Odds and Ends (14 April)

Every week, not surprisingly, there are more developments in the technology space than I can reasonably get to. And so, this week, at least, I’ve decided to include some of the odds and ends.

To no great surprise, federal and state elected officials have been questioning Zoom on its security and privacy practices and demanding improvements thereof.

Earlier this month, Senator Michael Bennet (D-CO) sent a letter after the Washington Post found that thousands of Zoom calls containing people’s sensitive personal information, such as therapy sessions and financial information, could be accessed online. The culprit is apparently Zoom’s practice of using an identical name format for each recorded video, meaning that once someone knows the format, they can search for and find many videos. Security experts call for unique, unguessable names for each file on a platform like Zoom so as to avoid this outcome.

With these revelations in mind, Bennet wrote Zoom CEO Eric Yuan, asking him to “provide answers to the following questions no later than April 15, 2020: 

  • Please describe all data that Zoom collects from users with and without accounts and please specify how long Zoom retains this data. 
  • Please list every third party and service provider with which Zoom shares user data and for what purposes and level of compensation, if any.
  • Will Zoom require participants to provide affirmative consent if their calls are being recorded or will later be uploaded to the cloud or transcribed? When recorded calls are uploaded and transcribed, will Zoom provide all participants a copy along with an opportunity to correct errors in the recording?
  • Does Zoom plan to change the naming convention that allowed thousands of videos to become easily searchable online?
  • What steps has Zoom taken to notify users featured in videos that are now searchable online? And when users wish for these videos to be removed, what steps will Zoom take to do so, for example, by engaging the third parties where the videos are now viewable?
  • Which privacy settings for users with and without accounts are activated by default, and which require them to opt-in? Does Zoom plan to expand its default privacy settings?
  • What dedicated staff and other resources is Zoom devoting to ensure the privacy and safety of users on its platform?

Bennet was also quoted in a Politico article along with other Democratic Members calling for the Federal Trade Commission (FTC) to open an investigation. House Energy and Commerce Chair Frank Pallone Jr (D-NJ) and Consumer Protection & Commerce Subcommittee Chair Jan Schakowsky (D-IL) were both quoted as being in support of the FTC investigating. Senators Amy Klobuchar (D-MN) and Sherrod Brown (D-OH) are also requesting that the agency investigate Zoom’s claims on security and privacy as promised versus what the company is actually providing. Brown sent letters to Zoom and the FTC on this matter.

Moreover, the Politico article relates that, in blessing Zoom for Government from a security standpoint, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the General Services Administration’s Federal Risk and Authorization Management Program (FedRAMP) explained in a statement:

We advise federal government users to not initiate video conferences using Zoom’s free/commercial offering, but instead to use Zoom for Government

More recently, Senators Elizabeth Warren (D-MA) and Ed Markey (D-MA) asked Zoom how well they are protecting the personal data of students per the Family Education Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA). If the FTC were to find COPPA violations, the company would be facing as much as $42,530 per violation.

Markey wrote the FTC separately, urging the agency “to issue guidance and provide a comprehensive resource for technology companies that are developing or expanding online conferencing tools during the coronavirus pandemic, so that these businesses can strengthen their cybersecurity and protect customer privacy.” He argued that “[a]t a minimum, this guidance should cover topics including:

  • Implementing secure authentication and other safeguards against unauthorized access;
  • Enacting limits on data collection and recording;
  • Employing encryption and other security protocols for securing data; and
  • Providing clear and conspicuous privacy policies for users.

Markey also “request[ed] that the FTC develop best practices for users of online conferencing software, so that individuals can make informed, safe decisions when choosing and utilizing these technologies. At a minimum, this guidance should cover topics including:

  • Identifying and preventing cyber threats such as phishing and malware;
  • Sharing links to online meetings without compromising security;
  • Restricting access to meetings via software settings; and
  • Recognizing that different versions of a company’s service may provide varying levels of privacy protection.

