EPIC Alert 28.01

EPIC Alert logo

1. HireVue, Facing FTC Complaint From EPIC, Halts Use of Facial Recognition

HireVue, a major vendor of AI-based hiring tools, announced recently that it will stop relying on "facial analysis" to assess job candidates. The move comes a year after EPIC filed a Federal Trade Commission complaint targeting HireVue's use of opaque algorithms and facial recognition.

In its 2019 complaint, EPIC argued that HireVue's AI tools—which the company claimed could measure the "cognitive ability," "psychological traits," "emotional intelligence," and "social aptitudes" of job candidates—were unproven, invasive, and prone to bias. EPIC also highlighted HireVue's deceptive claim that it did not use facial recognition in its assessments.

In announcing the change, HireVue acknowledged the public outcry over its use of facial analysis and said the technology "wasn't worth the concern." However, HireVue will continue to analyze biometric data from job applicants including speech, intonation, and behavior—all of which present similar privacy and discrimination risks.

EPIC advocates for a moratorium on facial recognition and recently filed a complaint with the D.C. Attorney General explaining how online test proctoring companies use opaque, unreliable AI tools to monitor students.

2. EPIC to Maryland Legislators: Enact Biometric Privacy Law

EPIC Senior Counsel Jeramie Scott testified this week to Senate and House Committees of the Maryland General Assembly in support of legislation protecting biometric information privacy.

The two bills, HB218 and SB16, are modeled after the Illinois Biometric Information Privacy Act (BIPA). Passed in 2008, BIPA has been referred to as one of the most effective and important privacy laws in America.

"Unlike a password or account number, a person's biometrics cannot be changed if they are compromised," EPIC's Scott told Maryland legislators. Scott stressed the importance of strong enforcement measures in privacy laws, particularly a private right of action. EPIC also submitted a recent case study on the Illinois law written by EPIC Advisory Board member Woody Hartzog.

EPIC previously filed an amicus brief in Rosenbach v. Six Flags, a case in which the Illinois Supreme Court unanimously ruled that consumers can sue companies that violate the state's biometric privacy law.

3. EPIC Urges DHS to Suspend New Counterintelligence Records System

EPIC recently submitted comments to the Department of Homeland Security in response to a system of records notice and proposed exemptions from Privacy Act requirements for a new counterintelligence records system.

DHS's proposed records system would permit nearly limitless collection of sensitive personal information and unchecked disclosure of that information to state, local, and international agencies and to private companies. DHS's proposed exemptions would also eliminate all individual rights under the Privacy Act and exempt DHS from basic Privacy Act requirements, including limiting data collection to necessary information.

"Such broad authority flies in the face of the Privacy Act which sought to limit the information federal agencies could collect and provide individuals with meaningful remedies when agencies overstepped and caused harm, EPIC wrote. "It is inconceivable that the drafters of the Privacy Act would have permitted a federal agency to maintain a database on U.S. citizens containing vast reserves of personal information and simultaneously claim broad exemptions from Privacy Act obligations."

EPIC recently called on the DHS to rescind a proposed expansion of the use of biometrics, including facial recognition, across the agency.

4. WhatsApp Policy Change Highlights Privacy Risks EPIC Warned of in Facebook Acquisition

Recently unveiled changes to WhatsApp's terms of service highlight the privacy and legal objections has EPIC long raised to Facebook's 2014 acquisition of the messaging platform.

In early January, WhatsApp introduced a revision to its privacy policy that seemed to require app users to share extensive personal data with Facebook—an apparent violation of the privacy protections that originally fueled WhatsApp's growth. The policy change drove many WhatsApp users to turn to other secure messaging platforms including Signal and Telegram.

WhatsApp later delayed the revision of its terms of service by several months and argued that the change only affected "business communication," but the episode underscores the dangers of a company built on the exploitation of personal data acquiring a company that has made explicit privacy commitments to its users.

In 2014, EPIC and the Center for Digital Democracy warned the FTC that Facebook routinely incorporates user data from companies it acquires and that WhatsApp users objected to the acquisition. The FTC approved the merger but told EPIC and CDD that "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the FTC Act and potentially the FTC's order against Facebook."

5. EPIC Gives International Privacy Award to Justice K.S. Puttaswamy and Senior Advocate Shyam Divan

EPIC presented the 2021 International Privacy Champion Awards this week to Justice K.S. Puttaswamy, retired Justice of the High Court of Karnataka, and Senior Advocate Shyam Divan.

