Case 1:17-cv-01320-CKK Document 30-1 Filed 07/11/17 Page 1 of 16

IN THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA

ELECTRONIC PRIVACY INFORMATION CENTER
1718 Connecticut Avenue, N.W.
Suite 200
Washington, D.C. 20009

Plaintiff,

v.

Civ. Action No. 17-1320 (CKK)

PRESIDENTIAL ADVISORY COMMISSION ON ELECTION INTEGRITY; MICHAEL PENCE, in his official capacity as Chair of the Presidential Advisory Commission on Election Integrity; KRIS KOBACH, in his official capacity as Vice Chair of the Presidential Advisory Commission on Election Integrity; CHARLES C. HERNDON, in his official capacity as Director of White House Information Technology; EXECUTIVE OFFICE OF THE PRESIDENT OF THE UNITED STATES; OFFICE OF THE VICE PRESIDENT OF THE UNITED STATES; UNITED STATES DIGITAL SERVICE; EXECUTIVE COMMITTEE FOR PRESIDENTIAL INFORMATION TECHNOLOGY;
The White House
1600 Pennsylvania Avenue, N.W.
Washington, D.C. 20500

GENERAL SERVICES ADMINISTRATION
1800 F Street, N.W.
Washington, D.C. 20405

UNITED STATES DEPARTMENT OF DEFENSE
1000 Defense Pentagon
Washington, D.C. 20301-0001

Defendants.

SECOND AMENDED COMPLAINT FOR INJUNCTIVE RELIEF

1. This is an action under the Administrative Procedure Act (“APA”), 5 U.S.C. §§ 551–706, the Federal Advisory Committee Act (“FACA”), 5 U.S.C. app. 2, and the United States Constitution for injunctive and other appropriate relief to halt the collection of state voter data by the Presidential Advisory Commission on Election Integrity (the “PACEI” or the “Commission”), by officers of the Commission, and by the agencies which oversee and facilitate the activities of the Commission, including the Department of Defense.

2. The Electronic Privacy Information Center (“EPIC”) challenges the Defendants’ intent to collect the personal data of millions of registered voters and to publish partial SSNs as an unconstitutional invasion of privacy and a violation of the obligation to conduct a Privacy Impact Assessment (“PIA”).

Jurisdiction and Venue

3. This Court has subject matter jurisdiction over this action pursuant to 28 U.S.C. § 1331, 5 U.S.C. § 702, and 5 U.S.C. § 704. This Court has personal jurisdiction over Defendants.

4. Venue is proper in this district under 5 U.S.C. § 703 and 28 U.S.C. § 1391.

Parties

5. Plaintiff EPIC is a nonprofit organization incorporated in Washington, D.C., and established in 1994 to focus public attention on emerging privacy and civil liberties issues. Central to EPIC’s mission is oversight and analysis of government activities. EPIC’s Advisory Board members include distinguished experts in law, technology, public policy, and cybersecurity. EPIC has a long history of working to protect voter privacy and the security of election infrastructure. EPIC has specific expertise regarding the misuse of the Social Security Number (“SSN”) and has sought stronger protections for the SSN for more than two decades.

6. EPIC’s members include registered voters in California, the District of Columbia, Florida, Maryland, Massachusetts, Minnesota, New York, Pennsylvania, Texas, and Washington.

7. Defendant PACEI is an advisory committee of the U.S. government within the meaning of FACA, 5 U.S.C. app. 2 § 10. Defendant PACEI is also an agency within the meaning of 44 U.S.C. § 3502 and the APA, 5 U.S.C. § 701.

8. Defendant Michael Pence is the Vice President of the United States and the Chair of the PACEI.

9. Defendant Kris Kobach is the Secretary of State of Kansas and the Vice Chair of the PACEI.

10. Defendant Charles C. Herndon is the Director of White House Information Technology.

11. Defendant Executive Office of the President of the United States (“EOP”) is an agency within the meaning of 44 U.S.C. § 3502 and the APA, 5 U.S.C. § 701.

