Tag: Privacy

EPIC submitted comments in response to DOJ and DHS’ Request for Written Submissions on Sec. 13e of Executive Order 14074 urging DOJ and DHS to center vulnerable communities in its crafting of new guidance on the use of facial recognition, predictive policing technologies, social media surveillance tools, and DNA analysis tools. EPIC argued that DOJ, DHS, and other law enforcement agencies should cease to use some of the most privacy-invasive and dangerous surveillance technologies—like facial recognition—because of their systemic issues, severe effects on vulnerable populations such as racial minorities, and threat to our democracy. However, EPIC also provided recommendations to create a robust framework of safeguards to protect privacy, civil rights, and civil liberties. EPIC continues to advocate for a set of principles that would adequately assess the risks of these technologies and shape the policy on how law enforcement officials use them. In brief, these include:

• prohibiting mass surveillance;
• protecting privacy, civil rights, and civil liberties;
• protecting constitutional rights;
• proving that the technology and its implementation do not result in a disparate impact for protected classes; 
• requiring adequate evaluation of the purpose, objectives, benefits, and risks of the technology;
• adopting stricter data minimization procedures; 
• ensuring adequate security for retained data;
• regular independent auditing;
• strengthening accountability and oversight; and
• advancing public trust, prioritizing transparency, and requiring substantiation for claims relating to the technology, especially related to its effectiveness. 

EPIC runs a robust surveillance oversight program with several areas of focus. EPIC opposes the spread of facial recognition in both the public and private sector. For many years, EPIC has worked to end TSA’s use of facial recognition at airports. Over the last year, EPIC has helped lead a yearlong coalition campaign to fundamentally reform FISA § 702 as it nears its sunset date. EPIC also regularly calls for increased transparency and oversight of automated decision-making and predictive policing. EPIC has filed complaints with the Attorney General, submitted several Freedom of Information Act (FOIA) requests, and engaged in extensive research to map DHS’ web of databases to shine light on law enforcement use of overbroad surveillance technology. 

Alan Butler, executive director of consumer privacy group Electronic Privacy Information Center, said that a website on the safety of technologies could provide as an additional layer of protection. This would allow the FCC to limit the amount of information on the label and avoid confusing consumers. Consumers expect to understand if their devices could pose potential threats, he said. 

Read more here.

On Tuesday, EPIC submitted comments to the Federal Communications Commission applauding new rules that will strengthen consumer protections against SIM swap and port-out fraud and urging the FCC to further incentivize carriers to reduce security vulnerabilities. SIM swap and port-out fraud occur when a fraudster takes control of a victim’s phone number by convincing a carrier to transfer the victim’s phone service to the fraudster’s phone.

EPIC alerted the Commission to increased instances of SIM swap and port-out fraud targeting major cryptocurrency investors and unsuspecting telecommunications customers alike. EPIC called on the Commission to harmonize CPNI and CPI rules with SIM swap authentication requirements, to establish additional authentication requirements, and to require carriers to report incidents of fraud. Additionally, EPIC requested the Commission articulate its enforcement power under the Communications Act of 1934 and hold carriers liable for SIM swap attacks conducted using their networks and devices, as presently carriers seek to evade liability for SIM swap fraud.

EPIC routinely comments on regulations concerning telecommunications customers privacy and protection from fraud.

On January 17, EPIC submitted reply comments to the Federal Communications Commission in the FCC’s proceeding on reclassifying internet service providers and other broadband providers as common carriers. In its comments, EPIC urged the FCC to outline a broad interpretation of its privacy and data security authorities under Title II of the Communications Act (which governs common carriers such as phone carriers), to explain that the FCC’s consumer protection authorities complement those of the FTC, to make findings that prioritize protecting consumers over protecting data broker and advertiser profits, to initiate an immediate rulemaking to safeguard consumer privacy and data security on the internet, and to continue to facilitate cooperation among state and federal agencies in combating fraud.

EPIC has long advocated for consumer privacy protections in broadband services and regularly files comments with the FCC.

Google hasn’t followed through on promises to delete sensitive user-location information, including visits to abortion clinics, according to a complaint filed with the Federal Trade Commission Thursday and provided to Bloomberg Law. 

The Electronic Privacy Information Center, a nonprofit privacy research and advocacy group, is asking the FTC to investigate the Alphabet Inc. unit for “unfair and deceptive trade practices” around how it handles the data. The complaint follows ongoing reporting that Google has continued to collect location data for users visiting abortion clinics and other sensitive locations, despite promises by the tech giant in July 2022 that it would delete those records. 

