Previous Top News: 2017


  • In a statement to the Senate Judiciary Committee, EPIC urged lawmakers to consider consumer privacy at a hearing on "The Consumer Welfare Standard in Antitrust." EPIC emphasized the privacy risks of mergers, stating that "when companies merge, they combine not only their products, services, and finances, but also their vast troves of personal data." EPIC reminded Congress that the United States is experiencing an epidemic of data breaches, and large databases of personal data are more vulnerable to attack. EPIC testified before the Senate Judiciary Committee in 2007 about the growing risks to competition and privacy of mergers in the online advertising industry. EPIC also warned the FTC about the consumer privacy risks of high-profile mergers. In 2000, EPIC opposed DoubleClick's acquisition of Abacus. In 2007, EPIC told the FTC that Google's proposed acquisition of DoubleClick would lead to consumers being tracked and profiled by advertisers across the web. And in 2014 EPIC urged the FTC to mandate privacy safeguards for Facebook's acquisition of WhatsApp. (Dec. 12, 2017)

  • A defense authorization bill signed by the President today restores the FAA's drone registration requirement. The registration requirement was struck down by a federal appeals court earlier this year. EPIC supports registration for commercial drones because of the unique privacy risks they pose. In 2015, EPIC submitted extensive comments to the FAA, proposing that commercial drones also routinely broadcast location, course, speed over ground, as well as owner identifying information, similar to the Automated Identification System for commercial vessels. Earlier this year, EPIC also submitted statements to the House Transportation Committee and the Senate Commerce Committee emphasizing the privacy risks of commercial drones. EPIC is currently challenging the FAA's failure to establish privacy safeguards. EPIC v. FAA is before the D.C. Circuit Court of Appeals, with oral arguments scheduled for January 25, 2018. (Dec. 12, 2017)

  • EPIC has sent a statement to the House Judiciary Committee ahead of Wednesday's DOJ Oversight hearing. EPIC urged the Committee to question Deputy Attorney General Rosenstein about the FBI's ability to respond to future cyberattacks concerning the 2018 elections. A recent Associated Press investigation found that the FBI, the lead agency for cyber response, did not notify U.S. officials that their email accounts were compromised during the 2016 election. According to documents obtained by EPIC, the FBI is to notify victims of cyberattacks "even when it may interfere with another investigation or (intelligence) operation." EPIC obtained the FBI's Victim Notification Procedures through a Freedom of Information Act lawsuit, EPIC v. FBI, filed earlier this year. EPIC is currently pursuing several related FOIA cases about Russian interference in the 2016 Presidential election, including EPIC v. ODNI (Russian hacking), EPIC v. IRS (Release of Trump Tax Returns), and EPIC v. DHS (election cybersecurity). (Dec. 12, 2017)

  • Senators Maria Cantwell (D-WA) and Brian Schatz (D-HI) are planning legislation to establish new oversight committees for the use of AI. Cantwell's bill—Future of Artificial Intelligence Act of 2017—is cosponsored by Senators Ed Markey (D-MA) and Todd Young (R-IN) and would establish an AI committee at the Commerce Department. A companion bill in the House is sponsored by Representatives John Delaney (D-MD) and Pete Olson (R-TX), co-chairs of the Artificial Intelligence Caucus. Schatz has announced his intent to introduce a bill creating an independent AI commission. In 2015, EPIC launched an international campaign in support of Algorithmic Transparency and has warned Congress about the use of opaque techniques in automated decision-making. (Dec. 12, 2017)

  • In advance of a hearing on "Digital Decision-Making: The Building Blocks of Machine Learning and Artificial Intelligence," EPIC warned a Senate committee that many organizations now make decisions based on opaque techniques they don't understand. EPIC told Congress that algorithmic transparency is critical for democratic accountability. In 2015, EPIC launched an international campaign in support of Algorithmic Transparency. At a speech to UNESCO in 2015, EPIC President Marc Rotenberg called knowledge of the algorithm "a fundamental human right." Earlier this year, EPIC filed a complaint with the FTC that challenged the secret scoring of athletes by Universal Tennis. EPIC said to the FTC that it "seeks to ensure that all rating systems concerning individuals are open, transparent and accountable." (Dec. 12, 2017)

  • EPIC has filed an amicus brief in Dahda v. United States, a case concerning the federal Wiretap Act and the suppression of evidence obtained following an invalid wiretap order. The Wiretap Act requires exclusion of evidence obtained as a result of an invalid order. However, the lower court denied suppression even though the order was invalid. EPIC wrote that “it is not for the courts to create atextual exceptions” to federal privacy laws. EPIC explained that Congress enacted broad and unambiguous privacy provisions in the Wiretap Act. “If the government wishes a different outcome,” EPIC wrote, “then it should go to Congress to revise the statute.” EPIC routinely participates as amicus curiae in privacy cases before the Supreme Court, most recently in Byrd v. United States (suspicionless searches of rental cars) and Carpenter v. United States (warrantless searches of cellphone location records). (Dec. 7, 2017)

  • The Presidential Election Commission is ignoring inquiries from state election officials about the transfer of sensitive voter data sought by the Commission, according to the New Hampshire Union-Leader. The Commission previously promised—in a filing from an EPIC lawsuit—that it would tell states how to “securely” submit voter data. But New Hampshire election officials say they have been unable to reach the Commission or obtain instructions for over a month. Other posts at the Commission website suggest the agency is no longer responding to email. EPIC filed suit in July to halt the Commission’s collection of state voter data and to compel the Commission to conduct a Privacy Impact Assessment required by law. EPIC’s initial filing led the Commission to suspend the collection of voter data, discontinue the use of an unsafe computer server, and delete the voter information that was unlawfully obtained. Many states and over 150 members of Congress have opposed the Commission’s efforts to collect state voter data. EPIC’s case is EPIC v. Commission, No. 17-1320 (D.D.C.) & 17-5171 (D.C. Cir.). (Dec. 7, 2017)

  • Senators Edward Markey (D-Mass) and Richard Blumenthal (D-Conn) wrote to Facebook CEO Mark Zuckerberg with questions about Facebook’s Messenger Kids app, aimed at children 6-12. The Senators said, “we remain concerned about where sensitive information collected through this app could end up and for what purpose it could be used.” The Children’s Online Privacy Protection Act specifically limits the collection and use of data on children under the age of 13. Concerns about the misuse of children’s data remain high. EPIC and several consumer privacy organizations filed a complaint with the FTC in 2016 alleging that the Internet-connected doll Cayla spied on children. EPIC also backed a recent campaign to recall Mattel’s Aristotle, a device that collected data from young children. The campaign led Mattel to cancel the sale of Aristotle. (Dec. 7, 2017)

  • Congressman and former Presidential candidate John Anderson has passed at age 95. Among his many activities, John Anderson helped launch the Electronic Privacy Information Center in 1994 and served on the EPIC Advisory Board for more than 20 years. John Anderson was one of the early advocates for the freedom to use encryption and drafted a privacy platform for the 2008 Presidential candidates. He joined EPIC's campaign to oppose secret watch lists and served as EPIC's first chair. He also wrote the foreword to the Electronic Privacy Papers by Bruce Schneier and Dave Banisar. (Dec. 6, 2017)

  • The Federal Student Aid office (FSA) at the Department of Education is not doing enough to protect student privacy, according to an audit by the Government Accountability Office. The GAO found that FSA has failed to hold schools accountable for their lax data security practices that have resulted in numerous data breaches, and has not assessed the privacy risks for its own electronic records system. FSA collects personal information on students and their families to evaluate schools that receive federal student aid. The FSA claims that the FTC can manage privacy protection. EPIC has done extensive work to protect student privacy including a 2014 complaint to the FTC about a massive data breach that impacted students in Maricopa County. The FTC failed to act even though Maricopa County violated the FTC Safeguards Rule by failing to protect students' financial information. EPIC also urged Congress to strengthen student privacy protections following a FAFSA data breach. In 2012 EPIC sued the Department of Education for weakening student privacy protections. EPIC has proposed a Student Privacy Bill of Rights. (Dec. 6, 2017)

  • EPIC has submitted 10 recommendations for the Federal Trade Commission's "Draft Strategic Plan" for 2018-2022. EPIC explained how the FTC can protect consumers, promote competition, and encourage innovation. Among the several proposals, EPIC urged the FTC to enforce consent orders, incorporate public comments into settlements, promote transparency, produce concrete outcomes, and endorse data protection legislation. EPIC and several consumer privacy groups outlined these proposals in a letter to the FTC in February, 2017. EPIC has consistently urged the FTC to exercise its full authority in protecting consumers, and even filed a lawsuit in 2012 to get the FTC to enforce an existing consent order against Google. EPIC has also filed several consumer privacy complaints with the FTC, including a recent complaint about "toys that spy." (Dec. 5, 2017)

  • The Article 29 Working Party, a group of European privacy experts, is calling for a reexamination of the Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. In a new report, the Working Party said that "significant concerns" should be resolved by May 25, 2018 when the GDPR goes into force. If not, "the members of WP29 will take appropriate action," including litigation. The Working Party cited the US failure to appoint an Ombudsperson to review complaints, vacancies at the Privacy and Civil Liberties Oversight Board, and continued mass surveillance practices by U.S. intelligence agencies. The report follows an earlier review of the EU-US agreement which found "sufficient" protection of EU personal data to the United States. EPIC Senior Counsel Alan Butler has also highlighted weaknesses in US privacy in DPC v. Facebook, a case now before the European Court of Justice. In a related development, the Working Party also established a task force which will coordinate national investigations of the Uber data breach now underway in Europe. (Dec. 5, 2017)

  • EPIC has sent a statement to the House Judiciary Committee ahead of Thursday's FBI Oversight hearing. EPIC urged the Committee to question FBI Director Wray about the agency's ability to respond to future cyberattacks concerning the 2018 elections. A recent Associated Press investigation found that the FBI, the lead agency for cyber response, did not notify U.S. officials that their email accounts were compromised during the 2016 election. According to documents obtained by EPIC, the FBI is to notify victims of cyberattacks "even when it may interfere with another investigation or (intelligence) operation." EPIC obtained the FBI's Victim Notification Procedures through a Freedom of Information Act lawsuit, EPIC v. FBI, filed earlier this year. EPIC is currently pursuing several related FOIA cases about Russian interference in the 2016 Presidential election, including EPIC v. ODNI (Russian hacking), EPIC v. IRS (Release of Trump Tax Returns), and EPIC v. DHS (election cybersecurity). (Dec. 5, 2017)

  • In the case of Antović and Mirković v. Montenegro, the European Court of Human Rights held that camera surveillance in lecture halls at the University of Montenegro's School of Mathematics violated Article 8 of the European Convention on Human Rights (the right to respect one's "private and family life"). The decision follows earlier cases of the Court which recognize privacy rights in the workplace. Some U.S. law schools have deemed all classrooms and meeting rooms as "recordable spaces" and state that voluntary participation therefore constitutes a waiver of legal claims. EPIC has protected the human right to privacy through third-party intervention in the European Court of Human Rights as well as documented the spread of CCTV surveillance technology across American cities. EPIC's Privacy Law Sourcebook provides background on US and international privacy law. The Privacy Law and Society website provides more information about international privacy law. (Nov. 29, 2017)

  • The Ninth Circuit issued an opinion today that addressed standing — the right to bring a lawsuit — under the Video Privacy Protection Act. The court found that the law protects a "substantive right to privacy that suffers any time a video service provider discloses otherwise private information." The court stated that a "plaintiff need not allege any further harm to have standing." EPIC filed an amicus letter brief in response to the court's request for parties to discuss standing following the Supreme Court decision in Spokeo v. Robins. EPIC urged the court to recognize that "Congress intended to protect consumers' concrete interests in the confidentiality of their video viewing records." Contrasting with the Spokeo decision concerning the Fair Credit Reporting Act, the federal appeals court agreed that the video privacy law protects a "substantive interest." However, the court found that "personally identifiable information" was not disclosed by ESPN. EPIC has filed amicus briefs defending consumers in several cases after the Spokeo decision, including in Attias v. Carefirst, Gubala v. Time Warner Cable, and In re SuperValu Customer Data Security Breach Litigation. (Nov. 29, 2017)

  • EPIC sent a statement to a House Committee on Transportation ahead of a hearing on drone deployment in the United States. EPIC said that "privacy rules and identification requirements" are vital for the safe integration of commercial drones in the national air space. EPIC explained that the FAA has failed to establish necessary safeguards and has purposefully ignored privacy and public safety risks. In 2015, EPIC sued the FAA, arguing that the agency failed to comply with a Congressional mandate and a petition from leading experts. EPIC also told Congress that the FAA has excluded privacy experts from the agency task force on drone policy. In October 2017, CNN reported the first drone strike on a commercial aircraft. (Nov. 28, 2017)

  • In a letter to FBI Director Christopher Wray, Rep. Ted Lieu (D-CA) asked the FBI to brief Congress on the agency's failure to notify victims targeted by the Russian hacking group Fancy Bear. Lieu's letter follows an Associated Press (AP) investigation which found that the FBI did not notify U.S. officials that their accounts were compromised even though the FBI knew of the targeted cyber attacks and had primary responsibility in the federal government for notification. EPIC obtained the FBI's Victim Notification Procedures through a Freedom of Information Act lawsuit (EPIC v. FBI) filed earlier this year. The FBI policy calls for notifying victims of cyberattacks "even when it may interfere with another investigation or (intelligence) operation." EPIC is currently pursuing several related FOIA cases about Russian interference in the 2016 Presidential election, including EPIC v. ODNI (Russian hacking), EPIC v. IRS (Release of Trump Tax Returns), and EPIC v. DHS (election cybersecurity). (Nov. 28, 2017)

  • In advance of a hearing on "Algorithms: How Companies' Decisions About Data and Content Impact Consumers," EPIC warned a Congressional committee that many organizations now make decisions based on opaque techniques they don't understand. EPIC told Congress that algorithmic transparency is critical for democratic accountability. In 2015, EPIC launched an international campaign in support of Algorithmic Transparency. At a speech to UNESCO in 2015, EPIC President Marc Rotenberg called knowledge of the algorithm "a fundamental human right." Earlier this year, EPIC filed a complaint with the FTC that challenged the secret scoring of athletes by Universal Tennis. EPIC said to the FTC that it "seeks to ensure that all rating systems concerning individuals are open, transparent and accountable." (Nov. 28, 2017)

  • Senator Mark Warner sent a letter to the Uber CEO, Dara Khosrowshahi, questioning him about why the company covered up a data breach that affected 57 million consumers last year. Uber recently admitted that it hid a massive data breach from the public and paid the hackers $100,000 to delete the data. The stolen data included names, e-mail addresses, phone numbers, and drivers' licenses. Senator Warner told the Uber CEO that he had "grave concerns about your handling of a breach," including the fact that the company disclosed the breach to investors but not the public. Senator Warner has co-sponsored bipartisan legislation that would provide consumers with one free credit freeze per year and protect the credit ratings of veterans wrongly penalized by medical bills. EPIC's 2015 complaint with the FTC regarding Uber's abuse of personal data led to an FTC settlement in August, 2017. EPIC has also proposed a privacy law for Uber and other ride-sharing companies. (Nov. 28, 2017)

  • EPIC has provided a comprehensive report explaining the latest developments in U.S. privacy law and policy to the International Working Group on Data Protection in Telecommunications. The Berlin-based Working Group includes Data Protection Authorities and experts from around the world, who work together to address emerging privacy challenges. The EPIC report details legislative proposals to address privacy and security risks of automated vehicles, the pending Supreme Court case concerning cell phone location tracking, Carpenter v. United States, the U.S. investigation of the Russian interference in the 2016 election, the Equifax data breach, and more. The 62nd meeting of the IWG will take place in Paris, France on November 27-28. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the Goethe-Institut, Germany's cultural institute. (Nov. 27, 2017)

  • EPIC filed an amicus brief with a federal appeals court urging the court to reject a proposed class action settlement in a consumer privacy case. The case involved Google tracking internet users in violation of the users' privacy settings. EPIC said the settlement resulted in no change in business practices and wrongly awarded cy pres funds to organizations that Google would otherwise support. The settlement was also opposed by the Attorneys General of thirteen states. EPIC, the Center for Digital Democracy, and US PIRG were the groups that warned the FTC in 2007 that the Google-DoubleClick merger would lead to the internet tracking practices at issue in the settlement. EPIC's 2010 FTC complaint regarding Google Buzz also led to the FTC's Consent Order with Google that enabled the Commission to pursue related charges against Google. EPIC has proposed an objective basis for courts to make determinations in consumer privacy cases that protect the interests of class members and avoid the risk of collusion between the parties in settlement. (Nov. 22, 2017)

  • Uber just admitted that hackers stole the personal data of 57 million Uber customers and drivers in October 2016. The data included names, e-mail addresses, phone numbers, and the license numbers of 600,000 drivers. Rather than disclose the data breach to the public, as required by law, Uber paid the hackers $100,000 to delete the information. Uber has a well-documented history of abusing consumer privacy. EPIC recently testified in the Senate for strong data breach legislation that would require companies to immediately notify affected consumers of data breaches. EPIC filed a complaint with the FTC in 2015 regarding Uber's egregious misuse of personal data. That complaint led to an FTC settlement with Uber in August, 2017. In 2015, EPIC also proposed a privacy law for Uber and other ride-sharing companies. (Nov. 21, 2017)

  • The U.S. Court of Appeals for the D.C. Circuit hears arguments today in EPIC’s case against the Presidential Election Commission concerning the unlawful collection of state voter data. Live audio of the arguments will be streamed from this link beginning at 9:30 a.m. ET. EPIC filed suit to halt the Commission’s collection of state voter data and to compel the Commission to conduct a Privacy Impact Assessment required by law. EPIC’s initial filing led the Commission to suspend the collection of voter data, discontinue the use of an unsafe computer server, and delete the state voter data that was unlawfully obtained. Many states have opposed the Commission’s efforts to obtain state voter data. More than 150 members of Congress have urged the Commission to end the collection of voter data. The Government Accountability Office has opened an investigation to determine whether the Commission has engaged in unlawful action. And one Member of the Commission recently filed suit against the Commission. EPIC’s case is EPIC v. Commission, No. 17-1320 (D.D.C.) & 17-5171 (D.C. Cir.). (Nov. 21, 2017)

  • Senator Patrick Leahy (D-VT) and Senator Mike Lee (R-UT) have introduced the USA Liberty Act to reform surveillance under Section 702 of the Foreign Intelligence Surveillance Act. The Leahy-Lee bill would close the "backdoor search" loophole by requiring a probable cause court order before the government can review the contents of Americans' communications. The Leahy-Lee bill also codifies the ban on collecting "about" communications, mandates the appointment of amicus curiae for review of the surveillance programs, and establishes new reporting requirements. In a Freedom of Information Act lawsuit, EPIC v. NSD, EPIC is seeking the release of a Foreign Intelligence Surveillance Court report detailing the FBI’s use of section 702 data for domestic criminal purposes. (Nov. 20, 2017)

  • EPIC has filed an amicus brief in Byrd v. United States, a case about warrantless searches of rental vehicles. EPIC urged the Supreme Court to recognize that a modern car collects vast troves of personal data. EPIC explained cars today "make little distinction between driver and occupant, those on a rental agreement and those who are not." EPIC pointed to the routine collection of cell phone contents with a Bluetooth connection, data which is stored in the car even after "deletion." EPIC also emphasized that the status of the driver has no bearing on Fourth Amendment privacy interests. The lower court held that because the driver was not an authorized renter, he was not entitled to privacy protection. EPIC has filed extensive comments with the National Highway Traffic Safety Administration, the Federal Trade Commission and the Department of Transportation, and testified before the U.S. Congress regarding the privacy and consumer safety risks posed by connected vehicles. EPIC also routinely participates as amicus curiae in cases before the Supreme Court, such as in United States v. Jones, Riley v. California, and Florida v. Harris. (Nov. 20, 2017)

  • In the Freedom of Information Act lawsuit EPIC v. FBI, EPIC has filed a motion contending the FBI must release records detailing the Russian interference in the 2016 election. EPIC explained that "a year after the election the full extent of Russian interference remains unknown to the public." EPIC also said the FBI's failure to release documents "is contrary to law and leave at risk the security of future U.S. elections." The FBI must now file a reply to EPIC's motion. EPIC v. FBI is a part of the new EPIC Democracy and Cybersecurity Project focused on preserving democratic institutions. EPIC has filed related FOIA lawsuits against the DHS, ODNI, and IRS. EPIC also recently pressed the Federal Election Commission to establish transparency for online ads. The FEC voted unanimously to adopt new rules. (Nov. 20, 2017)

  • After receiving over 150,000 public comments, the Federal Election Commission voted unanimously to make new rules governing online political ad disclosures. EPIC, numerous other organizations, and lawmakers pressed the FEC to require transparency for online ads to combat foreign interference in U.S. elections. The FEC had solicited public comments on its internet disclosure rules three times in six years before finally taking action. A group of 15 Senators wrote, "The FEC must close loopholes that have allowed foreign adversaries to sow discord and misinform the American electorate." And a group of 18 members of Congress urged the FEC to "address head-on the topic of illicit foreign activity in U.S. elections." EPIC suggested the FEC go a step beyond simple disclosures and require "algorithmic transparency" for online platforms that deliver targeted ads to voters. Several senators have also introduced a bipartisan bill that would require the same disclosures for online ads as for television and radio. EPIC is fully engaged in protecting the integrity of elections with its Project on Democracy and Cybersecurity. (Nov. 16, 2017)

  • EPIC and a coalition of civil rights organizations have sent a letter to the Acting Secretary of Homeland Security strongly opposing the Extreme Vetting Initiative. A similar letter was sent by technical experts. The government's 'Extreme Vetting' initiative uses opaque procedures, secret profiles, and obscure data, including social media posts, to review visa applicants and make final determinations. EPIC has warned against both the government's use of social media data and secret algorithms to profile individuals for decision-making purposes. EPIC is also pursuing a FOIA request for details on the relationship between the Immigration and Customs Enforcement agency and Palantir, a company that provides software to analyze large amounts of data. (Nov. 16, 2017)

  • The Consumer Financial Protection Bureau recently set out guidance for financial services that aggregate consumer data. The Bureau outlined Consumer Protection Principles that "express the Bureau's vision for realizing a robust, safe, and workable data aggregation market that gives consumers protection, usefulness, and value." The Consumer Protection Principles for aggregated consumer data services are: (1) consumer access to information, (2) usability and limited scope of access by third parties, (3) consumer control and informed consent, (4) authorizing payments, (5) security, (6) access transparency, (7) accuracy, (8) ability to dispute and resolve unauthorized access, and (9) efficient and effective accountability mechanisms. EPIC has urged Congress to establish privacy and data security standards for consumer services and has championed algorithmic transparency. In testimony before Congress, EPIC Board member Professor Frank Pasquale explained that the use of secret algorithms often has adverse consequences for consumers. (Nov. 16, 2017)

  • In advance of a hearing on "Cyber Threat Information Sharing," EPIC has sent a statement to the House Homeland Security Committee. EPIC urged the Committee to determine whether there are sufficient protections for personal data sent to government agencies. Private companies now have legal authority to transfer data to government agencies outside traditional privacy procedures following passage of the Cybersecurity Information Sharing Act. EPIC and a broad coalition warned that the law will increase monitoring of Internet users and government secrecy. EPIC urged the Congressional committee to carefully examine the "scrubbing" techniques that are intended to remove personally identifiable information before data is transferred to federal agencies. (Nov. 15, 2017)

  • The White House has released the "Vulnerabilities Equities Policy and Process," describing how the U.S. Government will make decisions regarding disclosure of "Zero-day vulnerabilities." At issue are vulnerabilities in software and consumer products that can be exploited by intelligence agencies and malicious hackers. If the VEP review board — comprised of agency representatives such as the DHS, ODNI, CIA, FBI, OMB, Commerce Department, and NSA — votes for disclosure, the tech company will be notified "when possible" within 7 business days. The charter requires the NSA, serving as the board's secretariat, to produce an annual public report on VEP decisions. In extensive comments on surveillance reform, EPIC supported the recommendations of the Obama Review Group, which included a recommendation for an interagency process to review "Zero-day vulnerabilities." In a letter to the Senate Committee on Homeland Security earlier this year, EPIC stated that "data protection and privacy should remain a central focus of the cyber security policy of the United States." (Nov. 15, 2017)

  • The opinion of a key adviser to the European Court of Justice holds that a class action cannot proceed against Facebook, but would permit individual privacy claims to move forward. The class action of 25,000 consumers brought by Austrian privacy activist and EPIC Advisory Board member Max Schrems alleges Facebook violated Europeans' privacy rights, including for transferring data to the U.S. intelligence community. The opinion from Advocate General Bobek said a "consumer cannot invoke, at the same time as his own claims, claims on the same subject assigned by other consumers," citing the risk of consumers shopping for the most favorable forums. The European Court of Justice typically adopts the opinions of the Advocate General. The Court of Justice will also consider DPC v. Facebook, involving whether Facebook's data transfers from Ireland to the U.S. violate European Fundamental Rights. In 2013, Max Schrems received the EPIC International Champion of Freedom Award. (Nov. 15, 2017)

  • In comments to the National Highway Traffic Safety Administration, EPIC warned that the agency's proposed voluntary guidelines for autonomous vehicles would not protect auto passengers. EPIC explained that privacy and security are paramount safety concerns and stated that "strong encryption in autonomous vehicles will be essential to driver safety." EPIC urged NHTSA to issue mandatory guidelines to protect consumers. EPIC also warned that the FTC lacks authority and expertise to protect driver privacy and security. EPIC made comments to NHTSA earlier this year, and has also brought this issue to the attention of a House committee on consumer protection and the Senate Committee on Commerce. (Nov. 15, 2017)

  • Senator Patrick Leahy (D-VT), joined by six other Senators, introduced comprehensive legislation to protect consumers from data breach and identity theft. The Consumer Privacy Protection Act of 2017 requires companies to provide notice to consumers after a data breach and meet certain baseline privacy and data security standards. The Consumer Privacy Act also prohibits companies from using a data breach to force consumers into individual arbitration, and would punish companies for concealing security breaches. Senator Leahy stated, "Companies that profit from our personal information should be obligated to take steps to keep it safe." Senator Leahy added, "In today's world, data security is no longer just about protecting our identities and our bank accounts; it is about protecting our privacy and even our national security." EPIC recently testified before the Senate Banking Committee in the wake of the Equifax breach, calling for consumer control over their personal data. EPIC President Marc Rotenberg also outlined several steps for Congress to reform the credit reporting industry in the Harvard Business Review. (Nov. 15, 2017)

  • The U.S. Court of Appeals for the D.C. Circuit will hear arguments next week in EPIC’s case against the Presidential Election Commission concerning the unlawful collection of state voter data. EPIC filed suit to halt the Commission’s collection of state voter data and to compel the Commission to conduct a Privacy Impact Assessment required by law. EPIC’s initial filing led the Commission to suspend the collection of voter data, discontinue the use of an unsafe computer server, and delete the state voter data that was unlawfully obtained. Many states have opposed the Commission’s efforts to obtain state voter data. More than 150 members of Congress have urged the Commission to end the collection of voter data. The Government Accountability Office has opened an investigation to determine whether the Commission has engaged in unlawful action. And one Member of the Commission recently filed suit against the Commission. Arguments in EPIC v. Commission are set for next Tuesday, November 21 at 9:30 a.m. and will be streamed live through the D.C. Circuit’s website. (Nov. 15, 2017)

  • A group of Senators has requested information from the Social Security Administration about the Presidential Election Commission's controversial plan to compare state voter rolls to the SSA's master database. Vice Chair Kris Kobach announced at the Commission's first meeting that the Commission staff would seek personal data from numerous federal agencies, including the SSA. EPIC filed a FOIA request with the SSA in September seeking records of the Commission's attempts to collect SSA data. "The public must know whether, how, and for what purpose a federal Commission is seeking new personal data from SSA, and how the federal agency has responded to any attempt to collect this data," EPIC wrote. EPIC filed similar FOIA requests with the Department of Justice and Department of Homeland Security. EPIC's case challenging the Commission's collection of state voter data will be argued next Tuesday, November 21 at 9:30 a.m. before the U.S. Court of Appeals for the D.C. Circuit. (Nov. 14, 2017)

  • Following a hearing on Russian Interference with the 2016 U.S. Election, EPIC has sent a statement to the House Judiciary Committee. EPIC urged the Committee to explore whether the FBI Victim Notification procedures were followed once the FBI became aware of the Russian cyberattack on the DNC and the RNC. In a Freedom of Information Act lawsuit EPIC v. FBI, EPIC obtained the FBI notification procedures that would have applied during the 2016 Presidential election. The documents indicate that the FBI Cyber Division is to "notify and disseminate meaningful information to victims and the CND [Computer Network Defense] community." The obvious question at this point, said EPIC, is whether the FBI followed the required procedures for Victim Notification once the Bureau became aware of this attack. In a related FOIA case, EPIC v. ODNI, EPIC is seeking the public release of the complete report of the intelligence community on the Russian interference with the 2016 election. (Nov. 14, 2017)

  • A group of 15 Senators led by Mark Warner (D-VA), Amy Klobuchar (D-MN), and Claire McCaskill (D-MO) has urged the Federal Election Commission to improve transparency for online political ads. The Senators stated that, "the FEC can and should take immediate and decisive action to ensure parity between ads seen on the internet and those on television and radio." The Senators emphasized how "Russian operatives used advertisements on social media platforms to sow division and discord" during the 2016 election. EPIC provided comments to the FEC calling for "algorithmic transparency" and the disclosure of who paid for online ads. Senators Klobuchar, Warner, and McCain (R-AZ) have also introduced a bipartisan bill that would require the same disclosures for online political advertisements as for those on television and radio. EPIC's Project on Democracy and Cybersecurity, established after the 2016 presidential election, seeks to promote election integrity and safeguard democratic institutions from various forms of cyber attack. (Nov. 13, 2017)

  • Missouri Attorney General Josh Hawley has announced an investigation into Google's business practices concerning Internet privacy. The investigation also examines whether Google misappropriated content from competitors' websites and manipulated search results to preference Google sites. The Missouri AG stated, "when a company has access to as much consumer information as Google does, it's my duty to ensure they are using it appropriately." The announcement highlighted EPIC's recent FTC Complaint against Google regarding the company's tracking of in-store purchases as well as the record fine by the European Union for monopolistic search practices. Under the leadership of then Connecticut Attorney General Richard Blumenthal, the state Attorneys General previously investigated Google for the unlawful interception of private communications by means of the Google "Street View" vehicles. The state AGs fined Google $7,000,000 when it was found that the company "casually scooped up passwords, e-mail and other personal information from unsuspecting computer users." (Nov. 13, 2017)

  • A defense authorization bill released today in the House would restore an FAA drone regulation that was struck down by a federal appeals court earlier this year. The D.C. Circuit had previously ruled that a regulation requiring hobbyists to register their drones violated the FAA Modernization Act, which forbids regulations for "model aircraft." EPIC strongly supports registration for commercial drones but recognizes an exception for hobbyists. EPIC submitted statements to the House Transportation Committee and the Senate Commerce Committee earlier this year emphasizing the unique privacy risks of commercial drones. EPIC is currently challenging the FAA's failure to protect the public from aerial surveillance by commercial drones in federal court. EPIC v. FAA is currently before the D.C. Circuit Court of Appeals, with oral arguments scheduled for January 25, 2018. (Nov. 9, 2017)

  • A member of the Presidential Election Commission has sued the Commission, arguing that the Commission has violated the Federal Advisory Committee Act. According to Maine Secretary of State Matthew Dunlap, the Commission violated FACA by "excluding certain members of the Commission from substantively participating in its work" and by "preventing certain members of the Commission from accessing documents made available to some Commission members." EPIC filed the first lawsuit against the Commission, charging that it had violated federal law when it failed to conduct and publish a Privacy Impact Assessment prior to the collection of state voter data. EPIC v. Presidential Commission is now before the federal appeals court for the D.C. Circuit. Oral argument is scheduled for November 21, 2017. (Nov. 9, 2017)

  • The FTC released a draft of the FTC 2018-2022 strategic plan for public comment. The plan broadly summarizes the FTC's role in protecting consumers and promoting competition. Federal agencies are required by law to publish a strategic plan every four years. EPIC has stated that the Commission needs to "step up its efforts to protect the privacy interests of American consumers." EPIC wrote to the Senate Commerce Committee in advance of a recent hearing on reform proposals for the FTC, stating "the FTC must do more to safeguard American consumers." EPIC also urged the FTC to re-focus an upcoming "workshop on informational injury" on the unprecedented levels of data breach and identity theft in the United States. Earlier this year, EPIC and a coalition of consumer privacy organizations set out "10 Steps for the FTC to Protect Consumers." Comments on the Strategic Plan are due to the FTC by December 5, 2017. (Nov. 9, 2017)

  • The Senate Commerce Committee heard testimony this week from Equifax, Yahoo, and Verizon executives in a hearing on "Protecting Consumers in the Era of Major Data Breaches." A witness for a company selling identification systems recommended an "identity framework," with fingerprints and facial recognition to replace the Social Security Number. EPIC President Marc Rotenberg recently warned against replacing the SSN with a national biometric identifier in testimony before the Senate Banking Committee. Rotenberg has detailed how the credit reporting industry is broken and the steps Congress should take to give consumers greater control over their personal data. EPIC has urged the Senate Judiciary Committee, the House Financial Services Committee, and the House Energy Committee to establish new safeguards for consumers following the Equifax data breach. (Nov. 9, 2017)

  • Today Congress considered the nomination of Kirstjen M. Nielsen as Secretary at the Department of Homeland Security. Ms. Nielsen opposes a border wall but suggested an expansion of border surveillance. "Technology, as you know, plays a key part, and we can't forget it," she said. EPIC is pursuing a FOIA request regarding the use of DHS drones for border surveillance. Earlier EPIC cases - including EPIC v. DHS, which led to the removal of x-ray body scanners in US airports - revealed that technologies for border surveillance invariably impact the privacy rights of Americans. Ms. Nielsen's views on the use of DACA applicant data for enforcement remain unclear. EPIC recently warned that 800,000 DACA applicants face privacy risks as a result of the decision to end the Deferred Action for Childhood Arrivals. (Nov. 9, 2017)

  • The European Court of Human Rights has heard 10 Human Rights Organizations v. UK, a legal challenge which will impact surveillance practices around the world. The organizations that brought the case argue that surveillance by UK and US intelligence services violated their fundamental rights. In today's hearing, the groups' legal representative characterized the government's position as "trust us and we will keep you safe." Instead, she called for a "framework to ensure...public authorities are doing no more than is truly proportionate and are only using these very intrusive powers when they're necessary." EPIC filed a brief in the case explaining that the NSA's "technological capacities" enable "wide scale surveillance" and that U.S. statutes do not restrict surveillance of non-U.S. persons abroad. The EPIC casebook Privacy Law and Society explores a wide range of privacy issues, including recent decisions of the European Court of Human Rights. (Nov. 7, 2017)

  • A federal court, ruling in an EPIC FOIA lawsuit, has ordered the Department of Justice to defend the agency's refusal to release portions of its Foreign Intelligence Surveillance Act (FISA) reports. The semiannual reports, prepared for Congressional oversight committees, summarize significant FISA Court decisions and include the total number of FISA applications filed by the government and the number of U.S. persons targeted for surveillance. Though the court ruled that the DOJ can withhold some of the material requested by EPIC, the court found multiple "inconsistencies in the redactions that the government must address." Previously, EPIC's FOIA request and lawsuit led to the release of secret documents about the government's use of pen registers to collect records of private communications. (Nov. 7, 2017)