12. Defendant U.S. Digital Service is an agency within the meaning of 44 U.S.C. § 3502 and the APA, 5 U.S.C. § 701.

13. Defendant Executive Committee for Presidential Information Technology consists of the following officials or their designees: the Assistant to the President for Management and Administration; the Executive Secretary of the National Security Council; the Director of the Office of Administration; the Director of the United States Secret Service; and the Director of the White House Military Office. The Executive Committee is an agency within the meaning of 44 U.S.C. § 3502 and the APA, 5 U.S.C. § 701.

14. Defendant Office of the Vice President of the United States (“OVP”) is a subcomponent of EOP and an agency within the meaning of 44 U.S.C. § 3502 and the APA, 5 U.S.C. § 701.

15. Defendant General Services Administration (“GSA”) is an agency within the meaning of 44 U.S.C. § 3502 and the APA, 5 U.S.C. § 701. The GSA is charged with providing the PACEI “such administrative services, funds, facilities, staff, equipment, and other support services as may be necessary to carry out its mission . . . .” Ex. 1.[1]

16. Defendant United States Department of Defense (“DoD”) is an agency within the meaning of 44 U.S.C. § 3502 and the APA, 5 U.S.C. § 701. The DoD manages and controls the Safe Access File System (“SAFE”).

Facts

The Commission’s Unprecedented Collection of State Voter Data

17. The Commission was established by Executive Order on May 11, 2017 (“Commission Order”). Ex. 1.[2]

18. The Commission is charged with “study[ing] the registration and voting processes used in Federal elections.” Ex. 1.[3] The Commission Order contains no authority to gather personal data or to undertake investigations.[4]

19. On June 28, 2017, the Vice Chair of the Commission undertook to collect detailed voter histories from all fifty states and the District of Columbia. Such a request had never been made by any federal official in the history of the country. The Vice Chair stated during a phone call with Commission members that “a letter w[ould] be sent today to the 50 states and District of Columbia on behalf of the Commission requesting publicly-available data from state voter rolls . . . .” Ex. 2.[5]

[1] Exec. Order. No. 13,799, 82 Fed. Reg. 22,389, 22,390 (May 11, 2017).
[2] 82 Fed. Reg. at 22,389; see also Voter Privacy and the PACEI, EPIC.org (June 30, 2017), https://epic.org/privacy/voting/pacei/.
[3] 82 Fed. Reg. at 22,389.
[4] See generally id.
[5] Press Release, Office of the Vice President, Readout of the Vice President's Call with the Presidential Advisory Commission on Election Integrity (June 28, 2017).

20. According to the U.S. Census, state voter rolls include the names, addresses, and other personally identifiable information of at least 157 million registered voters.[6]

21. One of the letters from the Commission, dated June 28, 2017, was sent to North Carolina Secretary of State Elaine Marshall. Ex. 3.[7]

22. In the letter (“Commission Letter”), the Vice Chair urged the Secretary of State to provide to the Commission the “full first and last names of all registrants, middle names or initials if available, addresses, dates of birth, political party (if recorded in your state), last four digits of social security number if available, voter history (elections voted in) from 2006 onward, active/inactive status, cancelled status, information regarding any felony convictions, information regarding voter registration in another state, information regarding military status, and overseas citizen information.” Ex. 3.[8]

23. The Commission Letter also asked “[w]hat evidence or information [the state had] regarding instances of voter fraud or registration fraud” and “[w]hat convictions for election-related crimes ha[d] occurred in [the] state since the November 2000 federal election.” Ex. 3.[9]

24. The Commission Letter stated that “any documents that are submitted to the full Commission w[ould] also be made available to the public.” Ex. 3.[10]

25. The Commission asked for a response by July 14, 2017. Ex. 3.[11] The “SAFE” URL, recommended by the Commission for the submission of voter data, leads election officials to a non-secure site. Regarding this website, Google Chrome states: “Your connection is not private. Attackers may be trying to steal your information from [the site proposed by the Commission] (for example, passwords, messages, or credit cards).” Ex. 4.[12]

