addresses contained in government records. EPIC also urged the Court to prevent public disclosure of personal information for purely commercial purposes.

"The names and addresses of individuals, along with specific traits or characteristics about the individuals reflected in the requested records, are private and deserve protection," EPIC explained. "In this case, disclosure of names and addresses of dog owners would lead directly to unwanted solicitations and other unwarranted invasions of privacy."

"Other courts have already acknowledged that attempts to extract commercial value from personal information, such as lists of names and addresses, pose acute threats to individual privacy," EPIC added. "This Court should follow suit." EPIC stressed that the purpose of open government laws "is to shed light on the workings of the government——not to transform the government into a lead generator for commercial ventures."

EPIC has filed numerous amicus briefs concerning the right to informational privacy. EPIC also has extensive experience litigating federal open government cases.

3. EPIC to Massachusetts Supreme Court: Facebook Needs to Disclose Apps that Violated User Privacy

EPIC has filed an amicus brief in Massachusetts Attorney General v. Facebook urging the Massachusetts Supreme Judicial Court to require Facebook to disclose information about third-party apps that violated user privacy protections. The Attorney General requested the information as part of an investigation into the 2018 Cambridge Analytica scandal.

EPIC explained that Facebook has been obligated to collect information about user privacy abuses for more than a decade but failed to do so in this case until threatened with litigation. If the company is allowed to keep this information secret, EPIC wrote, "Facebook will continue to evade accountability and the harmful effects of Facebook's business practices could go undetected."

EPIC argued that Facebook has had a long pattern of secrecy, and that Facebook now "knows a shocking amount about each of its users, but its users know shockingly little about Facebook. This information asymmetry threatens the public interest."

EPIC has long sought accountability for Facebook's broken privacy promises. EPIC filed the original FTC complaint in 2009 that led to the FTC's 2012 consent order with the company, subsequently filed several complaints alleging violations of the order, urged the FTC to investigate the Cambridge Analytica incident, and moved to intervene in and filed an amicus brief challenging the FTC's 2019 settlement with Facebook.

4. 48 States and FTC Sue Facebook Over Illegal Monopoly, Echo EPIC's Warnings on Instagram & WhatsApp Mergers

Forty-eight states and the Federal Trade Commission have filed landmark lawsuits in federal court alleging that Facebook has stifled competition to illegally maintain its social networking monopoly.

EPIC has long urged the FTC to unwind Facebook's acquisitions of Instagram and WhatsApp. In 2014, EPIC and the Center for Digital Democracy warned the FTC that Facebook incorporates user data from companies it acquires and that WhatsApp users objected to the acquisition.

The new complaint from state Attorneys General echoes EPIC's concern, explaining that "Facebook's conduct deprives users of product improvements and, as a result, users have suffered, and continue to suffer, reductions in the quality and variety of privacy options and content available to them."

"We applaud the state Attorneys General for focusing on the ways Facebook's monopolistic behavior harmed users' privacy and reduced privacy-protective options in the market," Caitriona Fitzgerald, EPIC Policy Director said.

5. Justices Concerned for Privacy of Personal Information if Insiders Can Abuse Access Privileges

During the U.S. Supreme Court's recent oral argument in Van Buren v. United States, a case concerning the scope of the Computer Fraud & Abuse Act, several Justices emphasized the need to protect sensitive personal data from both hackers and insiders who could abuse their access privileges. EPIC filed an amicus brief in the case, arguing that the CFAA was enacted "to protect personal information stored in recordkeeping systems" and the scope of the law "should be co-extensive with its data protection purpose."

Van Buren, a police officer, was prosecuted under the CFAA for improperly accessing personal data in a government system for financial gain. Van Buren argues that he did not violate the CFAA because he had credentials to access the system.

At oral argument, many of the justices questioned Van Buren's attorney about the impact of his interpretation on the privacy of sensitive personal information, and a majority seemed to agree that the conduct at issue in this case was criminal. Justice Alito said that insiders who abuse their access can do "enormous damage" to personal privacy and referenced EPIC's amicus brief.

In its brief, EPIC explained that government databases "hold vast quantities of some of the most sensitive personal data imaginable" and that "we need the CFAA, now more than ever, to be an extra check against abuse by the people entrusted to access sensitive data and systems." EPIC also argued that the Court need not limit CFAA liability to those who bypass a login system to avoid criminalizing the activity of ordinary internet users.

During argument, several justices were interested in alternative ways to limit the statute to better align the law with its data protection purpose. EPIC has also participated as amicus in another CFAA case before the Court, LinkedIn v. hiQ Labs. The petition for review in LinkedIn is currently pending.

