The Federal Communications Commission announced today its largest privacy fines to date. The agency's first data security case stems from an investigation of TerraCome and YourTel American who "stored Social Security numbers, names, addresses, driver's licenses, and other sensitive information belonging to their customers on unprotected Internet servers that anyone in the world could access." The carriers will be fined $10 million for their breach of consumer privacy. Last month, the FCC reached a $7.4 million settlement with Verizon over privacy violations. EPIC previously urged the FCC to determine whether Verizon violated the Communications Act when it released consumer call detail information to the National Security Agency. Also, in response to a 2005 EPIC petition, the FCC strengthened privacy protections for telephone records, which EPIC defended in a "friend of the court" brief for the DC Circuit, establishing support for opt-in privacy safeguards. For more information, see EPIC: NCTA v. FCC (Concerning privacy of CPNI) and In re EPIC (NSA Telephone Records Surveillance).
Senator Rockefeller has asked Whisper to answer several questions about the company's practices and policies. Whisper said that it does not track users and that it respects users' decisions to opt out of geolocational tracking. But the Guardian revealed that Whisper tracks "the precise time and approximate location of all messages" and specifically tracks certain users the company deems "newsworthy." Senator Rockefeller, chair of the Senate Committee on Commerce has asked Whisper to explain its tracking, data retention, and disclosure practices. EPIC has several similar matters pending before the Federal Trade Commission. For more information, see EPIC: WhatsApp, EPIC: Snapchat, and EPIC: FTC.
EPIC has joined a coalition of more than 50 organizations that has asked President Obama to strengthen the Freedom of Information Act. "Only statutory reform and your public commitment to that reform will ensure the commitments you have made last beyond your presidency," the groups wrote. President Obama signed a memorandum in support of Open Government the day after he was inaugurated in 2009, but open government groups say he has not done enough to promote government transparency. The groups are now urging the President to commit to a "presumption of openness" and to endorse the "foreseeable harm" standard mandated by the Attorney General. The groups would also like to see the President support a narrowing of the communication privilege and end the withholding of documents more than 25 years old. Finally, the groups said that agencies that miss statutory deadlines should not charge fees and that the FOIA ombudsman should be strengthened. For more information, see EPIC: Open Government.
EPIC's Spotlight on Surveillance Project returns to focus attention on domestic drone surveillance. Congress recently mandated that the Federal Aviation Administration integrate drones into the National Airspace, raising concerns about both safety and privacy. The FAA has begun granting limited exemptions to the current ban on commercial drones. EPIC's Spotlight "Eyes in the Sky" examines the surveillance capabilities of drone technology and recommend comprehensive privacy legislation. EPIC has also testified in Congress in support of drone privacy law, urged the FAA to mandate minimum privacy standards, and pursued several significant FOIA cases. For more information, see EPIC's Spotlight on Surveillance on Drones and EPIC: EPIC v. Army (Surveillance Blimps).
In comments to a federal agency developing a privacy research agency, EPIC expressed support for Fair Information Practices and the Consumer Privacy Bill of Rights. EPIC also recommended research on Privacy Enhancing Technologies ("PETs") that "minimize or eliminate the collection of personally identifiable information." EPIC highlighted current privacy issues including identity theft, security breaches, financial fraud, and the increasing use of predictive analytics in big data analysis. Earlier this year, EPIC submitted comments on "Big Data and the Future of Privacy" and called for the end of opaque algorithmic profiling. The White House's subsequent report on Big Data and the Future of Privacy incorporated several recommendations from EPIC and other privacy organizations. For more information, see EPIC: Big Data and the Future of Privacy.
The Office of the Director of National Intelligence has released the first report on the implementation of Presidential Policy Directive 28. In January, the President proposed a revised policy for foreign signals intelligence. Under the revised directive, PPD-28, intelligence agencies are required to "review and update" their policies and "establish new ones as necessary" to safeguard personal information collected through signals intelligence. Signals intelligence activities must also be "as tailored as feasible," and there must be limitations on the querying, use, dissemination, and retention of personal information. The report states that all intelligence agencies in place by January 17, 2015, one year after the President's speech. EPIC previously challenged the NSA's bulk collection of domestic and international call detail records. EPIC has also filed Freedom of Information Act requests with the NSA and other intelligence agencies elements seeking disclosure of current procedures regarding surveillance conducted under Executive Order 12333. For more information, see EPIC: EO 12333 and In re EPIC.
EPIC has submitted detailed comments to the National Highway Traffic Safety Administration, urging the agency to protect driver privacy for "vehicle-to-vehicle" (V2V) technology. The technology transmits data between vehicles to "facilitate warnings to drivers concerning impending crashes." NHTSA is in the initial stages of mandating vehicle-to-vehicle technology. EPIC's comments pointed to several privacy and security risks with V2V techniques. EPIC urged NHTSA to "complete a more detailed privacy and security assessment of V2V communications" and to: "(1) not collect PII without the express, written authorization of the vehicle owner; (2) ensure that no data will be stored either locally or remotely; (3) require end-to-end encryption of V2V communications; (4) require end-to-end anonymity; and (5) require auto manufacturers to adhere to the Consumer Privacy Bill of Rights." Last year EPIC, joined by a coalition of consumer privacy organizations and members of the public, urged NHTSA to protect driver privacy and establish privacy safeguards for car "black boxes." For more information, see EPIC: Event Data Recorders and EPIC: Internet of Things.
Today the Supreme Court agreed to hear Los Angeles v. Patel, a challenge to a local ordinance that allows police to inspect hotel guest registries without a warrant or judicial supervision. A federal appeals court ruled that the LA law was "facially" unconstitutional because the authority could violate the Fourth Amendment. The Supreme Court will consider both the scope of privacy protections for hotel guests and also whether the Fourth Amendment prohibits laws that allow unlawful searches. The second issue has far-reaching consequences because many recent laws authorize the police searches without judicial review. Thus far, courts have only considered "as applied" challenges on a case-by-case basis. EPIC will likely file an amicus brief in the Supreme Court case in support of the decision of the federal appeals court. For more information, see EPIC: Los Angeles v. Patel and EPIC: Amicus Briefs.
President Obama signed an Executive Order today to Improve the Security of Consumer Financial Transactions. The Order will require enhanced security features for government financial transactions, including chip-and-PIN technology which has greatly reduced financial fraud and identity crimes in Europe. The Executive Order states that "the Government must further strengthen the security of consumer data and encourage the adoption of enhanced safeguards nationwide in a manner that protects privacy and confidentiality..." The White House also announced a series of measures to safeguard consumer financial security, including more secure payment systems, efforts to reduce identity theft and support "algorithmic transparency." EPIC has endorsed many of these proposals. The White House also announced a summit on cybersecurity and consumer protection. For more information, see EPIC: "Cybersecurity and Data Protection in the Financial Sector" (House 2011), EPIC: "Cybersecurity and Data Protection in the Financial Sector" (Senate 2011), and EPIC: Identity Theft.