EPIC v. FBI (Russian Hacking)
- EPIC Urges House Committee to Protect Consumers, Democratic Institutions with Strong Cyber Security Measures: In advance of a hearing on "Cyber Warfare in the 21st Century: Threats, Challenges, and Opportunities," EPIC has sent a letter to the House Armed Services Committee urging Congress to protect democratic institutions, following the Russian interference with the 2016 presidential election. EPIC explained that "data protection and privacy should remain a central focus" of cyber security policy. EPIC also recommended that Congress strengthen the federal Privacy Act and establish a U.S. data protection agency. EPIC recently launched the EPIC Cybersecurity and Democracy Project, which will focus on US cyber policies, threats to election systems and foreign attempts to influence American policymaking. (Feb. 28, 2017)
- FBI Responds to EPIC FOIA Suit for Details of Russian Interference with 2016 Election: The FBI has filed an answer to EPIC's Freedom of Information Act lawsuit for records pertaining to the Russian interference with the 2016 Presidential election. In the answer, the FBI acknowledged receipt of EPIC's FOIA request. EPIC filed suit against the FBI in federal district court after the agency failed to make a timely decision concerning EPIC's request for expedited processing of the FOIA request. The parties will next confer to set a schedule for production of documents and briefing, if necessary. EPIC has also filed suit against the ODNI for public release of the Complete ODNI Assessment of the Russian interference in the 2016 election. EPIC recently launched the EPIC Cybersecurity and Democracy Project, which will focus on US cyber policies, threats to election systems and foreign attempts to influence American policymaking. (Feb. 23, 2017)
- EPIC Seeks Public Release of Secret Directive on Cybersecurity » (Jan. 28, 2017) EPIC has filed an urgent FOIA request with the DHS, the Department of Justice, and the NSA, seeking the expedited release of NSPD-1. The National Security Presidential Directive sets out procedures for cybersecurity "policy coordination, guidance, dispute resolution, and periodic in-progress review." EPIC has previously litigated, and successfully obtained, NSPD-54, a Presidential Directive concerning the NSA's authority to conduct surveillance within the United States.
- EPIC Sues for Release of Complete Report on Russian Interference with 2016 Election » (Jan. 26, 2017) EPIC has filed a Freedom of Information Act lawsuit against the Office of the Director of National Intelligence in federal district court in Washington, DC. The case is designated EPIC v. ODNI, No. 17-163 (D.D.C. filed Jan. 25, 2017). As EPIC makes clear in the complaint, "there is an urgent need to make available to the public the Complete ODNI Assessment to fully assess the Russian interference with the 2016 Presidential election and to prevent future attacks in democratic institutions." More details in the press release. Last week EPIC sued the FBI to uncover details of the Bureau's response to Russian interference.
- NEWS UPDATE - EPIC Sues FBI for Details of Russian Interference with 2016 Election » (Jan. 18, 2017) EPIC today filed a Freedom of Information Act lawsuit against the Federal Bureau of Investigation in federal district court in Washington, DC. The case is designated EPIC v. FBI, No. 17-127 (D.D.C. filed Jan. 18, 2017). The complaint states “EPIC challenges the FBI’s failure to make a timely decision concerning EPIC’s request for expedited processing of the FOIA request for records about the Russian interference with the 2016 Presidential Election.” A press conference will be held at the Fund for Constitutional Government on Capitol Hill on Thursday, January 19, 2017 at 1 pm.
- Senate Intelligence Committee Presses FBI to Reveal Russia Investigation » (Jan. 16, 2017) Senator Richard Burr (R-NC) and Senator Mark Warner (D-VA), the Chairman and Ranking Member of the Senate Intelligence Committee, have announced a bipartisan inquiry into the Russian interference with the 2016 Presidential Election. Democratic members of the House Judiciary Committee have also pressed the FBI to confirm its investigation of President-elect Trump's ties to Russia. In a letter to FBI Director James Comey, Committee Members requested "all documentation relevant to this investigation" be provided to the Committee "as soon as possible." EPIC has filed two urgent Freedom of Information Act requests concerning Russian interference: one for records about the FBI's lax response to the foreign cyber threat, the other for the report "Russian Activities and Intentions in Recent US Elections". This week EPIC also urged the Senate Armed Services Committee to pursue an investigation.
- EPIC, Technology Experts Urge Senate Committee to Monitor President’s Homeland Security Advisor » (Jan. 10, 2017) In a letter to the Senate Committee on Homeland Security, EPIC and leading experts urged Congress to keep a close eye on the White House Homeland Security Advisor. EPIC explained that the position, equal in power to the National Security Advisor, carries "significant implications for the safety and security of the American people." EPIC said that the Homeland Security Advisor should ensure "the Russian government poses no further threats to the United States electoral system or to other democratic governments." EPIC also said that "data protection and privacy should remain a central focus" of U.S. cyber security policy. The EPIC letter was signed by distinguished experts in cyber security, information technology, encryption, and human rights law.
- EPIC Seeks Expedited Release of Report on Russian Interference in 2016 Election » (Jan. 10, 2017) EPIC has submitted an urgent Freedom of Information Act request to the Office of the Director of National Intelligence (ODNI) seeking the complete report on the Russian interference in the 2016 Presidential Election. On January 6, the ODNI released a public summary on the Russian interference, but withheld important information. EPIC is seeking expedited release of the complete, unredacted report. EPIC is also seeking records from the FBI about the agency's lax response to the foreign cyber threat. EPIC submitted a statement to the Senate Armed Services Committee hearing on Russian interference. Congress will hold a second hearing today, and a bill initiating new sanctions against Russia is expected this week. EPIC will continue to press the ODNI for prompt release of the report.
- Senate Armed Services Committee to Examine Foreign Cyber Threats » (Jan. 4, 2017) The Senate Armed Services Committee will hold a hearing on "Foreign Cyber Threats to the United States" on January 5, 2016. EPIC submitted a statement to the Committee to alert Senators about a pending Freedom of Information Act request. The EPIC FOIA request concerns the lax response of the FBI to the Russian interference with the 2016 Presidential election. EPIC wrote “we believe that the information that we are seeking from the FBI will also be helpful to the Senate Armed Services Committee as you investigate foreign cyber threats to the United States.” Director of National Intelligence James Clapper, National Security Agency and Cyber Command Chief Adm. Mike Rogers and Undersecretary of Defense for Intelligence Marcel Lettre are scheduled to testify.
- Obama Orders Review of Hacking During 2016 Election » (Dec. 9, 2016) President Obama's top homeland security advisor Lisa Monaco announced today that the Administration has asked the intelligence community to conduct a "full review" of cyber activity during the 2016 election. In 2016, EPIC urged candidates for office to focus on data protection, calling it "the most important, least well understood issue" of the 2016 election. EPIC also published a report on the importance of the secret ballot for democratic decision making. EPIC's Freedom of Information Act litigation uncovered flaws in online voting reported by the Department of Defense just prior to the 2012 election.
- EPIC Prevails in Internet Surveillance Case » (Nov. 21, 2016) A federal judge in Washington, DC has granted EPIC attorney's fees in a long-running case against the Department of Homeland Security. In 2012 EPIC sued the DHS for information about a secret program to monitor Internet traffic. The "Cyber Pilot" program applied originally to defense contractors, but a 2012 Executive Order dramatically expanded the program, raising concerns about violations of federal wiretap law. EPIC's lawsuit produced the release of several thousand pages on the program. In today's extensive opinion, Judge Gladys Kessler concluded that EPIC "substantially prevailed in this litigation" and that EPIC had added "to the fund of information that citizens may use in making vital political choices." The Court awarded EPIC substantial attorneys fees for its work in the case.
- EPIC Defends Drivers’ Right to Sue for Safety, Privacy Risks As Congress Warns of Risks to Public » (Aug. 5, 2016) EPIC has filed an amicus brief in a case concerning the privacy and public safety risks of “connected” cars. EPIC warned that connected cars "expose American drivers to the risks of data breach, auto theft, and physical injury.” EPIC said a lower court was wrong to dismiss the case. EPIC urged a federal appeals court to allow consumers "the opportunity to present legal claims stemming from the defendants’ sale of vehicles that place them at risk." This week researchers at Black Hat revealed new vulnerabilities in networked vehicles as Senators Blumenthal and Markey urged the FCC to establish “robust safety, cybersecurity, and privacy protections before automakers deploy vehicle-2-vehicle . . . communication technologies.” EPIC has filed several amicus briefs defending consumers' rights to enforce their privacy rights.
- EPIC Presses House Leaders on "Data Protection" » (Jun. 10, 2016) At a symposium organized by the Council on Foreign Relations, EPIC President Marc Rotenberg asked Republican leaders in the U.S. Congress whether "data protection" should be a campaign issue in 2016. Rep. Goodlatte, who chairs the House Judiciary Committee, responded "I very much believe it should be and is an issue in this election." He pointed to his own work to update the Electronic Communication Privacy Act (ECPA), "because that is an enhancement of the protection of people's privacy that I think they want and expect." Rep. McCaul, who chairs the House Homeland Security Committee, noted "in the cybersecurity bill we passed we met very closely with the privacy advocates. That was very important to me that we protect personally identifying information as we try to share these malicious codes." EPIC has launched a non-partisan campaign to make Data Protection a campaign issue in 2016.
