Vox: Do we really need an app for everything?

“There’s really no limit to data collection, so this data can be collected about you and shared and sold between different data brokers or analytics companies to build really granular consumer profiles, which can then be used for targeted advertising and sold for other purposes,” said Suzanne Bernstein, a law fellow at the Electronic Privacy Information Center (EPIC). Sure, maybe there’s a lengthy privacy disclosure, but nobody reads those, even if they do get into the details. “This whole system is sustained by this imbalance of power and control, this asymmetry, where we’re kind of in the dark as consumers as to what is happening with our data.”


EPIC Awards Johnny Ryan, Beeban Kidron as EPIC International Privacy Champions

EPIC was pleased to present the EPIC International Privacy Champion Award to both Johnny Ryan and Beeban Kidron on May 25th at the Computers, Privacy, and Data Protection (CPDP) conference in Brussels.

Johnny Ryan’s work at the Irish Council for Civil Liberties and beyond has established him as an international leader and prominent voice on privacy. His work focuses on holding enforcement bodies accountable for their actions (and lack of action), highlighting the crisis in digital surveillance advertising, and fighting for meaningful and actionable individual privacy rights.

Beeban Kidron has been a global leader in children’s privacy rights, founding the 5Rights Foundation to set forth age appropriate design codes, toolkits, and standards that are now enshrined in the UK’s Children’s Code and spreading worldwide. Her thoughtful and dedicated work on children’s privacy has prompted a global conversation and multiple legislative proposals internationally.

EPIC is thrilled to honor the work of these leaders in privacy.

FTC Finds Amazon Ring Cameras Responsible for “Egregious Violations of Users’ Privacy,” Requires Data Deletion

In a proposed consent order released today, the Federal Trade Commission will require Amazon to “delete data products such as data, models, and algorithms derived from videos it unlawfully reviewed,” implement new privacy and security measures, and pay a fine of $5.8 million. The proposed order was published alongside a complaint finding that Amazon marketed Ring camera products on promises of security and privacy, but that the company implemented unreasonably lax cybersecurity practices and permitted employees nearly unlimited access to sensitive videos. The complaint alleges that Amazon’s practices were both unfair and deceptive.

In one case, an Amazon employee had access to dozens of cameras surveilling intimate spaces like bathrooms and bedrooms, which the employee used to spy on women. In another, Amazon failed to implement cybersecurity practices to prevent known hacking attacks, leading to bad actors severely harassing and spying on people through their indoor Ring cameras. The FTC has increasingly used data deletion and algorithmic disgorgement requirements to prevent companies from continuing to profit from wrongful practices after a database or algorithm is created. EPIC Senior Counsel Ben Winters authored a paper on algorithmic disgorgement last year.

EPIC regularly files comments in response to proposed FTC consent orders and complaints regarding business practices that violate privacy rights. In comments to the FTC last year, EPIC applauded the agency’s use of disgorgement penalties. In 2019, EPIC and a coalition of groups published a product warning for Ring cameras, citing ease of hacking, failures to protect personal information, and Amazon’s practice of sharing Ring videos with police departments without user consent. In 2021, EPIC filed a complaint against Amazon in Washington, DC highlighting Amazon’s unfair and deceptive use of deceptive design to prevent people from cancelling their Prime subscriptions.

FTC Announces $25 Million Fine Against Amazon for Kids Privacy Violations

Today the Federal Trade Commission announced a major enforcement action against Amazon, moving to fine the tech and retail giant $25 million and requiring updated data deletion practices. As the complaint explains, Amazon’s children’s data retention practices violated the Children’s Online Privacy and Protection Act (COPPA) Rule and Section 5 of the FTC Act. This enforcement action follows the 2019 complaint drafted by groups including the Center for Digital Democracy, Fairplay, and the Consumer Federation of America that called on the FTC to investigate Amazon for COPPA violations.

More than 800,000 children have their own Alexa profiles on Amazon devices that target and collect children’s personal data, retaining voice recordings and geolocation indefinitely—including when a child’s Alexa profile has been inactive. The FTC noted that even when parents requested that Alexa delete their children’s voice recordings, Amazon failed to honor those requests for a significant length of time, if at all. Instead, Amazon retained that data for its own use to improve its Alexa algorithm. In addition to Section 5 violations for unfair and deceptive business practices, the complaint charges that Amazon violated the COPPA Rule by retaining children’s voice recordings indefinitely and failing to provide parents with truthful notice or an effective opportunity to delete the recordings.

Under the proposed order, Amazon will be fined $25 million and required to delete inactive accounts held by children. Additionally, Amazon will be prohibited from “using geolocation, voice information, and children’s voice information subject to consumers’ deletion requests for the creation or improvement of any data product.” In a statement joined by Chair Khan and Commissioner Slaughter, Commissioner Bedoya reiterated that data used to improve algorithms must be lawfully collected, emphasizing that “machine learning is no excuse to break the law.”