[6] U.S. Census Bureau, Voting and Registration in the Election of November 2016 at tbl. 4a (May 2017), https://www.census.gov/data/tables/time-series/demo/voting-and-registration/p20580.html.
[7] Letter from Kris Kobach, Vice Chair, PACEI, to Elaine Marshall, Secretary of State, North Carolina (June 28, 2017).
[8] Id. at 1–2.
[9] Id. at 1.
[10] Id. at 2.
[11] Id.

26. As of July 7, 2017, the Department of Defense has received voter data from at least one state, Arkansas, in the SAFE system.

27. According to representations made by the Commission in the July 10, 2017 response, the Commission sent a “Follow-up Communication” to the states, requesting that the States not submit any data until this Court rules on EPIC’s motion for a temporary restraining order.

28. The Follow-up Communication from the Commission to the States was not made public as would be required by the Federal Advisory Committee Act.

29. There is no public confirmation that all of the States received the Follow-up Communication from the Commission.

30. There is no public confirmation that the States that did receive the Follow-up Communication will comply.

31. According to representations made by the Commission in the July 10, 2017 response, the Director of White House Information Technology is “repurposing” a computer system to be used for collecting personal voter data.

32. On July 10, 2017, the Commission stated that it would not send further instructions about how to use the new system pending the Court’s resolution of EPIC’s motion for a temporary restraining order.

[12] Screenshot: Google Chrome Security Warning for Safe Access File Exchange (“SAFE”) Site (July 3, 2017 12:02 AM).

33. On July 10, 2017, the Commission stated that it would not download the data that Arkansas already transmitted via the DoD system, and that the data will be deleted from the site. There has been no confirmation that the data has been deleted.

The General Services Administration’s Role in Providing Support to the Commission

34. The Executive Order provides that the GSA “shall provide the Commission with such administrative services, funds, facilities, staff, equipment, and other support services as may be necessary to carry out its mission on a reimbursable basis.”[13]

35. The Commission Charter designates the GSA as the “Agency Responsible for Providing Support,” and similarly orders that the GSA “shall provide the Commission with such administrative services, funds, facilities, staff, equipment, and other support services as may be necessary to carry out its mission on a reimbursable basis.”[14]

36. The GSA routinely conducts and publishes Privacy Impact Assessments when it collects, maintains, and uses personal information on individuals.[15]

37. There is no authority in the Executive Order of the Commission Charter for any other entity to provide “administrative services,” “facilities,” or “equipment” to “carry out [the Commission’s] mission.”

Many States Oppose the Commission’s Demand for Personal Voter Data

38. In less than three days following the release of the Commission Letter, election officials in twenty-four states said that they would oppose, partially or fully, the demand for personal voter data.[16]

[13] 82 Fed. Reg. at 22,390.
[14] Charter, Presidential Advisory Commission on Election Integrity ¶ 6.
[15] Privacy Impact Assessments, GSA (Apr. 13, 2017), https://www.gsa.gov/portal/content/102237.

39. California Secretary of State Alex Padilla stated that he would “not provide sensitive voter information to a committee that has already inaccurately passed judgment that millions of Californians voted illegally. California’s participation would only serve to legitimize the false and already debunked claims of massive voter fraud.”[17]

40. Kentucky Secretary of State Alison Lundergan Grimes stated that “Kentucky w[ould] not aid a commission that is at best a waste of taxpayer money and at worst an attempt to legitimize voter suppression efforts across the country.”[18]

41. Virginia Governor Terry McAuliffe stated that he had “no intention of honoring [Kobach’s] request.”[19]

42. More than fifty experts in voting technology and twenty privacy organizations wrote to state election officials to warn that “[t]here is no indication how the information will be used, who will have access to it, or what safeguards will be established.”[20]