- New Congressional Report Explores Legal Issues Regarding Compelled Decryption » (Mar. 8, 2016) "Encryption: Selected Legal Issues," a new report from the Congressional Research Service, explores two important legal questions that arise from government requests for compelled decryption: the Fifth Amendment right against self-incrimination and the scope of the All Writs Act, the federal statute at issue in Apple v. FBI. EPIC filed a "friend of the court" brief, joined by eight other consumer privacy organizations, in support of Apple's challenge in the FBI iPhone case, pointing to the increased risk of cell phone theft and financial fraud that would result from compelled encryption.
- EPIC Files Brief in Support of Apple and Consumers in FBI iPhone Case » (Mar. 3, 2016) Today EPIC filed a "friend of the court" brief, joined by eight other consumer privacy organizations, in support of Apple's challenge in the FBI iPhone case. In Apple v. FBI, EPIC argued that the "security features in dispute in this case were adopted to protect consumers from crime." EPIC explained that an order to compel Apple to take extraordinary measures to undo these features places at risk millions of cell phone users across the United States. EPIC routinely files amicus briefs in cases that raise novel privacy and civil liberties issues. EPIC has filed two briefs in the United States Supreme Court in the past year in cases concerning consumer privacy and also the Fourth Amendment.
- Bill to Establish Digital Security Commission Introduced in House » (Mar. 2, 2016) Rep. Lieu (D-CA) has cosponsored bipartisan legislation to create a Digital Security Commission that will explore how law enforcement should pursue investigations without undermining constitutional privacy protections or American competitiveness. Rep. Lieu emphasized, "strong national security and a strong economy requires strong encryption." The legislation comes as Apple opposes a court order to compromise iPhone security to allow government access. Congressman Lieu called upon "the FBI and DOJ to withdraw their coercive demands of Apple and allow the democratic process to work." In 2015, EPIC gave the Champion of Freedom Award to Apple CEO, Tim Cook, for his work protecting privacy and promoting encryption.
- Apple Opposes FBI Decryption Order » (Feb. 25, 2016) Today Apple filed a "motion to vacate" a court order that would require the company to make changes to the iPhone to enable law enforcement access to personal information. In its brief, Apple asserts that this case is about "the ability to force companies like Apple to undermine the basic security and privacy interests of hundreds of millions of individuals around the globe." Apple argued that the FBI's requested court order violates the First and Fifth Amendments. Consumer Reports found that more than 3.1 million cellphones were stolen in 2013, and noted that "efforts by the telecom industry to reduce thefts don't seem to be helping matters." In 2015, EPIC gave the Champion of Freedom Award to Apple CEO, Tim Cook, for his work protecting privacy and promoting encryption.
- Writers Side with Apple in Encryption Fight with FBI » (Feb. 24, 2016) In a letter to the Attorney General, leading writers and artists protested the FBI's "efforts to force Apple to create software that could effectively enable the U.S. government to unlock any iPhone." The letter from the PEN America Center highlights how "intrusions on privacy damage creative expression and free speech." EPIC has long supported strong encryption as key to the future of privacy and security. EPIC recently gave the 2015 Champion of Freedom Award to Apple CEO Tim Cook for his work in promoting encryption and protecting privacy and security. The 2016 EPIC Awards dinner will be held on June 6th in Washington, DC.
- President Announces $19 billion Cybersecurity Plan » (Feb. 23, 2016) President Obama has proposed a $19 billion Cybersecurity National Action Plan that aims to modernize government IT and improve Americans' cybersecurity. The government will reduce reliance on social security numbers and promote increased use of multi-factor authentication. The plan will also establish a Commission on Enhancing National Cybersecurity. A Federal Privacy Council will coordinate federal privacy guidelines but lacks authority to enforce Privacy Act obligations. EPIC has repeatedly urged federal agencies to uphold Privacy Act protections.
- Apple Opposes FBI Decryption Order » (Feb. 17, 2016) Apple has opposed a court order that would require the company to make changes to the iPhone to enable law enforcement access to personal information. The order followed an FBI application under the All Writs Act, a law from 1789. Apple CEO Tim Cook wrote in response that the government's action "would undermine the very freedoms and liberty our government is meant to protect." In 2015, EPIC gave the Champion of Freedom Award to Mr. Cook for his work protecting privacy and promoting encryption. The EPIC 2016 Awards dinner will be held June 6 in Washington, DC.
- House Adds Cyber Surveillance to Budget Bill » (Dec. 16, 2015) Today, the House added the Cybersecurity Act of 2015 to an expansive appropriations bill. The Cybersecurity Act was negotiated behind closed doors and represents a new version of the Cybersecurity Information Sharing Act (CISA). Previous versions of CISA have been opposed by a broad coalition of organizations. The current bill, like previous ones, would allow the government to obtain personal information from private companies without judicial oversight. The Act would also expand government secrecy. EPIC previously won a five-year court battle to obtain NSPD 54, a foundational legal document for U.S. cybersecurity policies that revealed the government's interest in enlisting the private sector to monitor user activity.
- Senator Leahy Opposes FOIA Exemptions in Cyber Security Bill » (Oct. 27, 2015) Senator Patrick Leahy (D-VT) urged fellow Senators to remove a proposed open government exemption in a pending cybersecurity bill. The Cybersecurity Information Sharing Act (CISA), said Sen. Leahy, "contains an overly broad new FOIA exemption that is both unnecessary and harmful." Sen. Leahy called the FOIA "our nation's premier transparency law," and said that any modifications must go through the Senate Judiciary Committee. "The Senate must have an open and honest debate about the Senate Intelligence Committee's bill and its implications for Americans' privacy and government transparency," remarked the Senator. Last year, EPIC won a five-year court battle against the NSA for NSPD 54, the foundational legal document for U.S. cybersecurity policies. EPIC has also set out recommendations for FOIA reform.
- Obama Drops Plan to Regulate Crypto » (Oct. 11, 2015) According to the New York Times, President Obama has concluded that "it is not possible to give American law enforcement and intelligence agencies access to that information without also creating an opening that China, Russia, cybercriminals and terrorists could exploit." Earlier this year Apple CEO Tim Cook said at the EPIC Champions of Freedom dinner, "Criminals are using every technology tool at their disposal to hack into people's accounts. If they know there's a key hidden somewhere, they won't stop until they find it." EPIC launched the public campaign for the freedom to use encryption in 1994 and several of the world's leading cryptographers are members of the EPIC Advisory Board. Tim Cook received the 2015 EPIC Champion of Freedom Award. Past recipients include Max Schrems and Edward Snowden.
- California Rejects Warrantless Surveillance, Enacts "CalECPA" » (Oct. 9, 2015) California Governor Jerry Brown has signed the California Electronic Communications Privacy Act (CalECPA). CalECPA requires law enforcement to obtain a warrant before accessing digital data including metadata, location data, emails, and text messages. The warrant requirement applies to searches of electronic devices themselves and to content stored by an online service provider. In response to requests from the US Congress, EPIC has made several recommendations regarding updates to the federal ECPA. EPIC has also obtained documents from the FBI concerning Stingray surveillance technology, which is now prohibited under the California bill.
- OECD Finalizes Risk Management Guidelines » (Oct. 9, 2015) The OECD has published the new Recommendation on Digital Security Risk Management, a revision of the 2002 OECD Security Guidelines. Science, Technology and Innovation Director Andrew Wyckoff said that "a totally secure digital environment is impossible". EPIC supports the Recommendations which emphasize digital security risk management "in a transparent manner and consistently with human rights and fundamental values." EPIC has long been engaged with the work of OECD and supports civil society participation at the 2016 OECD Ministerial Meeting on the Digital Economy.
- Federal Appeals Court Recognizes "Substantial Risk of Future Harm" » (Jul. 29, 2015) In a landmark opinion, the Seventh Circuit Court of Appeals has ruled that a class action lawsuit against Neiman Marcus may continue because of the ongoing risk to customers whose personal information was compromised in a data breach. The case stems from a breach of the Neiman Marcus customer database that led to the release of 350,000 credit cards and exposed more than 9,200 customers to fraud. A lower court ruled that since the identified fraud victims had been reimbursed, Neiman Marcus was off the hook for future claims. However, the Seventh Circuit ruled that the plaintiffs, customers who were not yet aware of fraud, faced a "substantial risk of future harm," and that risk was enough to allow the class action to continue. According to the Federal Trade Commission, identity theft remains the top concern of American consumers.
- Congress to Hold Hearing on Encryption and Privacy » (Jul. 8, 2015) Today the Senate is holding a hearing on "Going Dark: Encryption, Technology, and the Balance Between Public Safety and Privacy." FBI Director Comey, testifying today, has advocated for broken encryption to enable law enforcement access to private communications. Despite claims of "going dark" because of new encryption technologies, law enforcement encountered encryption in only 25 wiretap cases in 2014. Of those cases, non-encrypted text was obtained in all but four cases. EPIC has advocated for strong encryption and urged President Obama to reject proposals to weaken encryption. EPIC published the first comprehensive survey of encryption use around the world. And earlier this year, EPIC gave a Champion of Freedom Award to Apple CEO Tim Cook, who warned that "Criminals are using every technology tool at their disposal to hack into people's accounts. If they know there's a key hidden somewhere, they won't stop until they find it."