The collection of location data can cause “substantial injury” to consumers because it can reveal sensitive personal practices, including visits to abortion clinic visits or houses of worship, according to the complaint. Such data can “lead to criminal prosecution and unduly discourage individuals from seeking vital health care services,” EPIC wrote. 

Read more here.

In a complaint filed today, the Electronic Privacy Information Center (EPIC) and Accountable Tech called on the Federal Trade Commission to investigate tech giant Google for failing to promptly delete location records of users’ visits to abortion clinics and other sensitive facilities despite publicly promising it would do so.

Google retains and processes vast troves of personal information collected through its many applications, programs, and partners. This includes massive amounts of location data, which can reveal sensitive details about a person—including health information like whether and when a person visited a doctor’s office, an addiction treatment center, or an abortion clinic. When this information is retained by companies like Google, it can be accessed by law enforcement and can be used to profile individuals in harmful ways.

In July 2022, following the U.S. Supreme Court’s rescindment of the constitutional right to abortion in Dobbs v. Jackson Women’s Health Organization, Google announced a major policy change to its handling of location data. Google stated that if “its systems identified that a user had visited” an abortion clinic, it would “delete these entries from Location History soon after they visit.” Google’s commitment also extended to location records identifying a user’s visits to addiction treatment centers, domestic violence shelters, and other similarly sensitive facilities.

But Google broke that promise. Months later, research by Accountable Tech and others showed that Google had failed to delete the location information it had promised to. For example, Google’s systems retained search queries and directions to Planned Parenthood clinics and granular map data placing users at Planned Parenthood locations they had visited for more than a month. And the problem continues to this day: a follow-up experiment from Accountable Tech found that while Google had scrubbed “Planned Parenthood” from a user’s Location History map, it retained the route to the clinic itself in four out of eight of its tests. Although Google recently promised—again—to extend enhanced protections to users’ location data, it has yet to follow through on the deletion promise it made more than a year ago, leaving users vulnerable to privacy harms.

“Google’s personal location data practices have caused or are likely to cause substantial injury to its users because they expose users to excessive retention of their ‘particularly personal’ information that can reveal highly sensitive information about them, including whether an individual visited a medical treatment facility, domestic violence shelter, abortion clinic, fertility center, addiction treatment facility, or a surgery clinic.,” EPIC and Accountable Tech’s complaint explains. “The ability of law enforcement to access such data can lead to criminal prosecution and unduly discourage individuals from seeking vital health care services—a risk of substantial injury that has dramatically increased following the Dobbs ruling.”

The complaint calls on the FTC to investigate Google for unfair and deceptive practices in violation of Section 5 of the FTC Act and for violating the 2011 FTC Consent Order arising from Google’s previous mishandling of personal data in the rollout of the…

The Electronic Privacy Information Center says it believes the FCC “should adopt a dual-layer labeling solution” for the program that “would include an easily glanceable primary label and a secondary label that displays additional cybersecurity and privacy information, empowering consumers to make an informed purchase,” Executive Director Alan Butler says. EPIC supports the FCC’s proposal to “require data minimization” as part of its criteria for the Cyber Trust Mark, limiting a qualifying device to “collect only the data necessary to provide its essential functions and services.” The group opposes device manufacturers’ bid for a “safe harbor that would provide a shield against liability for insecure devices,” he says.

Read more here.

Municipalities around the nation have used ARPA federal dollars to fund community surveillance cameras, according to the Electronic Privacy Information Center, a nonprofit research and advocacy center. But EPIC warns that once such systems are in place police can access and collect mass surveillance data leading to privacy issues. 

Read more here.

“This type of tracking which occurs entirely outside of the user’s view is just so far outside of what people expect when they use the internet,” Caitriona Fitzgerald, Deputy Director of the Electronic Privacy Information Center, told The Markup in an interview. Fitzgerald said that while users are likely aware that Meta knows what they are doing while they are on Facebook and Instagram, “they don’t expect Meta to know what stores they walk into or what news articles they’re reading or every site they visit online.” 

… 

Fitzgerald echoed these recommendations, saying the problem lies with the fact that the burden is on the consumer to take action to prevent this data collection. Even a “global opt-out” mechanism allowing users to avoid having their data shared is not enough because “that still requires the user to take an action to protect their privacy. A lot of people are not going to have the time or knowledge to do that,” said Fitzgerald. 

Vazquez, Meta’s spokesperson, said the company would “continue to invest in data minimization technologies to keep up with evolving expectations. As we cover in our terms, businesses are responsible for getting permission to share people’s information with companies like ours.” 

For now, the lack of a federal privacy law leaves consumers in most states with few options. “I think people should be encouraging their elected officials to pass privacy laws that require businesses to change some of these business practices to stop this ubiquitous tracking of our every click and every movement,” said Fitzgerald. 

Read more here.