The FTC announced another enforcement action against Amazon today, addressing privacy violations from their Ring camera products and requiring data deletion. EPIC regularly advocates before the FTC for strong consumer protection and data protection safeguards, including privacy protections for children. The FTC previously considered EPIC’s recommendations in an early review of the COPPA Rule and incorporated several of EPIC’s recommendations in the 2013 regulations. EPIC filed comments in response to the FTC’s rulemaking on commercial surveillance, arguing for regulations that would safeguard the privacy of minors. Recently, EPIC led a coalition amicus brief to defend California’s Age-Appropriate Design Code.

Ireland Fines Meta €1.2 Billion, Orders Halt of Personal Data Transfers to U.S.

Ireland’s Data Protection Commission has fined Meta €1.2 billion and ordered the company to suspend transfers of personal data to the United States within five months, finding that Meta’s transfers violate the EU’s General Data Protection Regulation. The order also requires Meta to delete EU users’ personal data unlawfully transferred to the U.S. and to bring its processing into compliance with the GDPR.

The order arises from the long-running dispute over cross-border transfers of EU residents’ personal data to the U.S. In 2013, privacy advocate (and EPIC Advisory Board member) Max Schrems filed a complaint alleging that Facebook violated EU law when it transferred personal data to the U.S., where surveillance law fails to provide adequate privacy protections or remedies for non-U.S. persons. The dispute ultimately led the European Court of Justice to invalidate both the U.S.-EU Safe Harbor Agreement (in Schrems I) and the U.S.-EU Privacy Shield Agreement (in Schrems II, a case in which EPIC participated as amicus).

Following Schrems II, Meta continued to carry out cross-border data transfers on the basis of “standard contractual clauses,” which purport to provide EU user data with protections equivalent to the GDPR when transferred to other countries. But Monday’s decision—the result of an investigation by the Irish DPC and a recent ruling by the European Data Protection Board—rejected Meta’s argument that these clauses adequately safeguard the fundamental rights of EU data subjects.

The DPC’s order could have major consequences for other platforms and companies that transfer personal data between the EU and U.S. The proposed Trans-Atlantic Data Privacy Framework may provide companies with a legal basis to continue such transfers when the European Commission’s approval is finalized, though concerns remain that the framework fails to provide EU citizens with adequate remedies for unlawful surveillance.

EPIC, Coalition Urge FCC to Prevent Misuse of Family Tracker Apps in Safe Connections Act Reply Comments

On May 12, EPIC, the Clinic to End Tech Abuse (CETA), the National Network to End Domestic Violence (NNEDV), Public Knowledge, and supporters including 10 other survivor advocacy and direct service organizations filed reply comments to the Federal Communications Commission regarding its implementation of the requirements of the Safe Connections Act of 2022. The rulemaking seeks to help survivors of domestic violence separate their phone line from a shared account with an abuser, to protect the privacy of calls with hotlines and shelters, and to support survivors experiencing financial hardship through affordability programs.

The coalition emphasized the support in the record for survivor self-certification and a presumption of financial hardship, identified logistical challenges with some commenter proposals, and built a more robust record regarding the privacy concerns facing survivors of domestic and sexual violence.

The coalition also called upon the FCC to investigate “dual-use” apps like family trackers, to articulate its legal authority to prevent survivor CPNI from purely stalkerware apps, to require carriers to protect survivor data from unauthorized access by law enforcement or the carrier’s own employees, and to decline to disclose in 911 calls that the call comes from a line separated under the Safe Connections Act.

EPIC, CETA, NNEDV, Public Knowledge, and their sign-on partners also urged the FCC to give phone carriers guidance on how to support survivors with phone device-related privacy and safety concerns, such as stalkerware, a concern the FCC included in this rulemaking as a result of the advocacy of EPIC and its partners at the Notice of Inquiry stage.

EPIC advocates for laws, regulations, and policies that safeguard user privacy and protect users from technology-facilitated abuse and harassment, including actions against stalkerware developers. EPIC also filed an amicus brief urging that dating platform companies be held liable when they ignore harassment and abuse.

EPIC Comments on EU Metaverse Vision

EPIC has contributed to the EU Commission’s call for input to inform its vision for regulations and guidance related to the metaverse. EPIC’s comments focus on the privacy risks and harms present in the metaverse, how the metaverse interacts with existing regulations, and proposals that may mitigate privacy risks.

While many privacy risks of the metaverse are also present in other technologies and systems, the metaverse is set apart by risks to bystanders, the volume of personal data (including sensitive personal data) collected, and the inferences that can be made from that data. Several of these risks come into direct tension with the GDPR—particularly with respect to notification, choice, and processing of sensitive personal data—and may also conflict with the AI Act.

