People

EPIC is in turmoil after its president took a coronavirus test without telling staff. It came back positive.

Employees say Marc Rotenberg put their health at risk and undercut EPIC's message.

EPIC President Marc Rotenberg

EPIC President Marc Rotenberg's employees say he put their safety at risk and undermined their organization's resistance to invasive coronavirus surveillance.

Photo: Mark Wilson/Getty Images

A chief critic of the tech industry's attempts to track coronavirus patients went to work and held meetings with employees after his doctor directed him to take a test for COVID-19 that subsequently came back positive.

Marc Rotenberg, the president and executive director of the Electronic Privacy Information Center in Washington, D.C., acknowledged in a memo to his staff and his board that he should have quarantined and alerted his staff that he was taking a coronavirus test on March 9, instead of continuing to work alongside them for two days.

But Rotenberg's apology hasn't quelled the anger of some EPIC employees, who say he not only put their safety at risk, but also undermined their organization's resistance to invasive coronavirus surveillance.

"He's out there saying privacy trumps surveillance," said one former employee who worked there at the time. "Every time he opens his mouth, what runs through my head is: We need more surveillance."

Internal documents and interviews with several current and former employees reveal that this incident has sparked an uprising within EPIC's small team of about a dozen people, with several employees resigning — including Rotenberg's deputy, Mary Stone Ross — following Rotenberg's dual revelation that he had COVID-19 and that EPIC was facing funding difficulties. Others have written to EPIC's board, asking for substantive changes to the organization's management structure.

Rotenberg meanwhile has continued to warn Congress and the public against embracing technological tools that use location data to enable widespread coronavirus surveillance without considering the privacy implications. "Sometimes people have an almost sacrificial sense about their privacy," Rotenberg told BuzzFeed News in an article published 19 days after Rotenberg received his results. "They say things like, 'Well, if it'll help save lives for me to disclose my data, of course, I should do that.' But that's actually not the right way to solve a problem."

Rotenberg has apologized to EPIC's staff, writing in a letter reviewed by Protocol, "I am genuinely sorry for the disruption, concern and worry I may have caused to you and your family. Please know that was never my intent. I tried my best to make good decisions, given the information I had. In retrospect, there is more I should have done."

Asked to comment, Rotenberg responded by accusing a former staff member of leaking the story to Protocol. Asked again to comment, he said: "I think I said what needed to be said."

It was direct contact tracing that first alerted employees that they had been exposed to the virus. On March 11, an EPIC employee emailed the rest of the team to say he'd received a call from the Washington, D.C., department of public health. A health official told him he may have come into contact with someone who tested positive for coronavirus. In the email, the employee let his colleagues know he'd be working from home and monitoring for symptoms in order to protect the rest of the EPIC team.

But then shortly after, another staffer followed up saying they'd gotten the same call. Then another. Then another. By the end of the day, all of the advocacy group's Washington, D.C.-based employees confirmed they'd received the same warning.

Rotenberg hadn't responded to the thread, but earlier in the day, he had emailed the staff, encouraging them to work from home. "Also, social distancing is a good practice," he wrote, according to an email reviewed by Protocol. He did not mention that his COVID-19 test had come back positive that very morning.

The staffers swapped stories, wondering who might have brought the virus into the office. Some theorized it was a mail carrier. Some wondered if it had been a journalist who recently visited. Others speculated that Rotenberg, who returned from a trip to Milan in late February, might have been the source.

The next day, on March 12, Rotenberg called the entire team to a Zoom meeting and confirmed that he had, in fact, tested positive for coronavirus. He also laid out a rough timeline of his recent medical history, according to interviews with people on the call. He told them he'd returned from Milan on Feb. 22, and registered a temperature of 99.5 on March 1. At the time, that was still below what the Centers for Disease Control considered to be a symptom. But on March 5, he contacted his physician about his temperature and his recent travel to Italy, after receiving guidance from Georgetown University, where he teaches. According to the account Rotenberg gave in his apology letter, his doctor initially didn't think he needed to be tested but changed course the following day. At that point, it was Friday, and Rotenberg later told the staff he was already on a plane about to depart for Miami for the weekend. So he scheduled a test for when he returned to D.C. on Monday, March 9.

Rotenberg went to the office that Monday, Tuesday and Wednesday, and left as soon as he received the call about his results Wednesday morning. But he didn't mention any of this to his staff until the Zoom meeting that Thursday.