- Leading Security Experts Oppose Government Encryption Plan » (Jul. 7, 2015) Several members of the EPIC Advisory Board, leading experts in security technology, have warned that a government plan to weaken encryption threatens the nation's critical infrastructure and puts at risk confidential personal information. Recalling a similar report from 1997, the researchers concluded that "the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago." Recent reports from the US courts, available from EPIC, show that encryption has not been an obstacle to law enforcement investigations. A 1994 Internet petition led to the demise of "Clipper," the original government plan for escrowed encryption.
- Massive Government Data Breach Even Worse than Reported » (Jun. 25, 2015) A Congressional hearing on the Office of Personnel Management data breach has now revealed one of the worst data breaches in US history. The agency initially reported that the personal information of 4 million government employees was obtained, but news reports suggest the breach was much larger--exposing the social security numbers of more than 18 million people. EPIC has urged the White House and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. EPIC has also testified in Congress and the Senate in support of stronger security measures to protect personal data.
- Senate Rejects User Surveillance Proposal » (Jun. 17, 2015) The Senate has rejected an amendment to the National Defense Authorization Act for 2016 that would transfer user data from private companies to government agencies without judicial oversight. Senator Patrick Leahy (D-Vt) urged Senators to oppose the amendment, stating "we need a cyber-security bill, not a cyber-surveillance bill." Last year, EPIC won a five-year court battle against the NSA for NSPD 54, the foundational legal document for U.S. cybersecurity policies. The Directive reveals the NSA's interest in enlisting companies to monitor user activity in the United States.
- Massive Breach Impacts Millions of Government Employees » (Jun. 10, 2015) The Office of Personnel Management has announced a massive data breach in the federal government's employee database. According to the agency, the breach exposed the sensitive personal information - including home addresses, SSNs, and financial information - of 4 million government employees. Although 432 million online accounts were hacked in 2014, Congress has failed to update US privacy laws or pass cybersecurity legislation. EPIC has urged the White House and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information.
- EPIC, Coalition to President: No Encryption Backdoors » (May. 20, 2015) EPIC and a coalition of civil society organizations and security experts urged President Obama to reject proposals to weaken encryption used in U.S. products. Administration officials, including FBI Director Comey, have advocated for broken encryption to enable law enforcement access to private communications. The letter details how weakened encryption undermines cybersecurity and economic security. EPIC previously led the effort to oppose the "Clipper Chip," the NSA's proposal for key escrow encryption that would have severely crippled the privacy and security of online communication. EPIC also recently expressed support for encryption and anonymity in a letter to a UN Rapporteur.
- Senate Committee Approves Cyber Surveillance Bill » (Mar. 14, 2015) In a closed-door meeting, the Senate Select Committee on Intelligence approved the "Cyber Information Sharing Act of 2015". The bill would allow the government to obtain user information from private companies without judicial oversight. Companies would receive immunity for their disregard of existing privacy law. Senator Wyden, who opposed the measure, stated, "If information-sharing legislation does not include adequate privacy protections then that's not a cybersecurity bill - it's a surveillance bill by another name." Last year, EPIC won a five-year court battle against the NSA for NSPD 54—the foundational legal document for U.S. cybersecurity policies. The Directive reveals the government's long-standing interest in enlisting private sector companies to monitor user activity.
- Executive Order Calls for More Cybersecurity Info "Sharing" » (Feb. 13, 2015) President Obama announced today an Executive Order to promote collaboration between the private sector and the government to counter cyber threats. The Order encourages the companies to disclose user data to the federal government outside any judicial process. The Order also promotes compliance with Fair Information Practices and adoption of such Privacy Enhancing Techniques as data minimization. The Executive Order is one of several cybersecurity initiatives announced by the President. In EPIC v. NSA, after a five-year court battle, EPIC obtained National Security Presidential Directive 54 which revealed the NSA's role in domestic cyber security.
- President Obama Announces New Cybersecurity Initiatives » (Jan. 13, 2015) Today the President announced several cybersecurity initiatives, including a proposal to facilitate private sector threat information disclosures. The White House proposal requires the removal of personal information prior to data transfers but privacy concerns remain. The President threatened to veto a previous bill that lacked privacy and civil liberties safeguards. A 2013 expert report set out 46 proposals for strengthening cyber security that the White House said it would adopt. EPIC supported these recommendations and has also recommended civilian leadership on cybersecurity.
- Senate Cybersecurity Information Sharing Bill Proposed » (Jun. 20, 2014) Senators Dianne Feinstein and Saxby Chambliss have proposed the Cybersecurity Information Sharing Act of 2014. The Senate bill is similar to the House Cyber Intelligence Sharing and Protection Act (CISPA), which was opposed by civil liberties organizations and would have been vetoed by the White House if enacted. Like CISPA, the Senate bill allows companies to monitor private communications on their networks and to disclose user activity to the government. The bill would also exempt companies from liability for monitoring communications or disclosing user information. However, the Senate bill makes some attempt to limit the collection of personally identifiable information. EPIC recently won a five-year court battle with the NSA and obtained National Security Presidential Directive 54. The directive was issued by President Bush in 2008 and is the foundational legal document for U.S. cybersecurity policies. The Presidential Directive reveals the government’s long-standing interest in enlisting private sector companies to monitor user activity. For more information, see EPIC: Cybersecurity.
- EPIC v. NSA: EPIC Obtains Presidential Directive for Cybersecurity » (Jun. 6, 2014) After almost five years, EPIC has obtained National Security Presidential Directive 54. The previously classified Presidential Directive contains the full text of the Comprehensive National Cybersecurity Initiative and "establishes United States policy, strategy, guidelines, and implementation actions to secure cyberspace." This Directive, which is the foundational legal document for all cybersecurity policies in the United States, evidences government efforts to enlist private sector companies, more broadly monitor Internet activity, and develop offensive cybersecurity capability. EPIC first sought public release of NSPD-54 with a Freedom of Information Act request, submitted to NSA in June 2009. After the agency failed to disclose the document, EPIC filed suit. When a federal district court ruled in 2013 that the Presidential Directive was not subject to the Freedom of Information Act, EPIC then filed an appeal with the DC Circuit Court of Appeals. The document has now been disclosed to EPIC. The case is EPIC v. NSA, a Freedom of Information Act lawsuit in D.C. Circuit Court. EPIC has several related FOIA cases with the NSA pending in federal court. For more information see EPIC - EPIC v. NSA (Cybersecurity Authority).
- New Documents Reveal Close Ties Between NSA and Tech Companies, PBS Special to Air » (May. 12, 2014) New e-mails obtained under the Freedom of Information Act reveal former NSA Director Keith Alexander's close communication with technology companies regarding emerging cybersecurity threats. The CEOs of Google, Apple, Microsoft, and other technology companies were invited to classified briefings as part of the "Enduring Security Framework," a government initiative focused on sharing "cyber threat information with the private sector." EPIC previously sued the NSA to obtain records about the agency's collaboration with Google on cybersecurity, following the China hack in January 2010. In that case, the NSA refused to confirm or deny the existence of any records responsive to EPIC's request. EPIC had previously urged Google to routinely encrypt cloud-based services. PBS Frontline begins a two-part special this week that explores NSA surveillance and the role of tech companies. For more information, see EPIC v. NSA: Google/NSA Relationship and EPIC: Cybersecurity.
- DHS Releases Cybersecurity Report, NSA Role Remains Murky » (Apr. 25, 2014) The Department of Homeland Security has published the first Privacy and Civil Liberties Assessment Report. The report examined several federal agencies, including the Department of Defense and the Office of the Director of National Intelligence, regarding cybersecurity activities. Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," requires the reports as well as the creation of a cybersecurity framework. Last year, EPIC recommended civilian control of domestic cybersecurity and clarification of the NSA's involvement. The Privacy and Civil Liberties Assessment Report and the cybersecurity framework both fail to clarify the NSA's role in cybersecurity. For more information, see EPIC: Cybersecurity Privacy Practical Implications.
- EPIC v. NSA: EPIC Appeals Lower Court Decision on Presidential Directive » (Apr. 1, 2014) EPIC has filed its opening brief in EPIC v. NSA. EPIC is seeking to obtain NSPD-54, a Presidential Directive on cyber security that was widely circulated to federal agencies and senior policy advisors. EPIC submitted a Freedom of Information Act request to the NSA for NSPD-54 and several related documents. The NSA turned over some of the materials to EPIC but withheld the Directive. EPIC then sued the agency to force disclosure of the document but a court ruled sue sponte that the NSA did not have control over NSPD-54, and thus it was not an "agency record" subject to release. It was the first time a federal court had ruled that a Presidential Directive was not subject to FOIA. In the appeal, EPIC argued that the agency has the document and therefore bears the burden of proving it is not an "agency record." EPIC also pointed out that the lower court failed to apply the control test followed by other courts, and that the NSA itself never claimed that NSPD-54 was not an agency record. For more information, see EPIC: Presidential Directives and Cybersecurity and EPIC v. NSA: NSPD-54 Appeal.
