EPIC is on the frontlines defending individuals and communities against government and corporate overreach. We need your support more than ever to carry forward our defense of privacy, human rights, and democratic values in the years ahead. Support us today at epic.org/donate.

The election results are in, and we are preparing for a dramatic transition next year. It is more important than ever to account for power and to hold the powerful to account. EPIC prides itself on being a fierce champion for human rights, and we will fight to protect individuals against data abuse and government and corporate overreach. That fight will continue next year as we brace for new changes and threats of government and corporate overreach. Read EPIC Executive Director Alan Butler's full statement here.

CBP’s Privacy Impact Assessment on Commercial Telemetry Data Highlights Urgent Need for PIA Reform
Kabbas Azhar, Equal Justice Works Fellow

On August 12, 2024, Customs and Border Protection (CBP) released its long overdue Privacy Impact Assessment (PIA) on Commercial Telemetry Data. CBP defines Commercial Telemetry Data (CTD) as historic location data collected from mobile devices by tracking their advertising ID’s. CBP’s PIA has an extremely narrow view of what constitutes CTD—which is no surprise. CBP’s PIA on CTD is extremely vague, years too late, and is a complete failure to comply with federal privacy regulations.

More EPIC Analysis:
 
Demystifying Generative AI Disclosures

EPIC submitted comments in response to the Department of Justice’s (DOJ) notice of proposed rule making on Provisions Regarding Access to Americans’ Bulk Sensitive Personal Data and Government Related Data to Countries of Concern. DOJ requested comments on how the Attorney General could implement a new program regulating certain types of data transactions that involve bulk U.S. sensitive personal data and government-related data that present an “unacceptable risk to U.S. national security.”

In Reply Comments filed with the Federal Communications Commission, EPIC, along with the National Consumers League and Public Knowledge, as well as industry groups CTIA and USTelecom, urged the agency to prioritize removing deficient records from the Robocall Mitigation Database and blocking providers who have been removed.

EPIC submitted a letter comment to the Federal Trade Commission in support of its proposed consent decree with Marriott International Inc. regarding a series of data breaches that occurred at Marriott and Starwood resorts over multiple years. EPIC encouraged the FTC to approve the proposed consent order and expressed support for the Commission’s continuing use of its Section 5 authority to protect consumers from deficient cybersecurity practices.

The Consumer Financial Protection Bureau published a report outlining the risks to consumers’ sensitive financial information when states include broad exemptions for financial institutions in their privacy laws. The report found that all of the state privacy laws exempt either the financial institutions or the data covered by the federal Gramm-Leach-Bliley Act and the communications covered by the federal Fair Credit Reporting Act. 

EPIC and a coalition of civil society organizations and experts sent a letter urging the Consumer Financial Protection Bureau to release a proposed rule to strengthen the Fair Credit Reporting Act as soon as possible. The CFPB is poised to adopt rules that could limit the wide-ranging harms caused by data brokers, protect the privacy of “credit header” information, and improve dispute resolution systems at credit reporting agencies. The coalition encouraged the CFPB to “take the crucial step of publishing a proposed Consumer Reporting Rule that will clarify the application of FCRA to data brokers, better regulate the use of personal information in consumer reporting, and carry forward the text and Congressional purpose of FCRA into an era of rapid technological change.” 

EPIC, along with 47 other civil society organizations, signed a joint statement following our participation in the Tech & Society Summit hosted by EDRi on October 1st in Brussels. EPIC works closely with international partners in the EU and beyond to strengthen digital rights globally. 

In a letter, a bipartisan group of twelve Senators called on Department of Homeland Security Inspector General Joseph Cuffari to investigate the Transportation Security Administration’s use of facial recognition. The letter was signed by members of the Senate Committee on Commerce, Science, and Transportation.

EPIC joined an amicus brief in Renderos v. Clearview AI urging the Ninth Circuit to recognize that lawsuits against privacy-invading companies are valuable ways to protect people’s rights, not back-door attempts to silence the companies’ speech. Renderos v. Clearview AI is a lawsuit against one of the most notorious face recognition companies in the world, which scraped billions of people’s faces from the internet and used them to train an algorithm marketed toward the police and security services.

EPIC joined over 40 civil society organizations and individual experts in a letter to the Department of Homeland Security (DHS) regarding a September 2024 single source contract between DHS and Paragon Solutions, an Israeli headquartered spyware vendor. While publicly available information does not specify the exact technologies or services involved, Paragon Solutions’ flagship product, Graphite, is a known spyware technology which can extract data from encrypted messages on apps like WhatsApp, Facebook Messenger, and Signal. 

EPIC joined a coalition of over 100 organizations led by Just Futures Law to push The Office of Management and Budget to use its authority to stop the Department of Homeland Security’s use of non-conforming artificial intelligence systems. Despite an Executive Order requiring all agencies to comply with certain AI risk management practices by the end of 2024, DHS continues to use non-compliant systems to inform or make its decisions regarding surveillance, deportation, and detention. 

EPIC joined Consumer Federation of America and Public Knowledge on reply comments submitted to the Federal Communications Commission by the National Consumer Law Center regarding proposed consent and disclosure requirements for robocalls in which AI is used. Building on their initial comments, the consumer advocacy groups articulated a tiered approach based on risk, such as whether the call requires prolonged interaction from the consumer or merely broadcasts information (e.g. an appointment reminder) or whether the call uses AI to impersonate a specific individual.

EPIC submitted comments on the Federal Trade Commission’s proposed consent order with DoNotPay, Inc. The FTC’s complaint alleged that DoNotPay violated Section 5 of the FTC Act by misrepresenting its AI system as being equivalent to a human lawyer and falsely claiming it could analyze legal violations in websites and documents.

The California Privacy Protection Agency voted to advance to formal rulemaking the draft regulations for automated decision-making technology, risk assessments, and cybersecurity audits. EPIC testified in support of these draft regulations.