Justice Puttaswamy was the plaintiff in the case that established the constitutional right to privacy in India and challenged the country's mandatory biometric data collection program, Aadhaar. Mr. Divan was the lead attorney on the case.

EPIC Interim Executive Director Alan Butler emphasized the significance of the Puttaswamy case, noting that it "was groundbreaking in ways that will reverberate for decades to come." The decision supports the recognition of privacy as a fundamental human right, and the case forced limits on the collection of biometric data in the world's second largest country.

The awards ceremony took place online at the annual conference on Computers, Privacy, and Data Protection (CPDP). EPIC staff also moderated a CPDP panel this week on automated test proctoring, participated in panels on the Schrems II decision and algorithmic criminal justice, and hosted a panel on Algorithmic Impact Assessments the day before the conference as part of Privacy Camp.

News in Brief

EPIC Urges NIST to Adopt Privacy-Protective Standards for Federal ID Cards

In comments responding to the National Institute of Standards and Technology's draft Federal Information Processing Standards for personal identity verification (ID cards and digital identity verification), EPIC urged the agency to adopt more privacy protective technology for federal employees and contractors. EPIC drew upon expertise from the Advisory Board for these comments. EPIC recently urged the Department of Homeland Security to suspend a new counterintelligence system of records which will collect biometric information. EPIC previously urged the Department of Transportation to provide more privacy protections for federal employees in the Insider Threat database.

EPIC to Washington Legislature: Pass Commonsense AI Regulation

EPIC Equal Justice Works Fellow Ben Winters testified recently before the Washington Legislature in support of a bill to establish transparency and accountability around state automated decision-making and to ban certain dangerous applications of AI. Under SB5116, public and regularly updated algorithmic accountability reports of state uses of automated decision-making systems will be completed, AI-enabled profiling that produces significant legal effects will be prohibited, and other baseline protections will be enacted. EPIC has long advocated for algorithmic transparency, has issued calls to ban face surveillance, and tracks use of AI in the Criminal Justice System.

EPIC Obtains Internal AI Commission Emails From Schmidt, Others

EPIC, as part of the open government case EPIC v. AI Commission, has obtained additional records from the National Security Commission on Artificial Intelligence. The documents include emails from Commission chair and former Google CEO Eric Schmidt illustrating Schmidt's close relationship with members of Congress. The records also reveal that the ethics disclosure form Schmidt filed with the Commission—a document that usually tops out at a dozen pages—was 38 pages long. EPIC's FOIA request was recently highlighted in an American Prospect article on Schmidt's role in Rebellion Defense, "a shadowy defense startup" that markets AI systems to the Defense Department. EPIC has twice prevailed in its open government case against the AI Commission, forcing the Commission to hold public meetings and disclose thousands of pages of records. In recent comments, EPIC called on the AI Commission to "advise Congress, as the nation's highest policymaking authority, to establish government-wide principles and safeguards for the use and development of AI." The case is EPIC v. AI Commission, No. 19-2906 (D.D.C.).

Civil Society Groups Urge EU to Prohibit Certain Red-Line Uses of AI

European Digital Rights (EDRi), along with 61 civil society groups including EPIC, recently sent a letter calling for the EU to introduce certain red lines in their upcoming European Commission proposal on Artificial Intelligence. The letter calls on the EU to prohibit the use of biometric mass surveillance, AI at the border, AI with social scoring, and predictive policing and other AI criminal risk assessment tools. "Without regulatory limits on the use of AI-based technologies," the letter reads, "we face the risk of violations of our rights and freedoms by government and companies alike." EPIC has called for a moratorium on the use of face surveillance, and maintains resources on AI in the criminal justice system.

European Parliament Guidelines Call for Moratorium on Facial Recognition

In a report released recently, the European Parliament outlines the need for new legal frameworks for artificial intelligence and biometric surveillance. The report raises objections to both civilian and military uses of artificial intelligence, mass surveillance, and deepfakes. The European Parliament was particularly concerned with facial recognition technology, proposing a moratorium on its use in public and semi-public spaces. EPIC leads a campaign to Ban Face Surveillance through the Public Voice coalition.