- EPIC Accepts NSA's Settlement Offer, Receives Attorneys Fees » (Feb. 11, 2014) EPIC has accepted the NSA's offer to settle a Freedom of Information Act case EPIC v. NSA. EPIC sought both National Security Presidential Directive 54, a Presidential Directive setting out the scope of the NSA's authority over computer networks in the United States, as well as documents related to NSPD 54. EPIC received some of the documents as a result of the lawsuit, "substantially prevailing" under the FOIA, and prompting the NSA to make a settlement offer to EPIC. As a consequence, EPIC will receive attorneys fees from the NSA. EPIC is simultaneously appealing the lower court's determination that NSPD-54 is not an "agency record" subject to the FOIA. It was the first time a federal court has ruled that a Presidential Directive is not subject to the Freedom of Information Act. For the appeal, EPIC has already filed a Statement of the Issue, and the parties are waiting for the D.C. Circuit Court of Appeals to set a briefing schedule. For more information, see EPIC v. NSA - Cybersecurity Authority.
- EPIC Files Appeal, Challenging Secrecy of Presidential Directives » (Jan. 22, 2014) EPIC has filed a Statement of the Issue Presented with the D.C. Circuit Court of Appeals. EPIC is appealing a lower court decision that NSPD 54 -- a Presidential Directive setting out the scope of the NSA's authority over computer networks in the United States -- is not subject to disclosure under the Freedom of Information Act. EPIC sought the Presidential Directive, signed by President Bush in January 2008, from the National Security Agency after the White House disclosed the existence of the Directive but not the substance. After the agency failed to respond to EPIC's FOIA request, EPIC filed an administrative appeal, and then a lawsuit. The lower court ruled in EPIC v. NSA that the Presidential Directive is not subject to the FOIA because it was not under "the control" of the NSA. It was the first time a federal court has ruled that a Presidential Directive is not subject to the Freedom of Information Act. EPIC is now asking the Court of Appeals to determine, "Whether the district court erred in holding that a Presidential Directive in the possession of a federal agency is not an agency record subject to the FOIA." For more information, see EPIC v. NSA: Cybersecurity Authority.
- Federal Appeals Court Rules that Legal Policy Memos Can Be Withheld From the Public » (Jan. 3, 2014) The Court of Appeals for the D.C. Circuit has ruled that the FBI may withhold a memo prepared by the Office of Legal Counsel concerning the law governing "exigent letter" requests to telephone companies for call records. The decision affirmed an earlier opinion that the memo was privileged advice, and exempt from disclosure under the Freedom of Information Act. The Electronic Frontier Foundation argued that the memo was "working law" and not simply advice from government lawyers. However, the Court of Appeals found that the FBI had not itself adopted the advice of government lawyers. In a different case where the Department of State followed the guidance of Justice Department lawyers, EPIC filed a "friend" of the court brief in support of the New York Times and the ACLU and argued for the release of opinions of the Office of Legal Counsel. For more information, see EPIC v. NSA: Cybersecurity Authority and EPIC: New York Times v. DOJ.
- EPIC Appeals Secrecy of Presidential Cybersecurity Directive » (Dec. 17, 2013) EPIC has filed a notice of appeal with the D.C. Circuit Court of Appeals in EPIC v. NSA. In that case, EPIC sought NSPD 54, a presidential policy directive outlining the scope of the NSA's authority over computer networks in the United States. A federal district court ruled that the directive is not subject to the Freedom of Information Act because it was not under "the control" of the federal agencies and officials who received it. It is the only time a federal court has ruled that presidential directives in the possession of federal agencies are not subject to the FOIA. EPIC is appealing the decision. For more information, see EPIC v. NSA: Cybersecurity Authority.
- EPIC Urges Clarification of NSA's Role in Cybersecurity » (Dec. 13, 2013) EPIC has submitted comments on the National Institute of Standards and Technology's cybersecurity policy proposal. Pursuant to an Executive Order, the federal agency is charged with defining a "cybersecurity framework" for the federal government. EPIC reiterated previous comments that emphasized civilian control, adherence to the Fair Information Practices, and compliance with the Privacy Act and Freedom of Information Act. In light of revelations that the National Security Agency has weakened key security standards, EPIC urged NIST to clarify the NSA's involvement in the development of the federal policy. For more information, see EPIC: Cybersecurity Practical Implications and EPIC: EPIC v. NSA (Cybersecurity Authority).
- NIST Releases Cybersecurity Framework, Silent on NSA's Role » (Nov. 1, 2013) The National Institute of Standards and Technology has released the Preliminary Cybersecurity Framework. Earlier this year, President Obama directed NIST to develop a Framework for Cybersecurity. In Executive Order 13636, the President said the NIST Framework should protect individual privacy and civil liberties. EPIC submitted comments to the NIST supporting the protections for civil liberties, recommending separate treatment for computer crimes and "cyberterrorism" and official acknowledgement of the 1992 OECD Security Guidelines. In September 2013, the Guardian, the New York Times, and ProPublica reported that the National Security Agency directed NIST to reduce a key security standard. NIST has not commented on any involvement that NSA had in the development of the Framework. For more information, see EPIC: Cybersecurity Privacy Practical Implications.
- Classified NSA Cybersecurity Directive Sought by EPIC Establishes NSA Cyberattack Authority » (Jun. 8, 2013) Presidential Policy Directive 20 orders the creation of potential targets for Offensive Cyber Effects Operations by the NSA. According to the classified document, the "Government shall identify potential targets of national importance where [cyberattacks] can offer a favorable balance of effectiveness and risk . . ." The Directive was signed last October and EPIC immediately filed a Freedom of Information request seeking public release of the policy as it implicates the privacy of domestic communications. The NSA refused to release the Directive. The White House released a summary of the Directive, but failed to disclose information about the NSA's proposed cyberattacks. PPD-20 was made available to the public in a post to the Guardian by Glenn Greenwald. For more information, see EPIC: Presidential Directives and Cybersecurity, EPIC: EPIC v. NSA - Cybersecurity Authority and EPIC: Cybersecurity Privacy Practical Implications.
- DHS Releases Revised Privacy Impact Assessment on Internet Monitoring Program » (Apr. 24, 2013) The Department of Homeland Security has released a Privacy Impact Assessment for Einstein 3 - Accelerated. Einstein 3 is a government cybersecurity program that monitors Internet traffic. The monitoring includes scanning email destined for .gov networks for malicious attachments and URLs. According to DHS, the basis of the government’s authority to perform the monitoring is National Security Presidential Directive 54. EPIC is pursuing FOIA litigation to force the government to release the Directive to the public. For more information, see EPIC v. NSA - Cybersecurity Authority.
- EPIC FOIA Request Reveals Details About Government Cybersecurity Program » (Apr. 24, 2013) New documents obtained by EPIC in a Freedom of Information Act lawsuit reveal that the Department of Defense advised private industry on how to best circumvent federal wiretap law. The documents concern a collaboration between the Defense Department, the Department of Homeland Security, and private companies to allow government monitoring of private Internet networks. Though the program initially only applied to defense contractors, an Executive Order issued by the Obama administration earlier this year expanded it to include other "critical infrastructure" industries. The documents obtained by EPIC also cited NSPD 54 as one source of authority for the program. NSPD 54 is a presidential directive issued under President Bush that EPIC is pursuing in separate FOIA litigation. For more information, see EPIC: EPIC v. DHS (Defense Contractor Monitoring), and EPIC: EPIC v. NSA - Cybersecurity Authority.
- White House Releases Unclassified Summary of Presidential Cybersecurity Directive » (Apr. 19, 2013) The White House has released an unclassified summary of Presidential Policy Directive 20. The Policy Directive sets out the cybersecurity authority of the National Security Agency in the United States and has raised concerns about government surveillance of the Internet. The existence of the Directive was detailed in a story in the Washington Post in 2012, and EPIC immediately pursued the public release of the document. According to the White House, PPD-20 "established principles and processes for the use of cyber operations so that cyber tools are integrated with the full array of national security tools." EPIC is still pursuing the release of the full document. For more information see EPIC: Cybersecurity Privacy Practical Implications and EPIC: EPIC v. NSA (NSPD 54).
- White House Threatens to Veto CISPA Unless Privacy Protections Improved » (Apr. 16, 2013) In a Statement of Administration Policy, the White House threatened to veto the controversial Cyber Intelligence Sharing and Protection Act (CISPA) unless more robust privacy and civil liberties protections are added and newly authorized information sharing goes through a civilian agency. EPIC joined a letter signed by a coalition of privacy and civil liberty organizations to urge the House Permanent Select Committee on Intelligence to open the markup process for CISPA. The markup for CISPA remained closed, and as currently drafted, CISPA would allow companies to disclose vast amounts of customer and client information to other companies and the government, including the National Security Agency, for "cybersecurity purposes." EPIC favors government transparency and is currently pursuing a lawsuit against the NSA stemming from a FOIA request for National Security Presidential Directive 54, which grants the NSA broad authority over computer networks in the United States. For more information, see EPIC: EPIC v. NSA - Cybersecurity Authority.
- EPIC Comments on Federal Cybersecurity Framework » (Apr. 12, 2013) In response to a request for comments, EPIC submitted comments on the National Institute of Standards and Technology’s review to develop a cybersecurity framework. Pursuant to Executive Order 13636, the agency is charged with defining a cybersecurity framework for the federal government. EPIC supports civilian control of cybersecurity and privacy protections based on the Fair Information Practices. In the comments to NIST, EPIC emphasized the need for all federal agencies to comply with the Privacy Act and the Freedom of Information Act. For more information, see EPIC: Cybersecurity Practical Implications and EPIC: EPIC v. NSA (Cybersecurity Authority).