  • In comments to the Federal Election Commission, EPIC urged new rules to require transparency for online political ads. EPIC said voters should "know as much about advertisers as advertisers know about voters." EPIC called for algorithmic transparency which would require advertisers to disclose the demographic factors behind targeted political ads, as well as the source and payment. The FEC reopened a comment period on proposed rules "in light of developments." This week representatives from Facebook, Twitter and Google testified at two Senate hearings on the role that social media played in Russian meddling in the 2016 election. Senators Klobuchar (D-MN), Warner (D-VA), and McCain (R-AZ) have also introduced a bipartisan bill that would require increased disclosures for online political advertisements. EPIC's Project on Democracy and Cybersecurity, established after the 2016 presidential election, seeks to safeguard democratic institutions from various forms of cyber attack. (Nov. 3, 2017)

  • The Trump administration has set aside a proposed rule by the National Highway Transit Safety Association to regulate vehicle-to-vehicle (V2V) technology for all new cars and light trucks. V2V technology transmits data between vehicles to "facilitate warnings to drivers concerning impending crashes." NHTSA and safety advocates have touted V2V technology as life-saving, noting that traffic fatalities have surged over the past two years with the increased use of cellphones. The rule was also supported by automakers to establish baseline safety standards. EPIC commented on the proposed rule and urged NHTSA to adopt stronger privacy protections. EPIC also submitted comments to the FTC and NHTSA for a workshop on connected vehicles, recommending that the agencies do more to protect consumer data. Security researchers have provided numerous examples of remote hacking of vehicles. The administration has denied that it has made any final decision on the rule, but it was removed from an OMB list of upcoming regulatory actions. (Nov. 1, 2017)

  • EPIC has filed a Freedom of Information Act lawsuit against the Department of Justice National Security Division for a report detailing the FBI's warrantless searches for information about U.S. citizens. Section 702 of the Foreign Intelligence Surveillance Act allows warrantless searches of non-U.S. persons in foreign intelligence investigations. But there are concerns that the FBI uses this authority to conduct "backdoor searches" on Americans. In EPIC v. NSD, EPIC seeks the release of a report ordered by the Foreign Intelligence Surveillance Court detailing the FBI's use of section 702 data for domestic criminal purposes. EPIC also recently joined a coalition of over 50 organizations calling on lawmakers to establish a warrant requirement before the government can search 702 databases for information about U.S. citizens and residents. The USA Rights Act, now pending in Congress, would end backdoor searches by all federal agencies. (Nov. 1, 2017)

  • EPIC has just received new documents in a FOIA case against the Department of Justice, but the agency is refusing to release reports about the use of "risk assessment" tools in the criminal justice system. In 2014, the Attorney General called on the U.S. Sentencing Commission to review the use of "risk assessments" in criminal sentencing, expressing concern about potential bias. EPIC requested that document and filed suit against the DOJ to obtain it, but the agency failed to release the report by a court-ordered deadline. EPIC did obtain emails confirming the existence of a 2014 DOJ report about "predictive policing" algorithms, but the agency also withheld that report. "Risk assessments" are secret techniques used to set bail, to determine criminal sentences, and even decide guilt or innocence. EPIC has pursued several FOIA cases to promote algorithmic transparency, including cases on passenger risk assessment, "future crime" prediction, and proprietary forensic analysis. (Nov. 1, 2017)

  • This week the Senate is holding two hearings to investigate Russians' use of social media platforms to influence the 2016 U.S. presidential election. Today, the Senate Committee on the Judiciary's Subcommittee on Crime and Terrorism is holding a hearing on "Extremist Content and Russian Disinformation Online: Working with Tech to Find Solutions." Representatives from Facebook, Twitter, and Google as well as foreign policy experts will testify. Tomorrow the Senate Select Committee on Intelligence will hold a hearing on "Social Media Influence in the 2016 U.S. Elections." In 2017, EPIC launched the Democracy and Cybersecurity project to preserve the integrity of democratic institutions. EPIC is currently pursuing several Freedom of Information Act cases to learn more about Russian interference in the 2016 Presidential election, including: EPIC v. ODNI (Russian hacking), EPIC v. FBI (Russian hacking), EPIC v. IRS (Release of Trump Tax Returns), and EPIC v. DHS (election cybersecurity). (Oct. 31, 2017)

  • EPIC joined a coalition of open government groups to urge government agencies to implement the "Release to One, Release to All" policy for Freedom of Information Act requests. This policy would require federal agencies to post all Freedom of Information Act disclosures online after the information is released to a particular requester. Despite overwhelmingly positive public comments, the Office of Information Policy at the Department of Justice has failed to finalize the policy. EPIC supports FOIA reforms to promote government transparency and files lawsuits to force disclosure of agency records. Most recently the EPIC Democracy and Cybersecurity Project is pursuing FOIA requests concerning Russian interference with the 2016 Presidential election. (Oct. 31, 2017)

  • EPIC has sent a letter to the FTC expressing concerns regarding its upcoming workshop on "Informational Injury." In advance of the workshop, the FTC has asked, "how to best characterize" privacy injuries. EPIC stated, "the injuries consumers face are obvious," in particular the unprecedented levels of data breach and identity theft. EPIC urged the FTC to re-focus the workshop on the questions of why data breach, identity theft, and financial fraud continue to rise in the United States, and how the FTC can do more to address these issues. EPIC recently testified before Congress on consumer data security and the credit bureaus, and has called on the FTC to step up its enforcement to protect consumer privacy. (Oct. 31, 2017)

  • In comments filed with the Open Government Partnership's Independent Reporting Mechanism, EPIC assessed the government's progress toward the transparency commitments it made in the National Action Plan on Open Government. EPIC advised the government to incorporate findings of the Commission on Evidence Based Policymaking including the use of Privacy Enhancing Techniques, called for the Privacy and Civil Liberties Oversight Board (PCLOB) to be restored to full strength, and warned about the federal government's ongoing failure to create Privacy Impact Assessments required by law. EPIC and a coalition of civil society groups had issued recommendations for the Third National Action Plan, and, in response, the administration pledged to modernize implementation of the FOIA, streamline record declassification, and increase transparency of the intelligence community. The Plan is an initiative pursued by countries and NGOs participating in the Open Government Partnership. (Oct. 30, 2017)

  • EPIC submitted a statement to the House Homeland Security Committee in advance of a hearing on "Examining Physical Security and Cybersecurity at Our Nation's Ports." The Committee recently reported favorably "The Border Security for America Act," which would dramatically expand U.S. border surveillance, including a biometric exit data system at U.S. seaports. EPIC has expertise regarding maritime surveillance. EPIC pursued a Freedom of Information Act lawsuit against the Department of Homeland Security concerning the Nationwide Automatic Identification System, a system designed with the support of the U.S. Coast Guard to promote boating safety that the DHS has transformed into a surveillance system for monitoring vessels, including recreational vessels operated by U.S. citizens. In the letter to the House Committee, EPIC warned that "many of the techniques that are proposed to enhance border surveillance have direct implications for the privacy of American citizens." (Oct. 30, 2017)

  • Speaking at the OECD conference "Intelligent Machines, Smart Policies," EPIC President Marc Rotenberg urged support for Algorithmic Transparency. "We must establish this principle of accountability as the cornerstone of AI policy," said Mr. Rotenberg. Rotenberg spoke in support of Algorithmic Transparency at the 2014 OECD Global Forum for the Knowledge Economy in Tokyo. EPIC is now working with OECD member states, NGOs, business groups, and technology experts on the development of an AI policy framework, similar to earlier OECD policy frameworks on privacy, cryptography, and critical infrastructure protection. (Oct. 27, 2017)

  • The Government Accountability Office announced this week that it will conduct an investigation into the activities of the Presidential Election Commission. The decision follows a letter by three senators urging the GAO to launch a probe and warning that the Commission’s lack of transparency will “unnecessarily diminish confidence in our democratic process.” Among the issues raised in the letter from the Senators are: “The steps the PACEI has taken to protect any voter information that is has collected” and “The steps the PACEI took to adhere to regulations governing its activity.” EPIC sued the Commission in July for failing to conduct a Privacy Impact Assessment prior to establishing a database of personal voter data. Last week, EPIC urged Congress and the General Services Administration to block the Commission from collecting voter information. EPIC's case is EPIC v. Commission, No. 17-1320 (D.D.C.), and the related appeal is EPIC v. Commission, No. 17-5171 (D.C. Cir.). The argument before the D.C. Circuit Court of Appeals is scheduled for November 21, 2017. (Oct. 27, 2017)

  • The Article 29 Working Party, a group of European privacy experts, warned WhatsApp that it is still not complying with data protection law. Following Facebook's acquisition of WhatsApp, WhatsApp transferred users' personal data to Facebook, violating past privacy promises. In a letter to WhatsApp, Article 29 said "the information presented to users was seriously deficient as a means to inform their consent," and that WhatsApp must promptly establish a "clear, comprehensive resolution." Backed by over a dozen US consumer groups, in 2016 EPIC filed a complaint with the FTC urging the agency to block Facebook's acquisition of WhatsApp if privacy safeguards were not put in place. The FTC wrote to both companies, explaining that their failure to honor privacy obligations could violate U.S. law. (Oct. 27, 2017)

  • A Presidential Memorandum on "Unmanned Aircraft Systems Integration Pilot Program" seeks to promote local state involvement in "development and enforcement" of Federal regulations as well as "inform the development of future Federal guidelines and regulatory decisions" on drone operations nationwide. As the FAA has failed to establish national standards for privacy, many local governments have passed laws to regulate the use of drones. According to the National Conference on Site Legislation, at least 38 states are considering legislation related to drones in the 2017 legislative session. In 2016, EPIC renewed its suit against the FAA, arguing the agency failed to protect the public from aerial surveillance. EPIC v. FAA is currently before the D.C. Circuit Court of Appeals. Argument will likely take place this fall. (Oct. 26, 2017)

  • According to a Washington Post article, the FAA's Drone Advisory Committee hosted secret meetings and asked participants to sign confidentiality agreements. Documents obtained earlier by EPIC uncovered similar secret meetings leading to the FAA policy on drones that ignored privacy safeguards. The closed-door meetings appear to violate the Federal Advisory Committee Act. EPIC has also sued the FAA to obtain the meeting documents of the FAA's Drone Registration Task Force. EPIC's case to establish national privacy regulations, EPIC v. FAA, is currently pending before the D.C. Circuit Court of Appeals. (Oct. 26, 2017)

  • The Senate voted 51-50 (with Vice President Pence breaking the tie) to repeal the CFPB rule that prevented financial companies from forcing consumers into individual arbitration. Fine-print arbitration clauses in consumer contracts have proliferated ever since a pair of Supreme Court rulings held that courts must enforce these clauses. Equifax generated public outrage after its breach when it lured consumers into signing away their rights to sue the company. As the CFPB found, arbitration clauses that ban class actions inhibit consumers from obtaining meaningful relief and holding financial institutions like Equifax and Wells Fargo accountable when they break the law. Senators Franken (D-MN) and Leahy (D-VT) have introduced legislation that would prohibit companies from denying individuals their right to go to court. EPIC President Marc Rotenberg recently testified before the Senate Banking Committee on the Equifax data breach. Rotenberg said the "company tried to trick consumer into an arbitration agreement, guaranteeing that there would be few legal remedies for consumers following the breach." (Oct. 26, 2017)

  • The opinion of a key adviser to the European Court of Justice holds that local European data protection authorities can directly enforce privacy laws against Facebook. The case involves a German data protection authority's order to deactivate a local Facebook fan page for illegally tracking users. The opinion from Advocate General Bot said regional data protection authorities can intervene to stop unlawful data practices. The European Court of Justice typically adopts the opinions of the Advocate General. The Court of Justice will also consider DPC v. Facebook, involving whether Facebook's data transfers from Ireland to the U.S. violate European Fundamental Rights. (Oct. 24, 2017)

  • Eleven senators introduced bipartisan legislation to reauthorize the Foreign Intelligence Surveillance Act with significant new civil liberties protections. Among other reforms, the USA Rights Act codifies the ban on collecting "about" communications, prohibits collection of domestic communications, expands the powers of the Civil Liberties Oversight Board, and requires independent amicus review during the FISC's annual authorization. The bill does not establish certain protections sought by Europeans during the recent Privacy Shield review. Senate Intelligence Committee Chair Richard Burr's bill would expand 702 surveillance authorities. EPIC and a coalition of organizations recently urged that the markup hearing on the proposal be opened to the public. (Oct. 24, 2017)

  • EPIC has sent a letter to the Senate Finance Committee with questions for the next Commissioner of U.S. Customs and Border Protection. The Committee will consider the nomination of Kevin McAleenan to head the CBP at a hearing this week. EPIC raised questions regarding (1) whether Kevin McAleenan would use DACA data for purposes unrelated to DACA eligibility; (2) CBP's use of facial recognition technology; (3) CBP's collection of social media information; (4) CBP's proposed exemption of Privacy Act safeguards for a new agency database; and (5) CBP's use of drones to conduct aerial surveillance on American citizens. EPIC asked "How will CBP ensure that the collection and use of biometric data will not expand beyond the original purpose?" and "Will CBP link images collected by drones with facial biometrics in CBP or DHS databases?" EPIC has submitted comments to DHS and CBP concerning their collection of social media information. EPIC has also filed a FOIA lawsuit seeking documents on CBP's biometric tracking programs and EPIC's Jeramie Scott has written an op-ed for The Hill about CBP's use of facial recognition technology. (Oct. 24, 2017)

  • The Federal Trade Commission has clarified how the Children's Online Privacy Protection Act applies to toys that make voice recordings of children. The Commission's enforcement policy statement stated that an audio file may only be used "as a replacement for written words," and may only be maintained "for the brief time necessary for that purpose." Additionally, "the operator may not make any other use of the audio file in the brief period before the file is destroyed — for example, for behavioral targeting or profiling purposes." EPIC has supported efforts by consumer groups to warn of the risks smart toys pose to childhood development. Last year, a coalition of consumer groups pursued a complaint about My Friend Cayla, an Internet connected toy that recorded the private conversations of children. The complaint spurred a Congressional investigation and the toy was recalled in Europe. (Oct. 24, 2017)

  • In comments to Customs and Border Protection, EPIC opposed the federal agency's proposal to collect social media information, including metadata, for a new intelligence database. CBP also proposed to exempt the database from protections of the Privacy Act and to create numerous "routine uses" for the information. EPIC said that CBP should narrow the Privacy Act exemptions and limit the number of routine uses. In a FOIA lawsuit against DHS, EPIC obtained documents which revealed that federal agencies gather social media comments to identify individuals critical of the government. EPIC is currently pursuing a FOIA request about a revised DHS plan to require disclosure of social media passwords before allowing entry into the country. (Oct. 24, 2017)

  • The European Parliament Committee on Civil Liberties, Justice and Home Affairs - or LIBE Committee - has approved an update to EU communications privacy law in a key step toward finalizing the regulation. The proposed e-Privacy Regulation would extend consumer safeguards to users of all online communications services, cover content and metadata, and limit tracking of internet users. The Members recommended that "privacy by default" settings be standardized, that providers use strong encryption, and that users' consent be obtained before the use of any personal data. In the U.S., EPIC has urged the Federal Communications Commission to bring U.S. law up to date with a similar, comprehensive approach to communications privacy. Next, the full European Parliament will vote on the legislation this week. (Oct. 23, 2017)

  • In the largest study to date of police body cameras, a new report concluded that the cameras had no impact on police use of force and civilian complaints. The report is a result of a project in Washington, D.C. to assess the benefits of the body cameras worn by the Metropolitan Police Department. EPIC previously testified before the D.C. City Council, warning of the risks of mass public surveillance and arguing that police body cameras were "an intrusive and ineffective technology that does not address underlying problems with police accountability." (Oct. 20, 2017)

  • The Pew Research Center released a report on how to address the spread of digital misinformation in the coming decade. The report's respondents were evenly divided on whether technological advances in the coming decade will fix the problem of misinformation, or only compound it. EPIC President Marc Rotenberg told Pew, "The problem with online news is structural: There are too few gatekeepers, and the internet business model does not sustain quality journalism. The reason is simply that advertising revenue has been untethered from news production." The prevalence of "fake news" was one of the most significant issues in the 2016 presidential election. EPIC's Democracy and Cybersecurity Project seeks to restore integrity in democratic elections. EPIC is also pursuing details of the Russian election interference in FOIA cases against the FBI, the Office of the Director of National Intelligence, and the IRS. This week several senators introduced bipartisan legislation to strengthen disclosure requirements for online political ads. (Oct. 20, 2017)

  • EPIC joined a coalition of privacy and civil liberty organizations urging the Senate Intelligence Committee to open to the public any markup hearing on proposals to reauthorize Section 702 of the Foreign Intelligence Surveillance Act, which authorizes the surveillance of foreigners located abroad. "To the greatest degree possible, the consideration of legislation pertaining to Section 702...Should take place in public," the groups made clear in the letter to Senate Intelligence Committee leaders. EPIC has previously backed open public hearings on important security matters, including consideration of the Cyber Intelligence Sharing and Protection Act of 2013. (Oct. 20, 2017)

  • In comments to the Department of Homeland Security, EPIC opposed a plan to add social media information to the official files of all immigrants. EPIC said the DHS proposal threatens First Amendment rights, risks abuse, and would disproportionately impact minority groups. A coalition of organizations also submitted comments to express concern about the proposal. EPIC previously opposed a Customs and Border Protection proposal to collect social media identifiers from visa applicants. In a FOIA lawsuit against DHS, EPIC obtained documents which revealed that federal agencies gather social media comments to identify individuals critical of the government. EPIC is currently pursuing a FOIA request about a revised DHS plan to require disclosure of social media passwords before allowing entry into the country. (Oct. 19, 2017)

  • In a letter to a Senate oversight committee, EPIC urged Congress and the incoming Administrator of the General Services Administration to block the Presidential Election Commission from collecting state voter data. As EPIC recently explained in a case before a federal judge in Washington, DC, the Commission is part of the GSA and must comply with that agency’s requirement to conduct a Privacy Impact Assessment prior to the collection of personal data. In the letter to the Senate Committee, EPIC wrote that "the very last thing that the Senate Committee or the incoming GSA Administrator should tolerate is a federal entity that seeks to avoid legal obligations to protect the privacy of Americans." The Commission was previously forced to suspend the collection of voter data in response to EPIC's lawsuit, but it later resumed that process. EPIC's case is EPIC v. Commission, No. 17-1320 (D.D.C.), and the related appeal is EPIC v. Commission, No. 17-5171 (D.C. Cir.). The argument before the D.C. Circuit Court of Appeals is scheduled for November 21, 2017. (Oct. 19, 2017)

  • Several senators announced a bipartisan bill to make online political advertisements more transparent. The Honest Ads Act is a direct response to Russian interference in the 2016 election, which included political ads on Facebook, Google and Twitter. The bill, co-sponsored by Senators Klobuchar (D-MN), Warner (D-VA), and McCain (R-AZ), would impose the same disclosure requirements for online ads as for TV and radio ads. "First and foremost this is an issue of national security — Russia attacked us and will continue to use different tactics to undermine our democracy," Senator Klobuchar said. The FEC also announced on October 10 that "in light of developments" it would reopen for public comment its disclosure rules for online political ads. EPIC is fully engaged in the challenge of protecting democracy by promoting cybersecurity and election integrity. EPIC has filed several FOIA lawsuits to determine the scope of Russian interference. The cases include: EPIC v. FBI (Russian Hacking), EPIC v. ODNI (Russian Hacking), and EPIC v. IRS (Donald Trump's Tax Records). (Oct. 19, 2017)

  • Following the first annual review of the pact, the European Commission has approved the EU-U.S. Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. However, the Commission urged the U.S. to appoint a permanent Ombudsperson to review complaints, to restore the Privacy and Civil Liberties Oversight Board, and to pass the Obama-era Presidential Policy Directive-28 into law. In a recent letter to Congress, EPIC emphasized the need to update U.S. privacy laws. EPIC Senior Counsel Alan Butler has also highlighted weaknesses in US privacy in DPC v. Facebook, a case now before the European Court of Justice. (Oct. 18, 2017)

  • The Presidential Election Commission is coming under increasing scrutiny from lawmakers and even its own members. On Tuesday, Commissioner Matthew Dunlap charged that the Commission had given him "utterly no information" about the Commission's activities. Dunlap invoked the public records statute to demand documents about the Commission he sits on. Members of the Senate Judiciary Committee are also demanding records from the Department of Justice about the Department's possibly unlawful coordination with the Commission. Questions have also been raised about the Commission's hiring practices. The Commission was previously forced to suspend the collection of voter data in response to EPIC's lawsuit, but it recently resumed that process. EPIC has urged state election officials not to release any voter information until the Commission conducts a Privacy Impact Assessment. EPIC's case is EPIC v. Commission, No. 17-1320 (D.D.C.), and the related appeal is EPIC v. Commission, No. 17-5171 (D.C. Cir.). The argument before the D.C. Circuit Court of Appeals is scheduled for November 21, 2017. (Oct. 18, 2017)

  • EPIC's President Marc Rotenberg will testify this week before the Senate Banking Committee on reform of the credit reporting industry following the Equifax breach. The hearing, "Consumer Data Security and the Credit Bureaus," follows several Congressional hearings with Equifax CEO Richard Smith. Rotenberg will emphasize the need to limit the use of the Social Security number in the private sector and to give consumers control over their personal data. EPIC will recommend a national credit "freeze" and free life-term credit monitoring services for all U.S. consumers. Rotenberg detailed how the credit reporting industry is broken in a recent article in the Harvard Business Review. He also warned that the failure to update U.S. privacy law has placed the digital economy at risk and may lead to the suspension of trans-border data flows. EPIC has previously testified before the House and Senate on the need for Congress to address data breach and identity theft. (Oct. 16, 2017)

  • The Supreme Court has agreed to review United States v. Microsoft, a landmark case about whether the U.S. government can force email providers to turn over users’ private messages that are stored outside of the United States. The government claims that the Electronic Communications Privacy Act allows investigators to demand emails from all over the world, in violation of national privacy laws. A federal appeals court rejected the government’s arguments last year and ruled that Microsoft was not required to hand over emails that the company stores in Ireland. The Supreme Court has also agreed to review Dahda v. United States, a related case about whether the Fourth Amendment allows the government to use evidence obtained through an unlawful court order. Both cases are expected to be argued in early 2018. EPIC regularly files amicus briefs in privacy cases before the Supreme Court, including recently in Carpenter v. United States, Packingham v. North Carolina, and Utah v. Strieff. (Oct. 16, 2017)

  • EPIC and a coalition of leading consumer groups have asked the Consumer Product Safety Commission to recall the Google Home Mini "smart speaker." The touchpad on the Google device is permanently set to "on" so that it records all conversations without a consumer's knowledge or consent. The consumer groups said that "as new risks to consumers arise in consumer products, it is the responsibility of the Consumer Product Safety Commission to respond." The groups also urged the Safety Commission to enforce the Duty to Report to CPSC against manufacturers of "IoT" devices. Last year, a coalition of consumer groups pursued a complaint about My Friend Cayla, an Internet connected toy that recorded the private conversations of young children. The Cayla complaint spurred a Congressional investigation and toy stores across Europe removed the doll from their shelves. (Oct. 13, 2017)

  • EPIC has filed a revised complaint against the Presidential Election Commission, charging that the Commission has violated federal law by collecting state voter data without a required Privacy Impact Assessment and misrepresented its legal status. The Commission has claimed that, unlike every other federal agency, it can collect sensitive personal data without a privacy assessment. But EPIC's new complaint, following revelations by the Commission itself, makes clear that the Commission is part of the General Services Administration, which must complete Privacy Impact Assessments. EPIC also highlighted to the court misrepresentations made by the Commission in earlier proceedings. EPIC's original lawsuit forced the Commission to suspend the collection of voter data in July. The case is EPIC v. Commission, No. 17-1320, and the related appeal is EPIC v. Commission, No. 17-5171. The argument before the D.C. Circuit Court of Appeals is scheduled for November 21, 2017. (Oct. 12, 2017)

  • The Senate Banking Committee has asked EPIC President Marc Rotenberg to testify before the Committee on Tuesday, October 17, 2017 regarding the Equifax data breach. The Senate hearing will explore "Consumer Data Security and the Credit Bureaus." In the Harvard Business Review, Rotenberg recently urged comprehensive reform of the credit reporting industry. The Senate hearing follows a recent hearing on the "Equifax Cybersecurity Breach" with former Equifax CEO Richard Smith. (Oct. 12, 2017)

  • EPIC sent a letter to a House committee on Digital Commerce and Consumer Protection for the hearing "21st Century Trade Barriers: Protectionist Cross Border Data Flow Policy's Impact on U.S. Jobs." EPIC explained that foreign governments are reluctant to permit the transfer of the personal data of their citizens to the U.S. due to the U.S.'s lax privacy laws. EPIC recommended Congress take four steps to update U.S. privacy law: (1) enact the Consumer Privacy Bill of Rights, (2) modernize the Privacy Act, (3) establish an independent data protection agency, and (4) ratify the International Privacy Convention. EPIC also noted that the Schrems II decision calls into question the viability of "Privacy Shield," the current data transfer scheme between the US and EU. (Oct. 12, 2017)

  • EPIC and a coalition of leading open government organizations have urged the Joint Committee on Taxation and the IRS Commissioner to release Donald Trump's tax returns to correct numerous misstatements of fact concerning the President's financial ties to Russia, such as "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING." These statements have been directly contradicted by his attorneys, members of his family, and various news reports. The IRS Commissioner, with the approval of the Joint Committee on Taxation, is authorized to release tax records to "correct misstatements of fact," and the agency exercised the authority ten times in one year. EPIC is also pursuing a lawsuit against the IRS after the agency failed to release Trump's tax records in response to a FOIA request. EPIC v. IRS is now pending before the D.C. Circuit Court of Appeals. (Oct. 11, 2017)

  • EPIC has filed an amicus brief in hiQ Labs, Inc. v. LinkedIn Corp., a case concerning the use of personal data provided by Internet users to LinkedIn. A lower court ordered LinkedIn to provide LinkedIn user data to hiQ Labs, a data analytics firm that scores employees and provides secret intelligence to employers about "flight risk." EPIC argued that, "the lower court has undermined the fiduciary relationship between LinkedIn and its users." EPIC also said the order is "contrary to the interests of individual LinkedIn users" and contrary to the public interest "because it undermines the principles of modern privacy and data protection law." Siding with neither party, EPIC urged reversal to protect online privacy. EPIC routinely participates as amicus curiae in cases concerning consumer privacy. (Oct. 11, 2017)

  • The House Homeland Security Committee passed H.R. 4548, the "Border Security for America Act," which would dramatically expand surveillance capabilities along the northern and southern borders of the U.S. The bill seeks “to achieve situational awareness and operational control of the border,” with unmanned aerial vehicles (drones), radar surveillance systems, license plate readers, and biometric databases. The Border Security Act would establish a biometric exit data system at US airports, seaports, and land ports. Biometric data would be combined with other Federal databases. The Privacy Act normally limits the government’s ability to collect personal data, but this bill would exempt the Department of Homeland Security from compliance with the Privacy Act. Previous EPIC FOIA lawsuits have revealed that border surveillance by drones would capture imagery, data, and wifi data of US citizens. (Oct. 5, 2017)

  • Mattel will scrap its plans to sell Aristotle, an Amazon Echo-type device that collects and stores data from young children. The Campaign for a Commercial-Free Childhood sent a letter and 15,000 petition signatures to the toymaker, warning of privacy and childhood development concerns. CCFC said that "young children shouldn't be encouraged to form bonds and friendships with data-collecting devices." Senator Markey (D-MA) and Representative Barton (R-TX) also chimed in, demanding to know how Mattel would protect families' privacy. EPIC backed the CCFC campaign and urged the FTC in 2015 to regulate "always-on" Internet devices. A pending EPIC complaint at the FTC concerns the secret scoring of young athletes. (Oct. 5, 2017)

  • Today the Senate Commerce Committee favorably reported the "AV START Act," a bill that aims to facilitate the deployment of connected vehicles. The Committee adopted Senator Edward Markey's (D-MA) amendment that directs the National Highway Traffic Safety Administration to create a publicly accessible database to determine the personal data collected by connected cars, how that information is used, data minimization and retention practices, security measures, and privacy policies of car manufacturers. EPIC has long supported privacy protections for automated vehicles. (Oct. 4, 2017)

  • A Department of Homeland Security official told the Senate Judiciary Committee today that the agency has no "plans to target any Dreamers based on any information [they] have received." James McCament, Acting Director of Immigration Services, said that DHS will adhere to the 2012 Privacy Impact Assessment, which limits the use of personal data obtained from DACA applicants. EPIC earlier recommended that DHS comply with the Privacy Impact Assessment and the federal Privacy Act. (Oct. 4, 2017)

  • EPIC has filed a Freedom of Information Act lawsuit against the Department of Homeland Security to obtain records related to Russian interference in the 2016 U.S. Presidential Election. Earlier this year, DHS designated state election systems as critical infrastructure and published a Joint Analysis Report acknowledging Russian interference with U.S. election systems. However, DHS has not provided any significant new information to the American public about the extent of the Russian interference. EPIC now seeks disclosure of the agency's "research, integration, analysis" related to the scope of Russian interference. EPIC's FOIA lawsuit follows H.Res. 235, a bill sponsored by Rep. Thompson (D-MS) that would have directed the DHS to provide this information to Congress, but was blocked by the House Homeland Security Committee. EPIC has filed several FOIA lawsuits to determine the scope of Russian interference. The cases include: EPIC v. FBI (Russian Hacking), EPIC v. ODNI (Russian Hacking), and EPIC v. IRS (Donald Trump's Tax Records). (Oct. 4, 2017)

  • Today the Senate Commerce Committee considers the "AV START Act," a bill that aims to facilitate deployment of automated vehicles in the United States. The bill sets out voluntary cybersecurity measures and lacks consumer privacy standards. Senator Markey (D-MA) has proposed privacy amendments. Privacy safeguards for connected vehicles are now a global concern. Last week Privacy Officials from more than 40 countries adopted a resolution on Data Protection in Automated and Connected Vehicles urging all parties to "fully respect the users' rights to the protection of their personal data and privacy." (Oct. 4, 2017)

  • EPIC sent a letter to the Senate Committee on Aging in advance of a hearing on robocalls and fraud against seniors. EPIC explained that "criminals target senior citizens, believing they are wealthy and will be unable to detect crime or report that a crime has occurred." In comments to the FCC earlier this year, EPIC expressed support for regulations that would allow the blocking of unsolicited calls from invalid numbers. EPIC told the Committee that the FCC rule could protect seniors and other consumers from predatory robocalls. (Oct. 4, 2017)

  • EPIC has sent statements to Congress ahead of hearings in the House and Senate on the Equifax data breach. EPIC underscored the risk to American consumers of data breaches which are increasingly severe. EPIC urged Congress to require prompt data breach notification, data minimization, and privacy enhancing techniques. In 2011 EPIC testified in the House and Senate on data breaches in the financial services sector. EPIC President Marc Rotenberg recently outlined in the Harvard Business Review steps Congress should now take to protect American consumers. (Oct. 3, 2017)

  • EPIC warned the Senate Judiciary Committee that 800,000 DACA applicants face privacy risks as a result of the decision to end the Deferred Action for Childhood Arrivals program. According to EPIC, the Department of Homeland Security has failed to ensure that DACA applicants' information will be used exclusively for the purpose for which it was disclosed, as set out in the 2012 privacy impact assessment. EPIC urged the Committee to uphold Privacy Act safeguards for DACA applicants. (Oct. 3, 2017)

  • EPIC and a coalition of over 50 organizations called on lawmakers to require federal agencies to obtain a probable cause warrant before searching foreign intelligence databases for information about U.S. citizens and residents. Section 702 of the Foreign Intelligence Surveillance Act allows agencies - without a warrant and in a broad range of circumstances - to search for information about Americans among communications collected for foreign intelligence purposes. In a letter to leaders of the House Judiciary Committee, the groups explained that this practice "undermine[s] constitutional protections create an unacceptable loophole to access Americans' communications in criminal and foreign intelligence investigations alike." EPIC and a coalition also recently urged Director of National Intelligence Dan Coats to uphold a promise to give a public estimate of how many Americans are caught up in NSA surveillance of foreign targets. EPIC is currently pursuing a Freedom of Information Act request for a government report to the Foreign Intelligence Surveillance Court about FBI searches of Section 702 data for domestic criminal investigations. (Oct. 3, 2017)

  • The European Court of Justice will now hear a second case on legal protections for personal data sent from Europe to the United States. Data Protection Commissioner v. Facebook considers whether Facebook’s transfers of data from Ireland to the United States violate the European Charter of Fundamental Rights. The Irish High Court ruled this week that there are “well-founded concerns that there is an absence of an effective legal remedy in U.S. law” and referred the matter to the high court of Europe. The case in Ireland follows the landmark 2015 decision Schrems v. DPC, which found insufficient legal protections for the transfer of data to the United States. In the Irish case, Max Schrems, an Austrian privacy advocate, challenged Facebook’s transfer of personal data to the U.S. under “standard contractual clauses.” EPIC was designated the US NGO amicus curiae in DPC v. Facebook, and provided a detailed assessment of US privacy law. EPIC was represented before the Irish court by FLAC (Free Legal Advice Centres), an independent human rights organization based in Dublin. (Oct. 3, 2017)

  • EPIC has received documents about the Defense Advanced Research Projects Agency's (DARPA) Brandeis Program, following a 2015 FOIA request. According to the agency, the program is intended to "research and develop tools for online privacy." EPIC obtained over 1,100 pages of documents about the Program. The documents include email communications (parts 1, 2, 3), budget appropriation justifications for fiscal years 2015 (parts 1, 2) and 2016 (parts 1, 2), as well as the names of contract awardees. According to the documents obtained by EPIC, the program provided $75 million over 4.5 years. Contract recipients include UC Berkeley, UC Irvine, MIT, Carnegie Mellon University, Raytheon, SRI International, Stealth Software Technologies, and Galois. (Oct. 2, 2017)

  • A federal court has ruled that a New York state ban on the posting of "ballot selfies" is constitutional. "New York has a compelling interest in preventing vote buying and voter coercion," the court wrote. "The State's interest in the integrity of its elections is paramount." Ballot selfies allow campaigns, employers, unions, and others to find out how an individual voted. But as EPIC explained in "The Secret Ballot At Risk: Recommendations for Protecting Democracy," the secret ballot—the inability to link particular voters to particular votes—is a cornerstone of modern democracies. The secret ballot reduces the threat of coercion, vote buying and selling, and tampering. EPIC has a long history of working to protect voter privacy and election integrity. In a 2010 Supreme Court case, EPIC argued that disregard for voter privacy may unconstitutionally burden the right to vote. (Sep. 29, 2017)

  • EPIC has filed a letter brief in a video privacy case concerning ESPN’s collection of viewer data. The court in Eichenberger v. ESPN, Inc. is trying to determine whether consumers can bring lawsuits based on a violation of federal privacy law after the Supreme Court’s decision in Spokeo v. Robins, a case about “standing” to sue. EPIC filed a brief in support of Eichenberger, arguing that "the history and judgement of Congress leaves little doubt that Congress believed a violation of the Act would be a concrete injury." EPIC also explained "a court is not empowered to override congressional judgments as to which injuries should be legally protected." EPIC testified before the Senate about the history and purpose of the Video Privacy Protection Act. EPIC has also filed several amicus briefs on standing to sue in consumer privacy cases. (Sep. 28, 2017)