Hamburg DPA Deems Clearview AI's Biometric Photo Database Illegal, Orders Partial Deletion of Profile

The Hamburg Data Protection Authority has ruled that Clearview AI's searchable database of biometric profiles is illegal under the EU's GDPR and ordered the U.S. company to delete the claimant's biometric profile. Clearview AI scrapes photos from websites to create a searchable database of biometric profiles. The database, which is marketed to private companies and U.S. law enforcement, contains over 3 billion images gathered from websites and social media. The claimant submitted a complaint to the Hamburg DPA after discovering that Clearview AI had added his biometric profile to the searchable database without his knowledge or consent. The DPA ordered Clearview to delete the mathematical hash values representing his profile but did not order Clearview to delete his captured photos. The DPA's narrow order protects only the individual complainant because it is not a pan-European order banning the collection of any EU resident's photos. The DPA decided that Clearview AI must comply with the GDPR, yet this narrow order places a burden on Europeans to have their profiles removed from the database. EPIC has long opposed systems like Clearview AI, filing an amicus brief before the 9th Circuit defending an individual's right to sue companies who violate BIPA and other privacy laws, submitting FOIA requests with several government agencies that use Clearview AI technology, and urgingthe Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government.

FAA Publishes Final Rule for Operating Drones Over People

The Federal Aviation Administration published the final rule for the operation of drones over people. The rule allows drones to operate over people without first obtaining a waiver to do so. The drone must meet certain requirements (e.g. the drone can't have exposed rotating blades), and the rule doesn't generally allow sustained flight over large gatherings of people outside. EPIC, in comments to the agency, argued that all drones operating over people should broadcast identifying information. In response to comments by EPIC and others, the FAA's final rule prohibits the operation of drones over "open-air assemblies" unless the drone meets the broadcast ID requirement that takes effect in September 2023. Through lawsuits and previous comments to the FAA, EPIC has repeatedly argued the FAA has an obligation to implement privacy safeguards for drones before they operate regularly over people.

New Massachusetts Law Protects Personal Transit Data From Warrantless Searches

The Massachusetts Legislature has enacted a new law that prevents Massachusetts transit authorities from disclosing personal information related to individuals' transit system use for non-transit purposes and requires police obtain a search warrant before accessing personal data collected by the authorities. The law resolves many of the issues raised in Commonwealth v. Zachery, a case pending before the Massachusetts Supreme Judicial Court in which the government obtained, without a warrant, location data generated by the defendant's use of a Massachusetts Bay Transit Authority transit card. EPIC filed an amicus brief in the case. EPIC argued that disclosure of data collected by the transit authority should be limited to the purposes for which it was collected. EPIC further stated that "if the government seeks to access Charlie Card data for investigative purposes, it must do so with a warrant." The new law adopts both the disclosure limitation and warrant requirement that EPIC advocated for in its amicus brief to the Court.

Google Closes Fitbit Acquisition While DOJ's Review of Merger Continues

Google recently announced that it "completed its acquisition of Fitbit" in a $2.1 billion deal, even though the Department of Justice has not yet approved the merger. DOJ said that its investigation into the deal remains ongoing, and "[a]lthough the division has not reached a final decision about whether to pursue an enforcement action, the division continues to investigate whether Google's acquisition of Fitbit may harm competition and consumers in the United States." The announcement comes after Google gained EU antitrust approval for its Fitbit bid late last year subject to limits on how it will use consumers' data, including pledging to not use Fitbit data for advertising purposes in Europe. EPIC has long opposed Google's acquisition of Fitbit, citing concerns about Google's history of data protection and privacy violations. In November 2019, EPIC told the House Judiciary Committee that the FTC should block the acquisition. EPIC brought the 2012 case against the FTC for the agency's failure to enforce the 2011 consent order against Google after the company consolidated user data across multiple services.

FTC Orders Photo App to Delete Algorithms Built on Personal Data

The Federal Trade Commission has reached a settlement with Everalbum, Inc., a California-based developer of a photo storage app, over allegations that it deceived consumers about its use of facial recognition technology and its retention of the photos and videos of users who deactivated their accounts. The proposed order requires the company to delete the facial recognition technologies it illegally developed using user photos and videos. According to the FTC complaint, Everalbum represented that it would not apply facial recognition technology to users' content unless users affirmatively chose to activate the feature. But the company allowed some Ever app users—those located in Illinois, Texas, and Washington state —to choose whether to turn on the face recognition feature, even though it was automatically active for all other users and could not be turned off. Commissioner Rohit Chopra noted in an accompanying statement that residents of those states were afforded stronger protections because their legislatures had passed laws regulating facial recognition and biometric identifiers. Everalbum's differential treatment of users illustrates why Congress must ensure that any proposed federal privacy law sets a baseline for the country while protecting the ability of states to enact stronger privacy laws.