In order to mitigate these risks, EPIC’s comments propose a ban on certain processing (including, for example, “social scoring,” trait inferences, and emotion detection), technical and legal protection for bystanders, and regulation specific to extended reality technologies.

New EPIC Report Sheds Light on Generative A.I. Harms 

EPIC has just released a new report detailing the wide variety of harms that new generative A.I. tools like ChatGPT, Midjourney, and DALL-E pose. While many of these tools have been lauded for their capability to produce new and believable text, images, audio, and videos, the rapid integration of generative AI technology into consumer-facing products has undermined years-long efforts to make AI development transparent and accountable. With free or low-cost generative AI tools on the market, consumers face many new and heightened risks of harm. Everything from information manipulation and impersonation to data breaches, intellectual property theft, labor manipulation, and discrimination can all result from the misuse of generative AI technologies.

EPIC’s report, Generating Harms: Generative AI’s Impact & Paths Forward, builds on the organization’s years of experience protecting consumers from abusive data collection and use. While generative A.I. may be new, many of its harms reflect longstanding challenges to privacy, transparency, racial justice, and economic justice imposed by technology companies. To illustrate these challenges and potential paths forward, the report includes numerous case studies, examples, and research-backed recommendations. The report also includes an Appendix of Harms, designed to provide readers with a common lexicon for understanding the various harms that new technologies like generative A.I. can produce. 

Generating Harms: Generative AI’s Impact & Paths Forward is part of EPIC’s A.I. & Human Rights Project, which advocates for transparent, equitable, and accountable A.I. regulations. Download EPIC’s report at epic.org/GAI

Anna Gomez Nominated to Federal Communications Commission

President Biden has nominated Anna Gomez to serve as a member of the Federal Communications Commission, and has also nominated current Commissioners Brendan Carr and Geoffrey Starks. The FCC has been without a full Commission for an unprecedented two-and-a-half years as President Biden’s initial nomination of attorney and consumer advocate Gigi Sohn stalled in the U.S. Senate over groundless attacks on Sohn’s record. Anna Gomez currently serves in the State Department’s Cyberspace and Digital Policy Bureau and previously served at NTIA, the FCC, and Sprint Nextel. “Anna Gomez brings decades of telecom experience to an FCC that needs to quickly and dramatically ramp up its responses to emerging threats to Americans’ privacy and data security, especially as they relate to location data,” said Alan Butler, EPIC’s Executive Director. “EPIC is optimistic that a full Commission will be in a much better position to protect Americans from these harms.”

The Drug War: An Irrational Crusade

It’s been over five decades since the war on drugs began in the United States, and billions of dollars coerced from taxpayers have been spent on this frivolous operation. The General Accounting Office’s report found that the Drug Abuse Resistance Education (DARE) program did not deter youth from drug abuse. How exactly has this war benefited taxpayers when drug use has increased, and more potent drugs are being consumed? Even the diabolical Charles Manson distributed drugs while imprisoned. Does one honestly think the government will eradicate drugs off the streets?

The mere suggestion of legalizing drugs causes many to accuse me of advocating drug abuse. I do not have any inclination to consume harmful drugs, and neither do I condone such behavior. My motivation for writing this article, however, is grounded in freedom. I hope that after reading this, people across the political spectrum will understand this objective. For people on the right, they should realize this war is unconstitutional. The Constitution does not grant the government control of what someone injects into their body. The state continues to extend its tentacles of power over its people, and the war on drugs is just one facet of that reality.

The state believes it has the prerequisites to decree what can and cannot be allowed, not just regarding drug policy but in our private lives as well. Lysander Spooner, the nineteenth-century theorist, argued that vices are not crimes: “Vices are those acts by which a man harms himself or his property. Crimes are those acts by which one man harms the person or property of another.” You have total autonomy of your body, not the government or anyone else. This should hopefully register with individuals on the left. Today’s political climate has forced citizens into a political dichotomy with no room outside the uniparty’s parameters. Most politically passionate people fail to realize that they share quite a bit of similarities with their supposed “enemies.” It’s not Left versus Right; it’s the state versus you!

Many today disregard the significant number of deaths caused by alcohol, tobacco, and prescription drugs. A considerable number of people abuse these substances, but drug warriors seem to disregard these addictions. Alcohol is a form of drug and can be dangerous when consumed as it affects people differently. On average, 140,000 people die every year from this beverage. Prescription drugs claim 16,500 lives per year. Tobacco consumption is the foremost cause of preventable deaths at an astounding 480,000 deaths annually. One can consider food to be a drug, and its abuse leads to a multitude of health issues. Heart disease, being one of those issues, is the leading cause of death in America.

The government doesn’t care about your well-being or privacy; it only wishes for complete control over you. Financial privacy has even been encroached upon by the state due to the drug war. Deposits of more than $10,000 in the bank are reported to the…