  • EPIC has appealed the decision of a federal district court which ruled that the IRS can withhold President Trump's tax records sought by EPIC under the Freedom of Information Act. EPIC had argued that the IRS has the authority to release the records to correct numerous misstatements of fact concerning the President's financial ties to Russia, such as "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING." In response to a FOIA request from EPIC, the IRS recently acknowledged that it has used this authority 10 times in one year. But the district court said the power was a "rare bird" and concluded that "until President Trump or Congress authorizes release of the tax returns, EPIC (and the rest of the American public) will remain in the dark." EPIC v. IRS is one of three leading open government cases concerning Russian interference with the 2016 Presidential election. In EPIC v. ODNI, EPIC is seeking the release of the complete report on the scope of the attack. In EPIC v. FBI, EPIC is seeking information about the FBI's response to the attack. (Sep. 28, 2017)

  • EPIC has sent a statement to the Senate Commerce Committee following a hearing on the Transportation Security Administration. EPIC urged the Committee to limit the collection of biometric data at US airports. EPIC described the growing and regulated use of biometrics in US airports, often targeting US citizens. EPIC previously pursued a significant lawsuit against the TSA to limit the use of body scanners. EPIC is currently seeking records from Customs and Border Protection concerning the agency's use of facial recognition for a biometric entry/exit program at airports. EPIC has also objected to a proposal to increase the collection of biometric data for the TSA Pre-Check program. (Sep. 28, 2017)

  • The Supreme Court has agreed to review two Fourth Amendment car search cases. In Collins v. Virginia, the Court will decide whether police can search a vehicle parked in the driveway of a private home without first obtaining a warrant. In Byrd v. United States, the Court will decide whether a person driving a rental car loses their expectation of privacy in the vehicle solely because they are not the official driver on the rental agreement. The Court is already set to hear Carpenter v. United States this fall, a major Fourth Amendment case about warrantless searches of cell phone location data. EPIC filed a "friend-of-the-court" brief in that case urging the Court to extend Constitutional protection to cell phone data. EPIC regularly files briefs with the Supreme Court arguing for greater Fourth Amendment protections, including in Utah v. Strieff, Los Angeles v. Patel, and Riley v. California. (Sep. 28, 2017)

  • In advance of a Senate Commerce hearing on consumer privacy, EPIC called for more action by the Federal Trade Commission to protect American consumers. In a statement for the Committee, EPIC said that "the FTC is simply not doing enough to safeguard the personal data of American consumers." EPIC explained that "the FTC's privacy framework - based largely on 'notice and choice' - is simply not working." EPIC also warned that consumers "face unprecedented threats of identity theft, financial fraud, and security breach." EPIC has fought for consumer privacy rights at the FTC for more than two decades, filing landmark complaints about privacy violations by Uber, Microsoft, Facebook, Google, and even suing the Commission when it has failed to enforce its own orders. (Sep. 28, 2017)

  • The International Conference of Data Protection and Privacy Commissioners, meeting in Hong Kong, has adopted three resolutions on emerging privacy issues. The resolution on Data Protection in Automated and Connected Vehicles urges all parties to "fully respect the users' rights to the protection of their personal data and privacy." The resolution on Collaboration between Data Protection and Consumer Protection Authorities calls for joint efforts at the international level to "protect citizens and consumers in the digital economy." And the resolution on "Future Options for International Enforcement" builds on the OECD Recommendations for Cross-Border Cooperation. EPIC and other NGOs convened a Public Voice event in Hong Kong to promote a dialogue on emerging privacy issues with data protection officials and seek progress on the Madrid Privacy Declaration. (Sep. 28, 2017)

  • EPIC has filed a “friend of the court” brief with the Ninth Circuit in Smith v. Facebook concerning Facebook’s tracking of users when they visit healthcare websites, including cancer.net. The lower court dismissed the case, ruling that Facebook users consented to the disclosure of their personal data, based on Facebook's terms and conditions, even when the medical sites said specifically that data would not be disclosed. EPIC argued that, “consent is not an acid rinse that dissolves common sense.” Facebook previously settled charges with the FTC that it routinely changed its privacy settings without user consent. The settlement resulted from complaints brought by several consumer organizations, including EPIC. (Sep. 26, 2017)

  • In a statement to Congress, EPIC expressed support for the findings of the Commission on Evidence-Based Policymaking. Congress established the Commission to study how data across the federal government could be combined to improve public policy while protecting privacy. The Commission's report recommends new privacy safeguards and encourages broader use of statistical data. EPIC submitted comments to the Commission urging the adoption of Privacy Enhancing Techniques that minimize or eliminate the collection of personal data. Several of EPIC's recommendations were incorporated in the Commission report. A report from the National Academies of Science earlier this year examined federal data sources and privacy. (Sep. 26, 2017)

  • Customs and Border Protection has published a system of records notice for the "Intelligence Records System." The agency proposes to exempt the database from many Privacy Act safeguards. The database contains detailed personal data from social media and commercial data services. CBP will use the "Analytical Framework for Intelligence" to secretly profile and evaluate social media users. In the FOIA lawsuit EPIC v. CBP, EPIC uncovered Palantir's role in Analytical Framework for Intelligence, a program that assigns "risk assessment" scores to U.S. travelers. EPIC is now pursuing a FOIA request to Immigration and Customs Enforcement seeking details of the agency's relationship with Palantir. (Sep. 22, 2017)

  • The D.C. Court of Appeals has ruled that warrantless use of a cell-site simulator or "stingray" violates the Fourth Amendment. The court found that Stingray devices enable "officers who possess a person's telephone number to discover that person's precise location remotely and at will." The court held that the use of a Stingray invaded a reasonable expectation of privacy and thus was a Fourth Amendment search. EPIC recently filed a brief in a U.S. Supreme Court case arguing that warrantless location tracking violates the Fourth Amendment. EPIC has also promoted oversight of Stingrays by law enforcement agencies. An EPIC FOIA lawsuit in 2012 revealed that the FBI was using Stingrays without a warrant, and that the FBI provided Stingrays to other law enforcement agencies. EPIC has also filed amicus briefs in federal and state courts arguing that cell phone location data is protected by the Fourth Amendment. (Sep. 22, 2017)

  • A federal court in Washington, DC has dismissed two lawsuits against the Office of Personnel Management over the data breaches that compromised the records of 22 million federal employees and family members. The court acknowledged the "troubling allegations" raised by OPM's victims but ruled that "the fact that a person's data was taken" is not "enough by itself to create standing to sue." EPIC has long argued that data breach victims should not wait until they suffer identity theft to sue the parties that failed to protect their data. EPIC also filed comments last year with OPM recommending limits on data collection, has recommended updates to the federal Privacy Act, and has urged the Supreme Court to recognize a right to "informational privacy" and to ensure Privacy Act damages for non-economic harm. (Sep. 20, 2017)

  • The recent Department of Homeland Security memo rescinding the Deferred Action for Childhood Arrivals program creates new privacy risks for at least 800,000 individuals. At issue is the personal data provided to DHS by DACA applicants. In the 2012 Privacy Impact Assessment, the DHS stated that personal data would be "protected from disclosure to ICE and CBP for the purpose of immigration enforcement proceedings." Now that the program is set to expire, the personal data provided by DACA applicants is at risk of use for unauthorized purposes, implicating the federal Privacy Act. EPIC has long supported vigorous enforcement of the federal Privacy Act and opposed efforts that target individuals in immigrant communities. (Sep. 20, 2017)

  • The Public Voice will host an event with NGOs and Privacy Commissioners at the 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong. "Emerging Privacy Issues: A Dialogue Between NGOs & DPAs" will address emerging privacy issues, including biometric identification, algorithmic transparency, border surveillance, the India privacy decision, and implementation of the GDPR. Speakers include Chairman Isabelle Falque-Pierrotin of the CNIL and Article 29 Working Party, Commissioner John Edwards of New Zealand, and Director Eduardo Bertoni of Argentina. Also participating will be representatives of Access Now, EPIC, GP Digital, Privacy International, and the World Privacy Forum. The Public Voice, established in 1996, facilitates public participation in decisions concerning the future of the Internet. (Sep. 19, 2017)

  • EPIC joined European Digital Rights (EDRI) and a coalition of organizations to advise the Council of Europe about protecting human rights during trans-national criminal investigations. The "Global Civil Submission" states that a proposed update to the Convention on Cybercrime should include compliance with human rights principles and data protection standards for transnational data transfers. Several years ago, EPIC opposed the U.S. ratification of the Convention on Cybercrime, citing its sweeping expansion of law enforcement authority. However, EPIC and the U.S. Privacy Coalition have long campaigned for the United States ratification of "Convention 108," the International Privacy Convention. (Sep. 18, 2017)

  • In detailed comments to the Federal Trade Commission, EPIC urged the FTC to strengthen a proposed settlement with Uber. The FTC's investigation and subsequent settlement were prompted by EPIC's 2015 complaint, which detailed Uber's secretive tracking of customers and surreptitious collection of user data. EPIC recommended that the FTC require Uber to end collection of customer data beyond what is necessary to provide the service and to mandate that Uber implement stronger privacy safeguards. As EPIC highlighted in the original complaint, Uber has a history of abusing consumer privacy. EPIC has previously pursued FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. The FTC is obligated to consider public comments before finalizing a proposed settlement. (Sep. 15, 2017)

  • Senator Markey (D-MA) and several other Senators have introduced legislation that would provide consumers with more control over their personal data. The Data Broker Accountability and Transparency Act would allow consumers to access and correct their personal data and stop data brokers from using, disclosing, or selling their information for marketing purposes. The bill also requires data brokers to develop comprehensive privacy and data security measures and provide "reasonable notice" in the event of a breach. For years, EPIC has supported stronger data breach notification laws, and EPIC has testified before the Senate and House in support of a federal law. EPIC supports consumer control over personal data, and EPIC recommends mandatory breach notification procedures to ensure that consumers are aware when their personal data is wrongly obtained by others. Additionally, last year EPIC created http://www.dataprotection2016.org/ to promote the adoption of stronger privacy safeguards in the U.S. (Sep. 15, 2017)

  • The Department of Justice has issued a final rule on the "Insider Threat" database, a program that allows federal agencies to gather virtually unlimited amounts of personal data on individuals based on broad and ambiguous standards. The Department of Justice exempted itself from Privacy Act safeguards that would limit the collection of personal data, and allow individuals access to their information maintained by the federal agency. In detailed comments, EPIC opposed the exemptions sought by the Justice Department. EPIC also questioned whether that information would be adequately protected. The Justice Department responded to EPIC and acknowledged increases in data breaches in both the public and private sectors but stated that the agency had proper safeguards in place to guard against "anticipated threats." (Sep. 15, 2017)

  • EPIC, Privacy International, and other groups called for increased transparency of U.S. intelligence arrangements. The groups explained that secret arrangements circumvent international human rights agreements and domestic law. The coalition asked the Senate and House Intelligence Committees and Judiciary Committees, as well as the Privacy and Civil Liberties Oversight Board, for information about their review of these arrangements. Earlier this year, EPIC warned Congress about a secret US-UK agreement for law enforcement access to personal data otherwise protected by law. In 2016, EPIC obtained the "Umbrella Agreement," concerning the transfer of personal data from the EU to the US, after a successful Freedom of Information Act lawsuit. (Sep. 14, 2017)

  • The National Highway Traffic Safety Administration released revised guidance for automated vehicles. The modified guidance encourages manufacturers to develop best practices to minimize cybersecurity risks. However, the NHTSA guidance lacks mandatory standards and fails to safeguard privacy, stating that the Federal Trade Commission is responsible for consumer privacy. Previous NHTSA guidance established privacy standards and required developers to minimize data collection. The Senate Commerce Committee is now considering the "AV START Act" concerning automated vehicles. The draft bill proposes voluntary cybersecurity and also lacks consumer privacy standards. Today the NTSB also released findings that Tesla's autopilot feature contributed to a highway fatality earlier this year. EPIC has long advocated for privacy and cybersecurity safeguards to be a central component of automated vehicle development. (Sep. 12, 2017)

  • The Election Assistance Commission technical committee is meeting today to review standards for voting equipment. Some members of the Technical Guidelines Development Committee have raised questions about the value of the secret ballot. Last year, EPIC, Verified Voting, and Common Cause explained in "The Secret Ballot At Risk: Recommendations for Protecting Democracy" that the secret ballot — the inability to link particular voters to particular votes — is a cornerstone of modern democracies. Most states (44) have constitutional provisions guaranteeing secrecy in voting. The secret ballot also reduces the threat of coercion, vote buying and selling, and tampering. EPIC has a long history of working to protect voter privacy and election integrity. In a 2010 Supreme Court case, EPIC argued that disregard for voter privacy may unconstitutionally burden the right to vote. Also today, MIT Professor Ronald Rivest spoke in support of ballot secrecy and election integrity at a meeting of the Presidential Commission on Election Integrity. (Sep. 12, 2017)

  • In advance of a hearing on financial technology, EPIC recommended that the Senate Committee establish privacy standards for financial companies that use social media and secret algorithms to make determinations about consumers. In light of the recent Equifax breach, EPIC proposed that the Committee make privacy and security its top priorities. Earlier this year, EPIC submitted a similar statement to the House Committee on Energy and Commerce. EPIC also recently filed a complaint with the CFPB regarding "starter interrupt devices" deployed by auto lenders to remotely disable cars when individuals are late on their payments. Testimony of Professor Frank Pasquale on "Exploring the Fintech Landscape." (Sep. 11, 2017)

  • Ahead of the Presidential Election Commission's September 12 meeting, EPIC has submitted urgent Freedom of Information Act requests to the Department of Homeland Security, Executive Office for U.S. Attorneys, and Social Security Administration seeking details of the Commission's latest attempts to obtain sensitive, personal data. At the Commission's first meeting, Vice Chair Kobach tasked the Commission staff with "trying to collect whatever data there is that's already in the possession of the federal government that might be helpful to us," including data stored in federal agency record systems that is protected under the Privacy Act. Earlier this summer, the Commission suspended collection of state voter data in response to a lawsuit brought by EPIC. EPIC's case, which calls for the disclosure of a Privacy Impact Assessment prior to the collection, is now on appeal to the D.C. Circuit Court of Appeals. EPIC has also advised state election officials not to provide voter data until the Privacy Impact Assessment is completed. (Sep. 11, 2017)

  • The Federal Trade Commission announced today a settlement with three companies that misrepresented their participation in the Privacy Shield arrangement. The Privacy Shield allows companies to transfer the personal data of European consumers to the United States based on a system of industry self-certification. The FTC settlement prohibits the companies from making future false claims about compliance with Privacy Shield, but does not impose any penalty. The FTC settlement also fails to provide any remedy to the EU consumers whose personal data was wrongfully obtained, nor does it require the companies to disgorge the data they fraudulently obtained. EPIC and consumer organizations in the US and Europe have criticized Privacy Shield for failing to establish basic privacy protection and lacking effective remedies. The FTC is now soliciting public comments on the proposed settlements, and the deadline to file a comment is October 10, 2017. (Sep. 8, 2017)

  • As the result of a Freedom of Information Act request, EPIC has obtained a report on the use of face recognition on travelers entering the United States at Dulles Airport. The report was obtained after EPIC filed a lawsuit against Customs and Border Protection for documents about the agency's biometric entry/exit program, expedited by Executive Order 13769. As the report was heavily redacted, EPIC's FOIA lawsuit is ongoing. In a statement to the House Homeland Security Committee earlier this year, EPIC warned that biometric identification techniques, such as facial recognition, lack proper privacy safeguards. EPIC has extensively litigated airport screening techniques, including EPIC v. TSA, concerning airport body screening. (Sep. 8, 2017)

  • In one of the most serious data breaches in U.S. history, the credit records of more than 140 million consumers, maintained by Equifax, have been compromised. Credit reports typically include social security numbers, driver's license information, and other personal data that make possible identity theft and financial fraud. Senator Warner said the breach "represents a real threat to the economic security of Americans." For years, EPIC has urged Congress to strengthen privacy laws and to require Privacy Enhancing Techniques that minimize or eliminate the collection of personal data. In 2011, EPIC testified before the House and the Senate on the specific risk of data breaches in the financial services sector. Equifax has set up www.equifaxsecurity2017.com to help consumers. But last year EPIC created www.dataprotection2016.org to promote the adoption of stronger privacy safeguards in the U.S. (Sep. 8, 2017)

  • The Commission on Evidence-Based Policymaking, which was tasked with studying whether and how data across the federal government could be combined for policy research while protecting privacy, has issued its final report. The Commission backs evidence-based policy, recommends new privacy safeguards including Privacy Enhancing Techniques, encourages broader use of statistical data, and recommends the creation of a National Secure Data Service. In testimony before the Commission, EPIC President Marc Rotenberg promoted both innovative privacy safeguards and well informed public policy. EPIC also filed comments with the Commission urging adoption of Privacy Enhancing Techniques, such as anonymization, that minimize or eliminate the collection of personal data. The National Academies of Sciences released a report earlier this year that examined how disparate federal data sources can be used for policy research while protecting privacy. (Sep. 7, 2017)

  • Computers, Privacy, and Data Protection, the leading international conference devoted to privacy and data protection, has opened a call for papers ahead of the 2018 conference. The conference theme is "The Internet of Bodies" and will be held on 24-26 January 2018 in Brussels. The CPDP2018 call for papers is addressed to all researchers who wish to present papers at this year's conference. Papers will be reviewed by the CPDP Scientific Committee. EPIC is one of the founders of CPDP and an annual sponsor of the event. The EPIC International Champion of Freedom Award will be presented at CPDP. (Sep. 7, 2017)

  • The House of Representatives has passed the "SELF DRIVE Act" to encourage the deployment of "automated vehicles" in the United States. Responding to widespread privacy concerns, the bill requires manufacturers to create "privacy plans" and asks the FTC to prepare a privacy study on the automated vehicle industry. The bill supports the development of "Privacy Enhancing Techniques," such as anonymization. But the SELF DRIVE Act lacks essential privacy and safety standards and would preempt stronger state laws. EPIC has repeatedly urged Congress and federal agencies to establish strong public safety standards for automated vehicles. EPIC also backs state efforts to develop privacy and safety safeguards. (Sep. 7, 2017)

  • EPIC is urging the public to comment on the proposed FTC settlement with Uber regarding consumer privacy. (Federal Register Notice). The FTC settlement follows EPIC's 2015 complaint, which detailed Uber's secretive tracking of customers and surreptitious collection of user data. The proposed settlement requires regular privacy audits of Uber by third parties but fails to make substantial changes in the company's business practices or require the company to delete the personal data that was wrongfully obtained. The deadline to file a comment with the FTC is September 15, 2017. The FTC is required to consider public comments before finalizing a proposed settlement. EPIC has previously pursued FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. EPIC also recently filed an FTC complaint to stop Google from tracking in-store purchases. (Sep. 6, 2017)

  • The Presidential Election Commission is seeking public comments in advance of the Commission's September 12 meeting. EPIC encourages commenters to tell the Commission to end the collection of state voter data. "The Commission's actions have placed the privacy of voters at risk and undermined confidence in the integrity of voting in the United States," said EPIC. As EPIC has explained, the Commission failed to complete a required Privacy Impact Assessment and is violating the constitutional right to information privacy. The Commission was forced to suspend the data collection plan in response to EPIC's lawsuit, but it recently resumed activities. EPIC, and many other organizations, continue to contest the legality of the Commission's actions. Public comments, which are due by Friday, September 8 at 5 p.m., may be submitted at this link. (Sep. 6, 2017)

  • Earlier this year, the Center Medicare Services announced that the Social Security Number would be removed from the Medicare benefits card. Senators Susan Collins and Claire McCaskill led the effort in the Senate to remove the SSN, which contributed to identity theft and often targeted seniors. EPIC testified before their Senate Committee in 2015 on "Protecting Seniors from Identity Theft: Is the Federal Government Doing Enough?" EPIC explained that "there is no other form of individual identification that plays a more significant role in record-linkage and no other form of personal identification that poses a greater risk to personal privacy." Since its founding, EPIC has sought to limit the use of the Social Security Number on identification documents. (Sep. 5, 2017)

  • The European Court of Human Rights has ruled that a company's dismissal of an employee based on monitored chat logs violates the fundamental right to privacy. In Barbulescu v. Romania, the Court found that the right to private life and correspondence in Article 8 of the European Convention on Human Rights protects workplace communications. As a result, employees are entitled to prior notice about the extent and type of monitoring their employer conducts. Last year, EPIC intervened in a case before the European Court of Human Rights challenging the activities of British and U.S. intelligence organizations. The casebook Privacy Law and Society (West 2016) explores a wide range of privacy issues, including recent decisions of the Court of Human Rights. (Sep. 5, 2017)

  • The California Supreme Court ruled that the mass, indiscriminate collection of license plate data by California police cannot be shielded from public scrutiny. In response to an open records request by EFF and the ACLU of Southern California, Los Angeles area law enforcement attempted to prevent disclosure by claiming all license plate data were "investigative records." The court ruled that the license plate data of millions of law-abiding citizens was not an "investigative record." The Court stated, "It is hard to imagine that the Legislature intended for the records of investigations exemption to reach the large volume of data that plate scanners and other similar technologies now enable agencies to collect indiscriminately." EPIC filed an amicus brief in the public records case stating, "Public scrutiny is essential to counter the unique threats posed by these programs of broad-scale surveillance." Documents obtained by EPIC about the FBI's use of license plate readers showed the agency failed to address the system's privacy implications. (Aug. 31, 2017)

  • EPIC has submitted comments to the Federal Trade Commission recommending the continued use of the CAN-SPAM Rule. The FTC is reviewing the CAN-SPAM Rule, which regulates the transmission of commercial e-mail messages and prohibits certain unlawful practices, as part of a periodic review of Commission rules. EPIC expressed support for the continuation of the Rule and proposed strengthening the Rule by implementing a domain name based "Do Not E-mail" list and making it easier for consumers to opt out of having their e-mails included in third-party e-mail lists. EPIC testified before the Senate in 2003 in support of the CAN-SPAM Act. EPIC regularly advocates for rules that protect consumers from harassing and annoying phone calls and e-mails. (Aug. 31, 2017)

  • Donald Trump has nominated Adam Klein to head the Privacy & Civil Liberties Oversight Board (PCLOB). Klein, a senior fellow at the Center for a New American Security, recently testified that Congress should not require agencies to obtain a court order to query data collected under Section 702 of the Foreign Intelligence Surveillance Act, facilitating warrantless surveillance. As Judge Patricia Wald recently stated in remarks at the EPIC Champions of Freedom Dinner, "an agency dedicated to protecting privacy and civil liberties inside the intelligence community with access to classified material is a uniquely valuable asset in the ever difficult search for the right balance between national security and democratic values." EPIC recently urged the Senate Judiciary Committee to restore PCLOB to full strength. (Aug. 31, 2017)

  • A federal judge in Washington, DC expressed disbelief this week at the Presidential Election Commission’s failure to disclose documents from the July 19 inaugural public meeting. The Commission failed to make available to the public the meeting agenda and a 381-page “voter fraud” report prepared by a special interest group that was circulated privately to Commission members. Speaking at a court hearing, the federal judge overseeing the case criticized the Commission for failing “to live up to the government’s representations," about transparency. The Commission is attempting to assemble a nationwide database of voter data over the objections of state election officials. But earlier this summer, the Commission suspended collection of voter data in response to a lawsuit brought by EPIC. EPIC’s case, which calls for the disclosure of a Privacy Impact Assessment prior to the collection, is now on appeal to the D.C. Circuit Court of Appeals. (Aug. 31, 2017)

  • A federal appeals court has ruled that a major data breach case concerning Supervalu can move forward, rejecting the grocery chain's attempt to have the lawsuit dismissed. EPIC filed an amicus brief in the case, in support of the consumers, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches." The appeals court agreed with EPIC that the lower court was wrong to dismiss the case. However, the court held that only a consumer who could demonstrate actual financial fraud could proceed with legal claims. EPIC regularly files amicus briefs defending consumers' right to sue companies that violate their privacy, including in Attias v. Carefirst, Gubala v. Time Warner Cable, and Spokeo v. Robins. (Aug. 30, 2017)

  • Uber has ended the practice of tracking customers before and after they are picked up. In 2015, Uber announced the company would track the location of riders from the time they ordered a ride until after they had reached their destination. EPIC promptly filed a complaint with the FTC and stated that "This collection of user's information far exceeds what customers expect from the transportation service." The end to Uber's tracking of riders comes two weeks after Uber entered into a consent agreement with the FTC following a complaint filed by EPIC that highlighted Uber's history of misusing customer data. But EPIC said the FTC settlement does not go far enough. "The FTC should have imposed stronger sanctions on Uber, required the company to disgorge the personal data it had unlawfully obtained, and required the company to restore the original privacy settings," said EPIC President Marc Rotenberg. EPIC has previously pursued FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. EPIC recently filed an FTC complaint to stop Google from tracking in-store purchases. (Aug. 29, 2017)

  • In the proposed intelligence reauthorization for 2018, the Senate has included provisions reflecting widespread concern about the Russian interference in the 2016 election. Among other requirements, S. 1761 mandates a report to Congress detailing the past cyber attacks on election infrastructure and the risk of future attacks, as well as a report assessing the intelligence community response to the attacks. The bill also gives the intelligence community 90 days to develop a strategy to counter the threat of future Russian cyber attacks. And the bill requires the Director of National Intelligence to submit to Congress a report assessing the "threat of Russian money laundering to the United States." EPIC raised similar concerns in a series of leading open government cases concerning the Russian interference. In EPIC v. FBI, EPIC is seeking information about the FBI's response to the attacks and has obtained the FBI Notification Procedures that should have been followed after a cyber attack. In EPIC v. ODNI, EPIC is seeking the release of the complete intelligence report on the scope of the Russian attack. And in EPIC v. IRS, EPIC is seeking to obtain the public release of Donald Trump’s tax returns. (Aug. 25, 2017)

  • India's Supreme Court has ruled that privacy is a fundamental right under the Indian Constitution. In a unanimous ruling, the Court explained the "right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution." The Court also recognized that "Informational privacy is a facet of the right to privacy" and modern privacy risks are caused by both the public and private sector. The ruling may impact significant cases pending in India, including a challenge to Aadhaar, India's massive biometric identification system, and WhatsApp's privacy policy change. In 2009 NGOs and privacy experts set out the Madrid Privacy Declaration, which affirmed privacy as a fundamental human right. In 2010, EPIC urged the US Supreme Court to recognize the right of "informational privacy." EPIC explained that the Whalen decision and a famous German census case, "influenced international privacy jurisprudence, resulting in the widespread recognition of the right to informational privacy." EPIC's report Privacy and Human Rights provides an overview of privacy frameworks around the world. (Aug. 24, 2017)

  • A divided federal appeals court has upheld a decision that allows Google to continue consumer privacy violations by means of a collusive settlement. Though the case concerns Google's illegal disclosure of personal data from 129 million consumers, the settlement fails to compensate those consumers, does nothing to change Google's business practices, and diverts funds to organizations that don’t protect consumer privacy. The dissenting judge wrote that the settlement "raises a red flag" because "47% of the settlement fund is being donated to the alma maters of class counsel." EPIC twice urged the lower court to reject the settlement, arguing that it did nothing for class members and would allow Google to "continue to engage in the privacy-invading practice." EPIC has long urged courts to reject collusive settlements and has proposed objective criteria for courts to follow in class action cases. (Aug. 23, 2017)

  • Facing public outrage, the Department of Justice has rescinded a demand for over 1.3 million IP logs associated with Inauguration Day protests. DreamHost challenged the warrant, which required the web hosting service to turn over practically all records about disruptj20.org, a protest website. The Justice Department warrant could have identified protestors, threatened First Amendment protections, and violated the Fourth Amendment. After widespread opposition, the DOJ narrowed the demand to exclude visitor logs and unpublished content, such as posts and emails. EPIC opposed the DOJ's demand as it had in an earlier case involving Google search histories. EPIC also recently filed an amicus brief in the Supreme Court urging the Court to safeguard the First Amendment right to access information online free of government surveillance. (Aug. 23, 2017)

  • EPIC has appealed a federal district court ruling that allowed the Presidential Election Commission to move forward with a controversial plan to gather state voter data in a White House database. EPIC told the D.C. Circuit Court of Appeals that the Commission was obligated to undertake a Privacy Impact Assessment before amassing voters’ personal information. EPIC's case, which led the Commission to suspend the collection of voter data in July, after EPIC's lawsuit revealed agency incompetence, is before the D.C. Circuit on an expedited basis. The case is EPIC v. Commission, No. 17-5171 (D.C. Cir. filed July 27, 2017). (Aug. 18, 2017)

  • A federal court in Washington, DC has ruled that the IRS may withhold President Trump's tax records sought by EPIC under the Freedom of Information Act. EPIC had argued that the IRS has the authority to release the records to correct numerous misstatements of fact concerning the President's financial ties to Russia. The President, for example, tweeted: "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING!" However, the Court ruled that “until President Trump or Congress authorizes release of the tax returns, EPIC (and the rest of the American public) will remain in the dark." EPIC v. IRS is one of three leading open government cases concerning Russian interference with the 2016 Presidential election. In EPIC v. ODNI, EPIC is seeking the release of the complete report on the scope of the attack. In EPIC v. FBI, EPIC is seeking information about the FBI’s response to the attack. EPIC will continue to pursue the release of President Trump’s tax records and related evidence of financial relations with the Russian government. (Aug. 18, 2017)

  • A federal appeals court has ruled in an open government case with implications for informational privacy. The court concluded that “there may be a basis for redaction” of personal information in government records “where disclosure would likely result in threats, harassment, and violence.” EPIC filed an amicus brief in the case arguing that withholding personal information safeguards open government and is constitutionally required. "Open government laws and privacy laws are complementary: the aim is to maximize both the public's access to information about the government and to safeguard personal privacy to the greatest extent feasible," EPIC wrote. EPIC has argued for similar privacy protections in ATF v. Chicago, Chicago Tribune v. University of Illinois, Ostergren v. Cuccinelli, NASA v. Nelson, and FCC v. AT&T. (Aug. 15, 2017)

  • Federal prosecutors in Washington, DC are demanding that an internet hosting service turn over vast amounts of personally identifying data from a website used to organize Inauguration Day protests, including a reported 1.3 million IP logs. DreamHost, the hosting service, has refused to comply with the government's warrant. In a court filing DreamHost argued that prosecutors are attempting "to identify the political dissidents of the current administration" and that the government's data demand is far too broad. In 2006, EPIC opposed a similar government demand—later dropped—for a week's worth of search queries entered into Google. EPIC recently filed an amicus brief in the Supreme Court urging the Court to safeguard the First Amendment right to read in the digital era. (Aug. 15, 2017)

  • After an EPIC complaint about Uber's privacy practices, Uber has entered into a consent agreement with the FTC. The agreement prohibits Uber from misrepresenting how it monitors or secures consumer information. As with most FTC privacy settlements, the agreement also requires Uber to implement a comprehensive privacy program and obtain periodic independent third-party audits. In 2015, EPIC filed a complaint with the Federal Trade Commission charging that Uber's plan to track users and gather contact details was an unlawful and deceptive trade practice. EPIC cited Uber's history of misusing customer data as one of many reasons the Commission should act. EPIC has previously pursued successful FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. EPIC recently filed an FTC complaint to stop Google from tracking in-store purchases. (Aug. 15, 2017)

  • A federal appeals court ruled today that consumers have the right to file suit when companies report inaccurate credit information about them. Spokeo, the “people search” website, argued that it couldn’t be sued for publishing false information because there was no “concrete" harm. The case went to the Supreme Court, where EPIC filed an amicus brief urging the Court not to "limit the ability of individuals to seek redress for violations of privacy rights set out by Congress." On closer consideration, the Ninth Circuit U.S. Court of Appeals concluded that companies can’t duck the legal consequences when they violate laws that “protect consumers’ concrete interests”—including their right to privacy. “[G]iven the ubiquity and importance of consumer reports in modern life—in employment decisions, in loan applications, in home purchases, and much more—the real-world implications of material inaccuracies in those reports seem patent on their face,” the Court wrote. “[I]t makes sense that Congress might choose to protect against such harms without requiring any additional showing of injury.” EPIC regularly files amicus briefs defending consumer privacy, and filed several amicus briefs after the Spokeo decision, including in Attias v. Carefirst, Gubala v. Time Warner Cable, and In re SuperValu Customer Data Security Breach Litigation. (Aug. 15, 2017)

  • EPIC has submitted a Freedom of Information Act request to Immigration and Customs Enforcement seeking details of the agency's relationship with Palantir. The federal agency contracted with the Peter Thiel company to establish vast databases of personal information, and develop new capabilities for searching, tracking, and profiling. EPIC is seeking the ICE contracts with Palantir, as well as training materials, reports, analysis, and other documents. The ICE Investigative Case Management System and the FALCON system now connect personal data across the federal government, oftentimes in violation of the federal Privacy Act. The Intercept reported that FALCON "will eventually give agents access to more than 4 billion 'individual data records.'" In FOIA lawsuit EPIC v. CBP, EPIC uncovered Palantir's role in Analytical Framework for Intelligence, a program that assigns "risk assessment" scores to travelers. EPIC continues to advocate for greater transparency in computer-based decision making. (Aug. 15, 2017)

  • EPIC has filed a “friend-of-the-court” brief in Carpenter v. United States concerning the Fourth Amendment and location data. EPIC urged the Supreme Court to reject a 1970s case, Smith v. Maryland (1979), that allows for the warrantless collection of calling data. As EPIC told the Court, that case is from an era “when rotary phones sat on desk tops” and was decided before cell phones and location tracking. EPIC argued that “Cell phones are now as necessary to the life of Americans as they are ubiquitous.” EPIC urged the Court to extend Constitutional protection to cell phone data. Noting that Congress may also pass important privacy laws, EPIC wrote that the Supreme Court “remains the interpreter of the Fourth Amendment in our modern age.” EPIC previously argued against warrantless searches of location data in Riley v. California, United States v. Jones, State v. Earls, and Commonwealth v. Connolly. (Aug. 14, 2017)

  • The Pew Research Center has released a report of its survey of experts on "The Fate of Online Trust in the Next Decade." Although nearly half (48%) of the over 1,000 respondents said that they expected trust to increase, 24% predicted that trust would decrease. "Technology is far outpacing security, privacy and reliability," said EPIC President Marc Rotenberg in the survey. "The problem will intensify with the Internet of Things, as the internet connects more machines in the physical world." EPIC has been at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices. (Aug. 14, 2017)

  • The International Working Group on Data Protection in Telecommunications has adopted new recommendations to improve privacy and security standards for e-learning platforms and government intelligence gathering. The Berlin-based Working Group includes Data Protection Authorities and experts who work together to address emerging privacy challenges. The Working Paper on "E-Learning Platforms" highlights privacy risks including excessive collection of students' personal data. "Towards International Principles or Instruments to Govern Intelligence Gathering" recommends that DPAs participate in developing an international instrument governing intelligence activities and recommends authorities promote principles concerning "Legitimacy," "Rule of Law," and "Oversight." In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the Goethe-Institut, Germany's cultural institute. (Aug. 14, 2017)

  • The House Committee on Energy & Commerce recently approved text for a bill on automated vehicles. The bill prevents the states from issuing any rule or regulation that is not identical to a Federal Motor Vehicle Safety Standard, preventing states from issuing their own safety and privacy regulations to safeguard consumers. The bill also calls for automated vehicle manufacturers to have cybersecurity and privacy plans; however, it does not address who owns the data collected by automated vehicles or how consumers can access or delete their data. EPIC has opposed federal preemption for automated vehicle regulation and has repeatedly urged federal agencies and Congress to allow states to craft their own privacy and security regulations to protect public safety. EPIC has also recommended that consumers control the personal information that is created and stored by the vehicles they operate, rent, and own. (Aug. 10, 2017)