New Petition Urges Supreme Court to Ensure Fifth Amendment Protections for Cell Phone Passcodes

The American Civil Liberties Union and the Electronic Frontier Foundation have asked the U.S. Supreme Court to reverse the New Jersey Supreme Court's decision in State v. Andrews, which allows the government to compel an individual to disclose their cell phone passcode. EPIC filed an amicus brief in Andrews and presented oral argument to the New Jersey Supreme Court arguing that the vast troves of data stored in a cell phone require strong constitutional protections. State supreme courts have disagreed about the extent to which individuals are protected from compelled disclosure of their cell phone passcode. Some courts, like New Jersey and Massachusetts, have applied the "foregone conclusion" exception to require individuals to divulge their passcodes. Others, like Pennsylvania and Indiana, have refused to apply that exception and found that the Constitution protects against compelled disclosure of cell phone passcodes.

Supreme Court to Decide Whether the First Amendment Protects Donor Privacy

The Supreme Court has granted review in Americans for Prosperity v. Becerra to decide whether the First Amendment protects donors to charities from compulsory disclosure of their identifying information. A California law requires charitable organizations to identify donors who contribute above a certain amount annually in a form filed with the state. Americans for Prosperity and other charitable organizations challenged the law, arguing that the reporting requirement violates First Amendment rights to speech and association. The Ninth Circuit ruled that the law did not violate the First Amendment. EPIC filed an amicus brief in the Ninth Circuit, arguing that donor privacy is an important tradition and that, contrary to California's assurances, the data was at risk of public disclosure. EPIC frequently files briefs in First Amendment cases, including several before the Supreme Court.

FAA Announces Final Rule for Remote Drone ID

The Federal Aviation Administration posted the agency's final rule for remote drone identification. The final rule will require all drones to broadcast drone ID information in real-time, eliminating the option in the proposed rule to forgo real-time broadcast and only submit drone ID information for retention by a third party. EPIC previously commented on the FAA's proposed rule, urging the FAA to require all drones to provide real-time public access to drone ID information. In 2015, EPIC argued that drones should be required to broadcast relevant information to the public while in operation.

EPIC in the News

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

Communications Law and Policy: Cases and Materials, 7th Edition, by Jerry Kang and Alan Butler (Direct Injection Press 2020)

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, (indecent) content, privacy, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field. This book includes concise technological and legal summaries and carefully edited opinions and FCC reports. It also includes "just-in-time" delivery of the text of statutes and regulations so that students get accustomed to parsing statutory material as they analyze legal questions.

The AI Policy Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The AI Policy Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI. The Sourcebook also includes AI materials from the European Union and the Council of Europe, national AI initiatives, as well as recommendations from professional societies, including the ACM and the IEEE. The Sourcebook also includes an extensive resources section on AI, including reports, articles, and books from around the world.

The Privacy Law Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major U.S. privacy laws. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the modernized Council of Europe Convention on Privacy. The Privacy Law Sourcebook 2020 includes the new California Consumer Privacy Act, the Illinois Biometric Information Privacy Act, the Public Voice Declaration for a Moratorium on Facial Recognition, and updates on GDPR implementation. The Sourcebook also includes an extensive resources section with information on privacy agencies, organizations, and publications.

EPIC v. Department of Justice: The Mueller Report, edited by Marc Rotenberg (EPIC 2019).

EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC's request for the Mueller Report and other records about Russian interference in the 2016 presidential election.

Upcoming Conferences and Events

American University Law Review's Annual Symposium: "Privacy in the Age of Emergency." Feb. 4, 2021. Alan Butler, EPIC Interim Executive Director.

Webinar: "Does the EU need to urgently adopt the Interim Regulation on the processing of personal and other data for the purpose of combatting child sexual abuse online?" Feb. 8, 2021. Brussels Privacy Hub. Alan Butler, EPIC Interim Executive Director.

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security