- EPIC Supports Public Mark Up for Controversial Cyber Security Bill » (Apr. 4, 2013) EPIC joined a letter signed by a coalition of privacy and civil liberty organizations to urge the House Permanent Select Committee on Intelligence to open the markup process of the Cyber Intelligence Sharing and Protection Act (CISPA) to the public. CISPA suspends privacy safeguards so that companies can disclose vast amounts of customer and client information to the government, including the National Security Agency, for "cybersecurity purposes." Some in Congress believe that the proposal should be adopted in a secret committee meeting. EPIC favors government transparency and is currently pursuing a lawsuit against the NSA stemming from a FOIA request for National Security Presidential Directive 54, which grants the NSA broad authority over computer networks in the United States. For more information, see EPIC: EPIC v. NSA - Cybersecurity Authority.
- White House Issues New Executive Order, Presidential Directive on Cybersecurity » (Feb. 13, 2013) In conjunction with the 2013 State of the Union, President Obama has signed a public Executive Order on cybersecurity and "critical infrastructure." The Order grants new powers to federal agencies to share cybersecurity information with private companies. Affected federal agencies will "conduct regular assessments of privacy and civil liberties impacts." The President also issued Presidential Policy Directive 21, which directs the Secretary of the Department of Homeland Security to take specific, discrete actions regarding cybersecurity practices. EPIC is currently pursuing a Freedom of Information Act request with the National Security Agency for Presidential Policy Directive 20, a secret directive that grants cybersecurity authority to the National Security Agency. For more information, see EPIC: Cybersecurity Privacy Practical Implications and EPIC: EPIC v. NSA (Cybersecurity Authority).
- Obama Talks Cybersecurity at 2013 State of the Union » (Feb. 13, 2013) At the 2013 State of the Union, President Obama announced an Executive Order that grants new authority to federal agencies to share information with private companies. President Obama further urged Congress to act to "pass legislation to give our government a greater capacity to secure our networks and deter attacks." A new Presidential Directive was also published today, directing the Secretary of the Department of Homeland Security to take specific, discrete actions regarding cybersecurity practices. EPIC is currently pursuing a Freedom of Information Act request with the National Security Agency for Presidential Policy Directive 20, a prior directive that grants additional, secret cybersecurity authority to the National Security Agency. For more information, see EPIC: Cybersecurity Privacy Practical Implications and EPIC: EPIC v. NSA (Cybersecurity Authority).
- EPIC Comments on Federal Cybersecurity Plan » (Dec. 20, 2012) In response to a request for comments, EPIC submitted comments on the Federal Cybersecurity Research and Development Strategic Plan. The cybersecurity strategic plan calls for a coordinated research strategy across federal agencies including the Department of Homeland Security and the National Security Agency. EPIC supported the call for privacy safeguards and anonymous web access, and recommended the further integration of genuine privacy-enhancing techniques. EPIC also emphasized the need for all federal agencies to comply with the Privacy Act and the Freedom of Information Act as the plan progresses. EPIC previously submitted comments to the Department of Defense regarding Cyber Security and Information Assurance Activities. For more information, see EPIC: Cybersecurity Privacy Practical Implications and EPIC: EPIC v. NSA - Cybersecurity Authority.
- UPDATED: EPIC Appeals NSA's Withholding of Cybersecurity Directive » (Nov. 27, 2012) EPIC has appealed a decision by the National Security Agency to deny EPIC's Freedom of Information Act Request for the public release of Presidential Policy Directive 20. The Policy Directive expands the NSA's cybersecurity authority and has raised concerns about government surveillance of the Internet. EPIC's FOIA appeal points to numerous substantive and procedural defects in the NSA's response, and highlights the importance of public discussion of cyber security authority. The NSA has ten days to respond to EPIC's appeal. For more information, see EPIC: Cybersecurity Privacy Practical Implications, EPIC: EPIC v. NSA - Cybersecurity Authority.
- NSA Withholds Cybersecurity Directive, EPIC to Appeal » (Nov. 20, 2012) The National Security Agency has responded to a Freedom of Information Act Request from EPIC, seeking the public release of Presidential Policy Directive 20. The Directive, first reported by the Washington Post, is believed to expand the NSA's cybersecurity authority. In response to EPIC, the NSA argued that the Agency does not have to release the document because it is a confidential presidential communication and it is classified by the NSA. EPIC is litigating similar claims against the NSA, including the release of NSPD 54, a 2008 presidential directive setting out the NSA’s cybersecurity authority. In an official statement to Congress earlier this year, EPIC explained that the NSA was a “black hole for public information about cybersecurity.” EPIC plans to appeal the NSA's determination. For more information, see EPIC: Cybersecurity Privacy Practical Implications, EPIC: EPIC v. NSA - Cybersecurity Authority.
- President Issues Secret Cybersecurity Directive, EPIC Seeks Public Release » (Nov. 14, 2012) Following a Washington Post report of a new cyber security directive, EPIC has filed a Freedom of Information Act request for the release of Presidential Policy Directive 20. The Directive is believed to expand cyber security authority for the National Security Agency. EPIC is pursuing several FOIA cases, including the release of NSPD-54, an earlier Directive that gave NSA authority to conduct surveillance within the United States. EPIC has also sought public release of the technical arrangement between the NSA and Google that was adopted in January 2010. Federal law prevents the National Security Agency, a component of the Department of Defense, from conducting operations within the United States. For more information, see EPIC: Cybersecurity Privacy Practical Implications, EPIC: EPIC v. NSA - Cybersecurity Authority, and EPIC v. NSA: Google / NSA Relationship.
- 2012 Democrat Platform Endorses Internet Privacy » (Sep. 4, 2012) The 2012 Democratic National Platform supports the administration’s Internet Privacy Bill of Rights to protect consumer privacy. Separate provisions in the platform call for privacy protections for broadband deployment, intellectual property enforcement, and cybersecurity laws; the Democratic platform opposes voter identification laws. However, the platform is silent on the Fourth Amendment, and retreats from the 2008 Democratic platform that opposed surveillance of individuals that were not suspected of a crime. In 2008, Candidate Obama promised to "strengthen the privacy protections for the digital age and to harness the power of technology to hold government and business accountable for violations of personal privacy.” The 2012 Republican Platform was released last week. The Libertarian and Green Party platforms are also available. For more information, see EPIC: Privacy and Consumer Profiling, EPIC: Voter Photo ID and Privacy, EPIC: National Security Letters, and EPIC: Cybersecurity Privacy Practical Implications.
- 2012 Republican Platform Addresses Privacy and Government Surveillance » (Aug. 29, 2012) The 2012 Republican Party Platform calls for strong Constitutional protections for privacy and new safeguards for personal data held by businesses. "We will ensure that personal data receives full constitutional protection from government overreach and that individuals retain the right to control the use of their data by third parties," the platform states. The platform also criticizes TSA screening procedures and calls for warrant requirements for most law enforcement-operated drones. However, other provisions endorse voter identification laws and increased disclosure of personal information to the government for cyber security. For more information, see EPIC: Privacy and Consumer Profiling, EPIC: Whole Body Imaging Technology and Body Scanners, EPIC: Unmanned Aerial Vehicles (UAVs) and Drones, EPIC: Voter Photo ID and Privacy, and EPIC: Cybersecurity Privacy Practical Implications.
- Franken Amendment Seeks to Protect Cybersecurity Privacy » (Jul. 30, 2012) The Senate is expected to consider the Cybersecurity Act of 2012 prior to the August recess. Unlike the Secure IT Act, the Cybersecurity Act would avoid the NSA takeover of the Internet. However, privacy concerns remain about the broad authority of Internet companies to monitor Internet users and turn information over to the government. An amendment sponsored by Senator Al Franken (D-Minn) would limit this surveillance. A provision that limits the disclosure of cybersecurity threat information remains in the Act. Earlier this year, EPIC recommended to the Senate that the Freedom of Information Act limitation be removed. For more information, see EPIC: Cybersecurity Privacy Practical Implications.
- EPIC Urges Privacy Safeguards for Defense Department Cybersecurity Program » (Jul. 11, 2012) EPIC has submitted comments to the Department of Defense, urging the agency to protect individual privacy when it obtains detailed information about Internet users from the private sector. Under current Department regulations, companies are encouraged to provide information about Internet users that may relate to "cyber incidents" and cyber "threats." This is similar to a controversial provision in the Cyber Intelligence Information Protection Act ("CISPA"). EPIC recommended that the agency revise the regulations for the "Cyber Security and Information Assurance" program so that: (1) the program remain voluntary, (2) "cyber incident" and "threat" are narrowly defined, (3) liability is imposed on private companies for disclosing excess user information, (4) the Attorney General conduct annual audits, and (5) the agency adheres to federal privacy laws. EPIC also warned the agency to fully comply with the Freedom of Information Act, which has provided the public with important information about network security. For more information, see EPIC: Cybersecurity and EPIC: EPIC v. NSA (FOIA for NSA Cybersecurity Authority), and EPIC: EPIC v. NSA (FOIA for Google/NSA Relationship).
