EPIC has filed appeals in two Freedom of Information Act cases seeking documents related to airport body scanners from the Department of Homeland Security and the Transportation Security Administration. EPIC filed FOIA requests with the agencies seeking records related to radiation risks from body scanners and the threat detection software the machines use. The TSA is currently developing formal rules for the use of body scanners in response to a court order in one of EPIC's previous cases. Body scanners allow routine digital strip searches of individuals who are not suspected of any crime. For more information, see EPIC: Radiation Risks lawsuit and EPIC: ATR lawsuit, and EPIC: Suspension of Body Scanner Program.
In a Statement of Administration Policy, the White House threaten to veto the controversial Cyber Intelligence Sharing and Protection Act (CISPA) unless more robust privacy and civil liberties protections are added and newly authorized information sharing goes through a civilian agency. EPIC joined a letter signed by a coalition of privacy and civil liberty organizations to urge the House Permanent Select Committee on Intelligence to open the markup process for CISPA. The markup for CISPA remained closed, and currently as drafted, CISPA would allow companies to disclose vast amounts of customer and client information to other companies and the government, including the National Security Agency, for "cybersecurity purposes." EPIC favors government transparency and is currently pursuing a lawsuit against the NSA stemming from a FOIA request for National Security Presidential Directive 54, which grants the NSA broad authority over computer networks in the United States. For more information, see EPIC: EPIC v. NSA - Cybersecurity Authority.
The Department of Homeland Security has issued a Privacy Impact Assessment, updating information on its controversial social media monitoring program. As part of the program, DHS scours social media sites, including Twitter, Facebook, and Youtube, for public posts that contain words such as "cops," "police," "airport," "hacktivist," and "zombie." DHS then disseminates social media information it has collected to "federal, state, local, and foreign government and private sector partners." Although the Privacy Impact Assessment states DHS should only collect "relevant" social media information, the document also states that "any information posted publicly can be used by [DHS] in providing situational awareness and establishing a common operating picture." Recently, EPIC obtained a court order and an opinion in a Freedom of Information Act lawsuit against DHS, requiring the agency to turn over more documents about the monitoring of social media and Internet media organizations. For more information, see: EPIC: EPIC v. Department of Homeland Security: Media Monitoring.
Responding to growing interest in privacy and "big data," representatives of the data protection agencies in Europe have issued an opinion on the purpose limitation principles in the context of big data. The Article 29 Working Party recommends that personal data should be collected for "specified, explicit and legitimate purposes" and that personal data not be "further processed in a way incompatible with those purposes." The group also recommended that the proposed EU data protection regulation incorporate a list of factors to aid in determining compatible uses. Last fall, EPIC Executive Director Marc Rotenberg testified in support of the proposed reform before the European Parliament, and a group of transatlantic consumer organizations wrote a letter expressing their support. For more information, see EPIC: EU Data Protection Directive.
Speaking at the annual conference of the National Association of Attorneys General, EPIC President Marc Rotenberg said that the state AG's cannot sit on the sidelines as consumers face increasing risks of identity theft, security breaches, and secretive profiling. Rotenberg said the onus shouldn’t be on consumers to keep up with every-changing policy practices. “There is no reason that a customer should have to go back and check their privacy settings when a company changes its business practice." The Attorneys General recently fined Google $7 m for violating state consumer protection laws when the companies vehicles, loaded with Internet packet sniffers, intercepted private residential communications. EPIC has also launched a promotional video "Good to Really Know" with information for consumers about online privacy. For more information, see EPIC: Consumer Privacy Bill of Rights and EPIC: Consumer Privacy.
The Federal Trade Commission has released its annual report for the period from April 2012-2013. The report begins with a description of the FTC’s accomplishments on consumer privacy, and lists the data-breach lawsuit against Wyndham, Google’s $22.5 million fine for tracking Safari users, settlements with the data brokers Equifax and Spokeo, and a survey of the credit reporting industry. EPIC has previously recommended that the FTC enforce its consent orders with Google and Facebook, require adoption of the Consumer Privacy Bill of Rights, and modify proposed settlements in response to public comment. For more information, see EPIC: Federal Trade Commission.