"We were all a little shocked," said one former employee who was on the call. "There was no sense of apology, no humility, not even, 'I thought I was responsible at the time, but looking back I would have done things differently.'"

Then Rotenberg dropped another bomb, telling the staff that EPIC only had enough money to pay people's salaries for another six months.

"It was, 'I exposed my team to a pandemic, and you might not have a job' in the same meeting," the former employee said. "Pretty rough."

"That really did it for everybody," said one current employee. "Everybody was like, 'What is going on?"

As privacy advocates, the EPIC staff understood more than most the importance of protecting employees' private health information. The nonprofit's lawyers are constant fixtures on Capitol Hill, forever butting heads with tech giants like Facebook and Google over the ways they collect and share personal data. But those employees also believed their boss had a responsibility to protect them, too. "The idea [of anonymity] is for workplace retaliation. I think that rationale is pretty strained when it's the executive director," said one of the former employees.

Even after testing positive and alerting staff, internal emails show, Rotenberg told employees he was going to the office to collect the mail, though it's unclear if he ever did. This prompted multiple employees to contact D.C.'s department of public health.

More than two weeks after the meeting, after EPIC employees wrote to members of the board with their concerns, Rotenberg sent the board and the staff a five-page letter both apologizing and defending his actions.

"I know some people are surprised and concerned that I was in the office on March 9, and I can imagine a scenario where someone else in the same situation could have stayed home to wait for a determination. In retrospect, that was obviously the better choice," Rotenberg wrote on March 30. "But at the time, and even today, that is not the CDC protocol. People are routinely tested then continue to practice social-distancing rather than self-quarantine."

For EPIC's employees — at least one of whom says they've experienced some symptoms consistent with the virus — this is hardly enough. Beyond the concerns for their own safety, the employees Protocol spoke with say Rotenberg's behavior gives those who might like to expand surveillance of coronavirus patients — and the rest of the population — the very excuse they need. "It rubs us all the wrong way when we see him quoted in the press talking about contact-tracing privacy issues when he's violating the guidelines," a former employee said.


Get in touch with us: Share information securely with Protocol via encrypted Signal or WhatsApp message, at 415-214-4715 or through our anonymous SecureDrop.


In his letter to the staff and the board, Rotenberg said he followed all CDC protocols as they stood at the time. His letter didn't address whether he went to the office to check the mail after being diagnosed.

Of course, there's also Rotenberg's privacy to consider. EPIC's employees say they thought a lot about that before sharing this information publicly. But they argue that, in this situation, the risks to him maintaining his privacy outweighed the benefits.

"Privacy is something that's constantly weighed against other things," one current employee said. "It doesn't make sense for it to be absolute."

Protocol | Policy

5 things to know about FCC nominee Gigi Sohn

The veteran of some of the earliest tech policy fights is a longtime consumer champion and net-neutrality advocate.

Gigi Sohn, who President Joe Biden nominated to serve on the FCC, is a longtime net-neutrality advocate.

Photo: Alex Wong/Getty Images

President Joe Biden on Tuesday nominated Gigi Sohn to serve as a Federal Communications Commissioner, teeing up a Democratic majority at the agency that oversees broadband issues after months of delay.

Like Lina Khan, who Biden picked in June to head up the Federal Trade Commission, Sohn is a progressive favorite. And if confirmed, she'll take up a position in an agency trying to pull policy levers on net neutrality, privacy and broadband access even as Congress is stalled.

Keep Reading Show less
Ben Brody

Ben Brody (@ BenBrodyDC) is a senior reporter at Protocol focusing on how Congress, courts and agencies affect the online world we live in. He formerly covered tech policy and lobbying (including antitrust, Section 230 and privacy) at Bloomberg News, where he previously reported on the influence industry, government ethics and the 2016 presidential election. Before that, Ben covered business news at CNNMoney and AdAge, and all manner of stories in and around New York. He still loves appearing on the New York news radio he grew up with.

If you've ever tried to pick up a new fitness routine like running, chances are you may have fallen into the "motivation vs. habit" trap once or twice. You go for a run when the sun is shining, only to quickly fall off the wagon when the weather turns sour.

Similarly, for many businesses, 2020 acted as the storm cloud that disrupted their plans for innovation. With leaders busy grappling with the pandemic, innovation frequently got pushed to the backburner. In fact, according to McKinsey, the majority of organizations shifted their focus mainly to maintaining business continuity throughout the pandemic.