- Executive Order Grants Authority to Seize Private Communications Facilities » (Jul. 9, 2012) The White House has released a new Executive Order seeking to ensure the continuity of government communications during a national emergency. The Executive Order grants new powers to the Department of Homeland Security, including the ability to collect certain public communications information. Under the Executive Order the White House has also granted the Department the authority to seize private facilities when necessary, effectively shutting down or limiting civilian communications. In 2011, Congress considered similar provisions in cybersecurity legislation, which would have allowed the government to disconnect communications traffic in times of national security. Following public protest, Congress abandoned the proposal. For more information, see EPIC: Cybersecurity Privacy Practical Implications.
- LinkedIn Breach Leads to 6.5 Million Stolen Passwords » (Jun. 7, 2012) The professional social network LinkedIn suffered a security breach that exposed the passwords of over 6 million users. A user on a Russian Web forum reported downloading 6 million LinkedIn passwords. LinkedIn later confirmed that some of the passwords corresponded to LinkedIn accounts, deactivated those passwords, and advised all users to update their passwords. EPIC testified about the growing problem of data breaches in 2011 before the House Financial Services Committee and the Senate Banking Committee. For more information, see EPIC: Cybersecurity and Privacy.
- Privacy Board Approved by Judiciary Committee, Vote Moves to Senate » (May. 17, 2012) The Senate Committee on the Judiciary has approved President Obama's five nominees for the Privacy and Civil Liberties Oversight Board. The Board is an independent entity charged with ensuring that fundamental rights are protected in the implementation of government programs, including cybersecurity. Originally convened in 2004, the five seats on the Board have remained vacant for the past five years. Senator Leahy, the Chairman of the Judiciary Committee, said, "When we worked to create this board, we did so to ensure that our fundamental rights and liberties would be preserved…The Senate should move quickly to confirm the nominees to the board so that they can get to their important work." For more information, see EPIC: 9/11 Commission Report and "The Sui Generis Privacy Agency: How the United States Institutionalized Privacy Oversight After 9-11."
- Flawed Cybersecurity Bill Passes House, Headed for Senate without Privacy, FOIA Safeguards » (Apr. 27, 2012) The House of Representatives passed the Cyber Intelligence Information Protection Act ("CISPA"), a cybersecurity bill that allows the government to obtain detailed information about Internet users from the private sector. The bill preempts established privacy protections in other federal laws and opens the door for increased surveillance of individuals in the United States. The bill also creates a new Freedom of Information Act exemption, which will reduce government transparency and accountability. Earlier this year, EPIC said in a statement to the Senate that the Freedom of Information Act provides the public important information about network security, and warned that the National Security Agency has become a “black hole” for public information about cybersecurity. For more information, see EPIC: Cybersecurity and EPIC: EPIC v. NSA (FOIA for NSA Cybersecurity Authority), and EPIC: EPIC v. NSA (FOIA for Google/NSA Relationship).
- Coalition Urges Congress to Remove Cybersecurity FOIA Limitations » (Apr. 18, 2012) An open government coalition has asked House lawmakers to oppose provisions in "CISPA" that would cut off public access to information held by federal agencies. The Cyber Intelligence Sharing and Protection Act would allow the government to refuse to disclose broad swaths of information, otherwise subject to FOIA, that companies provide to the government. More than three dozen groups have signed the petition - including Openthegovernment.org, the Sunlight Foundation, Project On Government Oversight, and EFF. The groups have asserted that the legislation "constitutes a wholesale attack on public access to information under the Freedom of Information Act" and would impede the public's ability to evaluate whether the government is adequately combating cybersecurity threats. In a statement for a hearing on the FOIA and critical infrastructure information, EPIC also warned against new FOIA exemptions and said that the National Security Agency has become a "black hole" for public information about cybersecurity. For more information see EPIC: Cybersecurity, EPIC: EPIC v. NSA, Litigation Under the Federal Open Government Laws 2010.
- Open Government Groups Oppose Cyber Security FOIA Exemption » (Mar. 14, 2012) Open government organizations have sent a letter to Senator John McCain, opposing specific provisions in a cybersecurity bill he introduced. The SECURE IT Act would create new Freedom of Information Act exemptions for "cyber threat information" as well as for all information shared with a cybersecurity center. FOIA exemptions limit public access to government information. The organizations stated, "Unnecessarily wide-ranging exemptions of this type have the potential to harm public safety and the national defense more than they enhance those interests." In a statement for a hearing on the FOIA and critical infrastructure information, EPIC also warned against new FOIA exemptions and said that the National Security Agency has become a "black hole" for public information about cybersecurity. For more information, see EPIC: Cybersecurity.
- EPIC Urges Senate to Safeguard FOIA for Cybersecurity » (Mar. 12, 2012) In a detailed statement to the Senate for a hearing on the "Freedom of Information Act: Safeguarding Critical Infrastructure and the Public's Right to Know," EPIC said that safeguarding FOIA was critical to ensure government oversight and accountability. EPIC described how the FOIA provides the public important information about safety and security, but also warned that the National Security Agency has become a "black hole" for public information about cyber security. EPIC described several NSA programs, including "Perfect Citizen," Internet wiretapping, and even the NSA's own legal authority which the agency has refused to release to the public. EPIC v. NSA, a challenge to the agency's "neither confirm nor deny" response to an EPIC FOIA request will be heard next week by the DC Circuit Court of Appeals. For more information, see EPIC: Cybersecurity.
- EPIC Warns Congress of Cybersecurity Risks to Consumers » (Sep. 14, 2011) EPIC Executive Director Marc Rotenberg testified today before the House Subcommittee on Financial Institutions and Consumer Credit. EPIC highlighted several recent high-profile data breaches, including those involving the digital security certificates used to authenticate websites, that have compromised the private data of thousands of consumers. Citing reports from the Privacy Rights Clearinghouse, EPIC's Rotenberg said "These attacks on financial institutions produce both direct and indirect costs for consumers who must contend with the risk of identity theft and financial fraud." EPIC previously testified before the Senate Banking Committee on cybersecurity in the financial sector and the growing threat to consumer data. For more information, see EPIC: Cybersecurity and Privacy. Webcast.
- Commerce Department Releases Cybersecurity Report, Seeks Comments » (Jun. 8, 2011) The U.S. Department of Commerce has released a green paper on "Cybersecurity, Innovation, and the Internet Economy." The paper is the latest deliverable published by Secretary Locke's Internet Policy Task Force, established in April 2010 as a collaboration between technical, policy, trade, and legal experts. The Department’s goal is to provide voluntary standards and incentives for Internet stakeholders who fall outside of the scope of "critical infrastructure." The White House released draft cybersecurity legislation in May 2011 that would designate the Department of Homeland Security as the lead administrative agency for critical infrastructures. The Department of Commerce poses several questions in the green paper, and is encouraging stakeholders to submit comments, which are due in 45 days. For more information, see EPIC: Cybersecurity and Privacy.
- House Examines White House Cybersecurity Proposal » (May. 26, 2011) The House of Representatives has held two hearings on the White House legislative plan for cybersecurity. The House Oversight and House Judiciary Committees questioned government officials and members of private industry on the proposal. Committee members showed particular interest in provisions that pre-empted stronger state laws and those that offered immunity to private industry for complying with government requests for information on data breaches. Rep. Watt (D-NC) asked how the proposal was unlike the controversial telecom immunity contained in the Patriot Act. The White House proposal is part of a series of initiatives driven by the 2009 Cyberspace Policy Review. EPIC has called for cybersecurity legislation that strengthens security standards, requires encryption, promotes agency accountability, and safeguards personal data and privacy. For more information, see EPIC: Cybersecurity and Privacy and EPIC: National Strategy for Trusted Identities in Cyberspace.
- White House Releases International Cyberspace Plan » (May. 17, 2011) Following the release of proposed cyber security legislation last week, the White House today unveiled "International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World." The Strategy is ambitious and far-reaching, covering economic policy, foreign affairs, homeland security, and defense. The Strategy also emphasizes the need to safeguard fundamental freedom and privacy rights. To address growing concerns about online privacy, EPIC has recommended that the United States begin the process of ratifying the International Privacy Convention, which has been adopted by more than 40 countries. For more information, see EPIC - Privacy Convention.
- White House Sets Out Cyber Security Plan » (May. 13, 2011) The White House has announced a far-reaching legislative proposal for cyber security. The proposal would standardize data breach reporting requirements, clarify penalties for computer crime, and create a regulatory framework for critical infrastructure. However, the plan also enables greater data collection across the federal government and expanded electronic surveillance. EPIC has previously called for cyber security legislation that strengthens security standards, requires encryption, promotes agency accountability, and safeguards personal data and privacy. EPIC has several pending FOIA lawsuits concerning the Administration's cyber security programs, including the Google/NSA collaboration. For more information, see EPIC: Cybersecurity and Privacy.
- Senate Commerce Committee to Explore Internet Privacy, Airport Screening, Cybersecurity » (Jan. 21, 2011) Chairman Rockefeller's (D-WV) priorities for the Senate Commerce Committee in the new Congress will include consumer privacy, oversight of the Federal Trade Commission, airport screening, and cybersecurity, according to a recent statement. Senator Rockefeller has specifically called for strong Internet privacy laws. "There are no baseline privacy protections for most consumer online activity," he stated. "Industry self-regulation has largely failed, and I hope that the Department of Commerce . . .will reach the conclusion that legislation is necessary to protect consumers." EPIC has testified previously before the Committee on the Children's Online Privacy Protection Act (COPPA), protecting consumers' phone records, and spam e-mail. For more information, see EPIC: Online Tracking and Behavioral Profiling and EPIC: Cybersecurity Privacy Practical Implications.
