Case 1:17-cv-01320-CKK Document 21 Filed 07/07/17 Page 1 of 12 IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA ELECTRONIC PRIVACY INFORMATION CENTER 1718 Connecticut Avenue, N.W. Suite 200 Washington, D.C. 20009 Plaintiff, v. Civ. Action No. 17-1320 (CKK) PRESIDENTIAL ADVISORY COMMISSION ON ELECTION INTEGRITY; MICHAEL PENCE, in his official capacity as Chair of the Presidential Advisory Commission on Election Integrity; KRIS KOBACH, in his official capacity as Vice Chair of the Presidential Advisory Commission on Election Integrity; EXECUTIVE OFFICE OF THE PRESIDENT OF THE UNITED STATES; OFFICE OF THE VICE PRESIDENT OF THE UNITED STATES; The White House 1600 Pennsylvania Avenue, N.W. Washington, D.C. 20500 GENERAL SERVICES ADMINISTRATION 1800 F Street, N.W. Washington, D.C. 20405 UNITED STATES DEPARTMENT OF DEFENSE 1000 Defense Pentagon Washington, D.C. 20301-0001 Defendants. AMENDED COMPLAINT FOR INJUNCTIVE RELIEF 1. This is an action under the Administrative Procedure Act (“APA”), 5 U.S.C. §§ 551–706, the Federal Advisory Committee Act (“FACA”), 5 U.S.C. app. 2, and the United States Constitution for injunctive and other appropriate relief to halt the collection of state voter data by Case 1:17-cv-01320-CKK Document 21 Filed 07/07/17 Page 2 of 12 the Presidential Advisory Commission on Election Integrity (the “PACEI” or the “Commission”), by officers of the Commission, and by the agencies which oversee and facilitate the activities of the Commission, including the Department of Defense. 2. The Electronic Privacy Information Center (“EPIC”) challenges the Commission’s intent to collect the personal data of millions of registered voters and to publish partial SSNs as an unconstitutional invasion of privacy and a violation of the agency’s obligation to conduct a Privacy Impact Assessment (“PIA”). Jurisdiction and Venue 3. This Court has subject matter jurisdiction over this action pursuant to 28 U.S.C. § 1331, 5 U.S.C. § 702, and 5 U.S.C. § 704. This Court has personal jurisdiction over Defendants. 4. Venue is proper in this district under 5 U.S.C. § 703 and 28 U.S.C. § 1391. Parties 5. Plaintiff EPIC is a nonprofit organization incorporated in Washington, D.C., and established in 1994 to focus public attention on emerging privacy and civil liberties issues. Central to EPIC’s mission is oversight and analysis of government activities. EPIC’s Advisory Board members include distinguished experts in law, technology, public policy, and cybersecurity. EPIC has a long history of working to protect voter privacy and the security of election infrastructure. EPIC has specific expertise regarding the misuse of the Social Security Number (“SSN”) and has sought stronger protections for the SSN for more than two decades. 6. EPIC’s members include registered voters in California, the District of Columbia, Florida, Maryland, Massachusetts, Minnesota, New York, Pennsylvania, Texas, and Washington. 7. Defendant PACEI is an advisory committee of the U.S. government within the meaning of FACA, 5 U.S.C. app. 2 § 10. Defendant PACEI is also an agency within the meaning of 44 U.S.C. § 3502 and the APA, 5 U.S.C. § 701. 2 Case 1:17-cv-01320-CKK Document 21 Filed 07/07/17 Page 3 of 12 8. Defendant Michael Pence is the Vice President of the United States and the Chair of the PACEI. 9. Defendant Kris Kobach is the Secretary of State of Kansas and the Vice Chair of the PACEI. 10. Defendant Executive Office of the President of the United States (“EOP”) is an agency within the meaning of 44 U.S.C. § 3502 and the APA, 5 U.S.C. § 701. 11. Defendant Office of the Vice President of the United States (“OVP”) is a subcomponent of EOP and an agency within the meaning of 44 U.S.C. § 3502 and the APA, 5 U.S.C. § 701. 