  • The UK has released a statement of intent describing a forthcoming bill that would make major revisions to the country's data protection law. The new rules would follow the EU's General Data Protection Regulation by strengthening rules for obtaining consent, making it easier for consumers to withdraw consent, and improving consumers' ability to access, move, and remove data about themselves. The bill would also expand the definition of "personal data" to include DNA and IP addresses and would make it a crime to re-identify individuals from anonymized data. EPIC supported the GDPR and the right to be forgotten, has explained that IP addresses are personal data, and has warned of the risks of improperly "de-identified" data. EPIC recently filed a complaint asking the FTC to investigate Google's use of a proprietary, secret algorithm Google claims can "de-identify" consumers while tracking their purchases. (Aug. 10, 2017)

  • The State Department filed a notice this week seeking comment on the agency's plan to make permanent the collection of social media identifiers from individuals applying for visas to enter the U.S. The public comment period is open until October 2, 2017. The State Department previously requested emergency approval for the plan. EPIC opposed the State Department initiative, and in comments earlier this year, urged the agency to drop the plan. EPIC argued that the proposal threatens privacy and First Amendment rights, risks abuse, and would disproportionately impact minority groups. (Aug. 4, 2017)

  • The FBI has released a final rule claiming several Privacy Act Exemptions for the Next Generation Identification System, a database that contains the biometric data of millions of Americans, much of which is unrelated to law enforcement. EPIC had criticized the FBI's proposal to remove Privacy Act safeguards and urged the FBI to limit the scope of data collection and reduce the retention of data. However, in issuing the final rule the FBI repeatedly stated that exemptions would be used responsibly and in accordance with FBI policies and procedures. Through a FOIA lawsuit, EPIC obtained documents that revealed the NGI database contained an error rate of up to 20% on facial recognition searches. EPIC has identified several problems with the NGI database in statements to Congressional oversight committees, which have indicated strong concern about the FBI's facial recognition program. (Aug. 1, 2017)

  • A federal appeals court in Washington, D.C. has ruled that consumers may sue companies that fail to safeguard their personal data. Consumers sued health insurer Carefirst after faulty security practices allowed hackers to obtain 1.1 million customer records. EPIC filed an amicus brief in the case, in support of the consumers, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches." The appeals court agreed with EPIC that the lower court was wrong to dismiss the case. "No long sequence of uncertain contingencies involving multiple independent actors has to occur before the plaintiffs in this case will suffer any harm," the Court wrote. EPIC regularly files amicus briefs defending consumer privacy and addressing emerging privacy challenges. (Aug. 1, 2017)

  • A bipartisan group of Senators, including Senators Mark R. Warner (D-VA), Cory Gardner (R-CO), Ron Wyden (D-WA) and Steve Daines (R-MT), have introduced legislation to improve security of Internet-connected devices. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would require "Internet of Things" devices purchased by the U.S. government to meet minimum security standards. IoT device manufacturers who sell products to the federal government must commit that their IoT devices: (1) are patchable; (2) do not contain known vulnerabilities; (3) rely on standard protocols; and (4) do not contain hard-coded passwords. "The proliferation of insecure Internet-connected devices presents an enormous security challenge," said EPIC Advisory Board member Bruce Schneier, "The risks are no longer solely about data; they affect flesh and steel." EPIC has been at the forefront of policy efforts to establish safeguards for IoT devices, connected cars, "smart homes," consumer products, and "always on" devices. A 2015 report from the Aspen Institute also explores "Policies for the Internet of Things." (Aug. 1, 2017)

  • EPIC has filed a complaint with the FTC asking the Commission to investigate Google's tracking of in-store purchases. According to EPIC, Google collects billions of credit and debit card transactions and then links that personal data to the activities of Internet users. Google claims that it protects online privacy but refuses to reveal details of the algorithm that "deidentifies" consumers while tracking their purchases. EPIC's complaint asks the FTC to stop Google's tracking of in-store purchases and determine whether Google adequately protects consumer privacy. EPIC has filed several successful FTC complaints that led to FTC investigations, including complaints about changes to Facebook's privacy preferences and the launch of Google Buzz. EPIC has also focused on the adequacy of privacy techniques, with complaints against AskEraser (search histories that are not deleted) and Snapchat (images that do not "vanish"). EPIC's recent complaint against Google notes that the company is seeking to extend its dominance of online advertising to the physical world. (Jul. 31, 2017)

  • A new report from the FOIA Project shows a "dramatic rise" in the number of Freedom of Information Act lawsuits filed by nonprofit and advocacy groups. According to TRAC, these organizations now account for more FOIA suits than "any other single class." EPIC was the fifth most frequent litigator among nonprofit and advocacy groups nationwide. In 2017, EPIC has filed five FOIA lawsuits. EPIC is currently litigating EPIC v. ODNI, EPIC v. FBI, and EPIC v. IRS, three of the leading open government cases concerning Russian interference with the 2016 Presidential election. Last week, EPIC filed a new FOIA lawsuit against Customs and Border Protection for information about the agency's deployment of a biometric entry/exit tracking system, including at US airports. For more information about EPIC's latest open government work, visit: https://epic.org/open_gov/. (Jul. 27, 2017)

  • EPIC has sent a statement to the House Commerce Committee for a hearing on the Federal Communications Commission. EPIC urged the Committee to affirm the FCC's role in protecting online privacy. EPIC also asked the Committee to press the nominees to repeal an FCC regulation that requires the retention of telephone customer records for 18 months. EPIC filed a petition urging the repeal of this mandate more than two years ago and the FCC recently docketed the petition for public comment. Every comment received by the FCC favored the EPIC petition to end the data retention mandate. EPIC has submitted multiple comments to the FCC for strong online privacy protections. (Jul. 27, 2017)

  • EPIC has sent an Advisory to state election officials, urging opposition to the renewed request for state voter data. The EPIC Advisory follows a letter from the Presidential Election Commission to state election officials. Following EPIC’s lawsuit, seeking a temporary restraining order, the Commission suspended collection of the data. The court ruled on the TRO motion, which EPIC has now appealed. The recent letter falsely claims that the Commission is only seeking “publicly available information.” In fact, the Commission’s June 28 letter called for the release of social security numbers, criminal records, military statuses, and other personal information protected by state laws. California Secretary of State Alex Padilla, and many state election officials, have reaffirmed their opposition to the Commission's effort to gather state voter data. (Jul. 27, 2017)

  • Following a hearing on Russian Interference with the 2016 U.S. Election, EPIC has sent a statement to the Senate Judiciary Committee. EPIC urged the Committee to explore whether the FBI Victim Notification procedures were followed once the FBI became aware of the Russian cyberattack on the DNC and the RNC. In a Freedom of Information Act lawsuit EPIC v. FBI, EPIC obtained the FBI notification procedures that would have applied during the 2016 Presidential election. The documents indicate that the FBI Cyber Division is to "notify and disseminate meaningful information to victims and the CND [Computer Network Defense] community." The obvious question at this point, said EPIC, is whether the FBI followed the required procedures for Victim Notification once the Bureau became aware of this attack. In a related FOIA case, EPIC v. ODNI, EPIC is seeking the public release of the complete report of the intelligence community on the Russian interference with the 2016 election. (Jul. 27, 2017)

  • The top EU Court has struck down an EU-Canada agreement on the processing of airline passenger records. The Passenger Name Record agreement mandated data retention and permitted the bulk transfer of personal data provided by passengers booking a flight. The Court of Justice of the EU explained "the PNR agreement may not be concluded in its current form because several of its provisions are incompatible with the fundamental rights recognised by the EU." The data can reveal "a complete travel itinerary, travel habits, relationships existing between two or more individuals, and information on the financial situation of air passengers, their dietary habits or their state of health." The European Digital Rights Initiative praised the outcome. The EU and US have a similar agreement that permits retention of personal data for 15 years. EPIC has criticized overbroad passenger data transfers, and argued the EU-US agreement violates the EU data protection directive. (Jul. 26, 2017)

  • EPIC has opposed the Director of National Intelligence’s refusal to release a critical government report about Russian interference with the 2016 Presidential election. In EPIC v. ODNI, EPIC seeks the public release of the agency’s report on the Russian interference. EPIC filed suit after the ODNI published only a limited, declassified version of the report. In filings in federal district court, EPIC explained that the ODNI’s failure to provide EPIC partial information cannot satisfy the Agency’s obligations under the FOIA. EPIC stated that release is “necessary for the public to evaluate the Intelligence Community response to the Russian interference, assess threats to democratic institutions, and ensure that agencies are taking appropriate measures to protect U.S. electoral institutions against future attack.” Long after the attack on U.S. democratic institutions, “significant information asymmetry between the public and its government remains,” EPIC said. EPIC v. ODNI is a part of the EPIC Cybersecurity and Democracy Project, which focuses on US cyber policies, threats to election systems and foreign attempts to influence American policymaking. (Jul. 25, 2017)

  • EPIC has appealed the decision of a federal district court which declined to block the collection of sensitive voter data by the Presidential Election Commission. EPIC had argued that the Commission failed to complete a Privacy Impact Assessment before collecting voter data and violated the constitutional right to information privacy. Though the district court agreed that EPIC had standing to bring the lawsuit, the court concluded that it couldn't halt the data collection because, according to the court's opinion, the Commission is exempt from the obligation to undertake a privacy assessment. EPIC's case, which led the Commission to suspend the collection of voter data two weeks ago, will now be reviewed on an expedited basis by the U.S. Court of Appeals for the District of Columbia. "Absent expedited review," EPIC warned, "the Commission will be allowed to systematically amass the sensitive, personal information of the nation's voters without establishing any procedures to protect voter privacy or the security and integrity of the data." The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017). (Jul. 25, 2017)

  • EPIC has sent a statement to the House Homeland Security Committee in advance of a hearing on "Technology's Role on Securing the Border." EPIC alerted the Committee to EPIC's recent FOIA lawsuit about the federal government's deployment of a biometric "entry/exit tracking system," including at US airports. A recent Executive Order on immigration will push forward the biometric identification system, and will include citizens returning to the U.S. EPIC has warned that biometric identification techniques, such as facial recognition, lack proper privacy safeguards. EPIC noted that the federal agency pursuing the border identification program is also deploying drones, and should comply with state laws and a 2015 Presidential Memorandum that limit drone surveillance. (Jul. 24, 2017)

  • A federal district court in Washington, DC has denied EPIC’s motion for an injunction against the Presidential Election Commission and declined to block the Commission’s nationwide collection of voter data. As EPIC told the court last week, the Commission failed to undertake and publish a Privacy Impact Assessment before collecting voter data and violated the constitutional right to information privacy. The court agreed that EPIC had “standing” to bring the case because the Commission had “an obligation to disclose information” and because the Commission’s actions “required [EPIC] to expend resources” in order to obtain a Privacy Impact Assessment. But the court concluded that it could not halt the Commission’s plan to aggregate millions of voter records because the Commission is exempt from statutes that govern the conduct of federal “agencies.” The court noted, however, that “this determination may need to be revisited” at a later time. The court also warned the Commission must “strictly abide” by promises to only collect information that is “already publicly available” and to “de-identif[y]” voter data “to the extent it is made public.” EPIC intends to press forward with the lawsuit, which led the Commission to suspend the collection of voter data two weeks ago. The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017). [Press Release] (Jul. 24, 2017)

  • The Texas NAACP and the League of Women Voters of Texas have filed suit against state election officials to prevent the transfer of personal voter data to the Presidential Election Commission. "The information sought by the Commission is not widely available in Texas, but instead may be released only under certain circumstances and conditions imposed by Texas's voting laws," the complaint reads. The suit notes that the state's disclosure of election records to the Commission, "even if cabined to information generally available to candidates or other organizations who are entitled to request voter information under Texas law, would undermine, and run afoul of, the State's carefully-crafted regulation of the use of voter data." The Texas case joins at least two other lawsuits—one in Florida and one in New Hampshire—seeking to block state officials from providing voter data to the Election Commission. In Washington DC, EPIC has filed suit against the Commission and is urging a federal court to issue a preliminary injunction. The Commission suspended the collection of personal voter data last week in response to EPIC's lawsuit. The Court is expected to rule on EPIC's motion shortly. The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017). (Jul. 21, 2017)

  • EPIC has filed a FOIA lawsuit against Customs and Border Protection for information about the agency’s deployment of a biometric entry/exit tracking system, including at US airports. Trump's recent Executive Order regarding immigration ordered the expedited implementation of a biometric entry/exit tracking system, which will include U.S. citizens. Biometric techniques, including facial recognition, lack proper privacy safeguards. EPIC previously sued the FBI over the Bureau’s Next Generation Identification database, which contains face prints, fingerprints, and other biometrics of millions of Americans. EPIC's lawsuit against the FBI revealed that biometric identification is often inaccurate. (Jul. 20, 2017)

  • A group of more than 70 U.S. Representatives sent a letter to the Presidential Election Commission on Tuesday urging the Commission to "immediately" withdraw a nationwide request for state voter data. "The federal government has an obligation to protect the personally identifiable information of the American people," the letter reads. "We believe your June 28 request to the States would do the opposite by ignoring the critical need for robust security protocols when transmitting and storing sensitive personally identifiable information and by centralizing it in one place." As the letter notes, the Commission suspended the collection of personal voter data last week in response to EPIC's lawsuit. EPIC has asked a federal court in Washington, DC to issue an injunction against the Commission and indefinitely block the transfer of election records. The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017). (Jul. 19, 2017)

  • The FBI released a Public Service Announcement warning consumers about the privacy risks of internet-connected toys. "Smart toys and entertainment devices for children are increasingly incorporating technologies that learn and tailor their behaviors based on user interactions," the FBI wrote in the PSA, adding that the toys "could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed." Last year, EPIC and several consumer organizations filed a complaint with the Federal Trade Commission alleging that the "My Friend Cayla" doll violates U.S. privacy law. EPIC's complaint spurred a congressional investigation and toy stores across Europe have removed Cayla from their shelves. (Jul. 18, 2017)

  • In a statement today for a Forum organized by the House Judiciary Committee and the Congressional Black Caucus, EPIC President Marc Rotenberg called for an end to the efforts of the Presidential Commission on Election Integrity to gather state voter records. Rotenberg said the program was "ill-conceived, poorly executed, and most likely unconstitutional." EPIC brought suit against the Commission, charging violations of federal laws and the federal constitution, and noting also that the Commission's plan to gather data on a military site that returned error messages was pure incompetence. The Commission has since suspended the program, pending a decision by the federal court in EPIC's case. But the Commission meets this week in Washington to discuss next steps. In the prepared statement, Rotenberg said, "I hope the Commission will simply announce the termination of the program. But if it does not, EPIC will pursue its case until we obtain a favorable outcome. And we welcome the many organizations across the country that have also filed lawsuits." The case is EPIC v. Commission, No. 17-1320 (D.D.C. July 3, 2017). (Jul. 18, 2017)

  • In a brief filed this afternoon in Washington, DC, EPIC urged a federal court to issue a temporary restraining order and prevent the collection of state voter records by the Presidential Election Commission. Calling the Commission’s plans to “collect the nation’s voting records” “outside of the privacy laws” that protect personal data “alarming and absurd,” EPIC asked the Court to block this “ill-conceived, poorly executed, and unlawful plan.” EPIC warned that the Commission has “already revealed personally identifiable information” from those who have expressed opposition to the plan. In the original motion, EPIC argued that the Commission had failed to undertake and publish a Privacy Impact Assessment, failed to issue a Federal Advisory Committee Act notice, and violated the constitutional right to information privacy. The Commission, which temporarily suspended the program last week in response to EPIC’s lawsuit, filed an opposition brief earlier on Monday. The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017). (Jul. 17, 2017)

  • EPIC has established a new web site in response to the request from the Presidential Commission on Election Integrity for state voter records. "51 Reasons to End the Collection of State Voter Records by the Presidential Election Commission" includes comments from state election officials, specialists in election integrity, news organizations, voters, and public officials across the country, who have described the Commission's plan as "unlawful," "politicized," "unprecedented," "naive," "crazy," "ill-conceived," "poorly executed," "outrageous," and "a breach of trust with voters." In EPIC v. Commission, EPIC is seeking to end the Commission's collection of personal data of registered voters. (Jul. 17, 2017)

  • In a statement to Congress, EPIC told members of the Senate Judiciary Committee to press the nominee for FBI Director, Christopher Wray, on his views of FBI databases and domestic surveillance programs. EPIC again expressed concern about the size and scope of the FBI's Next Generation Identification system which stores personal and biometric information on millions of individuals. EPIC also expressed concern over the FBI's failure to issue timely privacy impact assessments, lack of transparency on drone use, and plans to monitor social media. EPIC urged the Committee to obtain the nominee's views on these matters and to ensure his commitment to protect privacy and ensure transparency at the FBI. (Jul. 14, 2017)

  • The Ninth Circuit U.S. Court of Appeals heard oral arguments today in an open government case with implications for informational privacy. A group of anonymous medical employees challenged the release of personal information sought under a state public records act. EPIC filed a "friend-of-the-court" brief in the case arguing that withholding personal information is consistent with open government and constitutionally required. "Open government laws and privacy laws are complementary: the aim is to maximize both the public's access to information about the government and to safeguard personal privacy to the greatest extent feasible," EPIC wrote. EPIC has argued for similar privacy protections in ATF v. Chicago, Chicago Tribune v. University of Illinois, Ostergren v. Cuccinelli, NASA v. Nelson, and FCC v. AT&T. (Jul. 13, 2017)

  • In a motion filed today, EPIC urged a federal court to issue a preliminary injunction to block the collection of state voter records by the Presidential Election Commission. The Commission suspended collection of personal voter data earlier this week in response to EPIC's lawsuit. But as EPIC told the court, "the threat to voter privacy and democratic institutions remains. The Commission intends to move forward, pending this Court's determination. It has established a new server within the White House to receive the voter data. It has advised state election officials that further communications regarding this undertaking are forthcoming." A response from the Commission is due Monday, July 17. The Commission is scheduled to hold its first public meeting on July 19, in Washington, DC. The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017). (Jul. 13, 2017)

  • EPIC has submitted urgent FOIA requests to the General Services Administration, the Election Commission, and the Arkansas Secretary of State for information about the State of Arkansas's production of voter data to the federal Commission. The request follows EPIC's lawsuit to block the transfer of state voter records to the Commission. In a hearing in federal court on July 7th, the Department of Justice revealed that Arkansas had transferred voter histories to the Commission, contradicting a July 5th statement by Vice Chair Kobach that no such transfers had occurred. EPIC is now seeking records of the Commission's compliance with Arkansas procedures for obtaining voter registration data, including designation of appropriate data elements, payment of fees, compliance with security requirements, and completion of necessary forms. In EPIC v. Commission, EPIC has argued that "As a matter of law, there is no 'publicly available' voter data that may be transferred to the Commission." (Jul. 12, 2017)

  • Both the Senate and House are considering bi-partisan drone bills to protect the ability of states and local government to safeguard privacy. The House's Drone Innovation Act, sponsored by Rep. Jason Lewis (R-MN) and the Senate's Drone Federalism Act, sponsored by Sen. Dianne Feinstein (D-CA), would ensure that FAA regulations do not preempt legitimate interests of local governments to protect personal privacy. Earlier this year, EPIC submitted a statement to the House Transportation Committee and a statement to the Senate Commerce Committee to emphasize the unique privacy risks of drones. EPIC explained that the FAA has failed to establish necessary privacy safeguards and that the states must be free to protect privacy interests. In 2015, EPIC sued the agency, arguing the FAA failed to protect the public from aerial surveillance. EPIC v. FAA is currently before the D.C. Circuit Court of Appeals. Argument will likely take place this fall. (Jul. 12, 2017)

  • Twenty-four Senators have sent a letter to the Presidential Election Commission demanding that the Commission abandon its attempt to collect nationwide voter data. "This request is unprecedented in scope and raises serious privacy concerns," the Senators wrote. "The requested data is highly sensitive and after recent data breaches and cyber-attacks targeting our election infrastructure, we are deeply concerned about how the Commission will maintain the security and privacy of the data." The Senators also wrote that "the Commission's lack of focus on legitimate threats, such as foreign cyber-attacks on our election infrastructure," was "troubling." In EPIC v. Commission, EPIC is seeking to block the Commission from obtaining state voter records. (Jul. 11, 2017)

  • A federal court has ordered additional briefing in EPIC's lawsuit to block the collection of state voter records by the Presidential Election Commission. The court asked EPIC to file an amended motion by Thursday, July 13. The Commission would then respond to EPIC by Monday, July 17. A ruling will likely follow. The court noted that "no additional voter roll information will be collected until this Court issues a ruling, and that information that has already been collected will be purged." Earlier this week, the Commission suspended collection of voter data in response to EPIC's lawsuit. The Commission is scheduled to hold its first public meeting on July 19, in Washington, DC. The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017). (Jul. 11, 2017)

  • EPIC has sued the White House IT Director as part of EPIC's ongoing case to block the transfer of sensitive voter data to the Presidential Election Commission. The White House IT Director, as well as the Commission, are required by law to publish a Privacy Impact Assessment before collecting any personal information. As EPIC explained to the Court earlier today, "The Commission may not play 'hide the ball' with the nation's voter records. With such vast demands for personal information come commensurate responsibilities to provide security and privacy, and to comply with all legal obligations." The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017). (Jul. 11, 2017)

  • The EPIC legal team for EPIC v. Commission includes EPIC President Marc Rotenberg (lead counsel), EPIC Senior Counsel Alan Butler, EPIC Policy Director Caitriona Fitzgerald, EPIC National Security Counsel Jeramie Scott, and EPIC Appellate Advocacy Fellow John Davisson. In EPIC v. Commission, EPIC is seeking to block the efforts of the President's Election Commission from obtaining state voter records. (Jul. 11, 2017)

  • In a court filing on Tuesday, EPIC urged a federal court to issue a temporary restraining order to block the collection of voter data by the Presidential Election Commission. "The Commission may not play 'hide the ball' with the nation's voter records," EPIC wrote. "With such vast demands for personal information come commensurate responsibilities to provide security and privacy, and to comply with all legal obligations. Surely that is fundamental for an organization charged with promoting 'election integrity.'" On Monday, the Commission suspended the collection of voter data in response to EPIC's suit. The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017). (Jul. 11, 2017)

  • Several civil rights organizations have filed lawsuits challenging the Presidential Election Commission, which EPIC sued last week. The groups include the American Civil Liberties Union, the Lawyers Committee for Civil Rights Under Law, and Public Citizen. The organizations raised several challenges similar to those in EPIC v. Commission. In response to the EPIC lawsuit, the Commission has suspended the collection of voter data from the states. (Jul. 11, 2017)

  • The President’s Election Commission announced today it would suspend the collection of state voter data in response to a lawsuit filed by EPIC last week in Washington, DC. EPIC had challenged the Commission’s use of a Department of Defense website to collect millions of state voter records—an unsecure system that is not approved for storing the public’s personal data. EPIC also charged that the Commission lacked authority to gather state voter data and said that the Commission had violated the right to information privacy. The Commission said it would not use the “SAFE” system to collect personal data. The Commission also told states “not to submit any data until this Court rules” on EPIC’s motion. The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017). (Jul. 10, 2017)

  • As the result of a Freedom of Information Act request to the IRS, EPIC has obtained hundreds of documents detailing procedures that bind private debt collectors dealing with U.S. taxpayers. Following a Congressional mandate, the IRS outsourced debt collection for some U.S. taxpayers to private debt collection agencies. Transfer of personal and financial data to private entities raises data security and privacy concerns, and also makes scams and threatening phone collection tactics easier to perpetrate. A group of U.S. senators has already accused one of the four companies of engaging in abusive and illegal phone contacts. The documents obtained by EPIC show how the IRS monitors the companies and the procedures companies must follow when contacting taxpayers. EPIC also obtained the privacy and data security requirements imposed on the debt collectors, details of how they must handle complaints, and the IRS contracts for all four companies. In FOIA lawsuit EPIC v. IRS, EPIC is also seeking the release of President Trump's Tax records from the agency. (Jul. 10, 2017)

  • EPIC and over 60 organizations urged the governments of Australia, Canada, New Zealand, the United Kingdom, and the United States to respect and defend strong encryption. These five nations, which make up a surveillance partnership of intelligence agencies, met recently to discuss national security and the challenge of encryption. The Coalition letter called for the rejection of "policies that would prevent or undermine the use of strong encryption." EPIC has advocated for strong encryption since its founding in 1994 and published the first comprehensive survey of encryption use around the world. EPIC also maintains a page on Privacy and Public Opinion. (Jul. 10, 2017)

  • A federal court set a Monday, 4 p.m. deadline for the government to file a brief in EPIC v. Commission. The court is expected to rule shortly in EPIC's lawsuit to block the President's Election Commission from collecting state voter records from across the country. In a series of filings with the court, EPIC explained that the Commission failed to prepare a Privacy Impact Assessment as required by Federal law. EPIC also charged that the Commission's demand for detailed voter histories violated the Constitutional right to privacy. And EPIC explained that the Commission has already committed multiple egregious security blunders, including directing state election officials to send voter records to an unsecure website that is not approved for storing the public's personal data. The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017). (Jul. 10, 2017)

  • The federal District Court in Washington, DC has scheduled a hearing on Friday, July 7, 2017 at 4:00 pm, to consider EPIC's motion for a Temporary Restraining Order. EPIC is seeking to block the transfer of sensitive voter data to a Presidential Commission on Election Integrity. The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017). (Jul. 6, 2017)

  • In a reply filed today in federal district court, EPIC charged that the President's Election Commission "has conceded the obvious: the privacy implications of this unprecedented demand for voter roll data from across the country are staggering." EPIC rebutted every point in the government's response, noting that the Commission often failed to cite any support for its extraordinary claims to gather personal data outside of federal privacy law. Members of the EPIC Advisory Board, experts in computer technology, contributed affidavits that underscored the vulnerabilities of the Commission's plan to aggregate personal voter data. EPIC also called Vice Chair Kobach's statements "alternately misleading or meritless." EPIC said the Commission's actions "places at risk the privacy interests of registered voters across the country." In EPIC v. Commission, EPIC is seeking to block the transfer of sensitive voter data to a Presidential Commission on Election Integrity. EPIC explained to the Court that it has "a clear likelihood of success on the merits." (Jul. 6, 2017)

  • EPIC has sent comments to the Department of Justice criticizing a proposed "insider threat" database. This database replaces a similar database that was proposed and later rescinded by the FBI last fall and would allow the DOJ to collect virtually unlimited amounts of personal data from employees, contractors, interns, and visitors to DOJ facilities. Citing the size and scope of the database combined with recent government data breaches, EPIC warned that the database was putting federal employees and contractors at risk. EPIC has consistently warned against inaccurate, insecure, and overbroad government databases. (Jul. 5, 2017)

  • EPIC has sent a statement to Congress ahead of a hearing to discuss proposed self-driving vehicle legislation. The House Energy & Commerce Committee drafted several bills related to the development and deployment of "self-driving" vehicles. EPIC urged the Committee not to pre-empt states from issuing their own self-driving vehicle regulations, to encourage developers to be transparent in the development of autonomous vehicles, and to urge that advocacy groups be included in connected car advisory councils. EPIC has been a leading advocate for privacy and safety in the development of connected and autonomous vehicles and has participated in workshops, written to NHTSA, and actively informed Congress of privacy and safety related developments in connected and autonomous vehicles. (Jul. 5, 2017)

  • In comments to the Transportation Security Administration, EPIC urged the agency to consider alternatives to expanding the collection of biometric identifiers for the TSA Pre-Check application. EPIC explained the potential for biometric identifiers to be used for purposes other than determining eligibility for Pre-Check and the substantial personal privacy risks for applicants if the databases associated with Pre-Check were compromised. EPIC also proposed privacy enhancing alternatives, such as limiting the storage of biometric identifiers or providing information on how to have information removed from databases associated with Pre-Check. EPIC routinely highlights the risks of large, overbroad government databases and the privacy risks inherent in the collection of biometric information. (Jul. 5, 2017)

  • In a declaration filed in federal court in Washington, DC, Kris Kobach, Kansas Secretary of State and Vice Chair of the Presidential Advisory Commission on Election Integrity, said that he “intended” that the voter data he requested from the states not be sent by email (the letter to the states indicated otherwise). Kobach also said that “the Commission intends to maintain the data on the White House computer systems.” Kobach acknowledged that “numerous states have indicated that they will decline to provide all or some portion of the information, in some cases because state law prohibits such transfer of information.” Kobach also said, “As of July 5, 2017, no Secretary of State had yet provided to the Commission any of the information requested in my letter.” There is no indication that the Commission has completed a Privacy Impact Assessment or complied with the requirements of the Federal Advisory Committee Act. EPIC filed an emergency motion earlier this week to block the disclosure of state voter information to the Commission, calling the data demand a violation of the Constitutional right to privacy. The Department of Justice has filed an opposition. (Jul. 5, 2017)

  • EPIC has submitted an urgent FOIA request for details of the Election Commission's attempt to gather voter records from state election officials. The Commission requested dates of birth, party affiliation, partial SSNs, voter history, and felony convictions and military service status. EPIC wants the Commission to turn over records about compliance with the Federal Advisory Committee Act, the Privacy Act, and the E-Government Act. EPIC is also seeking communications among Commission officials as well as information about the failure to conduct a Privacy Impact Assessment. Over 40 states now partially or fully oppose the request for voter records. In a related lawsuit, EPIC v. Commission, EPIC has filed for a Temporary Restraining Order to block the Commission's efforts. (Jul. 5, 2017)

  • EPIC today filed for a Temporary Restraining Order to block a demand from a Presidential Commission for millions of state voter records. In papers filed in federal district court in Washington, D.C., EPIC explained that the Commission failed to produce and publish a Privacy Impact Assessment, required by Federal law. EPIC also charged that the Commission’s demand for detailed voter histories violated the Constitutional right to privacy. And EPIC explained that the Commission had already committed two egregious security blunders—(1) directing state election officials to send voter records to an unsecure web site and (2) proposing to publish partial SSNs that would enable identity theft and financial fraud. The Court gave the government until Wednesday, July 5 to file an opposition. EPIC will then file a reply. A ruling is expected by the end of the week. The EPIC lawsuit follows a letter from 50 voting experts and 20 privacy organizations urging state election officials to oppose the Commission’s demand. The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017). (Jul. 3, 2017)

  • In a letter to state election officials, more than 50 experts and 20 privacy organizations have urged the states to oppose a request from a Presidential Advisory Commission for voter records. The recently formed Commission is seeking comprehensive voter data from all 50 states, including dates of birth, political party, partial SSNs, voter history, and information regarding felony convictions and military services. The letter from the voting experts and privacy organizations says, “This is sensitive personal information that individuals are typically required to provide to be eligible to vote. There is no indication how the information will be used, who will have access to it, or what safeguards will be established.” The letter also notes that the Presidential Commission may have failed to complete a Privacy Impact Assessment, required by federal law, prior to the collection of personal data. California, among other states, has said it will oppose the request. (Jun. 30, 2017)

  • In comments to the FCC, EPIC has proposed that telephone service providers take steps to block unlawful robocalls. The FCC is considering a new rule that would allow phone companies to block calls from numbers they know are invalid, such as numbers that have not been assigned to a subscriber. Illegal robocalls cause substantial harm to consumers and often result in identity theft and financial fraud. EPIC supports robust telephone privacy protections and recently filed an amicus brief in support of the FCC's 2015 order that strengthened consumer protections under the TCPA. (Jun. 30, 2017)

  • EPIC has submitted an urgent Freedom of Information Act request about the Justice Department's attempts to obtain state voter procedures. In a June 28th letter to the forty-four states, the DOJ requested detailed information about state voter registration maintenance requirements within 30 days. The DOJ request to the states was sent the same day a new Presidential Commission demanded extensive voter registration data from all the states. Both the DOJ request and the request of the Presidential Commission are without precedent. EPIC has a long history of defending voter privacy and election integrity. EPIC has testified before the Election Assistance Commission on Voting System Guidelines, and published a joint report The Secret Ballot at Risk: Recommendations for Protecting Democracy, highlighting how Internet voting threatens voter privacy. For more information, visit: https://epic.org/privacy/voting/. (Jun. 30, 2017)

  • In remarks today to a joint workshop of the FTC and NHTSA, EPIC President Marc Rotenberg called for the establishment of national safety standards prior to the deployment of "self-driving" vehicles on the nation's highways. "Given the current vulnerabilities of networked communications, self-driving vehicles are simply unsafe at any speed," said Mr. Rotenberg. EPIC has participated in numerous NHTSA rulemakings on auto safety, proposed stronger data protection standards for connected vehicles, and sided with consumers in a case concerning the risks of autonomous vehicles. In extensive comments for the FTC/NHTSA workshop, EPIC pointed to known vulnerabilities with Bluetooth communications, auto hacking, "level 3" control, malware and ransomware, auto repossession remote deactivation, and safety defects. EPIC urged the FTC and NHTSA to focus on "data protection, vehicle safety, consumer protection, and privacy." EPIC also said that the ability of states to develop safety standards must be maintained. EPIC warned that the failure to establish robust safety standards could be "catastrophic." (Jun. 28, 2017)

  • European antitrust officials have imposed a $2.7 billion fine on Google for favoring its own services over competitors on Google search, which now dominates 90% of the market in Europe. It is the largest antitrust fine in European history. European Commissioner Margrethe Vestager stated "Google has abused its market dominance in search by promoting its own services and demoting its competitors. What Google has done is illegal under EU antitrust rules. It has denied other companies the chance to compete on the merits and to innovate. And most importantly, it has denied European consumers the benefits of competition, genuine choice, and innovation." Google competitors and news organizations, based in the United States, favored the outcome. Over many years, EPIC had urged the US government to take a closer look at Google's anti-competitive practices. In testimony before the Senate Judiciary Committee in 2007, EPIC warned that Google's growing dominance of online advertising would diminish user privacy and market competition. In a statement to the FTC in 2011, EPIC explained that Google altered the search rankings of YouTube after it acquired the company to preference Google's content over that of competitors and NGOs, including EPIC. In 2012, EPIC told the FTC that "Google's business practices raise concerns related to both competition and the implementation of the Commission's consent order." EPIC later sued the FTC for its failure to enforce the consent order. (Jun. 27, 2017)

  • EPIC President Marc Rotenberg was elected by members of the Civil Society Information Society Advisory Committee to a two-year term on the CSISAC Steering Committee. CSISAC is "the voice of Civil Society at the OECD" on the future of the digital economy. CSISAC facilitates the exchange of information between the OECD and civil society. CSISAC follows the Seoul Declaration set out at the OECD Ministerial in South Korea in 2008. CSISAC recently hosted a forum, "Toward an Inclusive, Equitable, and Sustainable Digital Economy," in conjunction with the 2016 OECD Ministerial conference in Mexico. (Jun. 27, 2017)

  • The Federal Trade Commission has updated its guidance for businesses on complying with the Children's Online Privacy Protection Act. The new guidance clarifies that connected toys, Internet of Things devices, and other products intended for children must comply with the Act. "When companies surreptitiously collect and share children's information, the risk of harm is very real," FTC acting Chair Maureen Ohlhausen recently wrote. An EPIC-led coalition filed a complaint with the FTC in 2016 alleging that Internet-connected dolls violate U.S. privacy law. EPIC's complaint spurred a congressional investigation and toy stores across Europe have removed Cayla from their shelves. The FTC acknowledged EPIC's complaint but has yet to act on it. (Jun. 27, 2017)

