​TikTok’s growth in the American market is explosive. In just the first quarter of 2022 alone, the short-video app has been downloaded 19 million times. In all, TikTok has about 80 million U.S. users – about one-fourth of the U.S. population.
 
TikTok is owned by a Chinese company, ByteDance. This is a matter of worry in Washington, since explicit Chinese law that requires Chinese companies share information with the intelligence agencies of the Chinese Communist Party. Given the massive torrents of data TikTok collects on its users, the Trump Administration proposed forcing ByteDance to sell off TikTok. The company allayed these concerns by promising to seal off any sensitive data from China. With TikTok storing U.S. user data in the United States, with backups in Singapore, the issued seemed resolved.
 
Then on June 17, Buzzfeed reported that leaked audio from dozens of TikTok internal meetings revealed that employees expressed concern U.S. user data was being accessed by China.
 
“I feel like these tools, there’s some backdoor to access user data in almost all of them,” one external auditor said.
 
“Everything is seen in China,” said a member of TikTok’s “trust and safety” department.
 
Another insider referred to a Beijing-based engineer as a “Master Admin” who has “access to everything.”
 
Now Brendan Carr, Republican member of the Federal Communications Commission, has written to CEOs Tim Cook and Sundar Pichai to ask that Apple and Google remove TikTok from their app stores.
 
Carr wrote that TikTok’s image as “an app for sharing funny videos or memes” is just “the sheep’s clothing.” He added:
 
“TikTok collects everything from search and browsing histories to keystroke patterns and biometric identifiers, including faceprints – which researchers have said might be used in unrelated facial recognition technology – and voiceprints. It collects location data as well as draft messages and metadata, plus it has collected the text, images, and videos that are stored on a device’s clipboard.”
 
TikTok has already paid $92 million to settle lawsuits that it clandestinely transferred vast amounts of Americans’ user data to China. India has banned TikTok, as have the U.S. military and many federal agencies. With so much criticism, TikTok is now working furiously on a project, codenamed “Project Texas,” to work out a deal with Oracle and the Committee on Foreign Investment in the United States to exclusively store sensitive user information on U.S. servers.
 
Commissioner Carr remains skeptical. “TikTok has long claimed that its U.S. user data has been stored on servers in the U.S., and yet those representations provided no protection against the data being accessed from Beijing.”
 
Some might find Carr’s demands to private businesses to be heavy handed. Whether or not Apple and Google should remove TikTok from their app stores, at a minimum Americans need to be aware that their personal data might be at risk.

The Project for Privacy and Surveillance Accountability today announced the filing of a lawsuit in federal court against the National Security Agency, the Central Intelligence Agency, the U.S. Department of Justice, and the Office of the Director of National Intelligence, to compel the release of documents pertaining to the possible purchasing of the personal information of more than 100 current and former Members of the House and Senate Judiciary Committees from private data brokers.
 
The lawsuit, filed in the United States District Court for the District of Columbia, seeks records relating to data purchases of these current and former lawmakers that include Jerrold Nadler, Chairman of the House Judiciary Committee, Ranking Member Jim Jordan, Sen. Dick Durbin, Chairman of the Senate Judiciary Committee and Ranking Member Sen. Chuck Grassley. The list includes many leading lights of both parties, from current Vice President Kamala Harris to Florida Gov. Ron DeSantis, both former Members of Congress.
 
These government agencies responded over the summer 2021 to PPSA’s FOIA request with Glomar responses, a judicially invented doctrine that neither confirms nor denies that such records exist.
 
At the time, Gene Schaerr, PPSA general counsel, responded: “The government doesn’t want to even entertain our question. What do they have to hide?”
 
He added: “This troubling refusal gives all the more reason for Congress to pass the Fourth Amendment Is Not for Sale Act, which would ban such surveillance from purchased data. If Vice President Harris and Gov. DeSantis are potentially having their rights violated, imagine how little protection you and I have.”

​The Project for Privacy and Surveillance Accountability today announced the filing of a Freedom of Information Act (FOIA) request seeking documents from U.S. government agencies regarding secret subpoenas issued on the phone records of Stephanie Kirchgaessner, U.S.-based investigative reporter for The Guardian, as well as warrants and subpoenas issued to Microsoft and the email accounts it provides to the activist journalists of Project Veritas.
 
The Washington, D.C., based Kirchgaessner has long irritated officialdom with her disclosures on stories ranging from the sinister misuses of Pegasus surveillance technology to stories involving surveillance overreach in the United States. James O’Keefe of Project Veritas suffered a pre-dawn raid on his home and confiscation of his cellphone when Department of Justice officials were seeking to track down the chain of custody in the missing diary of Ashley Biden, the president’s daughter. Late last year, federal Judge Analisa Torres was forced to order the Department of Justice to stop the extraction and review of the contents of O’Keefe’s phone, much of which involved stories having nothing to do with the Biden diary.
 