12. Defendant General Services Administration (“GSA”) is an agency within the meaning of 44 U.S.C. § 3502 and the APA, 5 U.S.C. § 701. The GSA is charged with providing the PACEI “such administrative services, funds, facilities, staff, equipment, and other support services as may be necessary to carry out its mission . . . .” Ex. 1.1 13. Defendant United States Department of Defense (“DoD”) is an agency within the meaning of 44 U.S.C. § 3502 and the APA, 5 U.S.C. § 701. The DoD manages and controls the Safe Access File System (“SAFE”). Facts The Commission’s Unprecedented Collection of State Voter Data 14. The Commission was established by Executive Order on May 11, 2017 (“Commission Order”). Ex 1.2 1 Exec. Order. No. 13,799, 82 Fed. Reg. 22,389, 22,390 (May 11, 2017). 82 Fed. Reg. at 22,389; see also Voter Privacy and the PACEI, EPIC.org (June 30, 2017), https://epic.org/privacy/voting/pacei/. 2 3 Case 1:17-cv-01320-CKK Document 21 Filed 07/07/17 Page 4 of 12 15. The Commission is charged with “study[ing] the registration and voting processes used in Federal elections.” Ex. 1.3 The Commission Order contains no authority to gather personal data or to undertake investigations.4 16. On June 28, 2017, the Vice Chair of the Commission undertook to collect detailed voter histories from all fifty states and the District of Columbia. Such a request had never been made by any federal official in the history of the country. The Vice Chair stated during a phone call with PACEI members that “a letter w[ould] be sent today to the 50 states and District of Columbia on behalf of the Commission requesting publicly-available data from state voter rolls . . . .” Ex. 2.5 17. According to the U.S. Census, state voter rolls include the names, addresses, and other personally identifiable information of at least 157 million registered voters.6 18. One of the letters from the Commission, dated June 28, 2017, was sent to North Carolina Secretary of State Elaine Marshall. Ex. 3.7 19. In the letter (“Commission Letter”), the Vice Chair urged the Secretary of State to provide to the Commission the “full first and last names of all registrants, middle names or initials if available, addresses, dates of birth, political party (if recorded in your state), last four digits of social security number if available, voter history (elections voted in) from 2006 onward, active/inactive status, cancelled status, information regarding any felony convictions, 3 82 Fed. Reg. at 22,389. See generally id. 5 Press Release, Office of the Vice President, Readout of the Vice President's Call with the Presidential Advisory Commission on Election Integrity (June 28, 2017). 6 U.S. Census Bureau, Voting and Registration in the Election of November 2016 at tbl. 4a (May 2017), https://www.census.gov/data/tables/time-series/demo/voting-and-registration/p20580.html. 7 Letter from Kris Kobach, Vice Chair, PACEI, to Elaine Marshall, Secretary of State, North Carolina (June 28, 2017). 4 4 Case 1:17-cv-01320-CKK Document 21 Filed 07/07/17 Page 5 of 12 information regarding voter registration in another state, information regarding military status, and overseas citizen information.” Ex. 3.8 20. The Commission Letter also asked “[w]hat evidence or information [the state had] regarding instances of voter fraud or registration fraud” and “[w]hat convictions for electionrelated crimes ha[d] occurred in [the] state since the November 2000 federal election.” Ex. 3.9 21. The Commission Letter stated that “any documents that are submitted to the full Commission w[ould] also be made available to the public.” Ex. 3.10 22. The Commission asked for a response by July 14, 2017. Ex. 3.11 The “SAFE” URL, recommend by the Commission for the submission of voter data, leads election officials to a nonsecure site. Regarding this website, Google Chrome states: “Your connection is not private. Attackers may be trying to steal your information from [the site proposed by the Commission] (for example, passwords, messages, or credit cards).” Ex. 4.12 23. As of July 7, 2017, the Department of Defense has received voter data from at least one state, Arkansas, in the SAFE system. Many States Oppose the Commission’s Demand for Personal Voter Data 24. In less than three days following the release of the Commission Letter, election officials in twenty-four states said that they would oppose, partiallly or fully, the demand for personal voter data.13 8 Id. at 1–2. Id. at 1. 