[16] Philip Bump & Christopher Ingraham, Trump Says States Are ‘Trying to Hide’ Things from His Voter Fraud Commission. Here’s What They Actually Say, Wash. Post (July 1, 2017), https://www.washingtonpost.com/news/wonk/wp/2017/07/01/trump-says-states-are-trying-tohide-things-from-his-voter-fraud-commission-heres-what-they-actually-say/.
[17] Press Release, Secretary of State Alex Padilla Responds to Presidential Election Commission Request for Personal Data of California Voters (June 29, 2017), http://www.sos.ca.gov/administration/news-releases-and-advisories/2017-news-releases-andadvisories/secretary-state-alex-padilla-responds-presidential-election-commission-requestpersonal-data-california-voters/.
[18] Bradford Queen, Secretary Grimes Statement on Presidential Election Commission's Request for Voters' Personal Information, Kentucky (last accessed July 3, 2017) http://kentucky.gov/Pages/Activity-stream.aspx?n=SOS&prId=129.
[19] Terry McAuliffe, Governor McAuliffe Statement on Request from Trump Elections Commission (June 29, 2017), https://governor.virginia.gov/newsroom/newsarticle?articleId=20595.
[20] Letter from EPIC et al. to Nat’l Ass’n of State Sec’ys (July 3, 2017), https://epic.org/privacy/voting/pacei/Voter-Privacy-letter-to-NASS-07032017.pdf.

Failure to Conduct a Privacy Impact Assessment

43. Under the E-Government Act of 2002,[21] any agency “initiating a new collection of information that (I) will be collected, maintained, or disseminated using information technology; and (II) includes any information in an identifiable form permitting the physical or online contacting of a specific individual” is required to complete a Privacy Impact Assessment (“PIA”) before initiating such collection.[22]

44. The agency must “(i) conduct a privacy impact assessment; (ii) ensure the review of the privacy impact assessment by the Chief Information Officer, or equivalent official, as determined by the head of the agency; and (iii) if practicable, after completion of the review under clause (ii), make the privacy impact assessment publicly available through the website of the agency, publication in the Federal Register, or other means.”[23]

45. The Commission is an agency subject to the E-Government Act because it is an “establishment in the executive branch of the Government,” a category which “includ[es] the Executive Office of the President.”[24]

46. The Executive Office of the President is an agency subject to the E-Government Act.

47. The U.S. Digital Service is an agency subject to the E-Government Act.

48. The Director of White House Information Technology is subject to the E-Government Act.

[21] Pub. L. 107–347, 116 Stat. 2899 (codified as amended at 44 U.S.C. § 3501 note).
[22] 44 U.S.C. § 3501 note (“Privacy Impact Assessments”).
[23] Id.
[24] 44 U.S.C. § 3502(1).

49. The Director of White House Information Technology was established in 2015 and has “the primary authority to establish and coordinate the necessary policies and procedures for operating and maintaining the information resources and information systems provided to the President, Vice President, and EOP.”[25] This authority includes: providing “policy coordination and guidance for, and periodically review[ing], all activities relating to the information resources and information systems provided to the President, Vice President, and EOP by the Community, including expenditures for, and procurement of, information resources and information systems by the Community. Such activities shall be subject to the Director’s coordination, guidance, and review in order to ensure consistency with the Director’s strategy and to strengthen the quality of the Community’s decisions through integrated analysis, planning, budgeting, and evaluating process.[26] The Director may also “advise and confer with appropriate executive departments and agencies, individuals, and other entities as necessary to perform the Director’s duties under this memorandum.”[27]

50. The Director has the independent authority to oversee and “provide the necessary advice, coordination, and guidance to” the Executive Committee for Presidential Information Technology, which “consists of the following officials or their designees: the Assistant to the President for Management and Administration; the Executive Secretary of the National Security Council; the Director of the Office of Administration; the Director of the United States Secret Service; and the Director of the White House Military Office.”[28]

