Author: Jeff Cassman

In comments to the Federal Trade Commission, EPIC commended the FTC for taking enforcement action against prison communications company Global Tel*Link (GTL, now known as ViaPath) for unfair and deceptive trade practices related to a 2020 data breach exposing the personal information of hundreds of thousands of incarcerated persons and their families, friends, lawyers, and other contacts, as well as to the company’s subsequent further misconduct.

GTL put more than 600,000 unique individuals’ personally identifiable information, including such sensitive information as usernames or email addresses in combination with passwords, home addresses, driver’s license numbers, passport numbers, location information, and information about race, religion and whether the individual is transgender. It also included tens of thousands of grievances sent by incarcerated consumers to facilities, as well as tens of thousands of messages exchanged between incarcerated and non-incarcerated users, which sometimes contained financial information and Social Security numbers. Numerous consumers reported fraudulent transactions on their credit card after the breach.

Despite this, after the incident GTL continued to represent that it had never experienced a breach, including in its Request for Proposal (RFP) responses to contract opportunities with other facilities. GTL did not provide notice of the breach to consumers for approximately nine months and when it did, it notified fewer than eight percent of impacted consumers. GTL additionally represented that consumer payment and medical information was not affected when it knew that to be false.

EPIC encouraged the FTC to approve the proposed consent order, praised the Commission for its attention to harms to incarcerated persons and their families, and encouraged the FTC “to work with the FCC to rein in the litany of harmful data practices in the prison telecommunications industry and reduce costs for consumers forced to use companies like GTL to communicate with their loved ones.”

Additionally and specifically, EPIC praised the FTC’s imposition of technical controls and data retention limits, but noted that GTL should not be permitted to retain data for its intelligence services offerings. EPIC also praised the proposed consent order’s requirement that GTL facilitate communications between incarcerated persons and credit monitoring services, but EPIC urged the FTC to further tailor its remedies to include assistance with resolving credit report disputes and providing support in multiple languages.

EPIC regularly files comments in response to proposed FTC consent orders and complaints regarding business practices that violate privacy rights. Additionally, EPIC advocates for stronger consumer protection safeguards in the prison communications context.

“As we watch TV, our TVs watch us,” said Sara Geoghegan, a consumer privacy advocate and legal counsel at the Electronic Privacy Information Center. “Smart TVs collect tons of information.” 

Geoghegan said the amount of data each TV manufacturer collects can often be opaque, but once a customer sets up their smart TV, viewing habits, location, and potentially more personal data are collected and shared — unless that customer adjusts the device’s security settings. 

…Not everyone is happy with the idea that the device mounted on your wall can gather intel. 

Geoghegan argued that many people may be uncomfortable learning that a spying tool was one of the primary reasons their new flatscreen was on sale for $70. 

“I think when you’re browsing your television, you don’t expect that these kinds of intimate things that are just happening inside your home will be used in this way to profile you, and sell you things,” Geoghegan said. 

“The monetization of our personal information is a problem that we should be concerned about.” 

Read more here.

Whether the ban will go into effect will depend on determinations over the FTC’s authority. Meta responded to the proposal by calling the move a “political stunt” that usurps the authority of Congress. However, a coalition including the Electronic Privacy Information Center (EPIC) and the Center for Digital Democracy later sent a letter to FTC Chair Lina Khan outlining the ways the Commission is able to modify its 2020 privacy order with Meta. “The FTC’s impetus to secure limitations on minors’ data reflects minor’s unique vulnerability to Meta’s repeated violations of the law, and is well-founded under the Commission’s authority,” the statement read. 

Meta and Google have also been accused of COPPA violations by outside groups. In 2019, a coalition including Common Sense Media and the Electronic Privacy Information Center filed a complaint with the FTC using information revealed by a class action lawsuit. The suit, which was settled in 2016, alleged that Meta created a system that “encouraged children to make unknowing and unauthorized credit card purchases” for games and “set up a labyrinthine complaint system to deter refund requests.” And as recently as August, a coalition of parental rights groups urged the FTC to look into YouTube for allegedly still serving up personalized ads on its “made for kids” videos. The FTC has not officially investigated either matter.

Read more here. 

The Federal Trade Commission announced a settlement with Rite Aid today over the pharmacy’s discriminatory use of facial recognition technology in its stores. Between 2012 and 2020, Rite Aid deployed facial recognition surveillance systems to identify individuals who may be shoplifting—yet did so without assessing the accuracy or bias of the technology. Rite Aid also used facial recognition technology disproportionately in stores in plurality non-white neighborhoods.

While the use of facial recognition surveillance can be harmful in any context, Rite Aid failed to implement even the most basic safeguards, validation studies, or trainings for employees required to “enforce” the match alerts issued by the system. As a result, “Rite Aid employees recorded thousands of false positive match alerts between December 2019 and July 2020,” the FTC explained.

In addition to placing a 5-year ban on Rite Aid’s use of facial recognition, the settlement requires the company to delete any images of consumers collected with the technology and any algorithms developed using such images. Rite Aid must notify consumers when their biometric information is processed by a surveillance system in the future or any action is taken affecting them because of such a system. The company is also required to implement strong data security and provenance practices.