10 Id. at 2. 11 Id. 12 Screenshot: Google Chrome Security Warning for Safe Access File Exchange (“SAFE”) Site (July 3, 2017 12:02 AM). 13 Philip Bump & Christopher Ingraham, Trump Says States Are ‘Trying to Hide’ Things from His Voter Fraud Commission. Here’s What They Actually Say, Wash. Post (July 1, 2017), 9 5 Case 1:17-cv-01320-CKK Document 21 Filed 07/07/17 Page 6 of 12 25. California Secretary of State Alex Padilla stated that he would “not provide sensitive voter information to a committee that has already inaccurately passed judgment that millions of Californians voted illegally. California’s participation would only serve to legitimize the false and already debunked claims of massive voter fraud.”14 26. Kentucky Secretary of State Alison Lundergan Grimes stated that “Kentucky w[ould] not aid a commission that is at best a waste of taxpayer money and at worst an attempt to legitimize voter suppression efforts across the country.”15 27. Virginia Governor Terry McAuliffe stated that he had “no intention of honoring [Kobach’s] request.”16 28. More than fifty experts in voting technology and twenty privacy organizations wrote to state election officials to warn that “[t]here is no indication how the information will be used, who will have access to it, or what safeguards will be established.”17 The Commission’s Failure to Conduct a Privacy Impact Assessment 29. Under the E-Government Act of 2002,18 any agency “initiating a new collection of information that (I) will be collected, maintained, or disseminated using information technology; https://www.washingtonpost.com/news/wonk/wp/2017/07/01/trump-says-states-are-trying-tohide-things-from-his-voter-fraud-commission-heres-what-they-actually-say/. 14 Press Release, Secretary of State Alex Padilla Responds to Presidential Election Commission Request for Personal Data of California Voters (June 29, 2017), http://www.sos.ca.gov/administration/news-releases-and-advisories/2017-news-releases-andadvisories/secretary-state-alex-padilla-responds-presidential-election-commission-requestpersonal-data-california-voters/. 15 Bradford Queen, Secretary Grimes Statement on Presidential Election Commission's Request for Voters' Personal Information, Kentucky (last accessed July 3, 2017) http://kentucky.gov/Pages/Activity-stream.aspx?n=SOS&prId=129. 16 Terry McAuliffe, Governor McAuliffe Statement on Request from Trump Elections Commission (June 29, 2017), https://governor.virginia.gov/newsroom/newsarticle?articleId=20595. 17 Letter from EPIC et al. to Nat’l Ass’n of State Sec’ys (July 3, 2017), https://epic.org/privacy/voting/pacei/Voter-Privacy-letter-to-NASS-07032017.pdf. 6 Case 1:17-cv-01320-CKK Document 21 Filed 07/07/17 Page 7 of 12 and (II) includes any information in an identifiable form permitting the physical or online contacting of a specific individual” is required to complete a Privacy Impact Assessment (“PIA”) before initiating such collection.19 30. The agency must “(i) conduct a privacy impact assessment; (ii) ensure the review of the privacy impact assessment by the Chief Information Officer, or equivalent official, as determined by the head of the agency; and (iii) if practicable, after completion of the review under clause (ii), make the privacy impact assessment publicly available through the website of the agency, publication in the Federal Register, or other means.”20 31. The PACEI is an agency subject to the E-Government Act because it is an “establishment in the executive branch of the Government,” a category which “includ[es] the Executive Office of the President.”21 32. A Privacy Impact Assessment for a “new collection of information” must be “commensurate with the size of the information