Commercial Drones and Privacy

In 2012 Congress passed the FAA Modernization and Reform Act, which requires the FAA to integrate drones into the national airspace. Soon after this Act was passed, EPIC led a coalition of over 100 experts and organizations in petitioning...


How Would You Know if the Feds Searched Your E-mail? -- ECPA's Missing Notice Requirement

Alan Butler imageEPIC recently filed comments on proposed amendments to Rule 41 of the Federal Rules of Criminal Procedure, which would authorize judges to issue "remote access" search warrants in certain cases. As EPIC outlined, the surreptitious computer searches conducted under these remote access warrants would run afoul of an important Fourth Amendment protection -- the requirement of prior notice. But the issue of delayed or non-existent notice is not only present with remote access searches; it is an issue with all electronic search authorities and especially with searches conducted under the Stored Communications Act, 18 U.S.C. § 2703.

The U.S. Government issues tens of thousands of e-mail search warrants each year, and yet users are rarely given notice when their accounts have been searched. Some providers have been ordered not to notify their subscribers, but the Electronic Communications Privacy Act gag order provisions are quite narrow. The recent release of warrants issued to Google for e-mails of Wikileaks staff members and the battle over the Lavabit warrant raise significant questions about the legality of the Government's gag order process. Under ECPA, users should be notified when a search warrant is issued to obtain the contents of their e-mail accounts and in many cases the government should not be able to prohibit a service provider from notifying their customers.


DoD Claim that NSA in Compliance with Privacy Act Ring Hollow

Jeramie Scott image In August of 2013, the Department of Defense ("DoD") released a notice of proposed rulemaking ("NPRM"). The proposed rule "update[d] the established policies, guidance, and assigned responsibilities of the DoD Privacy Program pursuant to The Privacy Act . . . ." When an agency publishes a proposed rule, it has to take public comments on the rule and then consider those comments prior to releasing the final rule. EPIC, joined by a coalition of public interest organizations, filed comments for DoD's consideration.

At the time that the DoD's proposed rule was released, the Snowden revelations were just a few months old. Those revelations provided unparalleled insight into NSA's mass surveillance activity. The NSA is a DoD component subject to the proposed rule and, of course, to the Privacy Act of 1974. Through the review of the documents and news stories associated with the revelations, EPIC's coalition comments identified three NSA databases subject to the Privacy Act. And per the Privacy Act, these databases (known as "systems of records" in the Privacy Act) require a Systems of Record Notice (SORN) to the public. EPIC's coalition comments argued that there was no SORN for, at minimal, the following three databases:


Police Body Cameras: Accountability or Public Surveillance?

Jeramie Scott image After the public protests following the decision in Ferguson not to indict Darren Wilson, President Obama announced a plan to spend $75 million dollars on police body cameras. If approved by Congress, the federal government will match state and local funding in an effort to add 50,000 cameras over the next three years. Many believe that the cameras will improve police accountability, but there are other issues to consider.

According to a Justice Department report, body cameras could improve officer professionalism, identify officers that abuse their authority, and help correct questionable police behavior. Recent studies of several police departments, including the Phoenix Police Department, suggest body cameras reduce complaints against the police and significantly lessen the use of force by officers. Body cameras can also help train and evaluate officer performance as well as ensure accurate evidence collection.


FBI Oversight Hearing - Will we get some answers?

Jeramie Scott image The Senate Judiciary Committee is holding an oversight hearing of the FBI on Wednesday, May 21. There are plenty of things to oversee with respect to FBI's programs, but here are a couple questions that interest me.

What's the status of the various privacy assessments the FBI has committed to performing?

In a previous post, I detailed how documents obtained by EPIC through a Freedom of Information Act ("FOIA") request showed how the FBI was told in early 2012 that the agency needed to do a privacy assessment of its use of License Plate Readers ("LPRs"). The FOIA documents even showed that a rough draft of a privacy assessment had been created. There is no indication that the FBI ever finished its assessment of LPRs.


NSA Reforms Move Forward in Congress - With a Clear Prohibition on Bulk Collection But Still Missing Important Transparency and Oversight Provisions

Alan Butler imageWe have focused a lot on NSA reform since the disclosure of sweeping surveillance last summer, and now Congress is finally taking steps to move the reform process forward. The House Judiciary Committee voted unanimously to pass the USA Freedom Act last week and the House Intelligence Committee followed suit shortly after, paving the way for the bill's consideration by all members of the House with strong bipartisan support. The surveillance reform bill was first introduced back in October following the disclosures of bulk surveillance on Americans.