51. A Privacy Impact Assessment for a “new collection of information” must be “commensurate with the size of the information system being assessed, the sensitivity of information that is in an identifiable form in that system, and the risk of harm from unauthorized release of that information.”[29] The PIA must specifically address “(I) what information is to be collected; (II) why the information is being collected; (III) the intended use of the agency of the information; (IV) with whom the information will be shared; (V) what notice or opportunities for consent would be provided to individuals regarding what information is collected and how that information is shared; [and] (VI) how the information will be secured . . . .”[30]

[25] Memorandum on Establishing the Director of White House Information Technology and the Executive Committee for Presidential Information Technology § 1, 2015 Daily Comp. Pres. Doc. 185 (Mar. 19, 2015), attached as Ex. 5.
[26] Id. § 2(c).
[27] Id. § 2(d).
[28] Id. § 3.
[29] 44 U.S.C. § 3501 note (“Privacy Impact Assessments”).

52. Under the FACA, “records, reports, transcripts, minutes, appendixes, working papers, drafts, studies, agenda, or other documents which were made available to or prepared for or by [an] advisory committee shall be available for public inspection and copying at a single location in the offices of the advisory committee or the agency to which the advisory committee reports until the advisory committee ceases to exist.”[31]

53. None of the Defendants have conducted a Privacy Impact Assessment for the Commission’s collection of state voter data.

54. None of the Defendants have ensured review of a PIA by any Chief Information Officer or equivalent official.

55. The Commission has not published a PIA or made such an assessment available for public inspection.

The DoD’s Privacy Impact Assessment Does Not Permit the Collection of Personal Information from The General Public

56. The DoD last approved a PIA for the Safe Access File Exchange system in 2015.[32]

57. The 2015 PIA indicates that the SAFE system may “collect, maintain, use and/or disseminate PII” about only “federal personnel and/or federal contractors.”[33]

[30] Id.
[31] 5 U.S.C. app. 2 § 10(b).
[32] Army Chief Information Officer, U.S. Dep’t of Def., Privacy Impact Assessments (April 27, 2016), http://ciog6.army.mil/PrivacyImpactAssessments/tabid/71/Default.aspx.
[33] EPIC Supp. Ex. 5, ECF No. 20-1, at 1.

58. The 2015 PIA specifically indicates that the SAFE system may not be used to “collect, maintain, use and/or disseminate PII” from “members of the general public.”[34]

59. According to the 2015 PIA, the SAFE system may not be used to collect the data set out in the June 28, 2017, from Vice Chair Kobach, directing state election officials to provide voter roll data.

60. The DoD has not issued a PIA for the collection of personal data from the general public.

61. The DoD has not issued a PIA that would permit the receipt of data specified in the June 28, 2017, Kobach letter.

Count I
Violation of APA: Unlawful Agency Action

62. Plaintiff asserts and incorporates by reference paragraphs 1–42.

63. Defendants’ collection of state voter data prior to creating, reviewing, and publishing a Privacy Impact Assessment, 44 U.S.C. § 3501 note, is arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law under 5 U.S.C. § 706(2)(a) and short of statutory right under 5 U.S.C. § 706(2)(c).

64. Defendants’ decision to initiate collection of voter data is a final agency action within the meaning of 5 U.S.C. § 704.

65. Plaintiff, by itself and as a representative of its members, is adversely affected and aggrieved by Defendants’ actions.

66. Plaintiff has exhausted all applicable administrative remedies.

[34] EPIC Supp. Ex. 5, ECF No. 20-1, at 1.

Count II
Violation of APA: Agency Action Unlawfully Withheld

67. Plaintiff asserts and incorporates by reference paragraphs 1–42.

68. Defendants have failed to create, review, and/or publish a privacy impact assessment for Defendants’ collection of voter data, as required by 44 U.S.C. § 3501 note and 5 U.S.C. app. 2 § 10(b).