system being assessed, the sensitivity of information that is in an identifiable form in that system, and the risk of harm from unauthorized release of that information.”22 The PIA must specifically address “(I) what information is to be collected; (II) why the information is being collected; (III) the intended use of the agency of the information; (IV) with whom the information will be shared; (V) what notice or opportunities for consent would be provided to individuals regarding what information is collected and how that information is shared; [and] (VI) how the information will be secured . . . .”23 18 Pub. L. 107–347, 116 Stat. 2899 (codified as amended at 44 U.S.C. § 3501 note). 44 U.S.C. § 3501 note (“Privacy Impact Assessments”). 20 Id. 21 44 U.S.C. § 3502(1). 22 § 3501 note (“Privacy Impact Assessments”). 23 Id. 19 7 Case 1:17-cv-01320-CKK Document 21 Filed 07/07/17 Page 8 of 12 33. Under the FACA, “records, reports, transcripts, minutes, appendixes, working papers, drafts, studies, agenda, or other documents which were made available to or prepared for or by [an] advisory committee shall be available for public inspection and copying at a single location in the offices of the advisory committee or the agency to which the advisory committee reports until the advisory committee ceases to exist.”24 34. The Commission has not conducted a Privacy Impact Assessment for its collection of state voter data. 35. The Commission has not ensured review of a PIA by any Chief Information Officer or equivalent official. 36. The Commission has not published a PIA or made such an assessment available for public inspection. The DoD’s Privacy Impact Assessment Does Not Permit the Collection of Personal Information from The General Public 37. The DoD last approved a PIA for the Safe Access File Exchange system in 2015.25 38. The 2015 PIA indicates that the SAFE system may “collect, maintain, use and/or disseminate PII” about only “federal personnel and/or federal contractors.”26 39. The 2015 PIA specifically indicates that the SAFE system may not be used to “collect, maintain, use and/or disseminate PII” from “members of the general public.”27 40. According to the 2015 PIA, the SAFE system may not be used to collect the data set out in the June 28, 2017, from Vice Chair Kobach, directing state election officials to provide voter roll data. 24 5 U.S.C. app. 2 § 10(b). Army Chief Information Officer, U.S. Dep’t of Def., Privacy Impact Assessments (April 27, 2016), http://ciog6.army.mil/PrivacyImpactAssessments/tabid/71/Default.aspx. 26 EPIC Supp. Ex. 5, ECF No. 20-1, at 1. 27 EPIC Supp. Ex. 5, ECF No. 20-1, at 1. 25 8 Case 1:17-cv-01320-CKK Document 21 Filed 07/07/17 Page 9 of 12 41. The DoD has not issued a PIA for the collection of personal data from the general public. 42. The DoD has not issued a PIA that would permit the receipt of data specified in the June 28, 2017, Kobach letter. Count I Violation of APA: Unlawful Agency Action 43. Plaintiff asserts and incorporates by reference paragraphs 1–42. 44. Defendants’ collection of state voter data prior to creating, reviewing, and publishing a Privacy Impact Assessment, 44 U.S.C. § 3501 note, is arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law under 5 U.S.C. § 706(2)(a) and short of statutory right under 5 U.S.C. § 706(2)(c). 45. Defendants’ decision to initiate collection of voter data is a final agency action within the meaning of 5 U.S.C. § 704. 46. Plaintiff, by itself and as a representative of its members, is adversely affected and aggrieved by Defendants’ actions. 47. Plaintiff has exhausted all applicable administrative remedies. Count II Violation of APA: Agency Action Unlawfully Withheld 48. Plaintiff asserts and incorporates by reference paragraphs 1–42. 49. Defendants have failed to create, review, and/or publish a privacy impact assessment for Defendants’ collection of voter data, as required by 44 U.S.C. § 3501 note and 5 U.S.C. app. 2 § 10(b). 