- EPIC, Joined by 13 Organizations, Sends Statement on NSTIC » (Oct. 1, 2010) EPIC, joined by the American Library Association, Liberty Coalition, Bill of Rights Defense Committee, and the Center for Media and Democracy, among others, sent a statement to the Department of Homeland Security responding to the Administration's call for comments regarding its National Strategy for Trusted Identities in Cyberspace Creating Options for Enhanced Online Security and Privacy (NSTIC) draft policy. The coalition's comments press the Administration for a clearer definition of the problems that the policy intends to solve. The coalition further advocates for the maintenance of a free and open Internet that protects the creative content of users, assures privacy, and creates accountability and oversight of government activity, especially as it relates to law enforcement and surveillance. For more, see EPIC's Cybersecurity and Privacy.
- EPIC Seeks Details on New Government Crypto Regulations » (Sep. 29, 2010) EPIC has sent Freedom of Information Act (FOIA) requests to the Department of Justice, the Federal Bureau of Investigation, and the National Security Agency for information about a proposal to expand Internet surveillance and deploy weakened security standards. The proposal would require Internet companies to develop network services to enable government access to private communications, including those on peer-to-peer networks. In 1996, the National Resource Council concluded that such technical standards make network communications more vulnerable to cyber attack. For more information, see EPIC: Cryptography Policy.
- DHS Privacy Office Releases 2010 Annual Report » (Sep. 24, 2010) The Department of Homeland Security has released the Privacy Office 2010 Annual Report. The Agency's Chief Privacy Officer must prepare an annual report to Congress that details activities of the Department that affect privacy, including complaints of privacy violations, and DHS compliance with the Privacy Act of 1974. This year’s report details the establishment of privacy officers within each component of the Agency. The report also provides updates on Fusion Centers, Cybersecurity, and Cloud Computing activities of the agency. For more information, see EPIC: DHS Privacy Office.
- EPIC FOIAs NSA for Details of "Perfect Citizen" » (Jul. 16, 2010) EPIC has filed a Freedom of Information Act request with the National Security Agency regarding the new secret cybersecurity program known as "Perfect Citizen." According to the Wall Street Journal, the program "would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack," although the agency has claimed that there "is no monitoring activity involved, and no sensors are employed in this endeavor" but has refused to release the details of the program. In its request, EPIC has sought contracts, memoranda, and other records relating to "Perfect Citizen." For more information, see EPIC Cybersecurity and Privacy.
- EPIC Testifies in Congress on Cybersecurity and Privacy » (Jul. 15, 2010) EPIC Executive Director Marc Rotenberg testified today before the House Committee on Science and Technology regarding Planning for the Future of Cyber Attack Attribution. In his prepared statement, Mr. Rotenberg discussed "the risks and limitations of a mandatory Internet ID that may be favored by some as a way to address the risk of cyber attack." He explained how such a proposal would implicate human rights and online freedom, and questioned the constitutionality of such a measure. EPIC recommended that efforts continue to focus on improving security standards, deploying encryption, and requiring federal agencies to remain transparent as they develop cyber security policies. For more information, see EPIC Cybersecurity and Privacy.
- Cybersecurity Legislation Moves Forward in Congress » (Jun. 25, 2010) The Senate Homeland Security Committee voted unanimously to report favorably the Protecting Cyberspace as a National Asset Act of 2010 to the Senate at a markup session (video) on June 24th. An earlier version of the bill was introduced on June 10th and a hearing (video) was held on June 15th. The bill would establish a National Center for Cybersecurity and Communications at the Department of Homeland Security. Critics had said that the bill would also give the President an "internet kill switch" to take over private networks. Before committee passage, the bill was amended to include limitations on the proposed Presidential powers to declare a "cybersecurity emergency" and to better define what parts of critical infrastructure are covered by the bill. For more information, see EPIC Cybersecurity and Privacy.
- EPIC's Coney Leads Cybersecurity Panel at Computers, Freedom, Privacy Conference » (Jun. 18, 2010) EPIC Associate Director Lillie Coney leads a panel discussion today on "Cybersecurity Policy and the Role of .Orgs" at the annual conference on Computers, Freedom, and Privacy. The panel features top government decision makers and leading experts in cybersecurity. The panel will be cybercast June 18 at 2 pm ET. The discussion builds on a letter to White House Cyber Security Director Howard Schmidt, organized by EPIC and endorsed by 30 organizations, which states that US cybersecurity policy "must incorporate protections of our basic freedoms and constitutional rights." Ms. Coney will co-chair the 2011 CFP Conference, which will be held in Washington DC. For more information, see EPIC-Cybersecurity Privacy Practical Implications.
- Senate Committee Holds Hearing on Cybersecurity Bill » (Jun. 16, 2010) The Senate Homeland Security Committee held a first hearing on the recently introduced cybersecurity bill, the Protecting Cyberspace as a National Asset Act of 2010. The hearing (video) featured testimony from Philip Reitinger at the Department of Homeland Security, as well as several industry representatives. Many of the committee's questions focused on whether authority over civilian cybersecurity should be concentrated in the Department of Homeland Security or in the Department of Defense, a question on which EPIC has repeatedly sought information. For more information, see EPIC Cybersecurity and Privacy.
- New Cybersecurity Legislation Introduced » (Jun. 11, 2010) Senators Lieberman, Collins, and Carper of the Senate Homeland Security & Governmental Affairs Committee have introduced the Protecting Cyberspace as a National Asset Act of 2010. The bill would establish a White House Office of Cyberspace Policy and a National Center for Cybersecurity and Communications. The bill would allow the President to declare a "national cyber emergency" and implement emergency measures, although it would not allow these measures to set aside requirements of the Wiretap Act, the Electronic Communications Privacy Act, or the Foreign Intelligence Surveillance Act. The bill would also make certain changes to the Federal Information Security Management Act. The Committee released a summary of the bill. EPIC is currently seeking to make public the NSA's authority for cyber security. For more information, see EPIC Cybersecurity and Privacy.
- Coalition Letter Results in Meeting with White House Cybersecurity Coordinator » (May. 12, 2010) EPIC, joined by over 30 organizations, launched a campaign to obtain a meeting with Howard Schmidt, the White House Cybersecurity Coordinator. Groups joining the letter included the ACLU, American Library Association, Bill of Rights Defense Committee, Liberty Coalition, NAACP, OpenTheGovernment.org, and the Lawyers Committee for Civil Rights Under Law. The White House has agreed to the meeting, which follows Senate confirmation of Keith B. Alexander, director of the National Security Agency, to lead the U.S. Cyber Command. Civil society organizations have expressed concern about the growing role of the NSA in cyber security. EPIC is currently in litigation with the NSA to obtain the secret policy for NSA surveillance authority. For more information, see EPIC Sues NSA to Force Disclosure of Cybersecurity Authority, and EPIC - Cybersecurity Privacy: Practical Implications.
- White House Issues Rules for Security Reporting » (Apr. 26, 2010) A new White House memo sets out the Federal Information Security Management Act of 2002 (FISMA) standards for federal agencies. All agencies must comply with the FISMA standard and report security practices for information under agency control. The standard also extends obligations to agency contractors. By November 15, 2010, all agencies must be capable of monitoring all information traffic on their networks, and make reports to CyberScope, a platform launched last year to provide a single government-wide security management tool for FISMA reports. The Memorandum included requirements to respond to breaches of personal information. Agency Inspectors General will provide oversight of agency FISMA compliance. For more information, see EPIC's Cybersecurity page.
- EPIC Demands Release of Classified Answers on Privacy and Internet Standards from Cyber Command Nominee » (Apr. 19, 2010) EPIC has filed a Freedom of Information Act (FOIA) request with the National Security Agency (NSA) seeking the "classified supplement" that Director Lt. Gen. Keith Alexander filed with his answers to questions from the Senate Armed Services Committee regarding his nomination to be the Commander of the newly formed United States Cyber Command. Several of Lt. Gen. Alexander's classified responses were to questions regarding the privacy of Americans' communications, and EPIC's request urges the Agency to make the full responses public. EPIC is currently in litigation with the NSA to obtain the secret policy for NSA surveillance authority. For more information, see EPIC Sues NSA to Force Disclosure of Cybersecurity Authority.
- Congress Considers Nomination of NSA Director to US Cyber Command, Concerns Remain » (Apr. 15, 2010) The Senate Armed Services Committee will hold a hearing on April 15 to consider the nomination of NSA Director Lt. Gen. Keith B. Alexander to be the Commander of the US Cyber Command. EPIC has expressed concern about the expanded authority of the NSA within the United States and has specifically requested the public release of NSPD-54, the secret Presidential Directive that allows the NSA to conduct electronic surveillance against US citizens within the United States, prior to the confirmation of Lt. Gen. Alexander. EPIC is seeking this and related documents in a Freedom of Information Act lawsuit. For more information, see EPIC Sues NSA to Force Disclosure of Cyber Security Authority.