  • In a motion filed in EPIC v. ODNI, the government contends that it is not obligated to review a critical government report for even partial release under the Freedom of Information Act. EPIC filed the lawsuit for the release of the complete report on the Russian interference with the 2016 election after the ODNI published a limited, declassified version. "The ODNI should release the complete report to EPIC so that the public and the Congress can understand the full extent of the Russian interference with the 2016 Presidential election," EPIC President Marc Rotenberg told POLITICO. "It is already clear that government secrecy is frustrating meaningful oversight. The FBI, for example, will not even identify the states that were targeted by Russia." EPIC will challenge the agency's response as the litigation continues in federal district court in Washington, DC. EPIC v. ODNI is one of several FOIA suits EPIC is pursuing under the new EPIC Democracy and Cybersecurity Project focused on preserving democratic institutions. In EPIC v. IRS EPIC seeks release of President Trump's Tax records. In EPIC v. FBI, EPIC has already obtained the Bureau's procedures for notifying organizations that are the target of a cyber attack. (Jun. 27, 2017)

  • The TSA is considering a requirement to remove books from carry-on luggage for inspection during security screenings. The procedure raises concerns that individuals may be singled out for their religious and political beliefs, implicating core First Amendment values. In 2015 a college student won a $25,000 settlement after he was detained by the TSA for carrying Arabic flash cards. EPIC has pursued litigation against invasive airport screening techniques. In EPIC v. DHS, EPIC successfully sued to require the Department of Homeland Security to obtain public comment on the use of body scanners in U.S. airports. The litigation also led to the removal of the backscatter x-ray devices from airports. EPIC recently filed a FOIA request to determine why US travelers returning to the United States are subject to biometric identification. In numerous cases, including a recent case before the US Supreme Court, EPIC has argued for the freedom to without government surveillance. (Jun. 27, 2017)

  • EPIC filed a court brief Monday opposing an attempt by the Internal Revenue Service to dismiss EPIC's FOIA lawsuit for President Trump's tax returns. EPIC filed the suit for the tax records on April 15 after the IRS refused to process EPIC's FOIA Request for the President's returns. The IRS responded by asking the court to dismiss the case, insisting that the agency did not have to process EPIC's request because the President's consent had not been obtained. As EPIC told the court on Monday, the IRS focused on the wrong law, ignoring a provision that gives EPIC a right to access the President's tax records without consent. EPIC explained that the agency's argument "is irrelevant to the processing of this particular FOIA request." EPIC v. IRS is one of three leading open government cases concerning Russian interference with the 2016 Presidential election. In EPIC v. ODNI, EPIC is seeking the release of the complete report on the scope of the attack. In EPIC v. FBI, EPIC is seeking information about the FBI’s response to the attack. (Jun. 27, 2017)

  • The Supreme Court has declined to review the ruling of a state court that upheld the use of a secret algorithm to determine a criminal sentence. The petitioner Loomis argued that he was not able to assess the fairness or accuracy of the legal judgement, and that the secret "risk assessment" algorithm therefore violated fundamental Due Process rights. EPIC has pursued several related cases to establish the principle of algorithmic transparency in the United States. In EPIC v. DHS, EPIC obtained documents about secret behavioral algorithms that purportedly determine an individual's likelihood of committing a crime. In a series of state FOI cases, EPIC obtained records from state agencies about the use of proprietary DNA analysis tools to determine guilt or innocence. EPIC is currently litigating EPIC v. CBP before the DC Circuit Court of Appeals, a case concerning the secret scoring of airline passengers by the federal government. (Jun. 26, 2017)

  • In advance of a hearing on the Foreign Intelligence Surveillance Act, EPIC has sent a statement to the Senate Judiciary Committee urging increased public reporting of the government's surveillance activities under section 702. EPIC also highlighted the need to restore the Privacy and Civil Liberties Oversight Board (PCLOB) to full strength. As Judge Patricia Wald recently stated in remarks at the EPIC Champions of Freedom Dinner, "an agency dedicated to protecting privacy and civil liberties inside the intelligence community with access to classified material is a uniquely valuable asset in the ever difficult search for the right balance between national security and democratic values." EPIC testified before the House Judiciary Committee in support of increased transparency during the 2012 FISA reauthorization hearings. Analysis of 702 reform by Prof. Laura Donohue. (Jun. 23, 2017)

  • After a decade of controversy, Google announced that it will stop scanning the content of all Gmail. Google stopped scanning e-mails for education in 2014 after a lawsuit charged that it violated wiretap laws. Google faced similar allegations in many other cases in the United States and around the world. EPIC warned about Google's e-mail scanning practices back in 2005 and filed a complaint with the FTC in 2009 over the privacy risks in Google's insecure cloud computing services, including Gmail. In 2014, EPIC led a successful campaign to stop Google from scanning student emails for commercial advertising. Last year, EPIC filed a friend-of-the-court brief in a Massachusetts case, again objecting to Google's Gmail scanning. EPIC explained in 2005 that Google's email service undermined online privacy and prevented the adoption of important security methods, such as end-to-end encryption. (Jun. 23, 2017)

  • In advance of the hearing on Russian Interference with the 2016 U.S. Election, EPIC has sent a statement to the Senate Intelligence Committee. EPIC urged the Committee to ask the FBI witness whether the FBI Victim Notification procedures were followed once the FBI became aware of the Russian cyberattack on the DNC and the RNC. In a Freedom of Information Act lawsuit EPIC v. FBI, EPIC obtained the FBI notification procedures that would have applied during the 2016 Presidential election. The documents indicate that the FBI Cyber Division is to "notify and disseminate meaningful information to victims and the CND [Computer Network Defense] community." The obvious question at this point, said EPIC, is whether the FBI followed the required procedures for Victim Notification once the Bureau became aware of this attack. In a related FOIA case, EPIC v. ODNI, EPIC is seeking the public release of the complete report of the intelligence community on the Russian interference with the 2016 election. EPIC sent a similar letter to the House Intelligence Committee. (Jun. 20, 2017)

  • EPIC has sent a statement to the House Appropriations Committee in advance of a hearing on the FBI's budget. EPIC urged the Committee to examine the FBI's Next Generation Identification program. EPIC explained that the program "raises far-reaching privacy issues that implicate the rights of Americans all across the country." The FBI biometric database is one of the largest in the world, but the Bureau proposed to exempt the database from Privacy Act protections. EPIC and others supported strong safeguards for the program. In an early FOIA case against the FBI, EPIC obtained documents which revealed high error levels in the biometric database. EPIC has recently filed a FOIA lawsuit against the FBI for information about the agency's plans to transfer biometric data to the Department of Defense. (Jun. 20, 2017)

  • In advance of a White House / OSTP meeting on "emerging technologies," EPIC has sent a statement to the Office of Science and Technology Policy. EPIC urged the Administration to focus on consumer protection and address the numerous privacy and security risks related to the "Internet of Broken Things." EPIC recommended Privacy Enhancing Technologies, data minimization, and security measures for Internet-connected devices. EPIC also urged the Administration to issue regulations on drone privacy as mandated by Congress and to establish minimum safety standards for connected cars. EPIC warned that "The unregulated collection of personal data and the growth of the Internet of Things has led to staggering increases in identity theft, security breaches, and financial fraud in the United States." (Jun. 20, 2017)

  • In a statement to the Senate Committee on Appropriations, EPIC asked Congress to obtain assurances from the FCC Chair to repeal the FCC regulation that requires telephone companies to keep customers' phone records for 18 months. EPIC warned that the regulation "places at risk the privacy of users of network services." Two years ago, EPIC, joined by consumer privacy organizations, technical experts, and legal scholars, submitted a formal petition to the FCC, calling for the repeal of the data retention rule. The FCC recently docketed the petition and accepted public comments on the matter. All of the commentators favored the EPIC petition to end the mandate. The next step will be for the FCC to begin a Rulemaking to Repeal 47 C.F.R. § 42.6 ("Retention of Telephone Records"). (Jun. 20, 2017)

  • The U.S. Supreme Court ruled today in Packingham v. North Carolina, striking down a state law that barred people listed on a sex offender registry from accessing commercial websites that allow minors to register and communicate. The North Carolina ban covered major news sites such as the Washington Post and CNN. "[T]o foreclose access to social media altogether is to prevent the user from engaging in the legitimate exercise of First Amendment rights," the Court wrote. "Even convicted criminals—and in some instances especially convicted criminals—might receive legitimate benefits from these means for access to the world of ideas, in particular if they seek to reform and to pursue lawful and rewarding lives." EPIC filed an amicus brief in the case, joined by 30 technical experts and legal scholars, explaining that the state law violated the right to receive information, censored vast amounts of speech unrelated to protecting minors, and encouraged widespread government monitoring of all internet users. Justice Ginsburg quoted EPIC's brief at oral argument, and the justices' written opinions noted policies and studies cited in the EPIC brief. EPIC frequently files amicus briefs on emerging privacy and civil liberties issues. (Jun. 19, 2017)

  • The European Parliament's Committee on Civil Liberties, Justice, and Home Affairs has released a draft report on regulations for privacy and electronic communications. The draft contains several proposals to strengthen online privacy, including end-to-end encryption in all electronic communications and a ban on encryption backdoors. Protecting the privacy of communications is "an essential condition for the respect of other related fundamental rights and freedoms," according to the report. EPIC has urged the FCC to follow developments with the ePrivacy Directive and has recommended the use of end-to-end encryption in applications including commercial e-mail and connected cars. (Jun. 19, 2017)

  • EPIC has filed an urgent Freedom of Information Act request for the "long standing" DOJ policy for withholding from Congress communications between the Attorney General and the President. On June 13, 2017 Attorney General Sessions testified before the Senate Select Committee on Intelligence regarding the Russian interference in the 2016 Presidential election. The Attorney General refused to answer many questions, citing a "long standing" DOJ practice not to share "communications" between the AG and the President or "comment on [such] conversations" for "confidential reasons." EPIC has filed a formal FOIA request with the Department of Justice seeking public release of the DOJ policy, described by the Attorney General. (Jun. 16, 2017)

  • According to news reports, the FTC is pursuing EPIC's privacy complaint regarding Uber. In 2015, EPIC filed a complaint with the Federal Trade Commission charging that Uber's plan to track users and gather contact details was an unlawful and deceptive trade practice. EPIC cited Uber's history of misusing customer data as one of many reasons the Commission should act. EPIC has previously pursued successful FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. The FTC complaints typically lead to settlements following a change in business practices. EPIC has also recommended comprehensive privacy legislation for Uber. (Jun. 15, 2017)

  • EPIC has sent a statement to the House Judiciary Committee for a hearing on "Data Stored Abroad." According to news reports, the United States and the United Kingdom are drafting a secret agreement for transnational access to personal data that would bypass legal and judicial safeguards. In November 2016, EPIC filed a FOIA Request for the draft US-UK agreement. The Justice Department recently informed EPIC that responsive documents had been located and would be referred to the State Department for additional processing. EPIC has long pursued public release of international agreements. In 2016, EPIC obtained the "Umbrella Agreement," concerning the transfer of personal data from the EU to the US, after a successful Freedom of Information Act lawsuit. (Jun. 14, 2017)

  • The Internal Revenue Service has asked a court to dismiss EPIC's FOIA lawsuit for President Donald Trump's tax records. EPIC filed the suit on April 15 after the IRS refused to consider a FOIA request for the President's returns. As EPIC told the court, "There has never been a more compelling FOIA request presented to the IRS." EPIC also explained that IRS Commissioner is empowered to release tax returns to "correct misstatements of fact" and to ensure the "integrity and fairness" of the tax system. In yesterday's filing, the IRS conceded that "the FOIA provides an adequate remedy in this case" but insisted that the agency did not have to process EPIC's request or release any records. (Jun. 13, 2017)

  • During a Senate Appropriations budget hearing today, Deputy Attorney General Rosenstein said that the use of unbreakable encryption "severely impairs our ability to conduct investigations." The Department of Justice is requesting $21.6 million to "counter the threat of Going Dark." Last year, EPIC filed an amicus brief in Apple v. FBI in support of encryption. EPIC argued that the "security features in dispute in this case were adopted to protect consumers from crime." EPIC explained that an order to compel Apple to take extraordinary measures to undo these features places at risk millions of cell phone users across the United States. (Jun. 13, 2017)

  • A federal district court has held that firing public school teachers based on the results of a secret algorithm is unconstitutional. The case, Houston Federation of Teachers vs. Houston Independent School District, concerned a commercial software company's proprietary appraisal system that was used to score teachers. Teachers could not correct their scores, independently reproduce their scores, or learn more than basic information about how the algorithm worked. "When a public agency adopts a policy of making high stakes employment decisions based on secret algorithms incompatible with minimum due process, the proper remedy is to overturn the policy," the court wrote. EPIC recently filed a complaint asking the FTC to stop the secret scoring of young tennis players. EPIC has pursued several cases on "Algorithmic Transparency," including one for rating travelers and another for assessing guilt or innocence. (Jun. 13, 2017)

  • EPIC and over 30 organizations urged the Director of National Intelligence Dan Coats to uphold a promise to provide a public estimate of how many Americans are caught up in NSA surveillance of foreign targets. The coalition, including EPIC, previously pushed for the estimate. Americans' communications are "incidentally" collected under section 702 of the Foreign Intelligence Surveillance Act, and the FBI searches this data without a warrant or judicial oversight. EPIC, in testimony before Congress and comments to the Privacy and Civil Liberties Oversight Board, has repeatedly called for greater oversight and transparency of surveillance authorities. (Jun. 13, 2017)

  • The Article 29 Working Party, an expert group of European privacy officials, is pressing the European Commission to closely evaluate the EU-US Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. In a letter to the Commission, the Working Party outlined its expectations for this summer's annual review of the arrangement. The Group asked for "precise evidence" that bulk surveillance is "limited and proportionate." The Working Party also seeks information about vacancies in key privacy oversight positions, including the Privacy and Civil Liberties Oversight Board and the Privacy Shield Ombudsperson, and any legal protections for "automated decision making." The European Parliament previously expressed alarm over the rollback of U.S. privacy safeguards necessary for the Privacy Shield. In 2015, EPIC and a coalition of privacy organizations urged the US and the EU to strengthen privacy protections following a landmark decision that found insufficient legal protections for the transfer of consumer data to the US. At a hearing before the High Court of Ireland, EPIC Senior Counsel Alan Butler made submissions in DPC v. Facebook, highlighting weaknesses in US privacy law. (Jun. 13, 2017)

  • EPIC has sent a statement to the House Energy and Commerce Committee in advance of a hearing on "IOT Opportunities and Challenges." EPIC raised the "significant privacy and security risks" of the Internet of Things. A recent report from the Pew Research Center on the Internet of Things underscores the need to develop new safeguards for what some call "The Internet of Broken Things." EPIC has been at the forefront of policy efforts to establish safeguards for connected cars, "smart homes," consumer products, and "always on" devices. (Jun. 13, 2017)

  • EPIC launched the "My Calls, My Data" campaign today, urging the public to support a proposal to end the FCC's data retention mandate. The 1986 regulation requires telephone companies to keep the telephone numbers dialed, date, time, and call length of all U.S. telephone customers for an 18-month period. An EPIC-led coalition filed a petition in 2015 calling for repeal of the rule, saying that the FCC's mandate "violates the fundamental right to privacy, exposes consumers to data breaches, stifles innovation, and reduces competition." The FCC is now seeking comments. "There is hardly a better regulation to end than the FCC's data retention mandate," said EPIC President Marc Rotenberg. "It is ineffective, burdensome, and costly." Comments may be filed online and are due by June 16, 2017. (Jun. 13, 2017)

  • EPIC has sent a statement to the House Appropriations Committee in advance of a budget hearing for Immigration and Customs Enforcement and Customs and Border Patrol. EPIC urged the Committee to ask whether ICE is complying with FOIA "when it receives requests for immigration data." EPIC and a coalition recently sent a letter to DHS Secretary Kelly calling on ICE to "fully disclose information on immigration enforcement cooperation between federal and non-federal law enforcement agencies." EPIC also said the Committee should ensure that CBP, which is now deploying drones, will comply with state laws and a 2015 Presidential Memorandum that limit drone surveillance. (Jun. 12, 2017)

  • EPIC has sent a statement to the House Judiciary Committee in advance of the hearing on "Lawsuit Abuse and the Telephone Consumer Protection Act." The telemarketing law bars telemarketers and robocallers from contacting consumers by phone, fax, or text without prior consent. EPIC acknowledged that class action settlements often fail to provide direct financial benefits to consumers, but explained that "TCPA cases are among the most effective privacy class actions because they typically require companies to change their business practices to comply with the law." Last year, EPIC filed an amicus brief in support of TCPA protections for consumers. EPIC has also testified before Congress about the telemarketing law and submitted many comments concerning its implementation. (Jun. 12, 2017)

  • EPIC sent a statement to the House Committee on Transportation & Infrastructure ahead of a hearing on FAA Reauthorization. Emphasizing the unique privacy risks of drones, EPIC explained that the FAA has failed to establish necessary safeguards. In 2015, EPIC sued the agency, arguing that it failed to comply with Congressional directives. Following a petition by EPIC, the agency received hundreds of comments in support of privacy rules. EPIC also told Congress that the FAA has excluded privacy experts from the agency task force on drone policy. (Jun. 9, 2017)

  • Senator Dianne Feinstein, the former chair of the Senate Intelligence Committee, today outlined reforms to Section 702 surveillance authority. The law, which allows the NSA "PRISM" and "Upstream" surveillance programs, is set to expire at the end of this year. Senator Feinstein would end permanently the NSA's "about" searches, expand the amicus role at the intelligence court, and require the continued sunsetting of FISA authorities created in the FISA Amendments Act of 2008. In 2012, EPIC testified before Congress on the need to establish better oversight for Section 702 prior to renewal. (Jun. 9, 2017)

  • The Irish High Court has reviewed recent decisions by the U.S. surveillance court and a federal appeals court for a case on the legality of Facebook's transfers of personal data from the EU to the United States. EPIC explained that the modifications to the NSA's "Upstream" program were significant, but emphasized that the scathing rebuke of the NSA's prior violations and "institutional lack of candor" show that there are not adequate limitations in the US on mass surveillance. And Congress has been unwilling so far to modify the Section 702 collection authority. EPIC is represented by FLAC (Free Legal Advice Centres), an independent human rights organization, based in Dublin, dedicated to the realization of equal justice for all. (Jun. 9, 2017)

  • EPIC submitted a statement to a House Committee hearing on financial technologies on the risks of new financial services. Companies now use social media data and secret algorithms to make determinations about consumers. They are also reaching out, through the "Internet of Things," to control consumers. EPIC recently filed a complaint with the CFPB about "starter interrupt devices," deployed by auto lenders to remotely disable cars when individuals are late on their payments. (Jun. 9, 2017)

  • In comments to the Department of Homeland Security, EPIC urged the agency to withdraw proposed Privacy Act exemptions. The FALCON database contains detailed personal information on ICE and CBP employees, and individuals associated with ICE investigations including victims and witnesses. For this government database, DHS has proposed to exempt itself from several Privacy Act protections including ensuring that the records are accurate, timely, and complete. EPIC has consistently warned against inaccurate, insecure, and overbroad government databases. The FBI recently postponed an "Insider Threat" database that also lacked adequate Privacy Act safeguards. (Jun. 8, 2017)

  • The FCC is seeking comments on EPIC's petition to revoke the FCC's rule requiring mandatory retention of phone records. Current FCC regulations require phone companies to retain sensitive information on all telephone customer calling activity for 18 months, including telephone numbers dialed, date, time, and call length. The petition, filed in August 2015, states that the FCC's mandate "violates the fundamental right to privacy, exposes consumers to data breaches, stifles innovation, and reduces competition. It is outdated and ineffective. It should end." The EPIC petition is supported by a broad coalition of civil liberties organizations, technical experts, and legal scholars. The FCC docket number is 17-130. Comments are due on June 16, 2017. (Jun. 7, 2017)

  • As the result of a FOIA Request, EPIC has obtained nearly two hundred pages of reports about the Army surveillance blimp that broke free and crash landed in Pennsylvania. In 2015 the blimp roamed the East Coast before its crash and caused blackouts across the Pennsylvania countryside as it downed power lines. The documents obtained by EPIC include technical reports, a field investigation, and maintenance worksheets. The reports reveal the tail of the blimp failed, raising questions about the government's maintenance of the controversial and very expensive surveillance program. Through an earlier FOIA lawsuit, EPIC uncovered details about the plan to deploy the surveillance blimp over Washington, DC. The Runaway Blimp launched an Internet meme. (Jun. 7, 2017)

  • In advance of the hearing with former FBI Director James Comey, EPIC has sent a statement to the Senate Intelligence Committee. EPIC urged the Committee to ask Comey whether FBI Victim Notification procedures were followed in notifying the DNC and the RNC once the FBI became aware of the Russian cyberattack on US political organizations. In the Freedom of Information Act lawsuit EPIC v. FBI, EPIC has obtained the FBI notification procedures that would have applied to the Russian cyberattacks during the 2016 Presidential election. The documents obtained by EPIC establish that the FBI Cyber Division is to "notify and disseminate meaningful information to victims and the CND [Computer Network Defense] community." The obvious question at this point is whether the FBI followed the required procedures for Victim Notification once the Bureau became aware of this attack. (Jun. 7, 2017)

  • A National Security Agency document leaked to The Intercept details Russian attempts to interfere in the 2016 Presidential Election via cyber attacks. The document concludes that the attacks were carried out by Russian military intelligence and involved spear-phishing emails and a cyber attack on a private manufacturer of devices that maintain and verify the voter rolls. EPIC is currently litigating EPIC v. ODNI, EPIC v. FBI, and EPIC v. IRS, three of the leading open government cases concerning Russian interference with the 2016 Presidential election. (Jun. 6, 2017)

  • In advance of a hearing on the Foreign Intelligence Surveillance Act, EPIC has sent a Statement to the Senate Select Committee on Intelligence urging increased transparency and new public reporting of the Government's surveillance activities. EPIC also highlighted several legal challenges to an NSA bulk surveillance program abroad. The bulk surveillance program for the communications of non-U.S. persons sunsets on December 31, 2017. EPIC testified before the House Judiciary Committee during the 2012 FISA reauthorization hearings, recommended improved public reporting, and warned pre-Snowden that the extent of mass surveillance was much greater than was known to the public. (Jun. 6, 2017)

  • The Pew Research Center has released a report surveying experts about the security implications of the Internet of Things. The survey found a broad consensus that growth in the IoT will bring with it an increased risk of real-world physical harm. "The essential problem is that it will be impractical for people to disconnect," said EPIC President Marc Rotenberg in the survey. "Cars and homes will become increasingly dependent on internet connectivity. The likely consequence will be more catastrophic events." The ACM recently released a Statement of IoT Privacy and Security, which lists principles for protecting privacy and security in IoT devices. EPIC has been at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices. (Jun. 6, 2017)

  • At the National Press Club in Washington, DC, EPIC presented the 2017 EPIC Lifetime Achievement Award to computer scientist Ron Rivest, the 2017 EPIC Privacy Champion Award to privacy attorney Carrie Goldberg, and the 2017 EPIC Champion of Freedom Awards to judge Patricia Wald and human rights advocate Garry Kasparov. The EPIC awards are presented annually to those who protect privacy, open government, and democratic institutions with courage and integrity. Manoush Zomorodi, podcaster of Note to Self, and Bruce Schneier, security technologist, cohosted. Remarks of Judge Wald. (Jun. 5, 2017)

  • A federal judge in Washington, DC has issued a final order granting EPIC substantial attorney's fees in a long-running case against the Department of Homeland Security. EPIC sued the DHS in 2012 for information about a secret program to monitor Internet traffic. The "Cyber Pilot" program applied originally to defense contractors, but an executive order dramatically expanded the program, raising concerns about violations of federal wiretap law. EPIC's lawsuit produced the release of several thousand pages on the program. EPIC sought attorney's fees for the successful litigation, which the DHS opposed. In November, Judge Gladys Kessler ruled that EPIC was entitled to attorney's fees because it "substantially prevailed in [the] litigation" and added "to the fund of information that citizens may use in making vital political choices." On Monday, Judge Kessler confirmed that decision and awarded EPIC nearly $100,000 in fees—the largest such award in EPIC's history. (Jun. 5, 2017)

  • The U.S. Supreme Court has granted review in Carpenter v. United States, a case concerning the privacy of cell phone location data. At issue is data that can be used to track cell phone users and whether police are required to obtain warrants to conduct these searches. A lower court ruled that the Fourth Amendment does not require officers to get a warrant before they obtain location records from a cell phone provider. In State v. Earls, EPIC successfully argued that a warrant is required under the New Jersey constitution. EPIC will file an amicus in Carpenter supporting the application of the warrant standard to obtain location data. (Jun. 5, 2017)

  • On Monday, June 5th, EPIC will host a policy panel at the National Press Club to discuss "Democracy & Cybersecurity: Preserving Democratic Institutions." EPIC is currently litigating three of the leading open government cases concerning Russian interference with the 2016 Presidential election. Speakers include Steven Aftergood of the Federation of American Scientists, Alan Butler, Senior Counsel at EPIC, Professor Jennifer Daskal, and renowned security expert Bruce Schneier. The panel will be hosted by Manoush Zomorodi of WNYC's "Note to Self." Register at https://epic.org/events/cybersecurity/. (Jun. 1, 2017)

  • A new report from The FOIA Project tracks many of the Freedom of Information Act lawsuits filed by media organizations and journalists in 2017. According to TRAC, forty-five new FOIA lawsuits were filed by thirty-nine news organizations and reporters. The New York Times, with six FOIA suits, filed suit most frequently. In second place is EPIC, which has already filed four FOIA lawsuits in 2017, including a suite of lawsuits under the new EPIC Democracy and Cybersecurity Project focused on preserving democratic institutions. In EPIC v. ODNI, EPIC seeks public release of the January 2017 report of the intelligence community on Russian hacking, and in EPIC v. IRS, EPIC seeks release of President Trump's tax records. In EPIC v. FBI, EPIC has already obtained the Bureau's procedures for notifying organizations that are the target of a cyber attack. EPIC has asked Congress to determine whether the FBI did enough to notify US political organizations about Russian cyber attacks during the 2016 Presidential election. (May. 31, 2017)

  • The FBI has postponed a plan to establish an "insider threat database" of FBI employees that would have included vast amounts of personal data, such as medical diagnostics and biometric data, on FBI employees, family members, dependents, relatives, and other personal associations. EPIC submitted comments critical of the agency plan that would have also removed important Privacy Act safeguards. The Department of Justice suggested that the delay is temporary and that a similar database may still be established for Department of Justice components. EPIC has consistently warned against inaccurate, insecure, and overly intrusive government databases. (May. 31, 2017)

  • In comments to Customs and Border Protection, EPIC opposed a plan to obtain social media information from visa applicants. EPIC said the CBP proposal threatens First Amendment rights, risks abuse, and would disproportionately impact minority groups. EPIC has previously opposed proposals to collect social media information from individuals seeking to enter the United States. In a FOIA lawsuit against DHS, EPIC obtained documents which revealed that federal agencies gather social media comments to identify individuals critical of the government. EPIC is currently pursuing a FOIA request about a revised DHS plan to require disclosure of social media passwords before allowing entry into the country. (May. 31, 2017)

  • In a cursory per curiam opinion, the D.C. Circuit denied EPIC's petition for review of the TSA's final rule mandating body scanners in U.S. airports. EPIC argued in EPIC v. DHS II that the TSA had failed to justify body scanners as compared with less invasive, more effective screening techniques, such as magnetometers combined with explosive trace detection. Public comments overwhelmingly favored EPIC's recommendations to the federal agency. EPIC also argued that the TSA's decision to end the opt-out was contrary to the D.C. Circuit's earlier opinion in EPIC v. DHS I, which held that passengers could opt out of the invasive screening technique. As Judge Ginsburg explained in the earlier case, "Despite the precautions taken by the TSA, it is clear that by producing an image of the unclothed passenger, an AIT scanner intrudes upon his or her personal privacy in a way a magnetometer does not." Judge Ginsburg further said, "any passenger may opt-out of AIT screening in favor of a patdown, which allows him to decide which of the two options for detecting a concealed, nonmetallic weapon or explosive is least invasive." (May. 30, 2017)

  • Senator Mark Warner has sent a letter to the Federal Trade Commission expressing his concern about connected toys that spy on children. "I worry that protections for children are not keeping pace with consumer and technology trends shaping the market for these products," Senator Warner said in the letter. Senator Warner asked FTC Acting Chairwoman Maureen Ohlhausen to respond to several questions, including whether the FTC has "taken any action with respect to 'My Friend Cayla' or other products manufactured by Genesis Toys." EPIC filed a complaint with the FTC in December, 2016, alleging that toys My Friend Cayla and i-Que Intelligent Robot violate federal privacy laws. The complaint spurred international efforts to ban the toys from the marketplace and a congressional investigation into the toy makers' data practices. (May. 23, 2017)

  • EPIC has sent a statement to the House Ways & Means Committee and House Committee on Oversight and Government Reform in advance of a hearing on "Protecting Americans' Identities: Examining Efforts to Limit the Use of Social Security Numbers." EPIC warned about the danger of SSN-related identity theft. "Given the growing risk of identity theft coupled to the SSN and the ease of alternative systems, there is simply no excuse for the use of SSNs in either the public or private sector," said EPIC. EPIC has long urged Congress and state legislators to limit use of the SSN. (May. 22, 2017)

  • In advance of an IRS Oversight hearing, EPIC has sent a statement to the House Appropriations Committee regarding EPIC v. IRS, the case in which EPIC is seeking release of President Trump's tax records. According to EPIC, "There has never been a more compelling FOIA request presented to the IRS." In the request to the IRS, EPIC explained that the IRS Commissioner may release tax returns to "correct misstatements of fact" and to ensure the "integrity and fairness" of the tax system. EPIC is currently pursuing several high level FOIA cases, including EPIC v. FBI and EPIC v. ODNI, to determine the scope of Russian interference with the 2016 Presidential election. (May. 22, 2017)

  • The FBI is opposing EPIC's emergency motion to preserve records in a Freedom of Information Act case for records of the Russian Interference with the 2016 Presidential Election. Following Donald Trump's abrupt firing of FBI Director James Comey, EPIC asked a federal court to issue a preservation order for records at issue in EPIC v. FBI and to impose sanctions if the order is violated. EPIC cited irregular circumstances surrounding the firing of the FBI Director, as well as concerns expressed by members of Congress and Senators regarding the possible destruction of FBI records. In the filing today, the FBI suggested that EPIC would have to provide actual evidence of destruction of records before a court could issue a preservation order to prevent destruction of records. (May. 19, 2017)

  • Rep. Marsha Blackburn (R-TN) has introduced the Browser Act, H.R. 2520, aimed at protecting online privacy. The Browser Act would apply to ISPs as well as Internet companies, such as Google and Facebook, and would generally require "opt-in" consent before sensitive information could be collected or disclosed. However, the bill lacks a private right of action or a remedy for violations. The bill gives enforcement authority to the FTC, which has mostly failed to protect consumers' online privacy. The bill lacks data breach notification, and would overwrite stronger state privacy laws that protect consumers. In comments to the FCC and elsewhere, EPIC has set out a comprehensive framework for online privacy. (May. 19, 2017)

  • A federal appeals court has struck down the FAA's rule requiring hobbyists to register their drones. The D.C. Circuit ruled that a registration requirement violated the FAA Modernization Act which forbade regulations for "model aircraft," including unmanned drones "flown for hobby or recreational purposes." EPIC is currently challenging the FAA's failure to establish privacy rules for "small, commercial" drones. Congress required a "comprehensive plan" for drone deployment in the United States, and more than 100 experts and organizations petitioned the agency for privacy safeguards. EPIC v. FAA is fully briefed and arguments before the D.C. Circuit are anticipated this fall. (May. 19, 2017)

  • In comments to the State Department, EPIC urged the agency to drop a plan to obtain the social media identifiers of individuals applying for visas to enter the U.S. EPIC argued that the proposal threatens important First Amendment rights, risks abuse, and would disproportionately impact certain minority groups. EPIC has previously opposed DHS proposals to collect social media information and recently submitted a FOIA request following statements made by the Homeland Security Secretary, indicating DHS planned to ask individuals for social media passwords before allowing entry into the U.S. (May. 19, 2017)

  • The EU has fined Facebook $122 million for misleading the European Commission during the investigation of the Facebook-WhatsApp Merger. Following Facebook's acquisition of WhatsApp, WhatsApp transferred users' personal data to Facebook and violated the company's privacy promises. Facebook had downplayed the risks of the merger, saying that WhatsApp users' personal data could not be linked with their Facebook accounts. "U.S. antitrust law has failed to keep up with the digital economy and the emergence of monopoly services," EPIC president Marc Rotenberg told the New York Times. "There is far too much 'lock in' with a dominant provider, and far too much consolidation of personal data." The head of BEUC, the European consumer association, said "It is very disappointing that the Commission decided not to revise its original decision on the Facebook merger with WhatsApp." EPIC recently urged the Senate Judiciary Committee to consider the role of consumer privacy and data protection in merger reviews and highlighted the FTC's failure to block the Facebook-WhatsApp merger. (May. 18, 2017)

  • EPIC has filed an urgent Freedom of Information Act request with the Federal Bureau of Investigation for former Director James Comey's memos concerning his communications with President Trump. On May 16th, 2017, the New York Times reported Mr. Comey documented "every phone call and meeting he had with the president." The memos tracked "what he perceived as the president's improper efforts to influence a continuing investigation," the Times said. EPIC has filed a formal FOIA request for the public release of all of Director Comey's memos, including a memo describing his meeting with President Trump concerning National Security Advisor Flynn's resignation. Leaders of the Senate Intelligence Committee and House Oversight Committee both requested the FBI to turn over the memos to Congress. EPIC also recently filed an emergency motion to preserve records in EPIC v. FBI, a FOIA lawsuit for records concerning the Russian Interference with the 2016 Presidential Election. (May. 17, 2017)

  • EPIC has filed a complaint with the Federal Trade Commission to stop the secret scoring of young tennis players. The EPIC complaint concerns the "Universal Tennis Rating", a proprietary algorithm used to assign numeric scores to tennis players, many of whom are children under 13. "The UTR score defines the status of young athletes in all tennis-related activity; impacts opportunities for scholarship, education and employment; and may in the future provide the basis for 'social scoring' and government rating of citizens," according to EPIC. EPIC urged the FTC to "find that a secret, unprovable, proprietary algorithm to evaluate children is an unfair and deceptive trade practice." In 2015, EPIC launched a campaign on "Algorithmic Transparency" and has pursued several cases, including one for rating travelers and another for assessing guilt or innocence, that draw attention to the social risks of secret algorithms. (May. 17, 2017)

  • In the Freedom of Information Act lawsuit EPIC v. FBI, EPIC has obtained the FBI notification procedures that would have applied to the Russian cyberattacks during the 2016 Presidential election. The documents obtained by EPIC establish that the FBI Cyber Division is to "notify and disseminate meaningful information to victims and the CND [Computer Network Defense] community." The Cyber Division specifically notifies the "individual, organization, or corporation that is the owner or operator of the computer at the point of compromise or intrusion." The analysis to determine whether or not to notify the victim, as well as FBI procedures for approval or deferral of notification, the timing of notification, the method of notification, and more were all redacted by the agency. EPIC intends to challenge these withholdings. The FBI's response raises questions about whether the agency fulfilled the obligation to properly notify the victims of the Russian cyberattacks. The Intelligence Community assessed that both major US political parties were attacked. The FBI also produced notification procedures for threats to life or serious bodily injury, and certain procedures under the Foreign Intelligence Surveillance Act. Next in the case, EPIC anticipates the release, on May 26, of FBI communications with political organizations and federal agencies concerning the Russian interference. (May. 15, 2017)