50. Defendants’ failure to take these steps constitutes agency action unlawfully withheld or unreasonably delayed in violation of 5 U.S.C. § 706(1). 9 Case 1:17-cv-01320-CKK Document 21 Filed 07/07/17 Page 10 of 12 51. Plaintiff, by itself and as a representative of its members, is adversely affected and aggrieved by Defendants’ actions and inaction. 52. Plaintiff has exhausted all applicable administrative remedies. Count III Violation of FACA: Failure to Make Documents Available for Public Inspection 53. Plaintiff asserts and incorporates by reference paragraphs 1–42. 54. Defendants have failed to make available for public inspection a privacy impact assessment for the collection of voter data. 55. Defendants’ failure to make available for public inspection a PIA required by law is a violation of 5 U.S.C. app. 2 § 10(b). 56. Plaintiff, by itself and as a representative of its members, is adversely affected and aggrieved by Defendants’ actions and inaction. 57. Plaintiff has exhausted all applicable administrative remedies. Count IV Violation of Fifth Amendment: Substantive Due Process/Right to Informational Privacy 58. Plaintiff asserts and incorporates by reference paragraphs 1–42. 59. Defendants, by seeking to assemble an unnecessary and excessive federal database of sensitive voter data from state records systems, have violated the informational privacy rights of millions of Americans, including members of the EPIC Advisory Board, guaranteed by the Due Process Clause of the Fifth Amendment. See U.S. Const. amend. V; NASA v. Nelson, 562 U.S. 134, 138 (2011); Nixon v. Administrator of General Services, 433 U.S. 425, 457 (1977); Whalen v. Roe, 429 U.S. 589, 599–600 (1977). 10 Case 1:17-cv-01320-CKK Document 21 Filed 07/07/17 Page 11 of 12 60. Plaintiff, as a representative of its members, is adversely affected and aggrieved by Defendants’ actions. Count V Violation of Fifth Amendment: Procedural Due Process 61. Plaintiff asserts and incorporates by reference paragraphs 1–42. 62. Defendants, by seeking to assemble an unnecessary and excessive federal database of sensitive voter data from state records systems, have deprived EPIC’s members of their liberty interest in avoiding the disclosure of personal matters. U.S. Const. amend. V; NASA v. Nelson, 562 U.S. 134, 138 (2011); Nixon v. Administrator of General Services, 433 U.S. 425, 457 (1977); Whalen v. Roe, 429 U.S. 589, 599–600 (1977). 63. Defendants have done so without providing notice to EPIC’s members, without providing EPIC’s members an opportunity to challenge the collection of their personal data, and without providing for a neutral decisionmaker to decide on any such challenges brought by EPIC’s members. 64. Defendants have violated EPIC’s members Fifth Amendment right to due process of law. U.S. Const. amend. V. 65. Plaintiff, as a representative of its members, is adversely affected and aggrieved by Defendants’ actions and inaction. Requested Relief WHEREFORE, Plaintiff requests that this Court: A. Hold unlawful and set aside Defendants’ authority to collect personal voter data from the states; B. Order Defendants to halt collection of personal voter data; 11 Case 1:17-cv-01320-CKK Document 21 Filed 07/07/17 Page 12 of 12 C. Order Defendants to securely delete and properly disgorge any personal voter data collected or subsequently received; D. Order Defendants to promptly conduct a privacy impact assessment prior to the collection of personal voter data; E. Award EPIC costs and reasonable attorney’s fees incurred in this action; and F. Grant such other relief as the Court may deem just and proper. Respectfully Submitted, /s/ Marc Rotenberg MARC ROTENBERG, D.C. Bar # 422825 EPIC President and Executive Director ALAN BUTLER, D.C. Bar # 1012128 EPIC Senior Counsel ELECTRONIC PRIVACY INFORMATION CENTER 1718 Connecticut Avenue, N.W. Suite 200 Washington, D.C. 20009 (202) 483-1140 (telephone) (202) 483-1248 (facsimile) Dated: July 7, 2017 12