Keep Reading Show less
Gaurav Kataria
Group Product Manager, Trello at Atlassian
Protocol | Workplace

Adobe wants a more authentic NFT world

Adobe's Content Credentials feature will allow Creative Cloud subscribers to attach edit-tracking information to Photoshop files. The goal is to create a more trustworthy NFT market and digital landscape.

Adobe's Content Credentials will allow users to attach their identities to an image

Image: Adobe

Remember the viral, fake photo of Kurt Cobain and Biggie Smalls that duped and delighted the internet in 2017? Doctored images manipulate people and erode trust and we're not great at spotting them. The entire point of the emerging NFT art market is to create valuable and scarce digital files and when there isn't an easy way to check for an image's origin and edits, there's a problem. What if someone steals an NFT creator's image and pawns it off as their own? As a hub for all kinds of multimedia, Adobe feels a responsibility to combat misinformation and provide a safe space for NFT creators. That's why it's rolling out Content Credentials, a record that can be attached to a Photoshop file of a creator's identity and includes any edits they made.

Users can connect their social media addresses and crypto wallet addresses to images in Photoshop. This further proves the image creator's identity, but it's also helpful in determining the creators of NFTs. Adobe has partnered with NFT marketplaces KnownOrigin, OpenSea, Rarible and SuperRare in this effort. "Today there's not a way to know that the NFT you're buying was actually created by a true creator," said Adobe General Counsel Dana Rao. "We're allowing the creator to show their identity and attach it to the image."

Keep Reading Show less
Lizzy Lawrence

Lizzy Lawrence ( @LizzyLaw_) is a reporter at Protocol, covering tools and productivity in the workplace. She's a recent graduate of the University of Michigan, where she studied sociology and international studies. She served as editor in chief of The Michigan Daily, her school's independent newspaper. She's based in D.C., and can be reached at llawrence@protocol.com.

Protocol | China

Why another Chinese lesbian dating app just shut down

With neither political support nor a profitable business model, lesbian dating apps are finding it hard to survive in China.

Operating a dating app for LGBTQ+ communities in China is like walking a tightrope.

Photo: Nicolas Asfouri/AFP via Getty Images

When Lesdo, a Chinese dating app designed for lesbian women, announced it was closing down, it didn't come as a surprise to the LGBTQ+ community.

It's unclear what directly caused this decision. 2021 hasn't been kind to China's queer communities; WeChat has deactivated queer groups' public accounts and Beijing has pressured charity organizations not to work with queer activists.

Keep Reading Show less
Zeyi Yang
Zeyi Yang is a reporter with Protocol | China. Previously, he worked as a reporting fellow for the digital magazine Rest of World, covering the intersection of technology and culture in China and neighboring countries. He has also contributed to the South China Morning Post, Nikkei Asia, Columbia Journalism Review, among other publications. In his spare time, Zeyi co-founded a Mandarin podcast that tells LGBTQ stories in China. He has been playing Pokemon for 14 years and has a weird favorite pick.

The Oura Ring was a sleep-tracking hit. Can the next one be even more?

Oura wants to be a media company, an activity tracker and even a way to know you're sick before you feel sick.

Over the last few years, the Oura Ring has become one of the most recognizable wearables this side of the Apple Watch.

Photo: Oura

Oura CEO Harpreet Rai swears he didn't know Kim Kardashian was a fan. He was as surprised as anyone when she started posting screenshots from the Oura app to her Instagram story, and got into a sleep battle with fellow Oura user Gwyneth Paltrow. Or when Jennifer Aniston revealed that Jimmy Kimmel got her hooked on Oura … and how her ring fell off in a salad. "I am addicted to it," Aniston said, "and it's ruining my life" by shaming her about her lack of sleep. "I think we're definitely seeing traction outside of tech," Rai said. "Which is cool."

Over the last couple of years, Oura's ring (imaginatively named the Oura Ring) has become one of the most recognizable wearables this side of the Apple Watch. The company started with a Kickstarter campaign in 2015, but really started to find traction with its second-generation model in 2018. It's not exactly a mainstream device — Oura said it has sold more than 500,000 rings, up from 150,000 in March 2020 but still not exactly Apple Watch levels — but it has reached some of the most successful, influential and probably sleep-deprived people in the industry. Jack Dorsey is a professed fan, as is Marc Benioff.

Keep Reading Show less
David Pierce

David Pierce ( @pierce) is Protocol's editorial director. Prior to joining Protocol, he was a columnist at The Wall Street Journal, a senior writer with Wired, and deputy editor at The Verge. He owns all the phones.

Latest Stories