  • The Ninth Circuit Court of Appeals has granted rehearing of a decision that stripped the FTC of its authority over companies engaged in "common carrier" activities. The grant of rehearing vacates the court's earlier holding that the common carrier exemption to FTC authority is status-based, not activity-based. EPIC and a coalition of consumer advocates had filed a friend-of-the-court brief urging reconsideration of the court's decision, warning that the decision "could immunize from FTC oversight a vast swath of companies that engage in some degree in common carrier activity." EPIC previously filed an amicus brief in FTC v. Wyndham to defend the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." (May. 15, 2017)

  • EPIC has filed an emergency motion today in EPIC v. FBI, a Freedom of Information Act case for records concerning the Russian Interference with the 2016 Presidential Election. In papers filed with a federal district court in Washington, DC, EPIC cited Donald Trump's abrupt firing of the FBI Director, and concerns expressed by Members of the House and Senate regarding the possible destruction of FBI records related to the investigation. EPIC asked the Court to issue a preservation order and to impose sanctions if the order is violated. Today, the FBI also released records to EPIC, including the agency's procedures for notifying the victims of cyberattacks. The case is EPIC v. FBI, No. 17-121, before Judge Royce C. Lamberth. [Press Release] (May. 12, 2017)

  • A long delayed Executive Order on cybersecurity was released this week. The Order continues many of the cybersecurity policies of the Obama and Bush administrations. The Executive Order requires agency heads to use the NIST Framework to manage cybersecurity risk, and to provide a risk management report. The Order also requires Cabinet officials to devise a strategy for international cooperation in cybersecurity. However, the Order does not address Russia's cyber interference with the 2016 Presidential Election. EPIC, and a group of forty leading experts in law and technology, had urged the White House to strengthen privacy and data protection, and support strong encryption. The EPIC Cybersecurity and Democracy Project focuses on US cyber policies, threats to election systems and foreign attempts to influence American policymaking. (May. 12, 2017)

  • EPIC has filed a reply brief in EPIC v. FAA, a lawsuit concerning the FAA's failure to establish privacy rules for small commercial drones. EPIC sued the FAA after the agency refused to issue drone privacy rules. Congress had required a "comprehensive plan" for drone deployment in the United States, and more than 100 experts and organizations petitioned the agency for privacy safeguards. In a brief filed last month, the FAA acknowledged "that cameras and other sensors attached to [drones] may pose a risk to privacy interests" but continued to deny the agency's responsibility to set privacy rules. EPIC wrote in reply, "It is not possible to address the hazards associated with drone operations without addressing privacy in the final rule for small commercial drone." EPIC also explained that the FAA "profoundly mischaracterizes the aviation technology at issue" by suggesting that cameras are simply add-ons. "Drone cameras are an integral component of drone operations," EPIC explained. "Without a camera, it would be almost impossible to operate a commercial drone." (May. 12, 2017)

  • The D.C. Circuit Court of Appeals has ruled that information about a government project to manage water in California is exempt from disclosure under the Freedom of Information Act. The Court found that Exemption 9, which covers "geological and geophysical information…concerning wells," permitted the Bureau of Reclamation to withhold information about well location and depth. "Congress enacted FOIA to 'permit access to official information long shielded unnecessarily from public view,'" the Court said. However, the D.C. Circuit rejected the arguments of environmental group AquAlliance that the legislative history indicated the exemption only applied to oil and gas wells; the Court said it should "assume that Congress meant what it said, and said what it meant." EPIC frequently fights overbroad agency withholding of public records. In EPIC v. FBI, a FOIA lawsuit seeking release of FBI privacy assessments, a court sided with EPIC and agreed that the agency did not justify withholding records under a FOIA exemption for law enforcement procedures and techniques. (May. 11, 2017)

  • EPIC has sent a statement to the Senate Judiciary Committee ahead of a hearing on the new Antitrust Chief. EPIC urged the Committee to consider the role of consumer privacy and data protection in merger reviews. EPIC warned that "monopoly platforms" are reducing competition, stifling innovation, and undermining privacy. EPIC pointed to the FTC's failure to block the Google/DoubleClick merger which accelerated Google's dominance of Internet advertising and the WhatsApp/Facebook merger which paved the way for Facebook to access confidential WhatsApp user data. EPIC also suggested that "algorithmic transparency" would become increasingly important for merger analysis. EPIC is a leading consumer privacy advocate and regularly submits complaints urging investigations and changes to unfair business practices. (May. 9, 2017)

  • EPIC joined a coalition of civil society organizations to urge the House Committee on Financial Services to rescind guidance declaring that communications between the Department of Treasury and the Committee are exempt from public access. In the letter to Chairman Jeb Hensarling (R-TX), the coalition stated the move represented "a troubling precedent" that "improperly restrict[s] the ability of the public to use FOIA." Records in the possession of federal agencies are presumptively available to the public under the Freedom of Information Act. EPIC and a coalition also recently urged Immigration and Customs Enforcement to comply with the FOIA and "fully disclose information on immigration enforcement cooperation between federal and non-federal law enforcement agencies." For more information about EPIC's latest open government work, visit: https://epic.org/open_gov/. (May. 9, 2017)

  • EPIC has sent a statement to the Senate Judiciary Committee for a hearing on "Law Enforcement Access to Data Stored Across Borders." According to news reports, the United States and the United Kingdom are seeking to establish an agreement for direct access to personal data outside their legal jurisdictions. A secret agreement is under negotiation. In November 2016, EPIC filed a FOIA Request related to the US-UK agreement. Last week, the Justice Department alerted EPIC that responsive documents had been located and would be referred to the State Department for additional processing. EPIC has long advocated for transparency concerning international agreements. In 2016, EPIC obtained the "Umbrella Agreement" after a successful Freedom of Information Act lawsuit. (May. 9, 2017)

  • In a hearing before a Senate Judiciary Subcommittee, former Acting Attorney General Sally Yates said she warned the White House that General Michael Flynn "could be blackmailed by the Russians" who knew he had lied about his Russian contacts. Yates also said the DOJ came forward out of concern that both administration officials and the American people "had been misled." As a part of the Democracy and Cybersecurity Project, EPIC is pursuing a Freedom of Information Act request for records of DOJ's investigation of Russian interference. EPIC explained to the Senate committee that "the public has 'the right to know' the extent of Russian interference with democratic elections and the steps that are being taken to prevent future attacks." (May. 9, 2017)

  • In advance of a hearing on "Cyber Threats Facing America: An Overview of the Cybersecurity Threat Landscape," EPIC has sent a statement to a Senate Committee urging Congress to protect democratic institutions, following the Russian interference with the 2016 presidential election. EPIC explained that "data protection and privacy should remain a central focus" of cyber security policy. EPIC also recommended that Congress strengthen the federal Privacy Act and establish a U.S. data protection agency. EPIC recently launched the EPIC Cybersecurity and Democracy Project that will focus on US cyber policies, threats to election systems and foreign attempts to influence American policymaking. (May. 8, 2017)

  • EPIC has announced the recipients of the 2017 Champions of Freedom Awards. They are privacy attorney Carrie Goldberg, human rights advocate Garry Kasparov, and Judge Patricia Wald. Computer scientist Ron Rivest will receive the 2017 EPIC Lifetime Achievement Award. Event hosts include Danielle Citron, John Podesta, Marc Rotenberg, Bruce Schneier, and Manoush Zomorodi. The 2017 EPIC Awards dinner will be held at the National Press Club in Washington, DC on Monday, June 5, 2017. Tickets are available. (May. 7, 2017)

  • EPIC has sent a statement to the Senate Judiciary Committee for a hearing on "Russian Interference in the 2016 United States Election." EPIC described its Freedom of Information Act cases against the FBI and the ODNI to obtain records about activities aimed at undermining democratic institutions. EPIC is also pursuing the release of any FISA orders for Trump Tower, as well as Donald Trump's tax returns. EPIC wrote that the "need to understand Russian efforts to influence democratic elections cannot be overstated." (May. 5, 2017)

  • The spending measure recently approved by Congress allocates $313 million to the FTC for fiscal 2017. According to the Senate summary, the allocation is for the FTC "to detect and eliminate illegal collusion, prevent anticompetitive mergers, combat consumer fraud, fight identity theft and promote consumer privacy." The amount is an increase of $6 million, or about 2 percent, over 2016 levels. EPIC has consistently urged the FTC to exercise its full authority in protecting consumers and has filed numerous consumer privacy complaints with the FTC, including a recent complaint about "toys that spy." Earlier this year, an EPIC-led coalition detailed 10 steps for the FTC to protect consumers in 2017. (May. 4, 2017)

  • Senators Steve Daines (R-MT) and Gary Peters (D-MI) have introduced a bill that would remove personally identifiable information from shipping manifest sheets that are released to the public. According to the bill's sponsors, the Moving Americans Privacy Protection Act seeks to protect people who make international moves from "identity theft, credit card fraud and unwanted solicitations." EPIC maintains a page on identity theft and launched "Data Protection 2016," a non-partisan campaign to make data protection an issue in the 2016 election. (May. 4, 2017)

  • The Director of National Intelligence has failed to provide a sufficient response in EPIC v. ODNI, concerning release of the report on the Russian interference in the 2016 Presidential election. The intelligence agency was required to release all “non-exempt portions” of the report to EPIC on May 3, 2017. However, the agency withheld the entire document, refusing to provide even partial information that should have been released to EPIC under the Freedom of Information Act. As EPIC made clear in the complaint, “There is an urgent need to make available to the public the Complete ODNI Assessment to fully assess the Russian interference with the 2016 Presidential election and to prevent future attacks on democratic institutions.” EPIC will challenge the agency’s response as the litigation continues in federal district court in Washington, DC. EPIC v. ODNI is a part of the EPIC Cybersecurity and Democracy Project, which focuses on US cyber policies, threats to election systems and foreign attempts to influence American policymaking. (May. 3, 2017)

  • EPIC has sent a statement to the House Committee on Oversight for the upcoming hearing on the FAFSA ("Free Application for Federal Student Aid") data breach, which compromised more than 100,000 taxpayer records. EPIC urged the Committee to protect student privacy. EPIC's testimony: (1) explained how the U.S. Education Department weakened key safeguards for student records, (2) described the privacy risks that students today face, (3) underscored the need for data security safeguards for student information, and (4) recommended that Congress adopt EPIC's Student Privacy Bill of Rights. EPIC has previously urged Congress, the Education Department, and the Federal Trade Commission to strengthen student privacy. (May. 2, 2017)

  • In a Freedom of Information Act lawsuit, EPIC v. ODNI, EPIC anticipates the May 3 release of the Complete Assessment of the Russian interference in the 2016 presidential election. In January 2017, the Director of National Intelligence released a limited, declassified version of the report about the "multi-pronged attack" on democratic institutions. EPIC filed a FOIA suit for public release of the Complete Assessment of Russian interference. As EPIC explained in an op-ed in The Hill and statements to Congress, the "public has a right to know the details when a foreign government attempts to influence the outcome of a U.S. presidential election." In accordance with the briefing schedule in the case, the ODNI must release all non-exempt portions of the Complete Assessment on May 3, 2017 to EPIC. EPIC is also pursuing two related FOIA cases as part of the Democracy and Cybersecurity Project. In EPIC v. FBI, EPIC is seeking records concerning the FBI's investigation of Russian interference. In EPIC v. IRS, EPIC is seeking release of President Trump’s tax records. (May. 2, 2017)

  • In comments to the FTC and NHTSA ahead of a June workshop, EPIC underscored the need to safeguard consumers and improve vehicle security. EPIC also defended the role of states that are developing new safeguards for connected vehicles. For more than a decade, EPIC has been a leading advocate for privacy and security measures for connected vehicles. EPIC routinely submits comments to federal agencies regarding the unique challenges that these vehicles present. EPIC has also testified before Congress, filed amicus briefs, and submitted statements on the risks of autonomous vehicles. (May. 2, 2017)

  • The ODNI 2016 Transparency Report provides new details about government surveillance activities. According to the ODNI, there was a 10% increase in the use of “backdoor searches” under Section 702. These searches occur when a government search targets a U.S. person under a law intended to permit only surveillance of non-US persons. This controversial practice is one of the reasons lawmakers oppose renewal of Section 702. (May. 2, 2017)

  • EPIC has sent a statement to the Senate Judiciary Committee for an upcoming FBI oversight hearing. EPIC urged the Committee to investigate the FBI's Next Generation Identification system, a massive biometric database. EPIC has sought to ensure that the FBI database complies fully with the federal Privacy Act which the Bureau has opposed. EPIC explained to the Senate Committee that an individual's ability to control disclosure of identity "is an essential aspect of personal security and privacy." In a leading FOIA lawsuit, EPIC v. FBI, EPIC also uncovered documents which revealed high error rates in the biometric system. EPIC has filed a FOIA lawsuit against the FBI for information about the agency's plans to transfer biometric data to the Department of Defense. (May. 1, 2017)

  • European Data Protection Supervisor Giovanni Buttarelli, one of Europe's top privacy officials, published an opinion backing a key update to EU privacy law. The updated e-Privacy Regulation would extend consumer safeguards to users of all online communications services, cover content and metadata, and limit tracking of internet users. The EDPS welcomed the "ambitious attempt to provide for the comprehensive protection of electronic communications." However, the EDPS opinion also emphasized the need to strengthen privacy protections, raising concern about the proposal's complexity and failure to cover data processing beyond communications services providers. The EDPS's statement follows a supportive opinion from the Article 29 Working Party, an expert group of European privacy officials. EPIC recently hosted Mr. Buttarelli in Washington, DC to speak before the Privacy Coalition, a nonpartisan association established in 1995 to promote dialogue on emerging privacy issues between civil society organizations and policy leaders. (May. 1, 2017)

  • Following EPIC’s appeal of a decision to “neither confirm nor deny” the existence of a FISA application to monitor Trump Tower, the Justice Department took the unusual step of submitting the matter for declassification review. After the President tweeted allegations that President Obama “had [his] wires tapped in Trump Tower,” EPIC filed an urgent FOIA request for any FISA applications concerning Trump Tower. The Justice Department denied the request, but on appeal stated it was referring this matter “so that it may determine if the existence or nonexistence of any responsive records should remain classified.” The Justice Department issued a similar response to EPIC’s related request concerning alleged surveillance of the Trump team. EPIC had explained in the appeal that “the agency may not hide behind the ‘neither confirm nor deny’ response” after FBI Director James Comey stated before Congress that the FBI and the Justice Department had “no information” to support the President’s tweets. (Apr. 28, 2017)

  • The Federal Aviation Administration has filed a brief in response to EPIC's lawsuit, EPIC v. FAA, concerning the FAA's failure to establish privacy rules for commercial drones. EPIC sued the FAA after Congress required a "comprehensive plan" for drone deployment in the United States and the FAA denied EPIC's petition calling for privacy safeguards. In the opposition brief, the FAA acknowledged "that cameras and other sensors attached to [drones] may pose a risk to privacy interests." The FAA claims that the agency is not ignoring drone privacy risks, but documents from a previous Freedom of Information Act request by EPIC showed the agency also failed to complete a drone privacy report required by Congress. (Apr. 28, 2017)

  • The National Security Agency announced that it will no longer acquire upstream “about” communications under Section 702 surveillance authority. The Foreign Intelligence Surveillance Court previously questioned these searches, but permitted them to continue after the NSA claimed that ending the program would be technologically infeasible. According to PCLOB, the NSA collects more than 25 million Internet communications every year. EPIC recently challenged the “about” searches in an amicus brief for the Irish DPC v. Facebook case. The broader Section 702 authority is set to expire in December. (Apr. 28, 2017)

  • Senators Richard Blumenthal (D-CT) and Tom Udall (D-NM) have introduced the Managing Your Data Against Telecom Abuses (MY DATA) Act. The MY DATA Act would grant the FTC jurisdiction over broadband providers, as well as the authority to establish rules for privacy and data security online. "In the 21st century, internet access is a basic necessity. And signing up for a basic necessity should never mean you have to sign away your rights to privacy," said Senator Blumenthal. EPIC has previously told Congress that the FTC has not done enough to safeguard consumer privacy, citing the Commission's failure to enforce settlement agreements or to modify proposed settlements based on public comments. EPIC has also proposed comprehensive consumer privacy laws to combat the growing threats of data breaches, identity theft, and financial fraud. (Apr. 27, 2017)

  • A Federal Court of Appeals has ruled in Perry v. CNN, a case concerning the disclosure of video viewing records. EPIC filed an amicus brief and explained that the Video Privacy Protection Act applies to all companies that collect video records, including app companies. The Appeals Court held that the plaintiff, a mobile app user, wasn't a "subscriber" under the video privacy law, following an earlier similar decision by the same court. However, the appeals court made clear that federal privacy laws, such as the Video Privacy Protection Act, provide a sufficient basis for a lawsuit without the need to show additional harm. (Apr. 27, 2017)

  • A German court has upheld an order requiring Facebook to suspend the import of users' personal data from WhatsApp. Following Facebook's acquisition of WhatsApp, WhatsApp announced that it would transfer users' personal data to Facebook, violating the company's privacy promises. A Data Protection Commissioner in Germany ordered Facebook to halt the data transfer. This week a German court refused Facebook's attempt to block the order, ruling that Facebook had no legal basis for the transfer and no effective consent from WhatsApp users. The transfer is also under investigation by the Article 29 Working Party, a group of European privacy officials. EPIC filed a complaint with the FTC in 2014, backed by over a dozen US consumer groups, urging the US agency to block the acquisition of WhatsApp if privacy safeguards were not established. As EPIC explained, "WhatsApp built a user base based on its commitment not to collect user data for advertising revenue. Acting in reliance on WhatsApp representations, Internet users provided detailed personal information to the company including private text to close friends." (Apr. 27, 2017)

  • EPIC has sent a statement to the House Committee on Homeland Security for an oversight hearing on the Transportation Security Administration. EPIC has objected to the TSA's refusal to release information the agency designated as "sensitive security information" that is pertinent to EPIC's ongoing case against TSA regarding airport body scanners. EPIC said that the TSA is "seeking to hide its decision making behind this cloak of secrecy." Congress also criticized the TSA's use of the SSI designation in an extensive report on "Pseudo Classification." In the statement for the Committee, EPIC also objected to the eye scanning of US travelers at US airports. (Apr. 26, 2017)

  • A statement from EPIC to the House Oversight Committee for a hearing on border security warns that enhanced surveillance will impact citizens' rights. "The use of drones in border security will place U.S. citizens living on the border under ceaseless surveillance by the government," said EPIC. EPIC noted that Customs and Border Protection is already deploying drones with facial recognition technology on U.S. communities. In 2013, EPIC obtained records under the Freedom of Information Act which revealed that CBP drones could also intercept electronic communications in the United States. State laws in some border states prohibit warrantless aerial surveillance, but the United States has failed to enact laws to limit drone surveillance. EPIC has sued the FAA for the agency's failure to create drone privacy safeguards as required by Congress. (Apr. 26, 2017)

  • This week EPIC hosted the 61st meeting of the International Working Group on Data Protection in Telecommunications in Washington, D.C. Twice a year, the Berlin-based Working Group convenes data protection authorities and privacy experts from around the world to develop recommendations on emerging privacy challenges. The IWG recently issued recommendations on topics including Biometrics in Online Authentication, Location Tracking, and Intelligent Video Analytics. The IWG meeting was held at the Goethe-Institut, Germany's cultural institute. Through June 2016 the Institut is presenting the "Plurality of Privacy Project," a transatlantic theater project focused on the value of privacy. EPIC previously hosted a meeting of the IWG in Washington, DC in the spring of 2004. (Apr. 25, 2017)

  • EPIC joined a coalition of civil society organizations to urge Immigration and Customs Enforcement to comply with the Freedom of Information Act. The letter to DHS Secretary Kelly calls upon the federal agency to "fully disclose information on immigration enforcement cooperation between federal and non-federal law enforcement agencies." EPIC previously received documents through a Freedom of Information Act Request about DHS's immigration enforcement practices. The documents obtained by EPIC detail the "Priorities Enforcement Program," a controversial program that relied on biometric data collection for immigration enforcement. (Apr. 25, 2017)

  • EPIC and a coalition of leading civil society organizations have sent a letter to the Federal Communications Commission urging the Commission to act immediately upon a petition submitted by an EPIC-led coalition almost two years ago. The petition called for an end to the FCC rule requiring the mass retention of phone records. The privacy organizations said that the FCC regulation was "unduly burdensome and ineffectual and posed an ongoing threat to the privacy and security of American consumers." The FCC requires phone companies to retain sensitive information on all telephone customer calling activity for 18 months, including telephone numbers dialed, date, time, and length. The coalition letter states that "the time has come to give the public the opportunity to comment on whether the data retention mandate should continue." (Apr. 23, 2017)

  • European Data Protection Supervisor Giovanni Buttarelli spoke today to the Privacy Coalition, a nonpartisan association established in 1995 to promote dialogue on emerging privacy issues between civil society organizations and policy leaders. Mr. Buttarelli addressed relations between the European Union and the United States, and discussed encryption policy, the E-Privacy Regulation, the Privacy Shield, and the U.S. Privacy Act as it applies to foreigners, among many other topics. Recent speakers at the Privacy Coalition have included FTC Chair Maureen Ohlhausen and FCC Senior Counsel Nick Degani. (Apr. 21, 2017)

  • The Administrative Office of the U.S. Courts has issued the 2016 report on activities of the Foreign Intelligence Surveillance Court. The 2016 FISA report reveals that there were 1,752 FISA applications in 2016, of which 1,378 were granted, 339 were modified, 26 were denied in part, and 9 were denied in full. Scrutiny of FISA applications increased substantially in 2016. The FISA court denied more applications in 2016 than it had during the previous 36 years. In testimony before Congress in 2012, EPIC urged increased public reporting of the use of FISA authority to prevent abuse. Several of EPIC’s recommendations are reflected in the revised reporting requirements, following passage of the USA FREEDOM Act in June 2015. (Apr. 21, 2017)

  • The Office of the Director of National Intelligence has released a report on the controversial Section 702 "PRISM" program, which is set to expire on December 31, 2017. The report argues for renewal, but significant questions remain about the PRISM program. Despite repeated requests from Congress, the ODNI has refused to reveal the number of U.S. persons who are swept up in PRISM surveillance every year. EPIC sent a letter to the House Judiciary Committee urging public reporting of the Government's surveillance activities. EPIC also warned that the Section 702 legal controversy could block international data transfers. (Apr. 20, 2017)

  • The Department of Homeland Security has released the 2016 Annual Data Mining Report. The report describes several of the agency's profiling systems that assign secret "risk assessments" to U.S. citizens. According to the DHS report, the Analytical Framework for Intelligence is accessible to several agency components, including the Citizenship and Immigration Services, the Coast Guard, and the Transportation Security Administration. Through a Freedom of Information Act lawsuit, EPIC previously obtained important documents about the secretive scoring program. EPIC is now appealing EPIC v. CBP to the D.C. Circuit Court of Appeals to compel the release of additional documents. (Apr. 20, 2017)

  • EPIC has joined the Fly Don't Spy! campaign to urge DHS Secretary Kelly to reject plans to require travelers to hand over passwords to the federal government. Such a requirement would undermine privacy and human rights, chill freedom of speech and association, and create greater security risks for travelers. Earlier this year, Secretary Kelly testified before Congress about collecting social media passwords. In response, EPIC immediately filed a Freedom of Information Act request regarding all DHS plans to use individuals' internet and social media information to vet potential entrants to the U.S. (Apr. 18, 2017)

  • Today EPIC filed a FOIA lawsuit against the IRS after the agency failed to release Donald J. Trump’s tax records. According to EPIC, "There has never been a more compelling FOIA request presented to the IRS." In the request to the IRS, EPIC explained that the IRS Commissioner may release tax returns to "correct misstatements of fact" and to ensure the "integrity and fairness" of the tax system. EPIC cited an earlier statement of Senator Charles Grassley (R-IA), a member of the Joint Committee on Taxation, in support of the release. The case is captioned EPIC v. IRS, 17-670 (D.D.C. filed Apr. 15, 2017). For more information, see the Press Release about EPIC v. IRS. EPIC is currently pursuing several high-level FOIA cases, including EPIC v. FBI and EPIC v. ODNI, to determine the scope of Russian interference with the 2016 Presidential election. (Apr. 15, 2017)

  • In comments to the National Highway Traffic Safety Administration, EPIC recommended stronger privacy protections for vehicle-to-vehicle communications. EPIC urged the agency to allow consumers to turn off pre-installed V2V communications and to require automobile manufacturers to be transparent about the collection of personal data. EPIC also urged the agency to establish basic cybersecurity safeguards, require encryption for all vehicle networks, and ensure data minimization techniques. EPIC has previously submitted comments to NHTSA on connected cars and has submitted several statements to Congress. (Apr. 14, 2017)

  • The Article 29 Working Party, an expert group of European privacy officials, has issued an opinion supporting a key proposal to modernize EU privacy law for electronic communications. The updated e-Privacy Regulation would extend consumer safeguards to users of all online communications services, cover content and metadata, and limit tracking of internet users. The Working Party welcomed the harmonization of privacy standards across the European Union, but cautioned that the Privacy Directive must offer protections at least as strong as the recently adopted General Data Protection Regulation. EPIC had urged the US Federal Communication Commission to adopt a similar, comprehensive approach to communications privacy. A narrow FCC rule covering only ISPs was recently rescinded by Congress, folding under attacks that it unreasonably singled out a sector of the communications industry. (Apr. 12, 2017)

  • A federal district court has ruled that a Texas voter ID law violates the Voting Rights Act because the state legislature intended the law to be discriminatory. The ruling effectively halts enforcement of the law, which poses a significant threat to voter privacy and could discourage legal voters. Last summer, the Fifth Circuit Court of Appeals held that the Texas law had a "discriminatory effect" on minorities' voting rights and sent the case back to the district court to reexamine whether the law was passed with "discriminatory purpose." EPIC filed an amicus brief with the appeals court arguing that the Texas law places an unconstitutional burden on voters' rights to informational privacy because of the excessive collection of personal data. Such bills "disenfranchise individuals who seek to protect their personal information from data breach, cybercrime, and commercial exploitation," EPIC wrote. The Supreme Court recently declined to review the Fifth Circuit’s ruling. (Apr. 12, 2017)

  • A judge ruled this week that New York City may destroy the application materials of those who applied for an NYC identification card. The IDNYC program allows any New York City resident, regardless of immigration status, to obtain an identity document to access city services and to open a bank account. The IDNYC program was intended to assist vulnerable populations, including the homeless, victims of domestic violence, and undocumented immigrants. More than one million cards were issued and fewer than 2% of applications were denied. Under initial implementation, the application documentation was to be retained for two years, but critics of the program sought to obtain the personal information of applicants with the state FOI law. The judge rejected the claim. EPIC has long warned that the retention of identity document enrollment materials poses a significant privacy risk. (Apr. 11, 2017)

  • According to a POLITICO / Morning Consult poll, Americans trust Google and Facebook less than ISPs to protect personal data. Only 43% of respondents trusted broadband companies with personal information "a great deal" or "a fair amount." But trust in internet companies was much lower: 31% said they trust Facebook, 21% trust Twitter, 39% trust Google, and 35% trust other websites they visit regularly. The poll also shows public opposition to web tracking, with 70% of respondents saying they were "somewhat uncomfortable" or "very uncomfortable" with companies tracking the web sites people visit and 77% being uncomfortable with companies selling people's data for advertising purposes. EPIC had urged the FCC to adopt a comprehensive approach to privacy protection and maintains an extensive page on Privacy and Public Opinion. (Apr. 11, 2017)

  • Senator Edward Markey (D-Mass) and Senator Orrin Hatch (R-Utah) have reintroduced the "Protecting Student Privacy Act." The Act would strengthen the Family Educational Rights and Privacy Act, a federal student privacy law. The Student Privacy Act would also implement several of the recommendations EPIC set out in the Student Privacy Bill of Rights, including data security safeguards, student access to personal information held by companies, prohibiting the use of personal data for marketing purposes, and minimizing the personal information schools transfer to third parties. (Apr. 7, 2017)

  • The Senate has confirmed Neil Gorsuch as the next Associate Justice of the U.S. Supreme Court. The final vote was 54 yeas to 45 nays. During Justice Gorsuch’s confirmation hearing, EPIC urged the Senate Judiciary Committee to scrutinize Gorsuch’s positions on a wide range of privacy, First Amendment, open government, and consumer protection issues. Gorsuch’s views on these subjects could have "far-reaching implications" for "the future of privacy in the digital era," EPIC wrote. Committee members ultimately questioned Gorsuch extensively on the constitutional right to privacy, the application of the Fourth Amendment to new technologies, and the right to anonymous speech. EPIC regularly shares its views with the Senate concerning nominees to the Supreme Court, including Justice Kagan, Justice Sotomayor, Justice Alito, and Chief Justice Roberts. (Apr. 7, 2017)

  • EPIC has appealed the ruling in EPIC v. CBP, a case involving a controversial passenger screening program that combines detailed personal information with secret algorithms to assign "risk assessments" to travelers, including US citizens. EPIC sued the agency for information about the "Analytic Framework for Intelligence" under the Freedom of Information Act. As a consequence of the EPIC FOIA lawsuit, EPIC obtained important documents and prevailed in an earlier phase of the case. However, the federal court in Washington, DC declined last month to order the release of certain additional materials. EPIC is now asking the DC Circuit Court of Appeals to overrule the lower court's decision and compel the release of documents sought by EPIC. (Apr. 7, 2017)

  • As a result of a Freedom of Information Act request, EPIC has obtained the FBI's first annual summary report on drone operations. The annual reports are required by an Obama Presidential Memorandum regarding the domestic use of drones by federal agencies. EPIC also obtained related documents about FBI drone operations that were heavily redacted. Additionally, EPIC requested the FBI's drone policies and procedures related to privacy, civil liberties, and civil rights. The FBI has not yet released these documents to EPIC. EPIC will appeal the FBI's failure to release these documents and will also challenge the redactions in the documents that were released. (Apr. 6, 2017)

  • In a resolution passed today, the European Parliament expressed alarm over the rollback of U.S. privacy safeguards necessary for Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. The Parliament cited several recent developments including procedures that allow the NSA to disseminate raw data across the US government, vacancies at the Federal Trade Commission and the Privacy and Civil Liberties Oversight Board, the repeal of an FCC privacy rule, and the absence of effective redress for violations of Privacy Shield. The resolution of Parliament called on the European Commission to rigorously analyze these matters and to "take all necessary measures" to ensure the agreement respects EU privacy rights. In 2015, EPIC and a coalition of privacy organizations had urged the US and the EU to strengthen privacy protections, following a landmark decision that found insufficient legal protections for the transfer of consumer data to the US. (Apr. 6, 2017)

  • A recent Reuters survey found that a majority of Americans are not willing to give up their privacy even to help the government fight terrorism. About 3 in 4 participants in the online survey answered that they would not give up the privacy of their e-mail, text messages, or phone records to help the US fight foreign or domestic terrorism plots or counter hacking of US networks by foreign powers. The poll of 3,307 people showed strong support for privacy among both Democrats and Republicans. EPIC has advocated for strong encryption since its founding and published the first comprehensive survey of encryption use around the world. EPIC also maintains a page on Privacy and Public Opinion. (Apr. 6, 2017)

  • EPIC has sent a letter to the House Energy and Commerce Committee about cybersecurity in the health care sector. EPIC noted that in 2016, approximately 300 health care sector data breaches compromised the health data of over 4 million patients. EPIC recommended specific privacy-enhancing technologies that should be required in health care IT systems, including secure e-mail communications systems and the ability for patients to hold back sensitive information. (Apr. 5, 2017)

  • In a letter to the House Financial Services committee about the Consumer Financial Protection Bureau, EPIC highlighted its complaint about automobile "starter interrupt devices." EPIC alleges that companies use these devices to monitor borrowers' location and disable vehicles in violation of the Consumer Financial Protection Act. EPIC has asked the Bureau "to enjoin their unfair and abusive practices." In testimony, detailed comments, and letters, EPIC has urged Congress to establish safety standards for connected vehicles. EPIC has also submitted comments to the CFPB on debt collection practices and publication of consumer complaint narratives. (Apr. 5, 2017)

  • In a letter to the House Judiciary Committee for an oversight hearing, EPIC highlighted civil liberties problems with DEA programs. In 2014, EPIC sued the DEA for information about the agency's Hemisphere program, a massive telephone record database. More recently, EPIC prevailed in a FOIA lawsuit that revealed the DEA's failure to conduct privacy assessments required by law, for the agency's license plate scanning program. In the letter EPIC urged the Committee to investigate the Hemisphere program and determine whether the agency will complete privacy impact statements for agency programs as required by law. (Apr. 4, 2017)

  • Donald Trump signed a congressional resolution rescinding the FCC's broadband privacy rules. The rules required internet service providers to obtain consumers' consent before accessing sensitive information and to notify consumers of data breaches. The resolution nullifies the FCC's rules and blocks the FCC from enacting similar rules in the future. EPIC had urged the FCC to establish comprehensive safeguards for consumer privacy, and also explained to Congress that the FTC does not effectively safeguard consumer privacy. EPIC also has a petition pending before the FCC to end the mandatory retention of private customer telephone records. (Apr. 4, 2017)

  • EPIC has filed an urgent Freedom of Information Act request for documents concerning a recent meeting between Attorney General Jeff Sessions and EU Commissioner Věra Jourová. The two reportedly discussed "a proposal [on] how to 'solve this problem'" of encryption. EPIC said in the FOIA request that "strong encryption is the cornerstone of the modern internet economy" and that encryption "is critical to preserving human rights and information security around the world." A proposal on encryption policy may be taken up at a June 2017 meeting between the United States and the European Union. EPIC has advocated for strong encryption since its founding and published the first comprehensive survey of encryption use around the world. In the FOIA request, EPIC also noted the growing risk to users of Internet-connected devices. (Apr. 3, 2017)

  • EPIC has submitted an urgent Freedom of Information Act request for DHS's review of the Russian interference with the presidential election. The EPIC FOIA request follows House Resolution 235, sponsored by Rep. Bennie Thompson (D-MS), which would direct the Secretary of Homeland Security to transmit DHS's documents related to Russian interference to the House of Representatives. EPIC is now pursuing public release of the same records, and has notified Chairman Jason Chaffetz (R-UT) and Ranking Member Cummings (D-MD) of the House Oversight Committee of the pending FOIA request. Earlier this week, EPIC argued "the public has the right to know" about the extent of Russian interference with the 2016 election. (Mar. 31, 2017)

  • A federal appeals court in Washington, D.C. heard arguments today in a major data breach suit. The faulty security practices of Carefirst, a health insurer, allowed hackers to obtain the personal information of more than 1,100,000 customers. But a lower court dismissed the case because the judge believed that consumers must suffer actual identity theft before filing a lawsuit. EPIC's amicus brief explained that the judge misunderstood the law and confused the harm consumers eventually suffer with the failure of companies to uphold obligations to safeguard the data they choose to collect. The appellate judges today voiced similar doubts about the lower court's decision, suggesting that consumers don't have to wait until their identity is stolen to bring a lawsuit. One judge compared the case to a person putting down her driver's license to rent a Segway, only to have it stolen from the rental company. EPIC regularly files briefs defending the privacy rights of consumers. (Mar. 31, 2017)