- Congressional Leaders Press Obama on Privacy Board » (Mar. 30, 2010) Chairman Bennie Thompson and twenty members of the House of Representatives sent a letter to President Obama seeking the immediate nomination of members to the Privacy and Civil Liberties Oversight Board. The Privacy Board was active during the Bush Administration, but the Obama administration has moved slowly to reconstitute the advisory body. No hearings have been held and no reports have been issued. The board is intended to provide advice on the civil liberty implications of programs that affect the rights of citizens, such as the use of Whole Body Scanners by the TSA, biometric identifiers, and cyber security policy.
- White House Publishes Outline of Cyber Security Policies » (Mar. 2, 2010) The White House announced today that it has made a description of the Comprehensive National Cybersecurity Initiative (CNCI) available online for public viewing. The 12 CNCI initiatives cover a wide range of government activity, from cyber education to intrusion detection. However, the text of the underlying legal authority for cybersecurity still remains secret. EPIC has been involved in ongoing litigation regarding a Freedom of Information Act request for the text of the critical cybersecurity document NSPD 54 that President Bush signed in 2008. For more information, see EPIC: EPIC Sues NSA to Force Disclosure of Cyber Security Authority and EPIC: EPIC Seeks Records on Google-NSA Relationship.
- EPIC Statement to Congress on Google, NSA, and Cybersecurity » (Feb. 9, 2010) EPIC has submitted a statement for the record for a House Foreign Affairs Committee hearing on Google and U.S. Cyberspace Policy. EPIC's statement recommends investigation into the newly-announced partnership between Google and the National Security Agency and the public release of the secret document that grants the NSA broad surveillance authority in cyberspace. The EPIC statement also urges the Congressional Committee to support US ratification of the Council of Europe privacy convention. For more information, see EPIC Critical Infrastructure Protection, Experts' Letter to Secretary Clinton on the Council of Europe Convention.
- FCC Commits to Protecting Consumers in FY 2011 Performance Plan » (Feb. 4, 2010) The Federal Communications Commission (FCC) released its FY 2011 budget request and performance plan. The FCC requests funding for furthering cybersecurity, implementing the National Broadband Plan, revamping the FCC's data systems and processes, and modernizing the agency's communications tools and expertise. The FCC prioritizes implementation of the National Broadband Plan and protection of consumers in the agency's performance goals. Objectives with respect to consumers include addressing 100% of complaints filed with the Commission alleging violations of the Communications Act and taking appropriate action within 15 months, rigorously enforcing the Telephone Consumer Protection Act, and ensuring "through litigation where necessary, that consumers are protected from anticompetitive practices."
- EPIC Sues NSA to Force Disclosure of Cyber Security Authority » (Feb. 4, 2010) EPIC has filed a lawsuit against the National Security Agency and the National Security Council, seeking a key document governing national cybersecurity policy. The document, National Security Presidential Directive 54, grants the NSA broad authority over the security of American computer networks. The agencies violated the Freedom of Information Act by failing to make public the Directive and related records in response to EPIC's request. EPIC's suit asks a federal judge to require the release of the documents. Congress is currently debating cyber security policy. For more information, see EPIC FOIA Litigation, EPIC Critical Infrastructure Protection.
- New Cybersecurity Legislation Introduced in Congress » (Jul. 23, 2009) Senator Patrick Leahy (D-Vt) introduced The Personal Data Privacy and Security Act of 2009. The statute requires data brokers, business entities and federal agencies to create and implement data privacy and security practices. The bill requires data breach notification, enforces disclosure and accuracy requirements, and establishes an Office of Federal Identity Protection within the FTC. However, the bill preempts stronger state privacy laws and fails to provide a right of private action for consumers. For more information, see EPIC Identity Theft, EPIC Personal Data and Privacy Protection, and EPIC Preemption Page.
EPIC is seeking records pertaining to the FBI’s investigation of Russian interference in the 2016 U.S. Presidential election. This interference, by a foreign government in the democratic processes of the United States, is under investigation by the U.S. Intelligence community and is of widespread concern to the American public. The activities of the Russian government also pose a risk to democratic institutions in other countries.
During the 2016 election season, there were numerous cyberattacks on both the Democratic National Committee and the Republican National Committee. News reports indicate that the FBI first contacted the DNC about potential cyber threats in September 2015. However, until the FBI met with party officials in March 2016, the FBI’s response was limited to one telephone call to an I.T. contractor and several voicemail messages. The head of the cybersecurity firm hired by the DNC in April 2016 said “he was baffled that the F.B.I. did not call a more senior official at the D.N.C. or send an agent in person to the party headquarters to try to force a more vigorous response.”
Fallout from the disclosures mired congressional candidates in accusations of scandal, and led to the resignation of a DNC leader. The New York Times reported that the RNC’s computer systems were also attacked. News outlets report that hackers attempted to penetrate the RNC’s computer network “using the same techniques that allowed them to infiltrate its Democratic counterpart.” “Once inside, [hackers] reportedly were able to access a trove of DNC opposition research on Mr. Trump, then a candidate.”
In October 2016, prior to the outcome of the election, the Obama administration accused the Russian government of perpetrating the attacks on the U.S. election process. “The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of emails from US persons and institutions,” said the Department of Homeland Security and Office of the Director of National Intelligence in a joint statement, which said the compromises were “intended to interfere with the US election process.” The DHS and ODNI concluded, “We believe, based on the scope and sensitivity of these efforts, that only Russia's senior-most officials could have authorized these activities.”
The U.S. Intelligence Community recently reaffirmed its assessment that the Russian government was responsible for interference in the 2016 Presidential elections. Press reports indicate that FBI Director Comey agreed with this assessment. “Earlier this week, I met separately with FBI [Director] James Comey and [Director of National Intelligence] Jim Clapper, and there is strong consensus among us on the scope, nature, and intent of Russian interference in our presidential election,” said CIA Director John Brennan. President Obama “has ordered a full review of foreign-based digital attacks that U.S. intelligence agencies say were aimed at influencing this year’s presidential election.”
Investigations undertaken by private security firms, apart from the FBI, indicate that the attacks on the 2016 U.S. Presidential election also threaten democratic institutions in other countries. The private cybersecurity firm hired by the DNC to investigate the hacks has published evidence pointing to the Russian military’s involvement. CrowdStrike “linked malware used in the DNC intrusion to malware used to hack and track an Android phone app used by the Ukrainian army in its battle against pro-Russia separatists in eastern Ukraine from late 2014 through 2016.” CrowdStrike co-founder Dmitri Alperovitch concluded, “we have high confidence” it was a unit of the GRU, Russia’s military intelligence agency.
The FBI has recognized that the nation’s “critical infrastructure, including both private and public sector networks, are targeted by adversaries.” Among the various federal agencies tasked with ensuring the nation’s cybersecurity, “the FBI is the lead federal agency for investigating cyber attacks by criminals, overseas adversaries, and terrorists.” The FBI has also acknowledged threats to our electoral system. “Although individual states have primary responsibility for conducting fair and impartial elections, the FBI becomes involved when paramount federal interests are affected or electoral abuse occurs,” testified FBI Director James Comey.
EPIC has filed this lawsuit to determine the FBI’s response to knowledge of the Russian interference with the 2016 Presidential Election. The Congress is in the midst of a critical debate about Russia and the 2016 Presidential Election. But very little information has been provided to the public and very little is known about how the FBI protected US democratic institutions against foreign attack. That is why the FBI should provide this information to EPIC and the public as expeditiously as possible.
As EPIC notes in the Complaint against the FBI, “[T]here is a profound and urgent public interest in the release of the FBI records sought by EPIC, concerning the Russian interference with the 2016 Presidential Election. The release of these records is necessary for the public to evaluate the FBI response to the Russian interference, assess threats to American democratic institutions, and to ensure the accountability of the federal agency with the legal authority to safeguard the American people against foreign cyber attacks.”
EPIC has filed several Freedom of Information Act requests concerning Russian interference in the 2016 Presidential Election. The first is the request at issue in the case, and the other is a request for the full report on "Russian Activities and Intentions in Recent US Elections."
EPIC has also urged the Senate Armed Services Committee to pursue an investigation.
U.S. District Court for the District of Columbia (No. 17-121)
- Complaint (Jan. 18, 2017)
- FBI Answer (Feb. 23, 2017)
- Order (Mar. 10, 2017)
- FBI Motion to Modify (Mar. 20, 2017)
- EPIC FOIA Request (Dec. 22, 2016)
- Media Advisory
- Press Release
- Audio of Press Conference
- EPIC Letter to Senate Armed Services Committee (Jan. 4, 2017)
- Judge Calls Strike One on Heavy FBI Redactions, Courthouse News Service, February 23, 2017
- EPIC notches win over FBI in FOIA fight, POLITICO, February 22, 2017
- Civil liberties group sues FBI to release Russia response, The Hill, January 19, 2017
- EPIC files FOIA suit over records of Russia hacking, Politico Pro, January 19, 2017
- FBI sued to release info on probe of Russia role in election, Washington Times, January 19, 2017
- Privacy Group Presses FBI On Russia's Election Hacking, Law360, January 19, 2017
- Transparency Group Sues for FBI Records on Russian Hacking, NextGov, January 19, 2017
- Federal intelligence agencies sued over Russian Interference in U.S., SC Magazine, December 28, 2016