News in Brief

EPIC, Coalition Urge FTC to Address Privacy in Zoom Settlement

EPIC, the Center for Digital Democracy, the Campaign for a Commercial-Free Childhood, the Parent Coalition for Student Privacy, and Consumer Federation of America sent comments this week to the FTC urging the agency to address privacy in its proposed Consent Order with Zoom. The groups recommended that the FTC modify the Order to require Zoom to (1) implement a comprehensive privacy program; (2) obtain regular independent privacy assessments and make those assessments available to the public; (3) provide meaningful redress for victims of Zoom's unfair and deceptive trade practices; and (4) ensure the adequate protection and limits on the collection of children's data. In July 2019, EPIC sent a detailed complaint to the FTC citing the flaws with Zoom and warning that the company had "exposed users to the risk of remote surveillance, unwanted video calls, and denial-of-service attack." In April 2020, EPIC wrote to Chairman Simons urging the FTC to open an investigation. EPIC has long advocated for the creation of a U.S. data protection agency.

EPIC Urges Advisory Council to Address Privacy Risks of DHS's Use of Biometrics

In response to a report by the Homeland Security Advisory Council's Biometric Subcommittee, EPIC urged the Council to table the report until they can address the privacy and civil liberties implications of the Department of Homeland Security's collection and use of biometrics in full. The Biometric Subcommittee was tasked with examining DHS use and collection of biometrics. The Subcommittee's report failed to address a rule proposed in September that would broadly expand DHS use of biometrics. EPIC previously argued that the proposed rule, giving DHS broad authorization for biometric collection, was incompatible with the department's Fair Information Practice Principles.

EPIC Urges California Supreme Court to Decide Case About Proprietary Google Algorithm

EPIC has filed an amicus letter urging the California Supreme Court to decide whether the government's reliance on evidence Google automatically reported to authorities using a proprietary algorithm violates the Fourth Amendment. EPIC warned that the government has not presented any evidence about the accuracy or reliability of the algorithm, which are essential elements of the Fourth Amendment analysis. EPIC told the California Supreme Court that the "Government must present evidence about Google's algorithm, not other, unrelated" algorithms. EPIC has filed amicus briefs in the federal case against the defendant, currently before the Ninth Circuit, and in a similar Sixth Circuit case. Recently, the Sixth Circuit followed other federal courts in erroneously equating Google's algorithm with non-proprietary and well tested methods for authenticating files. In contrast, a judge on the Ninth Circuit panel told the government attorney during oral argument that he "would like to hear your defense of the evidentiary record" because the record only contained "this declaration from the Google person," and he "would need far more explanation of how reliable the hash matching technology is before I could validate this search." EPIC routinely files amicus briefs in cases concerning the Fourth Amendment and new technology.

FTC Announces Investigation Into Privacy Practices of Major Tech Platforms

The FTC has launched a new inquiry into the privacy policies, procedures and practices of several Social Media and Video Streaming Service providers: Amazon, ByteDance, TikTok, Discord, Facebook, Reddit, Snap, Twitter, WhatsApp, and YouTube. Specifically, the FTC is seeking information relating to how the companies collect, use, track, estimate, or derive personal information and determine which ads to show consumers; whether the companies apply algorithms to personal information; how they measure and promote user engagement; and how their practices affect children and teenagers. In a joint statement, Commissioners Chopra, Slaughter, and Wilson wrote, "Policymakers and the public are in the dark about what social media and video streaming services do to capture and sell users' data and attention. It is alarming that we still know so little about companies that know so much about us." In September 2020, EPIC joined 27 groups urging the FTC to study data-driven bias and discrimination in all forthcoming 6(b) investigations.

FCC Says Government Contractors Subject to Robocall Restrictions

A new FCC ruling recognizes that government contractors and local governments are subject to the Telephone Consumer Protection Act, the law that restricts robocalls. The new ruling reverses a 2016 ruling that excluded federal contractors from the TCPA's requirements. The FCC reasoned in 2016 that, because the federal government is not subject to the law, its contractors also are not. Following the 2016 ruling, the National Consumer Law Center petitioned the FCC to reconsider. EPIC joined the petition. The new FCC ruling follows the recommendation of consumer groups and holds that Congress never intended to exclude government contractors and local governments from the law. The Commission concluded that including government contractors in the law increases the "effectiveness of TCPA privacy right protections." The FCC also noted that the TCPA is a consumer protection statute, and any ambiguity should be interpreted "to the benefit of the consumer." The Supreme Court is currently considering another ambiguity in the TCPA: the definition of an automatic telephone dialing system. The Court heard oral arguments in the case last week. A decision is expected next spring.