“This is a groundbreaking case, a major stride for privacy and civil rights, and hopefully just the beginning of a trend,” EPIC Director of Litigation John Davison said. “Rite Aid engaged in an appalling program of surveillance, deploying an untested and discriminatory facial recognition system against its own customers. The result was sadly predictable: thousands of misidentifications that disproportionately affected Black, Asian, and Latino customers, some of which led to humiliating searches and store ejections. But it’s important to note that Rite Aid isn’t alone. Businesses routinely use unproven algorithms and snake oil surveillance tools to screen consumers, often in secret. The FTC is right to crack down on these practices, and businesses would be wise to take note. Algorithmic lawlessness is not an option anymore.”

“Companies should not be able to collect data, break the law, and continue to profit from it. Deletion of both all data collected as part of this illegal operation as well as any algorithms created using that data is the right decision by the Commission and should create a warning to companies considering irresponsible use. This enforcement order institutes essential practices such as meaningful notice, independent third-party assessments, and commonsense data deletion practices,” EPIC Senior Counsel Ben Winters said.

Facial recognition systems have been shown to produce biased and inaccurate results that disproportionately affect non-white populations, particularly Black people. Although the FTC did not disclose the particular vendors used by Rite Aid, a 2019 National Institute of Standards and Technology study analyzing a majority of industry models found the highest rates of false positives were for Black women.

Due to this disparate impact and the inherent threats the technology poses to privacy and autonomy, EPIC has consistently advocated to ban facial recognition.

Senior Counsel…

“It makes perfect sense for California to be taking that next step and requiring browsers to include this by default,” said John Davisson, director of litigation and senior counsel at the Electronic Privacy Information Center, adding that the strongest privacy protections would target businesses, instead of placing the responsibility on consumers to protect their own data. 

“It’s really making good on the promise of the CPPA to provide this universal mechanism [to opt-out]. While the legislation has only just been proposed, if it continues to advance, there is a good possibility companies will fight it. But, Davisson said, companies like Google and Microsoft and others with ad exchanges claim that consumers really want targeted advertising, so, by their own logic, the opt-out should not be a threat to their business model. 

(Subscription Newsletter)

But others are still skeptical. Sara Geoghegan, counsel at the Electronic Privacy Information Center, said she thinks the changes Google outlined were “long overdue.” She remains wary of Google’s commitment to keeping people’s sensitive location data safe. 

“The devil is in the details, and it remains to be seen whether Google’s implementation stands up to the commitments,” she said. “Unfortunately, Google has repeatedly shown that we can’t trust the company’s pinkie promises to protect privacy when it comes to their invasive data practices.” 

Read more here.

On December 14, EPIC, Public Knowledge, Consumer Federation of America, and Demand Progress Education Fund submitted comments to the Federal Communications Commission applauding the agency’s proposal to reclassify broadband providers as common carriers subject to Title II of the Communications Act. The coalition emphasized the current harms and persistent risks suffered by consumers at the hands of their internet service providers (ISPs), and outlined three avenues of enforcement and rulemaking authority that would be available to the FCC if the agency moves forward with its proposal to apply Title II to broadband providers. The groups also urged the Commission to explicitly state that its Title II authority would not preempt state privacy and consumer protection laws, called on the FCC to immediately commence a consumer privacy and data security rulemaking, and suggested updates to the Commission’s transparency rule in line with EPIC’s comments about broadband nutrition labels and cybersecurity IoT labels.

EPIC has long advocated for consumer privacy protections in broadband services and regularly files comments with the FCC.

On December 5, the Federal Communications Commission published its final rule for the Safe Connections Act, a law designed to support survivors of domestic violence (DV) and other forms of interpersonal violence by making it easier for survivors to separate their phone line from a group phone plan, to obtain discounted phone service through the Lifeline program, and to contact hotlines confidentially by removing records of calls from customer-facing logs like monthly bills.

In response to comments from EPIC and its advocacy partners, the Commission’s rule requires law enforcement to obtain a court order to access information about a line separation request. It also requires covered providers to provide line separation requests in the same languages that the provider advertises its services and requires providers to process all requests for line separation within two days. In a related Fact Sheet, the FCC also cited to EPIC et al.’s comments for issues related to the sensitivity of current address information and to a survivor benefiting from the program more than once.

EPIC and its coalition partners have been advocating on behalf of survivors going back to the FCC’s initial Notice of Inquiry in 2022; the Commission seemed to take these comments into account as it developed its Notice of Proposed Rulemaking earlier this year. In March 2023, EPIC published a blog post with the Safety Net Project of the National Network to End Domestic Violence that further emphasized these points. EPIC filed comments addressing ease of use by survivors, data minimization, and misuse of data by law enforcement in DV contexts, as well as reply comments addressing dual-use applications and services that act as stalkerware.

EPIC advocates for laws, regulations, and policies that safeguard user privacy and protect users from technology-facilitated abuse and harassment, including actions against stalkerware developers. EPIC also filed an amicus brief urging that dating platform companies be held liable when they ignore harassment and abuse.