In an order today, the U.S. Supreme Court has declined to review a decision concerning e-mail privacy. In Jennings v. Broome, the South Carolina Supreme Court held that the federal Electronic Communications Privacy Act (ECPA) does not protect emails stored on remote computer servers. As a result of this case, users in South Carolina have lesser privacy protections than those in California where a federal court reached the opposite conclusion. EPIC, joined by 18 national organization filed an amicus brief, urging the US Supreme Court to clarify the scope of e-mail privacy protections. For more information, see EPIC: Jennings v. Broome and EPIC: Electronic Communications Privacy Act.
In response to a request for comments, EPIC submitted comments on the National Institute of Standards and Technology’s review to develop a cybersecurity framework. Pursuant to Executive Order 13636, the agency is charged with defining a cybersecurity framework for the federal government. EPIC supports civilian control of cybersecurity and privacy protections based on the Fair Information Practices. In the comments to NIST, EPIC emphasized the need for all federal agencies to comply with the Privacy Act and the Freedom of Information Act. For more information, see EPIC: Cybersecurity Practical Implications and EPIC: EPIC v. NSA (Cybersecurity Authority).
EPIC has filed a Freedom of Information Act lawsuit against the FBI to obtain documents about "Next Generation Identification", a massive database with biometric identifiers on millions of Americans. The EPIC lawsuit follows the FBI's failure to respond to EPIC's earlier FOIA requests for technical specifications and contracts. According to EPIC's complaint, "When completed, the NGI system will be the largest biometric database in the world." NGI aggregates fingerprints, DNA profiles, iris scans, palm prints, voice identification profiles, photographs, and other identifying information. The FBI will use facial recognition to match images in the database against facial images obtained from CCTV and elsewhere. For more information, see EPIC v. FBI - Next Generation Identification, EPIC: Biometric Identifiers and EPIC: Face Recognition.
EPIC joined a letter signed by a coalition of privacy and civil liberty organizations to urge the House Permanent Select Committee on Intelligence to open the markup process of the Cyber Intelligence Sharing and Protection Act (CISPA) to the public. CISPA suspends privacy safeguards so that companies can disclose vast amounts of customer and client information to the government, including the National Security Agency, for "cybersecurity purposes." Some in Congress believe that the proposal should be adopted in a secret committee meeting. EPIC favors government transparency and is currently pursuing a lawsuit against the NSA stemming from a FOIA request for National Security Presidential Directive 54, which grants the NSA broad authority over computer networks in the United States. For more information, see EPIC: EPIC v. NSA - Cybersecurity Authority.
EPIC has submitted comments to the Federal Trade Commission, supporting several of the agency's changes to its FOIA regulations. EPIC applauded the agency for reducing fees for requesters. EPIC also urged the Committee to: (1) update its definition for news media representative; (2) clarify which documents are public information and ensure that hyperlinks to those records work properly; (3) disclose private sector contract rates for FOIA processing; (4) refrain from prematurely closing FOIA requests; and (5) adopt alternative dispute resolution or arbitration when resolving delinquent FOIA fees. EPIC routinely comments on agency proposals that impact the rights of FOIA requesters. Last year, EPIC submitted extensive comments to theDepartment of Defense, warning the agency not to erect new obstacles for FOIA requesters. For more information, see EPIC: Open Government.
The D.C. Circuit Court reversed a lower court decision and sided with the Citizens for Responsibility and Ethics in Washington in a case concerning an agency's obligation to respond to a Freedom of Information Act request. CREW argued that the Federal Election Commission's response to its FOIA request did not meet the statutory obligations of a "determination" under the Act. The federal appeals court held that an agency must make and communicate its determination whether to comply with a FOIA request, and which exemptions if any it will claim with respect to any withheld documents, within 20 working days of receiving the request, or within 30 days in exceptional circumstances. EPIC joined five other prominent open government groups in a "friend of the court" brief in support of CREW. For more information, see EPIC: Open Government.