“There have been many recent reports that agencies under administrations of both parties are using secret subpoenas and warrants to surveil the phone and email records of journalists,” said Gene Schaerr, PPSA general counsel. “Investigators are getting far too comfortable in fishing through the records of journalists. This practice chills free expression and threatens to criminalize customary journalistic practice.”

​The Project for Privacy and Surveillance Accountability today announced the filing of a Freedom of Information Act (FOIA) request seeking records with information about any decisions, orders, or opinions issued by Foreign Intelligence Surveillance Court (FISC) and the Foreign Intelligence Surveillance Court of Review (FISCR), the court that reviews FISC opinions. PPSA’s FOIA also includes a request for agency records describing which government officials have access to such opinions.
 
PPSA directed its request to the Drug Enforcement Administration, the Federal Bureau of Investigation, and several offices within the Department of Justice – the National Security Division, the Office of Legal Policy, and the Office of Privacy and Civil Liberties.
 
Thanks to the Snowden revelations, we know the FISC court since 9/11 has issued secret legal opinions that have resulted in allowing the National Security Agency to engage in bulk surveillance of Americans. Many in Congress were outraged by the revelations of this domestic surveillance, which flew directly in the face of assurances made by the then-Director of National Intelligence, James Clapper, and other intelligence officials.
 
In response, when Congress passed the USA FREEDOM Act in 2015, it required the government to review FISC opinions for declassification. The government interpreted this as a mandate to only disclose opinions after June 2015. The government then vets any disclosures by officials in the executive branch, without judicial oversight.
 
“The very idea of secret law – which can affect the free expression and privacy of millions of Americans – is not compatible with the basics of American democracy,” said Gene Schaerr, PPSA general counsel. “These secret precedents and opinions are corrosive to the operations of a free society. It’s time for the government to come clean.”

The U.S. House of Representatives today passed the NDO Fairness Act by voice vote. This legislation would restrain the government practice of using non-disclosure orders to block service providers from informing American consumers that their personal information held by third parties, often in the cloud, has been searched by the government.
 
“This was a strong stand by the House that Americans are concerned about privacy and will not grant the government carte blanche to riffle through our personal data in defiance of the Fourth Amendment to the Constitution,” said Bob Goodlatte, PPSA senior policy advisor and former Chairman of the House Judiciary Committee. “This measure earlier passed the Judiciary Committee by a unanimous, bipartisan voice vote – a good sign of how popular it is on both sides of the aisle. And kudos to Chairman Jerry Nadler and Ranking Member Jim Jordan for driving it to a successful floor vote.”
 
The Project for Privacy and Surveillance Accountability earlier joined with 11 other leading civil liberties organizations in sending a letter (see below) to every Member of the House urging passage.
 
“PPSA will now join with our civil liberties peer organizations to encourage passage of this legislation in the Senate,” Goodlatte said. “There is great support behind this bill by the American people, which should provide enough momentum to expeditiously propel this bill to final passage.”

This bill, H.R. 7072, passed by a unanimous, bipartisan voice vote in the House Judiciary Committee on April 6. Once enacted into law, this measure will rein in the widespread practice by the government in surveilling Americans’ email and internet records and then obtaining a non-disclosure order (NDO) to block service providers from notifying their customers that their personal information has been searched.
 
Under current practice, thousands of Americans – including many who are not even under investigation or suspected of any wrongdoing – will never know that records that could potentially reveal their health status, financial transactions, and personal relationships have been disclosed to the government. Recent media reports reveal that federal agencies have obtained non-disclosure orders when demanding the private data of Members of Congress, journalists at major news outlets, and law-abiding companies. If powerful individuals and institutions can be targeted in secret, just imagine how little power the average individual has in the face of such actions.
 
People who have been subject to surveillance should have a right to know that their personal information has been obtained by the government. Among other things, the secrecy imposed by a non-disclosure order has the effect of denying the person being investigated the ability to challenge such an order in court. In such cases, there may be no way to hold the government accountable for unlawful surveillance—a state of affairs that only increases the likelihood of improper conduct by the government.
 
The NDO Fairness Act is an important first step toward bringing balance to this system by amending 18 U.S.C. 2705 to require prosecutors to justify their non-disclosure orders in court and limit both initial orders and any extensions to a reasonable time period of 60 days. It would also require notice to customers 72 hours after these orders expire, including what information was disclosed.
 
This Act is not a comprehensive solution to the problem of notice. There are service providers who do not provide notice to their customers when the government obtains their data. In many of those cases, the targets of surveillance will continue to be unaware of the surveillance, as the government’s own legal obligations to notify the targets are far too weak. Nonetheless, the NDO Fairness Act makes a significant improvement to the status quo and could serve as a model for further efforts to contain secret government surveillance and data collection.
 