So far civil liberties advocates have provided mixed reviews of the bill (see examples here, here, here, here, here, and here). Any progress is good, but the newly amended version of the Freedom Act is weaker in terms of its reform of National Security Letter authorities, its protection against back-door searches of Americans' communications collected under Section 702, its creation of a public interest advocate at the FISA Court, and its mandate of greater transparency. Still I think that the amended bill would provide significant protections that do not currently exist in FISA, and would be a step forward for privacy and transparency.

What follows is an in-depth analysis of the major differences between the original USA FREEDOM Act and the current amended bill that will be considered by the U.S. House of Representatives.


Argument Recap: Justices Look to Limit Warrantless Cell Phone Searches

Alan Butler imageToday the U.S. Supreme Court heard oral argument in Riley v. California and United States v. Wurie, two cases involving the warrantless search of an individual's cell phone incident to arrest. These cases present an important and fundamental Fourth Amendment question, namely, whether the police can search the entire contents of an individual's cell phone incident to any lawful arrest. As others have noted today, the Justices seemed to recognize that cell phones and other digital devices create a "new world" that justifies a modified search incident to arrest rule. But the Justices struggled throughout the arguments in both cases to identify a workable rule.

One important practical insight from Orin Kerr is that, given the short time frame for a decision (the case will be decided by mid-June), it is possible that the Justices will seek a unified majority view / author for both the Riley and Wurie opinions. Given that consideration, and the facts and arguments in Wurie, it is possible that an unexpected "middle ground" compromise will emerge focused on the plain view doctrine. But regardless of the particular rule, it seems very unlikely that the Justices will endorse the broad categorical rule that all individuals cell phones are subject to limitless search incident to arrest. And if the Court can't agree on a compromise solution, Justice Kagan might have enough votes for a categorical ban on warrantless cell phone searches.


White Hat, Black Hat, Bleeding Heart

Julia Horwitz imageLet's start with the Heartbleed bug.

Since the announcement of Heartbleed last week, everyone has been paying attention to security vulnerabilities - a typically niche technical subject. Most internet users are, rightfully, concerned. What can they can do to protect themselves in the short term? What can Internet providers and government agencies do to help protect them in the long run? In a series of posts, I will identify and discuss the technology and policy issues involved in this important question: how can we keep the Internet secure and protect user privacy?


There Are No OLC Opinions About PRISM or 215, So Who Decided It Was Legal?

Alan Butler imageIn light of the President's recent announcement that the NSA's bulk collection of telephone metadata will end, there is a renewed interest in Congress to revise U.S. surveillance laws. At the same time, the Privacy and Civil Liberties Oversight board is conducting its review of the bulk collection of international communications under the Section 702 / PRISM program. While these oversight and reform efforts are underway, it is important to consider the policy-making process that authorized these programs in the first place.

Two Freedom of Information Act cases, one brought by EPIC following the disclosures last summer and another brought by the ACLU several years before, attempt to get to the heart of this question. Both cases lead to the same shocking conclusion - that the Department of Justice Office of Legal Counsel, which played a central role in the initial decision to implement the warrantless wiretapping program, was not involved in the decision to transition those surveillance programs to new FISA authorities.


The FBI is "Working" on an Updated Privacy Statement for Facial Recognition

Jeramie Scott imageFacial recognition technology presents a serious risk to privacy and civil liberties because it can so easily be deployed covertly, from a distance, and on a mass scale. There is little to no precautions that can be taken to prevent collection of one's image. Participation in society inevitably involves exposing one's face, whether it's on the public streets or through social media. Ubiquitous and near-effortless identification eliminates an individual's ability to control their identity and poses special risk to the First Amendment rights of free association and free expression, particularly for those who engage in lawful protests. The FBI's ever expanding use of facial recognition technology could render anonymous free speech virtually impossible.

For at least 10 years, the FBI has been testing and using facial recognition. This is evidenced by a February 19, 2004 Privacy Impact Assessment ("PIA") conducted by the FBI for the "Computer Aided Facial Recognition Project." The project sought to assist the University of Sheffield in its testing of a particular method of facial recognition. The PIA makes clear that the FBI wanted "to develop a semi-automated tool enabling FBI examiners to extract facial landmark measurements from question images (such as, bank Surveillance photos) and conduct one-on-one comparisons with known images of a suspect in custody."

More recently, the FBI has been working on incorporating facial recognition technology into its Next Generation Identification ("NGI") program.