  • EPIC has sent a letter to the Senate Intelligence Committee for a hearing on "Disinformation: A Primer in Russian Active Measures and Influence Campaigns." EPIC described its Freedom of Information Act cases against the FBI and the ODNI to obtain records about activities aimed at undermining democratic institutions. EPIC is also pursuing the release of any FISA orders for Trump Tower, as well as Donald Trump's tax returns. EPIC wrote the "need to understand Russian efforts to influence democratic elections cannot be overstated." EPIC President Marc Rotenberg summarized EPIC's FOIA efforts in an op-ed in The Hill earlier this week. (Mar. 29, 2017)

  • EPIC has renewed its Freedom of Information Act request for Donald Trump's tax returns after FBI Director Comey confirmed an FBI investigation into financial ties between the Trump campaign and the Russian government. The Senate Intelligence Committee is also investigating Russian interference in the 2016 presidential election and the role of Trump advisors. Former National Security Advisor Mike Flynn resigned after evidence emerged that he received more than $30,000 to celebrate the Russian propaganda outlet RT. As EPIC stated, "At no time in American history has a stronger claim been presented to the IRS for the public release of tax records." EPIC explained that the IRS has the authority to release tax records to correct "misstatements of fact." EPIC cited contradictory statements made by the President, advisers, and family members, including Jared Kushner, who stated "Russians make up a pretty disproportionate cross-section of a lot of our assets. We see a lot of money pouring in from Russia." The President later tweeted that he "has ZERO investments in Russia" and that he has "NOTHING TO DO WITH RUSSIA-NO DEALS, NO LOANS, NO NOTHING." (Mar. 29, 2017)

  • EPIC has sent a letter to a House Judiciary committee concerning "the state of forensic science in the United States." Citing the work of EPIC Advisory Board members Erin Murphy and Jennifer Mnookin, EPIC said that oversight of forensic techniques, such as DNA and algorithms, is needed to ensure confidence in the criminal justice system. Last year, EPIC filed public records requests with six states to obtain the source code of DNA forensic software. EPIC has previously warned the US Supreme Court to carefully assess the reliability of investigative techniques. EPIC also argued a federal appeals case against DNA dragnet surveillance. (Mar. 28, 2017)

  • EPIC has submitted a series of urgent Freedom of Information Act requests for records concerning three witnesses who were scheduled to testify at an oversight hearing next week: former Director of National Intelligence James Clapper, former Central Intelligence Agency Director John Brennan, and former Deputy Attorney General Sally Yates. Chairman Devin Nunes (R-CA) abruptly cancelled the hearing on the Russian interference in the 2016 Presidential Election, a move Ranking Member Adam Schiff (D-CA) called "an attempt to choke off public info." In today's FOIA requests, EPIC seeks to make public the information known to the witnesses about the Russian interference that would have been presented to Committee members. EPIC is also pursuing related FOIA lawsuits against the FBI and ODNI. For more information about EPIC's latest open government work, visit: https://epic.org/open_gov/. (Mar. 24, 2017)

  • A federal court in Washington, DC has issued a ruling in EPIC v. DHS, a case involving a controversial passenger screening program operated by Customs and Border Protection. Under the program, CBP combines detailed personal information with secret algorithms to assign "risk assessments" to travelers, including US citizens. EPIC sued the DHS for information about the "Analytic Framework for Intelligence" program, and argued that the agency unlawfully withheld records under the Freedom of Information Act. As a consequence of the EPIC FOIA lawsuit, EPIC obtained important documents and prevailed in an earlier phase of the case. However, the Court declined to order the further release of certain training materials for the profiling system EPIC sought. EPIC is currently deciding whether to pursue a further legal challenge to the agency's withholding. (Mar. 24, 2017)

  • The European Parliament has adopted a resolution on the fundamental rights implications of big data. The resolution stresses that "the prospects and opportunities of big data" can only be realized "when public trust in these technologies is ensured by a strong enforcement of fundamental rights and compliance with current EU data protection law." The resolution discusses the importance of data protection, accountability, transparency, data security, and privacy by design. EPIC has warned about the risks of big data and launched campaigns on "Algorithmic Transparency" and data protection. (Mar. 24, 2017)

  • Today the Senate voted to roll back the FCC's broadband privacy rules, which require internet service providers to obtain consumers' consent for accessing sensitive information and require that consumers be notified of any data breaches. Senator Edward Markey (D-MA) blasted the vote, stating that it is "Now easier for Americans' sensitive information about their health, finances and families to be used, shared, and sold to the highest bidder without their permission." EPIC had urged the FCC to establish comprehensive safeguards for consumer privacy. (Mar. 24, 2017)

  • A letter from EPIC to the House Oversight Committee for a hearing on "Legislative Proposals for Fostering Transparency" highlighted the Freedom of Information Act. EPIC routinely pursues FOIA cases on issues of public concern. Previously, EPIC uncovered evidence that airport body scanners are ineffective, that DHS monitors social media, and that the FBI's biometric database is filled with inaccuracies. EPIC is now seeking the Complete Assessment of Russian interference in the 2016 election as well as information on "risk assessment" tools in the criminal justice system. In celebration of Sunshine Week, EPIC recently published the 2017 FOIA Gallery, which showcases EPIC's work in 2016 to further government transparency. (Mar. 24, 2017)

  • The Pew Research Center has released a report on "What the Public Knows About Cybersecurity." According to the Pew survey, 75% of respondents could identify the strongest password out of four options. About half of the people who took the survey could identify a phishing attack; a similar number knew what ransomware is. Only 16% answered that "a group of computers that is networked together and used by hackers to steal information" is called a "botnet." EPIC maintains an Online Guide to Practical Privacy Tools and resources on Public Opinion and Privacy. (Mar. 22, 2017)

  • EPIC has sent a letter to the Senate Commerce Committee concerning "The Promises and Perils of Emerging Technologies for Cybersecurity." EPIC urged the Committee to support "Algorithmic Transparency," an essential strategy to make accountable automated decisions. EPIC also pointed out the "significant privacy and security risks" of the Internet of Things. EPIC has been at the forefront of policy work on the Internet of Things and Artificial Intelligence, opposing government use of "risk-based" profiling, and recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices. (Mar. 22, 2017)

  • Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) have introduced the "Security and Privacy in Your Car Act of 2017." The SPY Car Act would establish cybersecurity and privacy standards for new passenger vehicles, and establish a privacy rating system. A 2014 report from Senator Markey "detailed major gaps in how auto companies are securing connected features in cars against hackers." The bill would also prevent the use of driver data for marketing purposes without consent. In 2015 EPIC testified before Congress on the need for privacy and safety safeguards for connected vehicles. In 2016 EPIC filed an amicus brief in federal appeals court to protect consumers in cases involving connected vehicles. (Mar. 22, 2017)

  • EPIC has submitted a Freedom of Information Act request to the TSA seeking information on the recently announced ban on electronics on flights bound for the United States. The ban applies to ten airports in eight majority Muslim countries. EPIC is seeking documents related to the reasons for implementing the ban as well as documentation on TSA policies and procedures for searching electronics in checked luggage. EPIC regularly submits FOIA requests to government agencies and is also seeking information on eye scans conducted at US airports on US travelers. In EPIC v. DHS, EPIC is challenging the TSA's efforts to mandate airport body scanners. (Mar. 22, 2017)

  • In a letter to DHS Secretary Kelly and Attorney General Sessions, EPIC and a coalition of 25 open government organizations expressed concerns about the lawfulness and objectivity of data practices under several recent immigration Executive Orders. Official memos reveal the Orders are being implemented in a "manner that is unlawful and inconsistent with federal information quality guidelines, raising serious privacy, transparency, and accountability concerns." The coalition urged Secretary Kelly and the Attorney General to align data practices with privacy safeguards, open data, and data quality requirements. "Public data allows the public to hold its government accountable - but that is only possible if government information is released in a complete, consistent, unbiased, and open manner," the group stated. Earlier this year, EPIC also collaborated with other open government advocates to push for greater transparency in federal dispute resolution services and to preserve access to government information online. (Mar. 22, 2017)

  • EPIC has sent a letter to the House Committee on Oversight concerning "Law Enforcement's Use of Facial Recognition Technology." EPIC urged the Committee to investigate the FBI's Next Generation Identification program. EPIC explained that an individual's ability to control disclosure of identity "is an essential aspect of personal security and privacy." The FBI biometric database is one of the largest in the world, but the FBI has opposed privacy safeguards that EPIC supported. The Bureau proposed to exempt the database from Privacy Act protections. EPIC has filed a FOIA lawsuit against the FBI for information about the agency's plans to transfer biometric data to the Department of Defense. (Mar. 21, 2017)

  • Following Director James Comey's confirmation of the FBI investigation into ties between Russia and Trump's presidential campaign, the FBI asked to delay EPIC's FOIA lawsuit against the agency. In EPIC v. FBI, EPIC seeks public release of records pertaining to the Russian interference with the 2016 Presidential election. Yesterday, in an open hearing before the House Select Intelligence Committee, Comey acknowledged for the first time that the FBI is investigating possible coordination between the Trump campaign and Russia's interference in the election. Following the testimony, the FBI immediately asked the court for more time to file a schedule for processing the FOIA request in EPIC's case against the FBI. EPIC is simultaneously pursuing a FOIA appeal with the DOJ, pressing the agency to reveal the existence of any applications to wiretap Trump Tower. EPIC has also filed suit against the ODNI for public release of the Complete ODNI Assessment of the Russian interference in the 2016 election, and a new EPIC project, the EPIC Cybersecurity and Democracy Project, will focus on US cyber policies. (Mar. 21, 2017)

  • EPIC has filed a complaint with the Consumer Financial Protection Bureau over the use of automobile "starter interrupt devices." The EPIC complaint alleges that companies use these devices to "monitor borrowers' real-time location, limit borrowers' movements to prescribed boundaries via geo-fencing technology, and disable vehicles in remote or dangerous locations" in violation of the Consumer Financial Protection Act. EPIC has asked the Bureau "to enjoin their unfair and abusive practices." In testimony, detailed comments, and letters, EPIC has urged Congress to adopt privacy and safety standards for connected vehicles. EPIC has also submitted comments to the CFPB on debt collection practices and publication of consumer complaint narratives. (Mar. 21, 2017)

  • EPIC has appealed the DOJ's decision to "neither confirm nor deny" the existence of a FISA application to monitor Trump Tower. Following tweets by the President alleging that President Obama "had [his] wires tapped in Trump Tower," EPIC submitted an urgent FOIA request with the DOJ's National Security Division for public release of any FISA applications for wiretapping Trump Tower. In response, the DOJ stated on Friday that "we can neither confirm nor deny the existence of records in these files responsive to your request." Yet, in today's hearing before the House Select Committee on Intelligence, FBI Director James Comey stated that both the FBI and the DOJ had "no information to support those tweets." EPIC has appealed the agency's response to the FOIA request, stating "Based on the FBI Director's statement today... the agency may not hide behind the 'neither confirm nor deny' response," and the "agency should immediately process EPIC's FOIA Request." The heads of the Senate and House Intelligence committees have also publicly rejected the allegations, along with House Speaker Paul Ryan. EPIC will continue to press the DOJ for release of the information. (Mar. 20, 2017)

  • EPIC has sent a letter to the House Intelligence Committee for a hearing on "Russian Active Measures Investigation," during which FBI Director James Comey will testify. EPIC described a FOIA request with the Department of Justice for the public release of any applications filed under "FISA" for wiretapping Trump Tower. This past Friday, DOJ responded to EPIC stating it can neither "confirm nor deny" the existence of a FISA application to monitor Trump Tower. EPIC also described its Freedom of Information Act cases against the FBI and the ODNI to obtain records about activities aimed at undermining democratic institutions. EPIC explained that upcoming federal elections in Europe underscore the need to assess the threat to democratic elections. EPIC told the Committee the "need to understand Russian efforts to influence democratic elections cannot be overstated." (Mar. 20, 2017)

  • In a letter to the Senate Judiciary Committee, EPIC has urged Senators to question Supreme Court nominee Neil Gorsuch on a wide range of privacy, First Amendment, open government, and consumer protection issues. Judge Gorsuch's views on these subjects could have "far-reaching implications" for "the future of privacy in the digital era," EPIC wrote. The letter from EPIC emphasized that "[t]hese issues could not be more timely" given recent allegations by the President "that he was the target of government surveillance," a claim that is the target of an EPIC freedom of information request. EPIC regularly shares its views with the Senate concerning nominees to the Supreme Court, including Justice Kagan, Justice Sotomayor, Justice Alito, and Chief Justice Roberts. The Senate hearing will be webcast on C-SPAN Monday at 11:00 am EDT. (Mar. 20, 2017)

  • In a letter to EPIC, the Department of Justice's National Security Division stated it will neither "confirm nor deny" the existence of a FISA application to monitor Trump Tower. After the President charged that President Obama "had [his] wires tapped in Trump Tower," EPIC filed an urgent FOIA request with the DOJ for the public release of any applications filed under "FISA" for wiretapping Trump Tower. In response to EPIC's FOIA request, the DOJ has stated, "we can neither confirm nor deny the existence of records in these files responsive to your request." EPIC will challenge the agency's determination. The Senate Select Committee on Intelligence released a bipartisan statement rejecting the allegations, and House Speaker Paul Ryan stated on Thursday they have "seen no evidence" of wiretapping. EPIC also filed a related request for five categories of FISA applications related to the alleged surveillance of the Trump team. The DOJ gave EPIC the same response to that request. (Mar. 18, 2017)

  • President Trump's proposed budget reveals a $61 million increase in FBI funds dedicated to fighting encryption. The newly released budget for Fiscal Year 2018 directs the FBI to invest "$61 million more to fight terrorism and combat foreign intelligence and cyber threats and address public safety and national security risks that result from malicious actors' use of encrypted products and services." The FY2017 budget set aside $38 million for FBI anti-encryption technology and research. EPIC has advocated for strong encryption since its founding, and consistently pushed back against efforts to weaken the technology. EPIC also published the first comprehensive survey of encryption use around the world. (Mar. 17, 2017)

  • The International Working Group on Data Protection in Telecommunications adopted new recommendations to improve the privacy and security of biometric identification online. The Berlin-based Working Group includes Data Protection Authorities and experts who work together to address emerging privacy challenges. The "Working Paper on Biometrics in Online Authentication" explains that "biometrics in online authentication offers one possibility to address some of the shortcomings" of conventional online passwords, but the "data protection and privacy risks" must be considered. Among their recommendations, the experts urge policymakers to support "[p]roactive privacy tools," and contend biometric authentication should "remai[n] an active choice by the user and not a condition of use." EPIC will host the 61st meeting of the International Working Group in Washington DC in April 2017. (Mar. 17, 2017)

  • EPIC has filed a "friend-of-the-court" brief in an open government case with implications for informational privacy. A group of anonymous medical employees challenged the release of personal information sought under a state public records act. EPIC argued that withholding personal information is consistent with open government and constitutionally required. "Open government laws and privacy laws are complementary: the aim is to maximize both the public's access to information about the government and to safeguard personal privacy to the greatest extent feasible," EPIC wrote. EPIC has argued for similar privacy protections in ATF v. Chicago, Chicago Tribune v. University of Illinois, Ostergren v. Cuccinelli, NASA v. Nelson, and FCC v. AT&T. (Mar. 16, 2017)

  • The Colorado General Assembly recently passed a bill that allows "ballot selfies," threatening voter privacy. Ballot selfies allow campaigns, employers, unions, and others to verify how an individual voted. But EPIC explained in "The Secret Ballot At Risk: Recommendations for Protecting Democracy" that the secret ballot — the inability to link particular voters to particular votes — is a cornerstone of modern democracies. The secret ballot reduces the threat of coercion, vote buying and selling, and tampering. The secret ballot allows people to vote without fear of intimidation or retaliation. EPIC has a long history of working to protect voter privacy and election integrity. In a 2010 Supreme Court case, EPIC argued that disregard for voter privacy may unconstitutionally burden the right to vote. (Mar. 16, 2017)

  • Senator Markey and Representative Welch today introduced the Drone Aircraft Privacy and Transparency Act of 2017. The Act would establish privacy safeguards to protect individuals from drone surveillance. The Drone Privacy Act requires publicly available data collection statements from operators and warrants for drone surveillance by law enforcement. "Drones flying overhead could collect very sensitive and personally identifiable information about millions of Americans, but right now, we don't have sufficient safeguards in place to protect our privacy," said Senator Markey. The Act includes privacy protections EPIC has proposed in statements to Congress and comments to federal agencies. In EPIC v. FAA, EPIC is challenging the failure of the FAA to protect the public from aerial surveillance. (Mar. 15, 2017)

  • EPIC has sent a letter to the Senate Judiciary Committee for a hearing on "The Modus Operandi and Toolbox of Russia and Other Autocracies for Undermining Democracies Throughout the World." EPIC described two of its Freedom of Information Act cases against the FBI and the ODNI to obtain records about activities aimed at undermining democratic institutions, as well as a pending FOIA request regarding the "wiretapping of Trump Tower." EPIC explained that upcoming federal elections in Europe underscore the need to assess the threat to democratic elections. EPIC told the Committee the "need to understand Russian efforts to influence democratic elections cannot be overstated." (Mar. 15, 2017)

  • EPIC sent a detailed letter to the Senate Commerce Committee ahead of a hearing on drone deployment in the United States. Emphasizing the unique privacy risks of drones, EPIC explained that the FAA has failed to establish necessary safeguards. EPIC has sued the agency, arguing that it has failed to comply with Congressional directives, following a petition by EPIC and hundreds of comments the agency received in support of privacy rules. EPIC also pointed out that the FAA has excluded privacy experts from the agency task force on drone policy. (Mar. 14, 2017)

  • EPIC has announced the newest members of the EPIC Advisory Board. They are Jennifer Daskal, Robert Groves, Cathy O'Neil, Jennifer Mnookin, Erin Murphy, and James Waldo. The EPIC Advisory Board is a distinguished group of experts in law, technology, and public policy who contribute to EPIC's work on privacy and civil liberties issues. Professor Danielle Citron, author of "Hate Crimes in Cyberspace," was recently named Chair of the EPIC Board of Directors. Sherry Turkle and Shoshana Zuboff joined the Board of Directors. (Mar. 13, 2017)

  • The House Committee on Education and the Workforce gave approval last week to a bill that would undermine the privacy protections guaranteed by the Genetic Information Nondiscrimination Act (GINA). The bill would condition health insurance discounts for wellness programs on whether an employee agrees to participate in genetic testing. Under GINA, employers may not penalize employees for keeping their genetic data private. DNA profiles and other genetic records contain particularly sensitive personal information that can impact employment decisions, insurance availability, and even criminal justice outcomes. EPIC supported GINA and has backed the right of individuals to control the use of their genetic data in numerous comments and cases. (Mar. 13, 2017)

  • In celebration of Sunshine Week, a national recognition of public access to information, EPIC has unveiled the 2017 FOIA Gallery. Since 2001, EPIC has released annual highlights of EPIC's most significant open government cases. In 2016, EPIC obtained records detailing a Customs and Border Protection data mining program used to build "risk" profiles on travelers, unveiled two years' worth of statistical data showing the FBI's growing biometric identification program, and revealed the DEA's failure to conduct legally mandated privacy assessments in EPIC v. DEA. In the latest FOIA Gallery, EPIC also highlights two new FOIA lawsuits to uncover details of the Russian interference in the 2016 election case concerning electronic surveillance report, and the launch of EPIC's new course teaching the basics of the federal FOIA. (Mar. 10, 2017)

  • The Justice Department's Office of Information Policy has released the 2016 Freedom of Information Act Litigation and Compliance Report. The report describes the DOJ's efforts in 2016 to ensure compliance with the open government law across the federal government, from issuing policy guidance to holding FOIA trainings. The agency also issued a list of FOIA cases where a court decision was rendered in 2016 and the amount of fees awarded by the court. EPIC tied for second (with the ACLU), behind the Public Employees for Environmental Responsibility, as the most successful FOIA litigator in the country, receiving court-ordered fee awards in three cases in 2016. In 2017, EPIC has already prevailed in a FOIA case against the FBI for public release of the agency's privacy assessments. Fees are anticipated in that case. For more information about EPIC's open government work, visit: https://epic.org/open_gov/. (Mar. 9, 2017)

  • EPIC has asked the House Committee on Foreign Affairs to examine the risk to democratic institutions of cyber attack. EPIC described two recent Freedom of Information Act cases against the FBI and the ODNI to obtain records about the Russian interference with the 2016 US Presidential election. EPIC pointed to the upcoming federal elections in Europe and the need to safeguard democratic elections. EPIC recently launched the EPIC Cybersecurity and Democracy Project, which focuses on US cyber policies, threats to election systems, and foreign attempts to influence American policymaking. (Mar. 9, 2017)

  • EPIC has filed an urgent FOIA request with the FCC for information on the recent meeting between FCC Chairman Ajit Pai and President Donald Trump. EPIC is seeking memos, briefing papers, emails, and talking points relating to the White House meeting that took place on March 6, 2017. EPIC said in the FOIA request that public disclosure of this information is critical as President Trump has described the media, which is subject to FCC regulation, as the "enemy of the people." FCC Chair Pai also recently suspended parts of a broadband privacy order that protects Internet users from invasive tracking and profiling. EPIC has urged the FCC to establish comprehensive safeguards for consumer privacy. EPIC also has a long-standing petition before the FCC to end the mandatory retention of customer telephone records. (Mar. 9, 2017)

  • EPIC has filed a FOIA lawsuit against the Department of Justice for information about the use of "risk assessment" tools in the criminal justice system. These proprietary techniques are used to set bail, determine criminal sentences, and even contribute to determinations about guilt or innocence. Many criminal justice experts oppose their use. EPIC has pursued several FOIA cases to promote "algorithmic transparency." The EPIC cases include passenger risk assessment, "future crime" prediction, and proprietary forensic analysis. The Supreme Court is now considering whether to take a case on the use of a secretive technique to predict possible recidivism. (Mar. 7, 2017)

  • EPIC has sent a letter to the Senate Commerce Committee ahead of an FCC oversight hearing. EPIC urged the Committee to examine the FCC's role in online privacy. EPIC supports the FCC's broadband privacy rule. In fact, EPIC had urged the FCC to adopt a comprehensive privacy rule for all communications services, as suggested by FCC Chairman Pai. EPIC also brought to the Committee's attention an outdated FCC regulation that requires the bulk collection of telephone data of American consumers. In 2015, EPIC and many consumer privacy groups petitioned the FCC to repeal the regulation, but the Commission has yet to take any action. In the letter to the Senate, EPIC said the FCC should withdraw the anti-privacy, data retention regulation. (Mar. 7, 2017)

  • EPIC has filed an urgent FOIA request with the Department of Justice for the release of the warrant for wiretapping the Trump Tower in New York City. The President has charged that President Obama "had [his] wires tapped in Trump Tower." EPIC has filed a formal Freedom of Information request for the public release of any applications filed under "FISA" for wiretapping in Trump Tower. Such an order would have been filed by the National Security Division of the Justice Department and approved by the Foreign Intelligence Surveillance Court. The complete text of the Foreign Intelligence Surveillance Act is available in the Privacy Law Sourcebook (EPIC 2016) at the EPIC Bookstore. (Mar. 6, 2017)

  • EPIC and a coalition of children's advocates have filed a comment opposing petitions that ask the FCC to revoke its broadband privacy rules. The coalition urged the FCC to retain rules that treat children's data, web browsing histories, and app usage data as sensitive and to retain opt-in requirements for all categories of sensitive information. EPIC previously urged the FCC to establish comprehensive safeguards for consumer privacy, to ban pay-for-privacy schemes, and to prohibit mandatory arbitration. EPIC has frequently defended FCC privacy rules and currently has a petition pending before the FCC to end the mandatory retention of customer telephone records. (Mar. 6, 2017)

  • In comments to the National Science Foundation on "Smart Cities and Communities Federal Strategic Plan", EPIC warned that there were considerable risks to public safety and personal privacy. EPIC urged the NSF to prioritize cybersecurity, protect individual privacy, and minimize the collection of personally identifiable information. EPIC regularly submits comments to federal agencies on emerging civil liberties issues, including cybersecurity, consumer protection, and other privacy issues. (Mar. 3, 2017)

  • EPIC has sent a letter to the House Committee on Oversight for a hearing on the Transportation Security Administration. EPIC has objected to the TSA's refusal to release information designated as "sensitive security information" that is pertinent to EPIC's ongoing case against TSA regarding airport body scanners. EPIC said that the TSA is "seeking to hide its decision making behind this cloak of secrecy." The House Committee has also criticized the agency's use of the SSI designation. EPIC also raised concerns about the eye scanning of US travelers at US airports as well as the TSA's statement that they will no longer accept driver's licenses from states that oppose "REAL ID". (Mar. 2, 2017)

  • In advance of a hearing on "Cyber Strategy and Policy," EPIC has sent a letter to the Senate Armed Services Committee urging Congress to protect democratic institutions, following the Russian interference with the 2016 presidential election. EPIC explained that "data protection and privacy should remain a central focus" of cyber security policy. EPIC also recommended that Congress strengthen the federal Privacy Act and establish a U.S. data protection agency. EPIC recently launched the EPIC Cybersecurity and Democracy Project that will focus on US cyber policies, threats to election systems and foreign attempts to influence American policymaking. (Mar. 2, 2017)

  • In March 2016, EPIC and more than 20 civil society organizations urged European leaders to oppose adoption of the "Privacy Shield" for EU-US data flows. The NGOs wrote that the political agreement fails to provide sufficient data protection and does not respect the decision of the European Court of Justice in the Schrems case. The groups urged the US to make changes in domestic laws and international commitments to permit transfers of personal data to the US. The ACLU and Human Rights Watch have now also sent a letter asking Europe to reexamine Privacy Shield. At a hearing before the High Court of Ireland, EPIC Senior Counsel Alan Butler has made submissions in DPC v. Facebook highlighting weaknesses in US privacy law. (Mar. 2, 2017)

  • EPIC has filed an urgent FOIA request with U.S. Customs and Border Protection for details of eye scans conducted on U.S. citizens traveling internationally. The CBP has long been testing biometric identification of travelers, including U.S. citizens, and a recent report indicates U.S. citizens were subject to eye scans before traveling abroad. EPIC seeks public disclosure of the details of CBP policies for scanning U.S. citizen irises and retinas upon entry or exit to the U.S. EPIC makes frequent use of the Freedom of Information Act. As the result of a FOIA lawsuit, EPIC recently obtained several memoranda of understanding regarding the transfer of biometric identifiers between the FBI and DOD. Last month, EPIC also prevailed in EPIC v. FBI, a FOIA lawsuit for public release of the FBI's privacy assessments. (Mar. 2, 2017)

  • In advance of a hearing on Section 702 of the Foreign Intelligence Surveillance Act, EPIC has sent a letter to the House Judiciary Committee urging increased transparency and new public reporting of the Government's surveillance activities. EPIC also highlighted that Section 702 is the central focus of multiple current legal challenges to international data transfer agreements occurring abroad. Section 702, which authorizes the bulk surveillance of the communications of non-U.S. persons, sunsets on December 31, 2017. EPIC testified before the Committee during the 2012 FISA reauthorization hearings. (Mar. 1, 2017)

  • Today EPIC made submissions before the Irish High Court in Data Protection Commissioner v. Facebook, concerning privacy protections for transatlantic data transfers. EPIC explained that "U.S. privacy law is characterized by particularly narrow conceptions of privacy and personal data, which in turn limit the scope of relevant constitutional, statutory, and regulatory privacy protections." EPIC also stated, "many of the privacy safeguards under U.S. law in fact operate to the exclusion of E.U. citizens" and that the "standing" doctrine is an overarching barrier to legal redress. EPIC is represented by FLAC (Free Legal Advice Centres), an independent human rights organization, based in Dublin, dedicated to the realization of equal justice for all. [Press Release] (Mar. 1, 2017)

  • In advance of a hearing on "Cyber Warfare in the 21st Century: Threats, Challenges, and Opportunities," EPIC has sent a letter to the House Armed Services Committee urging Congress to protect democratic institutions, following the Russian interference with the 2016 presidential election. EPIC explained that "data protection and privacy should remain a central focus" of cyber security policy. EPIC also recommended that Congress strengthen the federal Privacy Act and establish a U.S. data protection agency. EPIC recently launched the EPIC Cybersecurity and Democracy Project, which will focus on US cyber policies, threats to election systems and foreign attempts to influence American policymaking. (Feb. 28, 2017)

  • EPIC has sent a statement to the Senate Select Committee on Intelligence outlining the key government transparency and cybersecurity challenges the next Director of National Intelligence will confront. The Committee meets today to consider the nomination of Sen. Dan Coats for the position. EPIC commended former Director Clapper's progress on oversight and transparency and urged the Committee to seek assurance from Sen. Coats that his office will continue that work. EPIC also warned that overclassification remains an issue that frustrates government accountability. EPIC informed the Committee that EPIC has filed suit against the ODNI for public release of the Complete Assessment of the Russian interference in the 2016 election. In the unclassified report, former Director Clapper said that the Russians conducted a "multi-faceted" attack on the 2016 election. (Feb. 28, 2017)

  • EPIC has filed the opening brief in a lawsuit against the Federal Aviation Administration concerning drone surveillance. EPIC charged that the FAA's failure to establish privacy rules for commercial drones is a violation of law. The EPIC lawsuit is based on an Act of Congress requiring a "comprehensive plan" for drone deployment in the United States and a petition, backed by more than one hundred organizations and privacy experts, calling for privacy safeguards. EPIC stated that “As the FAA has refused to issue any privacy-related rules and refused to conduct a comprehensive rulemaking, contrary to the FAA Modernization Act and to EPIC's Rulemaking Petition, the Court must now order the agency to do so.” The case is EPIC v. FAA, No. 16-1297. (Feb. 28, 2017)

  • Congressman Frank Pallone has asked the U.S. Government Accounting Office to study the harms of eliminating rules that protect consumer privacy. "With the near universal use of the internet, and the rapid expansion of connected devices, corporations now have more information about American consumers than ever before," Pallone wrote in his letter. "It is, therefore, more important than ever that Americans' privacy and security be protected online." Pallone asked the GAO to report on whether the "notice and choice" approach to privacy regulation works, what challenges consumers face in protecting their information, and how the FCC, FTC, and other agencies approach privacy regulation. EPIC has urged the FCC to establish comprehensive safeguards for consumer privacy. EPIC also explained in comments to the FTC and FCC and in testimony before Congress that "notice and choice" is insufficient to protect consumer privacy. (Feb. 27, 2017)

  • Yahoo has responded to a letter from Senators John Thune (R-SD) and Jerry Moran (R-KS) inquiring into data breaches that exposed over a billion user records in 2013 and 2014. Yahoo said in its response that it has notified users affected by the breaches, required users who had not changed their passwords since 2014 to do so, and encouraged all users to review their passwords and security questions. Yahoo's letter also discussed the steps the company has taken to improve its security program. EPIC testified in support of strong data breach notification laws in 2009 and 2011, launched "Data Protection 2016" to make privacy a campaign issue, and recently filed an amicus brief to protect the ability of consumers to sue companies that fail to protect their personal information. (Feb. 24, 2017)

  • In comments to the Office of Government Information Services, EPIC and a coalition of open government groups urged greater transparency for dispute resolutions. The coalition wrote that a proposed rule "would impose restrictive confidentiality requirements." The coalition proposed revisions that "do not place restrictive confidentiality requirements on requesters" who use dispute resolution services. EPIC routinely advocates on behalf of open government and transparency. Earlier this month, EPIC and a coalition called on the Office of Management and Budget to preserve public access to online government information. EPIC also recently prevailed in EPIC v. FBI, a Freedom of Information Act lawsuit for public release of the FBI's privacy assessments. (Feb. 24, 2017)

  • The International Conference of Data Protection & Privacy Commissioners is seeking submissions by April 21, 2017 for the inaugural Global Privacy and Data Protection Awards. Entries are invited for research, dispute resolution, education and advocacy, and use of online tools. Winning entries will be announced at the 39th annual Privacy Commissioners conference in Hong Kong in September 2017. EPIC has organized more than a dozen Public Voice events in conjunction with the annual meetings of the Privacy Commissioners to encourage civil society participation in decisions concerning the future of the Internet. EPIC also gives out the Champion of Freedom Awards at the Computers, Privacy and Data Protection Conference in Brussels and the EPIC Awards Dinner in Washington, DC. (Feb. 24, 2017)

  • The U.S. Supreme Court will hear arguments Monday in Packingham v. North Carolina. At issue is a state law that bars people listed in a sex offender registry from accessing any commercial website that allows users under 18 to create profiles and communicate online. The North Carolina ban covers major news sites such as the New York Times and CNN. Packingham was convicted for posting "Good is God" on Facebook after a traffic ticket was dismissed. In a "friend-of-the-court" brief joined by thirty-five technical experts, legal scholars, and civil liberties organizations, EPIC explained that the law violates the First Amendment right to receive information, censors vast amounts of speech unrelated to protecting minors, and will lead to widespread government monitoring of all internet users. "The state can no more criminalize what an individual chooses to read on a personal electronic device than it can restrict the contents of a home library: the privacy of both is sacrosanct," EPIC wrote. EPIC regularly files amicus briefs with the US Supreme Court on emerging privacy and civil liberties issues. EPIC previously argued for First Amendment privacy protections in Doe v. Reed, Watchtower Bible v. Stratton, and Los Angeles v. Patel. (Feb. 24, 2017)

  • The FBI has filed an answer to EPIC's Freedom of Information Act lawsuit for records pertaining to the Russian interference with the 2016 Presidential election. In the answer, the FBI acknowledged receipt of EPIC's FOIA request. EPIC filed suit against the FBI in federal district court after the agency failed to make a timely decision concerning EPIC's request for expedited processing of the FOIA request. The parties will next confer to set a schedule for production of documents and briefing, if necessary. EPIC has also filed suit against the ODNI for public release of the Complete ODNI Assessment of the Russian interference in the 2016 election. EPIC recently launched the EPIC Cybersecurity and Democracy Project, which will focus on US cyber policies, threats to election systems and foreign attempts to influence American policymaking. (Feb. 23, 2017)

  • As a result of a Freedom of Information Act request, EPIC has obtained over 650 pages about DHS's immigration enforcement priorities. The documents detail the "Priorities Enforcement Program," a controversial program that relied on biometric data collection for immigration enforcement. EPIC recently submitted two new urgent FOIA requests to DHS, the first about DHS plans to step up social media monitoring and a second to reveal the agency's compliance with recent immigration court orders. This week, EPIC also prevailed in a FOIA lawsuit for public release of privacy assessments the FBI is required to prepare. (Feb. 23, 2017)

  • The Article 29 Working Party, an expert group of European privacy officials, has raised concerns over a provision in the immigration Executive Order that would limit Privacy Act protections. The Working Party is seeking assurance from the US that the change will not threaten the privacy rights of non-US citizens established in the "Privacy Shield" and the Umbrella Agreement. EPIC is currently participating in Data Protection Commissioner v. Facebook, a case following a landmark decision that found insufficient legal protections for the transfer of European consumer data to the US. (Feb. 22, 2017)