President Issues Executive Order Regulating Some Government Uses of AI

President Trump recently signed an Executive Order on "Promoting the Use of Trustworthy Artificial Intelligence in the Federal Government," which establishes principles for certain federal government uses of AI. The principles state that AI systems must be lawful, purposeful, accurate, reliable, effective, safe, understandable, responsible, traceable, regularly monitored, transparent, and accountable. The order instructs applicable agencies to create public inventories of AI use and identify AI uses that are inconsistent with the principles. However, the principles do not apply to AI used in defense or national security systems or other "common commercial products." The Office of Management and Budget published similar principles in January, and the new order instructs the OMB to develop guidance for agencies to comply with the AI principles. In March, EPIC urged the OMB to follow the Universal Guidelines for Artificial Intelligence as a basis for AI policy.

FTC Settlement Over Tenant Screening Algorithm Lacks Safeguards, Redress for Victims

The Federal Trade Commission has reached a settlement with AppFolio which requires the company to fix its faulty and unlawful tenant screening algorithm—but which fails to compensate victims and lacks adequate safeguards to ensure AppFolio's compliance. AppFolio included inaccurate information in tenant background reports in violation of the Fair Credit Reporting Act, which "directly resulted in qualified tenants being turned away from potential homes." The settlement requires AppFolio to pay a $4.25 million fine, comply with FCRA in the future, and submit regular compliance paperwork to the FTC. But Commissioner Rohit Chopra dissented, arguing that the Commission should provide victims redress, impose stronger accountability measures, and refer the case to the Justice Department over possible housing discrimination. "Sloppy, inaccurate credit reporting practices are not mild inconveniences for American families," Chopra wrote. "They can be deeply harmful, reinforcing discrimination and foreclosing opportunities for individuals to seek a better home, job, and life." In February 2020, EPIC filed a complaint against Airbnb asking the FTC to investigate whether the company's customer screening algorithm violates the Fair Credit Reporting Act.

Supreme Court Hears Arguments in Case Concerning Scope of Federal Robocall Ban

The Supreme Court heard arguments this month in Facebook v. Duguid, a case concerning the scope of the federal ban on robocall systems, or "autodialers," under the Telephone Consumer Protection Act. EPIC filed an amicus brief in the case urging the Court to preserve the law's broad restriction on robocalls. EPIC described how the problem of unwanted robocalls "has grown exponentially in recent years as new systems have made it easier and cheaper than ever" to send calls to millions of cell phone users without their consent. EPIC in its brief pushed back on Facebook's argument that the robocall ban should not apply to automated systems that dial from lists of numbers. EPIC emphasized that Congress was concerned "above all else with protecting the privacy of cell phone users from the scourge of robocalls." EPIC routinely files amicus briefs on the TCPA, including in Gadelhak v. AT&T Services which also concerned the scope of the robocall ban.

Vendor of School-Based Face Surveillance Systems Lied About Bias, Accuracy

Documents obtained by Motherboard show that a key vendor of school-based facial recognition tools lied to school officials about the accuracy rate and racial bias of its surveillance product. The records reveal that SN Technologies' AEGIS system misidentifies black students at alarmingly high rates and mistakes objects like broom handles for guns. Despite these errors, at least one New York school district has the system configured to automatically alert police when it detects a weapon or an individual on the district's watchlist. The use of face surveillance systems in schools increases unnecessary interactions between police and students and can accelerate the school-to-prison pipeline. SN Technologies' algorithm was included in the 2019 NIST study that showed extensive racial bias in face surveillance systems. EPIC advocates for a moratorium on facial recognition technologies and urges policymakers to increase algorithmic accountability and transparency around the adoption and use of these tools.

Microsoft Developing Workplace Surveillance System to 'Score' Meeting Productivity

A recent patent application reveals Microsoft is developing a "meeting insight computing system" that would monitor body language, facial expressions, and other features of participants in order to assign a "quality score" to workplace meetings. According to the filing, the system could be applied both to in-person and remote meetings. Microsoft also introduced a "Productivity Score" last month which would have allowed organizations to monitor employees' use of Microsoft products. The company quickly backtracked in response to public outcry and eliminated the individualized tracking feature. Worker surveillance has rapidly increased with the transition to remote work due to COVID-19, and many organizations with on-site workers are instituting surveillance systems with the stated goal of protecting public health. EPIC advocates against social scoring and has filed a complaint with the FTC about HireVue, which similarly evaluates facial expressions and vocal patterns in the context of hiring.

Bipartisan Internet of Things Security Bill Passes Congress

Both branches of Congress have now passed a bill governing the security of the Internet of Things. The "Internet of Things Cybersecurity Improvement Act of 2019" sets baseline cybersecurity standards for IoT devices purchased by the federal government. The bipartisan measure is sponsored by Rep. Will Hurd (R-Texas) and Rep. Robin Kelly (D-Ill.) in the House and Sens. Mark Warner (D-VA) and Cory Gardner (R-CO) in the Senate. "While more and more products and even household appliances today have software functionality and internet connectivity, too few incorporate even basic safeguards and protections, posing a real risk to individual and national security," said Sen. Warner. The bill now heads to the President's desk for signature. EPIC recently told Congress that "the IoT network is the weak link in consumer products" and urged the establishment of of mandatory privacy and security standards.