69. Defendants’ failure to take these steps constitutes agency action unlawfully withheld or unreasonably delayed in violation of 5 U.S.C. § 706(1).

70. Plaintiff, by itself and as a representative of its members, is adversely affected and aggrieved by Defendants’ actions and inaction.

71. Plaintiff has exhausted all applicable administrative remedies.

Count III
Violation of FACA: Failure to Make Documents Available for Public Inspection

72. Plaintiff asserts and incorporates by reference paragraphs 1–42.

73. Defendants have failed to make available for public inspection a privacy impact assessment for the collection of voter data.

74. Defendants’ failure to make available for public inspection a PIA required by law is a violation of 5 U.S.C. app. 2 § 10(b).

75. Plaintiff, by itself and as a representative of its members, is adversely affected and aggrieved by Defendants’ actions and inaction.

76. Plaintiff has exhausted all applicable administrative remedies.

Count IV
Violation of Fifth Amendment: Substantive Due Process/Right to Informational Privacy

77. Plaintiff asserts and incorporates by reference paragraphs 1–42.

78. Defendants, by seeking to assemble an unnecessary and excessive federal database of sensitive voter data from state records systems, have violated the informational privacy rights of millions of Americans, including members of the EPIC Advisory Board, guaranteed by the Due Process Clause of the Fifth Amendment. See U.S. Const. amend. V; NASA v. Nelson, 562 U.S. 134, 138 (2011); Nixon v. Administrator of General Services, 433 U.S. 425, 457 (1977); Whalen v. Roe, 429 U.S. 589, 599–600 (1977).

79. Plaintiff, as a representative of its members, is adversely affected and aggrieved by Defendants’ actions.

Count V
Violation of Fifth Amendment: Procedural Due Process

80. Plaintiff asserts and incorporates by reference paragraphs 1–42.

81. Defendants, by seeking to assemble an unnecessary and excessive federal database of sensitive voter data from state records systems, have deprived EPIC’s members of their liberty interest in avoiding the disclosure of personal matters. U.S. Const. amend. V; NASA v. Nelson, 562 U.S. 134, 138 (2011); Nixon v. Administrator of General Services, 433 U.S. 425, 457 (1977); Whalen v. Roe, 429 U.S. 589, 599–600 (1977).

82. Defendants have done so without providing notice to EPIC’s members, without providing EPIC’s members an opportunity to challenge the collection of their personal data, and without providing for a neutral decisionmaker to decide on any such challenges brought by EPIC’s members.

83. Defendants have violated EPIC’s members’ Fifth Amendment right to due process of law. U.S. Const. amend. V.

84. Plaintiff, as a representative of its members, is adversely affected and aggrieved by Defendants’ actions and inaction.

Requested Relief

WHEREFORE, Plaintiff requests that this Court:

A. Hold unlawful and set aside Defendants’ authority to collect personal voter data from the states;
B. Order Defendants to halt collection of personal voter data;
C. Order Defendants to securely delete and properly disgorge any personal voter data collected or subsequently received;
D. Order Defendants to promptly conduct a privacy impact assessment prior to the collection of personal voter data;
E. Award EPIC costs and reasonable attorney’s fees incurred in this action; and
F. Grant such other relief as the Court may deem just and proper.

Respectfully Submitted,

/s/ Marc Rotenberg
MARC ROTENBERG, D.C. Bar # 422825
EPIC President and Executive Director

ALAN BUTLER, D.C. Bar # 1012128
EPIC Senior Counsel

CAITRIONA FITZGERALD*
EPIC Policy Director

JERAMIE D. SCOTT, D.C. Bar # 1025909
EPIC Domestic Surveillance Project Director

ELECTRONIC PRIVACY INFORMATION CENTER
1718 Connecticut Avenue, N.W.
Suite 200
Washington, D.C. 20009
(202) 483-1140 (telephone)
(202) 483-1248 (facsimile)

Attorneys for Plaintiff EPIC

* Pro hac vice motion pending

Dated: July 11, 2017