  • EPIC has prevailed in EPIC v. FBI, a case involving a Freedom of Information Act request for privacy assessments the FBI is required to prepare. EPIC sued the Federal Bureau of Investigation after the agency failed to respond to EPIC's FOIA request for the assessments. EPIC subsequently challenged the adequacy of the agency's search for responsive documents and the FBI's claim that records could be withheld pursuant to "Exemption 7(E)," which concerns law enforcement "techniques and procedures." Today, the federal judge concluded that "the FBI neither adequately described its search nor properly justified its withholdings of information under FOIA exemption 7(E)." The Court ordered the FBI to supplement the record to address the inadequacy of the agency's search and the basis for the Exemption 7(E) claims. (Feb. 21, 2017)

  • Sen. Ron Wyden (D-OR) has asked the Department of Homeland Security to explain reports of Customs and Border Patrol agents demanding access to Americans' locked phones at U.S. borders. Wyden said that "These digital dragnet border search practices weaken our national and economic security." EPIC awarded Sen. Wyden the EPIC Champion of Freedom Award in 2013. EPIC's 2017 awards dinner will be held on June 5, 2017 honoring Carrie Goldberg, Garry Kasparov, and Judge Patricia Wald. EPIC has also submitted FOIA requests to the DHS regarding the agency's policies for searches of social media. (Feb. 21, 2017)

  • The German Federal Network Agency has told parents to destroy the "My Friend Cayla" doll, an internet-connected doll that spies on young children. The toy is illegal under German privacy law because it is a "concealed listening device," according to the agency. EPIC and several consumer organizations filed a complaint with the Federal Trade Commission alleging that the doll violates U.S. privacy law. EPIC's complaint spurred a congressional investigation, and toy stores across Europe have removed Cayla from their shelves and are offering refunds to parents who purchased the toys. However, the Federal Trade Commission has failed to act on the complaint and U.S. families continue to purchase the doll that surreptitiously monitors children's communications. (Feb. 17, 2017)

  • A coalition of human rights groups is urging the UN to investigate reports that the US is demanding entrants provide access to their cell phones and social media accounts. "These practices persist in violation of the United States human rights treaty obligations and your action is needed to hold the government accountable," the group stated in a letter to the UN High Commissioner on Human Rights and other UN offices. EPIC recently submitted an urgent request for disclosure of DHS plans to step up social media monitoring, and previously prevailed in a lawsuit against the agency to reveal records of its monitoring programs. EPIC's Privacy Law Sourcebook 2016, available in the EPIC bookstore, provides an overview of privacy frameworks around the world and tracks emerging privacy challenges. (Feb. 16, 2017)

  • EPIC and a coalition of consumer groups sent a letter to the Federal Trade Commission recommending 10 steps the agency should take to protect consumers and promote competition in 2017. "American consumers today are at great risk of identity theft, financial fraud, and data breaches," the coalition wrote, arguing that "proactive efforts to strengthen data protection will spur innovation and support business models that are sustainable over time." The letter asks the FTC to increase its enforcement efforts, promote transparency, and pursue actions based on unfairness instead of relying on "notice and choice." EPIC has consistently urged the FTC to exercise its full authority in protecting consumers. EPIC has also filed numerous consumer privacy complaints with the FTC, including a recent complaint about "toys that spy." (Feb. 16, 2017)

  • EPIC has sent a letter to a House committee on Digital Commerce and Consumer Protection for a hearing on "Self-Driving Cars: Road to Deployment," urging the establishment of privacy and safety measures for connected cars. EPIC warned that connected vehicles raise substantial risks for consumers. EPIC explained that voluntary guidance and self-regulation do not provide meaningful protection. EPIC has testified before Congress and submitted detailed comments on the need for privacy and safety standards for connected vehicles. (Feb. 15, 2017)

  • EPIC has sent letters to two Senate Committees investigating Russian interference with the 2016 Presidential Election. In letters to the Senate Judiciary Committee and Senate Foreign Relations Committee, EPIC described two Freedom of Information Act cases against the FBI and the ODNI to obtain records about the scope of activities aimed at undermining democratic institutions. EPIC explained that upcoming federal elections in Europe underscore the need to understand the cyber threat to democratic elections. (Feb. 13, 2017)

  • EPIC and a coalition of over sixty organizations urged the Office of Management and Budget to preserve access to government information online. In a letter, the coalition called on OMB to ensure agencies give the public notice required by law before removing information. The coalition warned that agencies have begun removing information on topics "such as animal welfare, individuals with disabilities, climate change, and more from their websites." EPIC routinely advocates on behalf of open government and transparency. EPIC is currently pursuing two Freedom of Information Act lawsuits for records related to the Russian interference in the 2016 Presidential election. (Feb. 13, 2017)

  • In advance of a hearing on "Strengthening U.S. Cybersecurity Capabilities," EPIC has sent a letter to the House Science Committee urging Congress to protect democratic institutions, following the Russian interference with the 2016 presidential election. EPIC explained that "data protection and privacy should remain a central focus" of cyber security policy. EPIC also recommended that Congress strengthen the federal Privacy Act and establish a U.S. data protection agency. (Feb. 13, 2017)

  • Several states across the U.S., including Michigan, Montana, North Carolina, and Ohio, recognized international Data Privacy Day, held annually on January 28 to commemorate the first international treaty for privacy and data protection. State efforts to raise awareness about privacy and other consumer protection issues are published monthly in The State Center Consumer Protection Report. The Report also noted that Mississippi is pursuing legal action against Google over student data collected from public schools. The lawsuit accuses Google of collecting students' personal information and search history for its own business interests in violation of the Mississippi Consumer Protection Act. (Feb. 10, 2017)

  • In a letter to DHS Secretary Kelly, Senator Markey (D-MA) and five other Senators pressed DHS about the impact of an Executive Order limiting federal Privacy Act protections. "These Privacy Act exclusions could have a devastating impact on immigrant communities and would be inconsistent with the commitments made when the government collected much of this information," the Senators contended. The Senators also called on Secretary Kelly to explain the Order's impact on international commitments that permit U.S. firms to obtain access to the data of European consumers. EPIC is participating in Data Protection Commissioner v. Facebook, a case which follows a landmark decision that found insufficient legal protections for the transfer of European consumer data to the United States. (Feb. 9, 2017)

  • EPIC has submitted an urgent FOIA request to the Department of Homeland Security about aerial surveillance, social media monitoring and ID theft following statements made by DHS Secretary John Kelly in a Congressional hearing on Homeland Security. The Secretary described plans to expand the use of "aerostats" (surveillance blimps) and monitoring of social media. The Secretary also stated that he has been a victim of a data breach. The EPIC FOIA request follows earlier cases brought by EPIC which revealed efforts by the DHS to expand aerial surveillance within the United States, develop techniques for "pre-crime" detection, interrupt Internet service, as well as the impermissible monitoring of social media services and news organizations. (Feb. 8, 2017)

  • The Pew Research Center has released a report, "Code-Dependent: Pros and Cons of the Algorithm Age." The Pew report discusses the impact that experts expect algorithms to have on individuals and society. Among the themes in the report are the biases and lack of human judgment in algorithmic decisionmaking and the need for "algorithmic literacy, transparency, and oversight." EPIC has promoted "Algorithmic Transparency" for many years and has proposed two amendments to Asimov's Laws of Robotics that would require autonomous devices to reveal the basis of their decisions and their actual identity. (Feb. 8, 2017)

  • In a recent speech, Acting Federal Trade Commission Chairwoman Maureen Ohlhausen outlined her priorities for consumer protection. Ohlhausen recognized that "a notice-and-choice approach to privacy may not adequately protect consumers" but advocated a market-focused "harms-based approach" to privacy. She pointed to recent settlements with Ashley Madison and Eli Lilly as cases involving significant non-financial harm to consumers. Ohlhausen also proposed making the results of all FTC data security investigations public, not only those that result in enforcement actions. EPIC supports increased transparency in FTC actions but has explained in comments to the FTC and FCC and in testimony before Congress that "notice and choice" and "harms based" approaches are insufficient to protect consumer privacy. (Feb. 6, 2017)

  • The Federal Trade Commission has reached a $2.2 million settlement with smart TV manufacturer VIZIO over the company's tracking of consumers' viewing habits without their knowledge or consent. The FTC's complaint alleged that VIZIO's collection and sale of viewing data was unfair and deceptive, and the settlement agreement requires the company to delete all viewing data. EPIC previously filed a complaint with the FTC over Samsung's smart TV data collection practices, including surveillance of consumers' private conversations. EPIC has also defended the privacy of consumers' TV viewing habits in a federal court case involving the Video Privacy Protection Act. (Feb. 6, 2017)

  • This week the case Data Protection Commissioner v. Facebook, concerning privacy protection for transatlantic data transfers, begins in Ireland. The case follows a landmark decision which found insufficient legal protections for the transfer of European consumer data to the United States. Mr. Schrems, an Austrian privacy advocate, now challenges Facebook's "standard contractual clauses" as failing to protect privacy. The Irish High Court designated EPIC as the US NGO amicus curiae in the case. EPIC is represented by FLAC (Free Legal Advice Centres), an independent human rights organization, based in Dublin, dedicated to the realization of equal justice for all. (Feb. 6, 2017)

  • EPIC has filed an urgent FOIA request with the Department of Homeland Security for further information about a DHS press release on "Compliance With Court Orders And The President's Executive Order." The DHS Press Release follows an Executive Order on entry to the United States and a series of court decisions suspending the Order. EPIC is now seeking details about the DHS's activities, including communications with other agencies, communications with airlines, and legal memos supporting the agency's actions. The Inspector General of DHS also announced an investigation to review "allegations of individual misconduct on the part of DHS personnel." EPIC cited both an "urgency to inform the public" and "exceptional media interest" in questions about the "government's integrity" in support of the request for expedited processing. EPIC will continue to press the DHS for prompt release of the documents sought. More information about EPIC's FOIA work is available on the FOIA Case page. (Feb. 3, 2017)

  • Congress is scheduled to consider the "Email Privacy Act" (H.R. 387) next week. The bill passed the House 419-0 last session. The Act amends the Electronic Communications Privacy Act of 1986 to extend the warrant requirement to communications stored for more than 180 days. An earlier version of the Act would have required notice of email searches to the user, with some exceptions. EPIC has recommended several other ECPA updates, including protections for location data, data minimization requirements, and end-to-end encryption for commercial e-mail services. (Feb. 3, 2017)

  • EPIC sent a letter to a House Subcommittee on Communications and Technology in advance of a hearing on the NTIA, a key technology policy agency. EPIC warned that "American consumers face unprecedented privacy and security threats," citing recent examples of hacks of devices, including home locks and cars, connected to the internet. EPIC said that Congress and the NTIA should establish protections that minimize the collection of personal data and promote security for Internet-connected devices. EPIC warned of growing risks to consumer safety and public safety. EPIC has testified before Congress, litigated cases, and filed complaints with the FTC regarding connected cars, "smart homes," consumer products, and "always on" devices. (Feb. 2, 2017)

  • As a result of a Freedom of Information Act request, EPIC obtained documents detailing a DOJ and White House meeting with top industry representatives to help combat ISIL's online influence. The February 2016 meeting, called the "Madison Valleywood Project," convened a range of industry members to "collaborate in generating and amplifying compelling content that would undermine ISIL's online messaging and recruitment efforts." A series of slides set the stage for the project, proposing counter strategies like "disrupting their digital landscape" and encouraging use of data metrics to track success. EPIC routinely pursues FOIA requests and lawsuits to improve government oversight and accountability. In 2012, EPIC prevailed in a lawsuit against DHS revealing the agency's social media monitoring policies, including instructions to analysts to monitor criticism of the agency. More information about EPIC's FOIA work is available on the FOIA Case page. (Jan. 31, 2017)

  • The President has issued an executive order requiring every new regulation to be offset by the repeal of at least two existing regulations. The Order could directly impact rules that safeguard consumers against data breach, financial fraud, and identity theft. EPIC has also recommended new public safety regulations concerning aerial drones, connected vehicles, and the Internet of Things. In EPIC v. FAA, EPIC is challenging the failure of the agency to protect the public from aerial surveillance. (Jan. 31, 2017)

  • Through a Freedom of Information Act lawsuit, EPIC has obtained several memoranda of understanding regarding the transfer of biometric identifiers between the Federal Bureau of Investigation and the Department of Defense. One of the agreements, which includes the State Department, calls for "a direct conduit for the parties to access databases storing biometric information." Last year, EPIC filed extensive comments scrutinizing the FBI's proposal to remove Privacy Act safeguards from the Bureau's massive biometric database known as "Next Generation Identification." EPIC also led a coalition effort urging Congress to hold an oversight hearing on the FBI database. The case is EPIC v. FBI, No. 16-2237 (D.D.C. filed Nov. 10, 2016) (Biometric Data Transfer Agreements). (Jan. 30, 2017)

  • The Aspen Institute released a report on the Artificial Intelligence workshop on connected cars, healthcare, and journalism. "Artificial Intelligence Comes of Age" explored issues at "the intersection of AI technologies, society, economy, ethics and regulation." The Aspen report notes that "malicious hacks are likely to be an ongoing risk of self-driving cars" and that "because self-driving cars will generate and store vast quantities of data about driving behavior, control over this data will become a major issue." The Aspen report discusses the tension between privacy and diagnostic benefits in healthcare AI and describes "some of the alarming possible uses of AI in news media." EPIC has promoted Algorithmic Transparency and has been at the forefront of vehicle privacy through testimony before Congress, amicus briefs, and comments to the NHTSA. (Jan. 30, 2017)

  • On January 28, EPIC celebrates International Privacy Day, which commemorates Convention 108, the first international treaty for privacy and data protection. EPIC and consumer organizations have urged the United States to ratify the International Privacy Convention. NGOs and Privacy experts have also expressed support for the Madrid Declaration, a substantial document that reaffirms international instruments for privacy protection, identifies new challenges, and calls for concrete actions. The complete text of the Privacy Convention is contained in the Privacy Law Sourcebook, available at the EPIC Bookstore. (Jan. 28, 2017)

  • EPIC has filed an urgent FOIA request with the DHS, the Department of Justice, and the NSA, seeking the expedited release of NSPD-1. The National Security Presidential Directive sets out procedures for cybersecurity "policy coordination, guidance, dispute resolution, and periodic in-progress review." EPIC has previously litigated, and successfully obtained, NSPD-54, a Presidential Directive concerning the NSA's authority to conduct surveillance within the United States. (Jan. 28, 2017)

  • The Department of Health and Human Services, along with fifteen other federal agencies, released a final revision for the Common Rule which establishes privacy rights for personal information collected from human subjects in federally funded research. EPIC submitted extensive comments, urging the agencies to adopt strong privacy protections for personal data for the revised Common Rule. However, the federal agency deferred new safeguards, as well as privacy guidance for internal review boards, claiming that current privacy laws were adequate. (Jan. 27, 2017)

  • EPIC has filed a "friend-of-the-court" brief in a donor privacy case before the Ninth Circuit Court of Appeals. Under California law, nonprofit organizations are required to send the state each year a list of donors and their donations. EPIC said this reporting requirement "infringes on several First Amendment interests, including the free exercise of religion, the freedom to express views without attribution, and the freedom to join in association with others without government monitoring." EPIC traced the history of anonymous giving in Christianity, Islam, and Judaism. EPIC also explained that California has "failed to implement basic data protection standards" for donor information. In amicus briefs for the U.S. Supreme Court, EPIC has argued for similar Constitutional privacy rights in Packingham v. North Carolina, Doe v. Reed, Watchtower Bible v. Stratton, and Patel v. Los Angeles. (Jan. 27, 2017)

  • According to a new public opinion study from the Pew Research Center, 64% of Americans have personally experienced a major data breach, and 49% feel that their personal information is less secure than it was 5 years ago. Pew also found that 41% of Americans have dealt with fraudulent charges on their credit card, and 15% have received notice that their Social Security number had been compromised. Pew found that a substantial majority (70%) of Americans anticipate major cyberattacks in the next five years on our nation's public infrastructure. The EPIC Data Protection campaign highlights the need to improve privacy safeguards in the United States. (Jan. 26, 2017)

  • The Federal Trade Commission has issued Cross-Device Tracking: An FTC Staff Report, which describes online tracking technology used to link a consumer's activity across smartphones, laptops, tablets, and other internet-connected devices. The report follows from an FTC workshop on this emerging practice. EPIC filed comments with the Commission urging limits on cross-device tracking, which presents significant privacy challenges due to the "lack of transparency and control in this undetectable online tracking scheme." EPIC explained how "notice and choice" fails to protect consumers from this surreptitious activity. The FTC's report recommends continued industry self-regulation and application of the unworkable "notice and choice" approach to this new practice. (Jan. 26, 2017)

  • EPIC has filed a Freedom of Information Act lawsuit against the Office of the Director of National Intelligence in federal district court in Washington, DC. The case is designated EPIC v. ODNI, No. 17-163 (D.D.C. filed Jan. 25, 2017). As EPIC makes clear in the complaint, "there is an urgent need to make available to the public the Complete ODNI Assessment to fully assess the Russian interference with the 2016 Presidential election and to prevent future attacks in democratic institutions." More details in the press release. Last week EPIC sued the FBI to uncover details of the Bureau's response to Russian interference. (Jan. 26, 2017)

  • Less than one week in office, the Trump Administration has published an Executive Order that limits the application of the federal Privacy Act. The Order states that "Agencies shall . . . ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act . . ." Few U.S. privacy laws distinguish between U.S. and non-U.S. citizens. The Privacy Act is an exception. Some efforts were made in the last few years to update the Privacy Act, a law adopted in 1974, as the federal government now collects detailed personal information on non-U.S. citizens. The reforms were also considered legally necessary to permit U.S. firms to obtain access to the data of European consumers. (Jan. 26, 2017)

  • This week the U.S. Senate confirmed Rep. Mike Pompeo to be Director of the CIA by a vote of 66-32. EPIC sent a statement to the Senate Select Committee on Intelligence highlighting Pompeo's troubling statements on privacy and surveillance. In a January 2016 op-ed, Mr. Pompeo wrote that "Congress should pass a law re-establishing collection of all metadata, and combining it with publicly available financial and lifestyle information into a comprehensive, searchable database. Legal and bureaucratic impediments to surveillance should be removed." EPIC warned the Senate Committee that the CIA Director must not "turn the enormous surveillance powers of the agency against the American people." A recent Freedom of Information Act case pursued by EPIC revealed that the CIA spied on staff members of the US Senate. (Jan. 25, 2017)

  • EPIC has awarded the 2017 International Privacy Champion Award to German Privacy expert and open government advocate Alexander Dix. Dr. Dix served as Commissioner for Data Protection and Access to Information in Berlin, as well as Chair of the International Working Group on Data Protection. The EPIC award was presented at the annual conference on Computer, Privacy, and Data Protection in Brussels. The EPIC Champion of Freedom Awards will be presented on June 5, 2017 at the National Press Club in Washington, DC. Press Release. (Jan. 25, 2017)

  • The U.S. Supreme Court has declined to review a ruling by the Fifth Circuit Court of Appeals that a Texas voter ID law violates the Voting Rights Act. The decision means that Texas won't be able to enforce the law, which poses a significant threat to voter privacy and could discourage legal voters. Last summer, the appeals court held that the Texas Law had a "discriminatory effect" on minorities' voting rights and remanded the case to the lower court. Texas petitioned the Supreme Court to review the decision, but the court refused to do so Monday. EPIC filed an amicus brief arguing that the Texas law places an unconstitutional burden on voters' rights to informational privacy because of the excessive collection of personal data. Such bills "disenfranchise individuals who seek to protect their personal information from data breach, cybercrime, and commercial exploitation," EPIC told the court. (Jan. 24, 2017)

  • The Director of National Intelligence released a final progress report from the Obama administration on signals intelligence reform. The DNI report detailed the agency's efforts under Presidential Policy Directive 28 to increase transparency and accountability. Clapper also highlighted the Privacy and Civil Liberties Oversight Board's oversight role and stated that transparency is "difficult, but also, in my view, essential." The DNI stated, "The IC routinely provides the Board with the information and access it requests to carry out its oversight duties." The report also notes implementation of the Freedom Act, which prohibits the bulk collection of domestic telephone records. EPIC has supported enhanced transparency for the Intelligence Community and filed a Supreme Court petition to end the bulk data collection program. (Jan. 24, 2017)

  • EPIC sent a letter to the Senate Commerce Committee on Monday about privacy and security concerns in two pending bills. The DIGIT Act would "encourage the growth" of the Internet of Things and "help identify barriers to its advancement." The Spoofing Prevention Act would extend the laws prohibiting Caller ID spoofing to text messages, international calls, and Voice-over-IP calls. EPIC pointed out the "significant privacy and security risks" to American consumers of the Internet of Things. EPIC also argued for "a requirement that any automated calls reveal (1) the actual identity of the caller and (2) the purpose of the call." EPIC has been at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices. EPIC also supports robust telephone privacy protections and recently advised Congress on modernizing telemarketing rules. (Jan. 24, 2017)

  • During the final week in office, the Obama Department of Justice released the list of European countries covered under the Judicial Redress Act. The Act gives citizens of these countries limited rights under the US Privacy Act. The Act implements the US-EU "Umbrella Agreement," which is a framework for transferring law enforcement data across the Atlantic. The Act came about in response to the Schrems decision, which held that the United States lacks adequate data protection. EPIC had recommended substantial changes to the Judicial Redress Act, explaining in a letter to Congress that the bill still did not provide adequate protection to permit transborder data flows and fails to provide necessary updates for U.S. citizens. EPIC successfully sued the Justice Department to obtain the full text of the Umbrella Agreement. (Jan. 23, 2017)

  • As one of the final acts of the outgoing President, the White House has released "Privacy in our Digital Lives: Protecting Individuals and Promoting Innovation." In 2008, President Obama announced "Change We Can Believe In" and said he would "strengthen the privacy protections for the digital age and to harness the power of technology to hold government and business accountable for violations of personal privacy." Beginning after his election, privacy groups across the country urged the President to strengthen privacy in America. In 2012, Obama proposed a Consumer Privacy Bill of Rights but no legislation followed. After the Snowden revelations, Congress enacted the Freedom Act and Obama reformed intelligence practices, but the US failed to limit data collection outside the US. The "Privacy Shield," a framework to gather data for commercial use without legal protections, was put in place even after NGOs urged comprehensive reforms in the US and the EU. Between 2009 and 2016, the levels of data breach, identity theft, and financial fraud in the United States skyrocketed, even as Americans called for stronger protections. The 2016 Presidential election was marked by data breaches, email disclosures and cyber attacks. The U.S. is still one of the few democratic nations in the world without a data protection agency. (Jan. 19, 2017)

  • EPIC today filed a Freedom of Information Act lawsuit against the Federal Bureau of Investigation in federal district court in Washington, DC. The case is designated EPIC v. FBI, No. 17-127 (D.D.C. filed Jan. 18, 2017). The complaint states “EPIC challenges the FBI’s failure to make a timely decision concerning EPIC’s request for expedited processing of the FOIA request for records about the Russian interference with the 2016 Presidential Election.” A press conference will be held at the Fund for Constitutional Government on Capitol Hill on Thursday, January 19, 2017 at 1 pm. Media Advisory (Jan. 18, 2017)

  • EPIC has sent a statement to the Senate Foreign Relations Committee urging the next UN Ambassador to advocate for human rights, particularly the right to privacy and the right to freedom of expression as set out in the Universal Declaration of Human Rights. EPIC also wrote that the UN Ambassador should support US ratification of the Council of Europe Privacy Convention, which is critical to the continued flow of personal data around the world. EPIC and consumer organizations have called on the United States to ratify the Privacy Convention. Next week, many countries around the world will recognize January 28, International Privacy Day, which celebrates the International Privacy Convention. (Jan. 18, 2017)

  • EPIC will host a press conference at the Fund for Constitutional Government, across the street from the U.S. Supreme Court, on Thursday, January 19, 2017, at 1 pm, concerning the Russian Interference with the 2016 Presidential Election. Details to follow. (Jan. 18, 2017)

  • EPIC has sent a letter to the Senate Commerce Committee outlining the key privacy issues that the next Secretary of Commerce should address. The Committee convened this week to consider the nomination of Wilbur Ross for Commerce Secretary. EPIC stated that privacy protection may be "the most important issue that the Secretary of Commerce will confront over the next several years." EPIC urged the Committee to ensure the nominee "make clear his commitment to a comprehensive approach to data protection, based in law." EPIC warned about the inadequacy of the Privacy Shield, a non-legal framework that permits the flow of European consumers' personal data to the United States, outside of European privacy law. (Jan. 18, 2017)

  • EPIC has filed a "friend-of-the-court" brief urging a federal appeals court to protect consumers' ability to sue companies that fail to safeguard personal information. A group of consumers sued health insurer Carefirst after the company's faulty security practices allowed hackers to obtain the personal information of 1,100,000 customers. A lower court wrongly dismissed the case because the judge believed that consumers must suffer identity theft before a court can consider violations of legal obligations. In the amicus brief, EPIC explained that the court misunderstood the relevant law, and confused the legal responsibility of companies to maintain good security with the harms that consumers eventually suffer. EPIC said courts should focus on whether companies have breached a legal obligation to safeguard personal data. EPIC regularly files briefs defending consumer privacy. (Jan. 18, 2017)

  • EPIC has sent a statement to the Senate Select Committee on Intelligence highlighting CIA Director nominee Mike Pompeo's troubling positions on privacy and surveillance. In a January 2016 op-ed, Mr. Pompeo wrote that "Congress should pass a law re-establishing collection of all metadata, and combining it with publicly available financial and lifestyle information into a comprehensive, searchable database. Legal and bureaucratic impediments to surveillance should be removed." EPIC warned the Committee that the CIA Director must not "turn the enormous surveillance powers of the agency against the American people." The CIA has a long history of unlawful surveillance. A recent Freedom of Information Act case pursued by EPIC revealed the CIA spied on staff members of the US Senate. (Jan. 17, 2017)

  • Senator Richard Burr (R-NC) and Senator Mark Warner (D-VA), the Chairman and Ranking Member of the Senate Intelligence Committee, have announced a bipartisan inquiry into the Russian interference with the 2016 Presidential Election. Democratic members of the House Judiciary Committee have also pressed the FBI to confirm its investigation of President-elect Trump's ties to Russia. In a letter to FBI Director James Comey, Committee Members requested "all documentation relevant to this investigation" be provided to the Committee "as soon as possible." EPIC has filed two urgent Freedom of Information Act requests concerning Russian interference: one for records about the FBI's lax response to the foreign cyber threat, the other for the report "Russian Activities and Intentions in Recent US Elections". This week EPIC also urged the Senate Armed Services Committee to pursue an investigation. (Jan. 16, 2017)

  • The National Academies of Sciences has released a new report that examines how disparate federal data sources can be used for policy research while protecting privacy. The NAS Statistics and Privacy Report states that privacy must be a "core value" of any use of government data and recommends that federal statistical agencies "adopt modern database, cryptography, privacy-preserving, and privacy-enhancing technologies" and "engage in collaborative research with academia and industry to continuously develop new techniques to address potential breaches of the confidentiality of their data." EPIC President Marc Rotenberg and EPIC Advisory Board member Cynthia Dwork served on the committee that developed the report. Mr. Rotenberg testified before the Commission on Evidence-Based Policymaking, which is working on increasing access to government data for policy analysis. EPIC also filed comments with the Commission urging it to promote Privacy Enhancing Techniques. (Jan. 12, 2017)

  • EPIC has sent a statement to the Senate Commerce Committee, highlighting two significant privacy issues: drones and autonomous vehicles. The Senate Committee met this week to consider the nomination of Elaine Chao for Secretary of Transportation. EPIC sued the FAA, an agency subject to the Committee's oversight, for its failure to establish drone privacy rules, as required by Congress. EPIC also testified last year before the Committee on the risks of connected cars. EPIC has recently submitted comments on federal automated vehicles policy and filed an amicus brief in federal appeals court on the risks to consumers of connected vehicles. (Jan. 12, 2017)

  • The Director of National Intelligence has announced new rules that permit intelligence agencies to disseminate "raw" signals intelligence without first removing or "minimizing" personal information. EPIC and other civil liberties groups opposed these changes in a letter last year to the Director, explaining that the changes would "fatally weaken existing restrictions on access to the phone calls, emails, and other data the NSA collects." The Director said that the new rules would "prohibit recipient elements from querying raw [intelligence] for a law enforcement purpose." But EPIC previously highlighted the risks of consolidating personal data in a FOIA lawsuit, EPIC v. ODNI, against the Director of National Intelligence. (Jan. 12, 2017)

  • The Federal Trade Commission has filed a lawsuit against Internet of Things device maker D-Link. The complaint alleges that D-Link failed to use adequate security in its internet cameras and routers despite promises that the devices were "easy to secure" and used "advanced network security." The poor security practices alleged by the FTC include using easily-guessed default passwords, mishandling code-signing keys, and storing usernames and passwords in plaintext. EPIC has worked extensively on the risks of the Internet of Things, recommending safeguards for connected cars, "smart homes," and "always on" devices. In 2013, EPIC submitted comments to the FTC addressing the security and privacy risks of IoT devices. (Jan. 12, 2017)

  • EPIC and a coalition of privacy advocates have submitted comments asking the FCC to prohibit forced arbitration clauses in communications contracts. Arbitration clauses require consumers to settle complaints in private proceedings out of court, often in inconvenient locations and before arbitrators of the company's choosing. The comments note that forced arbitration clauses allow corporations to "escape accountability for systemic harms" such as overbilling. The FCC's broadband privacy rules, adopted in October 2016, did not address forced arbitration clauses, but Chairman Wheeler announced at the FCC's October meeting that the agency had begun an internal process for rulemaking on that issue. EPIC has urged the FCC to establish comprehensive safeguards for consumer privacy, to ban pay-for-privacy schemes, and to prohibit mandatory arbitration. EPIC has frequently defended FCC privacy rules and currently has a petition pending before the FCC to end the mandatory retention of customer telephone records. (Jan. 12, 2017)

  • The Federal Trade Commission has responded to EPIC's complaint about toys that spy, promising to "carefully review" the filing. EPIC's complaint, filed last month and joined by the Campaign for Commercial Free Childhood, the Center for Digital Democracy, and Consumers Union, alleges that the internet-connected children's toys My Friend Cayla and i-Que Intelligent Robot violate federal privacy laws. The complaint is part of coordinated, international efforts to ban these toys from the marketplace. Walmart, Toys "R" Us, and stores across Europe have already pulled the toys from their shelves. EPIC's complaint has also spurred a congressional investigation by Sen. Edward Markey (D-MA) into the data practices of toymaker Genesis Toys and speech technology developer Nuance Communications. (Jan. 11, 2017)

  • In a letter to the Senate Committee on Homeland Security, EPIC and leading experts urged Congress to keep a close eye on the White House Homeland Security Advisor. EPIC explained that the position, equal in power to the National Security Advisor, carries "significant implications for the safety and security of the American people." EPIC said that the Homeland Security Advisor should ensure "the Russian government poses no further threats to the United States electoral system or to other democratic governments." EPIC also said that "data protection and privacy should remain a central focus" of U.S. cyber security policy. The EPIC letter was signed by distinguished experts in cyber security, information technology, encryption, and human rights law. (Jan. 10, 2017)

  • The European Commission has released its proposal to update EU law on privacy and security safeguards for electronic communications. The revamped e-Privacy Regulation would extend important new safeguards to users of all online communications services, including email, instant messaging, and social media. The proposal would also protect both communications content and metadata, and would limit tracking of internet users. In the US, the FCC recently adopted modest privacy rules that apply only to broadband services offered by telecom companies, despite EPIC's repeated advice to the FCC to address "the full range of communications privacy issues facing US consumers." The Commission's update of the e-Privacy Directive follows the recently adopted General Data Protection Regulation, and must next be adopted by the European Parliament and European Council. (Jan. 10, 2017)

  • EPIC has submitted an urgent Freedom of Information Act request to the Office of the Director of National Intelligence (ODNI) seeking the complete report on the Russian interference in the 2016 Presidential Election. On January 6, the ODNI released a public summary on the Russian interference, but withheld important information. EPIC is seeking expedited release of the complete, unredacted report. EPIC is also seeking records from the FBI about the agency's lax response to the foreign cyber threat. EPIC submitted a statement to the Senate Armed Services Committee hearing on Russian interference. Congress will hold a second hearing today, and a bill initiating new sanctions against Russia is expected this week. EPIC will continue to press the ODNI for prompt release of the report. (Jan. 10, 2017)

  • In comments to the TSA, EPIC urged the agency to abandon a proposed information collection plan under the REAL ID Act. REAL ID is a federal to turn the state driver's license into a national identity statement. Many states have opposed REAL ID. The TSA now plans to subject Americans, without a TSA "compliant" ID, to broad information collection requirements. EPIC, supported by a broad coalition, opposed REAL ID because it compromised privacy and enabled government surveillance. EPIC provided detailed comments to DHS and later issued a report. Since adoption of REAL ID, many states have suffered data breaches of DMVs because of criminals seeking REAL ID mandated documents. (Jan. 10, 2017)

  • Tomorrow the Senate Judiciary Committee will begin hearings on the nomination of Senator Jeff Sessions for Attorney General. EPIC submitted a statement to the Committee, which stated “Senator Sessions’ record regarding the privacy rights of Americans raises serious questions about his selection as Attorney General.” EPIC pointed to Sessions’ support for warrantless surveillance of the American people and opposition to government oversight. Senator Sessions also opposed Apple in its dispute with the FBI and failed to support efforts to modernize the Electronic Communications Privacy Act. The Lawyers for Good Government also raised concerns about Senator Sessions’ support for the Privacy Act, the Freedom of Information Act, as well as his independence to “prosecute all criminal acts including those that may implicate the President of the United States.” (Jan. 9, 2017)

  • The U.S. Supreme Court declined today to review In re Nickelodeon, a class action suit concerning privacy protections for Internet users under the Video Privacy Protection Act. Last year, a federal appeals court rejected claims that Google and Viacom had violated the statute, holding that static IP and MAC addresses are not "personally identifiable information." That opinion contradicted a previous ruling from a different federal appeals court, which held that unique IDs are personally identifiable under the video privacy law. EPIC filed an amicus brief in the Nickelodeon case, explaining that Congress defined personal information broadly "to ensure that the underlying intent of the Act-to safeguard personal information against unlawful disclosure-is preserved as technology evolves." (Jan. 9, 2017)

  • The White House Office of Management and Budget has released guidance establishing common standards and practices for how federal agencies manage data breaches. The Data Breach Memorandum sets out a risk-based framework for evaluating data breaches and requires each agency to develop a data breach response plan. Not all breaches will trigger individual notification under the guidance. The new guidance comes four months after a House Government and Oversight Committee report criticized the Office of Personnel Management about the 2015 data breaches that compromised the records of 22 million federal employees and family members. EPIC testified in 2009 and 2011 in support of strong data breach notification laws, filed comments with the Office of Personnel Management recommending limits on data collection, and has urged the Supreme Court to recognize a right of "information privacy" that would limit the ability of the federal government to collect personal information. (Jan. 4, 2017)

  • The Senate Armed Services Committee will hold a hearing on "Foreign Cyber Threats to the United States" on January 5, 2016. EPIC submitted a statement to the Committee to alert Senators about a pending Freedom of Information Act request. The EPIC FOIA request concerns the lax response of the FBI to the Russian interference with the 2016 Presidential election. EPIC wrote “we believe that the information that we are seeking from the FBI will also be helpful to the Senate Armed Services Committee as you investigate foreign cyber threats to the United States.” Director of National Intelligence James Clapper, National Security Agency and Cyber Command Chief Adm. Mike Rogers and Undersecretary of Defense for Intelligence Marcel Lettre are scheduled to testify. (Jan. 4, 2017)