LAPD Bans Use of Clearview AI Facial Recognition

The Los Angeles Police Department (LAPD) issued a moratorium on the use of third-party commercial facial recognition systems including Clearview AI. However, the LAPD will continue to use a Los Angeles County system which searches booking images. LAPD officers have used Clearview AI at least 475 times since 2019. Clearview AI is a particularly dangerous facial recognition system because it queries a database of over 3 billion images scraped from social media sites, compromising the privacy of more individuals than smaller-scale systems. EPIC recently filed a Freedom of Information Act lawsuit seeking information on Immigrations and Customs Enforcement's (ICE) use of Clearview AI. EPIC leads a campaign to Ban Face Surveillance.

EPIC in the News

• 2,000 Parents Petition McGraw-Hill to Stop Using Remote Proctoring Tools, EdSurge, Dec. 18, 2020
• How teachers are sacrificing student privacy to stop cheating, Vox/Recode, Dec. 18, 2020
• Privacy Advocates Denounce FTC's 'Unacceptable' Settlement With Zoom, MediaPost, Dec. 17, 2020
• DHS must table self-serving biometrics report — EPIC, Biometric Update, Dec. 14, 2020
• D.C. Attorney General Urged to Probe Proctors' Privacy Methods, Bloomberg Law, Dec. 10, 2020
• A major privacy group filed a complaint against providers of online test proctoring tools with the D.C. attorney general, Washington Post Technology 202, Dec. 10, 2020
• Study finds crime-predicting judicial tool exhibits gender bias, Venture Beat, Dec. 10, 2020
• Privacy Group Asks for Investigation Into Software That Spies on Students, Vice, Dec. 9, 2020
• EPIC files complaint against five online test-proctoring services, The Verge, Dec. 9, 2020
• Justices Unsure If 'Dangerously Vague' CFAA May Do Harm, Law360, Dec. 1, 2020
• 33 groups urge Biden to hold Big Tech accountable and keep industry allies out of his administration, Salon, Dec. 1, 2020
• Supreme Court scrutinizes Computer Fraud and Abuse Act in case closely watched by hacker, SC Magazine, Dec. 1, 2020
• The FBI Has Released A Final Batch Of Memos From The Mueller Probe, Buzzfeed News, Dec. 1, 2020
• College Students Are Learning Hard Lessons About Anti-Cheating Software, Voice of San Diego, Nov. 30, 2020
• Cybercrime law goes to SCOTUS, POLITICO Morning Cybersecurity, Nov. 30, 2020
• Van Buren v. United States: The SCOTUS case splitting the privacy world in two, Protocol, Nov. 30, 2020
• Next Step in Government Data Tracking Is the Internet of Things, Wall Street Journal, Nov. 27, 2020
• FTC's Zoom Deal Signals New Data Security Plan Under Dems, Law360, Nov. 25, 2020
• New York City wants to restrict artificial intelligence in hiring, CBS News, Nov. 24, 2020
• Delta launches contactless TSA PreCheck in Detroit, Atlanta Business Chronicle, Nov. 24, 2020
• Lawmakers, Experts Split on CBP's Proposed Biometric System Advancement, NextGov, Nov. 24, 2020
• Column: Do you really want Amazon's new drugstore knowing your medical condition?, Los Angeles Times, Nov. 19, 2020

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

Communications Law and Policy: Cases and Materials, 7th Edition, by Jerry Kang and Alan Butler (Direct Injection Press 2020)

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, (indecent) content, privacy, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field. This book includes concise technological and legal summaries and carefully edited opinions and FCC reports. It also includes "just-in-time" delivery of the text of statutes and regulations so that students get accustomed to parsing statutory material as they analyze legal questions.

The AI Policy Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The AI Policy Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI. The Sourcebook also includes AI materials from the European Union and the Council of Europe, national AI initiatives, as well as recommendations from professional societies, including the ACM and the IEEE. The Sourcebook also includes an extensive resources section on AI, including reports, articles, and books from around the world.

The Privacy Law Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major U.S. privacy laws. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the modernized Council of Europe Convention on Privacy. The Privacy Law Sourcebook 2020 includes the new California Consumer Privacy Act, the Illinois Biometric Information Privacy Act, the Public Voice Declaration for a Moratorium on Facial Recognition, and updates on GDPR implementation. The Sourcebook also includes an extensive resources section with information on privacy agencies, organizations, and publications.

EPIC v. Department of Justice: The Mueller Report, edited by Marc Rotenberg (EPIC 2019).

EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC's request for the Mueller Report and other records about Russian interference in the 2016 presidential election.