That is no doubt why the NDO Fairness Act enjoys wide, bipartisan support in the Judiciary Committee. It was introduced by Chairman Jerry Nadler and Rep. Scott Fitzgerald, and the committee markup session featured enthusiastic support from Ranking Member Jordan as well as other leading members of both parties. 
 
The NDO Fairness Act is an important curb on governmental power that will help protect our rights without weakening the government’s ability to identify wrongdoers. We urge you to support the Act. And we stand ready to support and amplify your efforts.
 
Thank you.
 
Sincerely,
 
Advocacy for Principled Action in Government
American Civil Liberties Union
Americans for Prosperity
Brennan Center for Justice at NYU School of Law
Demand Progress
Due Process
Free Press Action
FreedomWorks
Government Information Watch
Muslim Justice League
Project for Privacy and Surveillance Accountability
Restore The Fourth

Oral arguments in a federal lawsuit against six government agencies over their stonewalling about “unmasking” and surveillance of the 2016 presidential campaign and transition has been set for September 15.
 
The general counsel of the Project for Privacy and Surveillance Accountability had filed the appeal in January before the U.S. Court of Appeals for the D.C. Circuit. The lawsuit is challenging the refusal of the agencies to respond to its Freedom of Information Act (FOIA) requests seeking information on the surveillance of campaign and transition officials in the 2016 election.

The FOIA requests filed with the Department of Justice, the FBI, CIA, National Security Agency, Department of State and the Office of the Director of National Intelligence sought records regarding the unmasking and “upstreaming,” or the interception of internet communications, of people, including Members of Congress, who were affiliated with the Trump campaign and transition.
 
The agencies responded by issuing “Glomar” responses that refuse to confirm or deny the existence of such records.

Gene Schaerr, PPSA general counsel, who filed the appeal, said: “We ask the court to understand that judicial doctrine is being distorted into a cover-up of alarming misbehavior by the U.S. intelligence community. Americans deserve to know if our government has used its sweeping surveillance authority under the Foreign Intelligence Surveillance Act as a political weapon wielded against the campaign and presidential transition team of an opposing party.

“However you feel about the candidate in question, Donald Trump, what was done to him in 2016 can be done by an administration of either party in a future election,” Schaerr said.

When it comes to digital privacy, Americans feel like a well-dressed person caught in the rain without an umbrella. At first, you try to wait it out under an eave. Then you accept getting a little bit wet. Finally, when your clothes are thoroughly soaked, you just give up.
 
When it comes to digital privacy, Americans have long accepted we couldn’t get any wetter. The social media services and apps we use track and sell our location history, our contacts, our communications, our purchases and (most revealing) our web searches. These data points, like the dots in a pointillistic painting, create a portrait of users with great detail. These portraits are then sold by data brokers to government agencies and commercial entities.
 
A recent Apple commercial portrayed this process by putting a young woman’s virtual self on an auction block. In the ad, the heroine Ellie turns on Apple’s privacy devices, vaporizing her would-be auctioneers. But such controls on a smartphone only involve a small portion of the torrents of information that are collected about us and sold wholesale.
 
So just when many are ready to declare the death of privacy, a bicameral, bipartisan group of legislators have put forward a discussion draft of the American Data Privacy and Protection Act (ADPPA). In a House hearing on Tuesday morning, this bill drew robust discussion from civil rights groups, digital reformers, and industry-allied organizations. This legislation is the first attempt at a comprehensive, national approach to, in the words of House Energy and Commerce Committee Chairman, Rep. Frank Pallone put “consumers back in control of their data and protecting their privacy.”
 
Under ADPPA, companies would have to obtain consumers’ consent for them to collect, process or transfer sensitive personal information. Affirmative consent would be required before the data of children between ages 13 and 17 could be transferred. The Federal Trade Commission (FTC) would form a Young Privacy Marketing Division to police the use of children’s data.
 
Best of all, the shadowy world of data brokers would be exposed to sunlight, with a public online registry created by FTC and third-party audits of how these brokers share information with others.
 
ADPPA would preempt some state privacy laws, while granting an exemption for the Illinois Biometrics Information Privacy Act (recently used to extract a sweeping settlement in the privacy practices of facial recognition provider Clearview AI), and California’s Privacy Rights Act. Other states with recent privacy laws are preempted, which Govtech.com writes “reeks of backroom dealing.”
 
The current draft includes a limited private right of action, which would allow individuals to bring suits for privacy violations after giving industry four years to adjust. Federal Trade Commission enforcement would be strengthened, and state attorneys general would be empowered to act against data holders who violate ADPPA. Companies would be given a limited right to cure a problem, which would give them standing to seek injunctive relief.
 
The discussion that took place in the House Subcommittee on Consumer Protection and Commerce reveals serious legislation with major issues to resolve. Here are a few of them.
 
How far should preemption of state privacy laws go?
 
Colorado, Texas, Virginia, Utah, and Connecticut have passed their own privacy laws. Will they eventually be excluded from preemption along with those of California and Illinois? If they are, do we run the risk of balkanizing the internet?
 
“American consumers and businesses deserve the clarity and certainty of a single federal standard for privacy,” said Former FTC Commissioner Maureen Ohlhausen.
 
Can we protect personal data by degrees of sensitivity without degrading the ability of digital commerce to function?
 
One goal of the bill is to have data minimization, which tasks companies with using only data that is needed for a given transaction. But can a law define the limits of what is needed?
 
John Miller of the Information Technology Industry Council noted that one provision, “information identifying an individual’s online activities over time or across third party websites or online services” could create restrictions for routine browsing. Or, as Ohlhausen put it, the bill “creates uncertainty for routine operational uses of information that are necessary to serve customers and operate a business.”
 
How broad should the private right of action be for individuals?
 
“The current proposal inserts several procedural hurdles that will not reduce litigation costs but will block injured individuals from having their day in court,” said David Brody, managing attorney of the Digital Justice Initiative Lawyers’ Committee for Civil Rights Under Law. “The private right of action in the Act is weak and difficult to enforce.”
 
John Miller countered, “while it is true neither punitive nor statutory damages are permitted” under the bill’s private right of action, “the availability of attorney’s fees could encourage the filing of borderline meritorious cases by specialized attorneys charging exorbitant hourly rates.”
 
Should government purchases of Americans’ personal data be included in the bill?
 
One issue that was not addressed on Tuesday is the frequent sale of Americans’ personal data to the government, a problem addressed by the proposed Fourth Amendment Is Not For Sale Act. Any privacy solution should look beyond the private uses of data by businesses to those of law enforcement and intelligence agencies. After all, only the government can use your information to bang down your door at dawn and arrest you.
 
There were further debates about how the bill might impact the ability of companies to handle cybersecurity threats, and whether small businesses would get tagged with onerous provisions aimed at tech giants. The legislative process in the House and Senate will have to untangle these and many other knotty issues to make this law workable. Yet the hearing room echoed with statements of determination by leaders in both parties to make a national privacy law a reality. 

In the early post-Cold War era, anti-Communist crusaders were often accused of being hysterical, seeing Communists under their beds. Now a report from Christopher Balding and Joe Wu, researchers at New Kite Data Labs, sees the Chinese Communist Party inside coffee makers in American homes. And they are not crazy.
 
This alarming report is a consequence of the Internet of Things (IoT), in which ordinary appliances are given smart applications to interact with each other, as well as to report on performance and consumer behavior. According to Balding, interviewed by The Washington Times, Chinese-made coffee makers gather and report information about customers’ names, their locations, usage patterns and other information. In hotels, a coffee maker could report to China types of payments and routing information.
 
Similar issues have been found with vacuum cleaners that respond to voice commands, baby monitors and video doorbells.
 
The Chinese government has famously built a “panopticon,” a ubiquitous surveillance network that seamlessly integrates facial recognition, social media activities, payments, and other data to potentially track every citizen of that country. IoT, by design but mostly by technological evolution, is rapidly scaling the capacity to bring universal surveillance into the homes of the world.

A record produced by the Office of the Director of National Intelligence (ODNI) in response to a 2020 Freedom of Information Act (FOIA) request by PPSA indicates that the White House in 2018 had directed the ODNI to classify an action to prevent embarrassment or stop disclosure of something official that had been done for political purposes.
 
This is the tantalizing glimpse into one of two heavily redacted ODNI records produced by that agency in response to a FOIA request filed by PPSA seeking documents from a wide range of agencies that contain references to Executive Order 13526. That order, issued by President Obama, was meant to streamline government classification of documents.
 
The action at the heart of this memo is redacted. But the fact that ODNI disclosed this record in response to a FOIA request about challenges to classification decisions strongly suggests that the action did involve classification. Under EO 13526, officials are forbidden from classifying documents to prevent embarrassment or to hide an error. The redacted, partially declassified Top Secret document sent by an investigative analyst to the Assistant Inspector General for Investigations at ODNI confirms that a confidential complaint had centered around an act intended to “prevent embarrassment and for political purposes.”
 
The Inspector General of the Intelligence Community decided not to conduct its own investigation, purportedly because this matter fell outside of its purview to investigate “waste, fraud and abuse.” It did refer the complaint to two ODNI offices, the Office of Civil Liberties, Privacy, and Transparency, and the Office of Analytic Integrity and Standards Group.
 
Civil libertarians and journalists should dig into the remaining questions: Who in the White House issued this request? What was the act itself and what was the classification meant to hide? And finally, what was the ultimate disposition of this investigation?
 
PPSA will report any new revelations in our inquiry.