Many of the Democrats on the House Energy and Commerce Committee also asked Zoom about its recent update to privacy policies made after some of its substandard practices came to light. These Members stated:

“Despite Zoom’s recent clarifications to its privacy policy, a review of Zoom’s privacy policy shows that Zoom may still collect a significant amount of information about both registered and non-registered users from their use of the platform as well as from third parties. Zoom may use that information for a broad range of purposes, including for targeted marketing from both Zoom and third parties… As consumers turn to Zoom for business meetings, remote consultations with psychologists, or even virtual happy hours with friends, they may not expect Zoom to be collecting and using so much of their information.”

Moreover, federal agency Chief Information Officers are formally and informally directing agency employees not to use the commercial/free edition of Zoom as detailed by Federal News Network.

Last week, CISA and the United Kingdom’s National Cyber Security Centre (NCSC) released a joint advisory titled “COVID-19 exploited by malicious cyber actors.” The two agencies argued:

Malicious cyber actors are using the high appetite for COVID-19 related information as an opportunity to deliver malware and ransomware and to steal user credentials. Individuals and organisations should remain vigilant.

CISA and NCSC noted “[t]hreats observed include:

  • Phishing, using the subject of coronavirus or COVID-19 as a lure
  • Malware distribution using coronavirus or COVID-19 themed lures
  • Registration of new domain names containing coronavirus or COVID-19 related wording
  • Attacks against newly (and often rapidly) deployed remote access or remote working infrastructure.

The agencies added they “are working with law enforcement and industry partners to disrupt or prevent these malicious COVID-19 themed cyber activities.”

The Electronic Privacy Information Center (EPIC) sent the FTC a letter, renewing the concerns about Zoom’s security practices it detailed in its complaint last year asking the agency to open an investigation. EPIC stated “[w]e asked you to open an investigation, to compel Zoom to fix the security flaws with its conferencing services, and to investigate the other companies engaged in similar practices.” The organization stated that “[w]e anticipated that the FTC, with a staff of more than a 1,000 (EPIC has about a dozen people), would find many problems we missed…[t]hat would lead to a change in business practices, a consent order, and 20 years of agency oversight.”

However, the FTC and the Federal Communications Commission (FCC) sent joint letters “to three companies providing Voice over Internet Protocol (VoIP) services, warning them that routing and transmitting illegal robocalls, including Coronavirus-related scam calls, is illegal and may lead to federal law enforcement against them.” The FTC and FCC “sent a separate letter to USTelecom – The Broadband Association (USTelecom), a trade association that represents U.S.-based telecommunications-related businesses…thank[ing] USTelecom for identifying and mitigating fraudulent robocalls that are taking advantage of the Coronavirus national health crisis, and notes that the USTelecom Industry Traceback Group has helped identify various entities that appear to be responsible for originating or transmitting Coronavirus-related scam robocalls.”

The FCC also denied “an emergency petition requesting an investigation into broadcasters that have aired the President of the United States’ statements and press conferences regarding the novel coronavirus (COVID-19) and related commentary by other on-air personalities” that Free Press filed. The FCC claimed “the Petition misconstrues the Commission’s rules and seeks remedies that would dangerously curtail the freedom of the press embodied in the First Amendment.” In its press release, the FCC added “[t]he decision also makes clear that the FCC will neither act as a roving arbiter of broadcasters’ editorial judgments nor discourage them from airing breaking news events involving government officials in the midst of the current global pandemic.”

Markey and Senator Richard Blumenthal (D-CT) sent a letter “to Google requesting information about the company’s recently announced COVID-19 Community Mobility Reports.” They asked Google to answer the following:

  • Does Google plan to share with any government entities, researchers, or private sector partners any users’ coronavirus-related personal data or pseudonymous information?
  • Does Google plan to use datasets other than Location History for its Community Mobility Reports?
  • What measures has Google undertaken to ensure that the trends detailed in the reports are representative of the entire population of an area, including non-Google users, those without smartphones, or individuals that have opted out of Location History?
  • Does Google expect the Community Mobility Reports to be accurate for more rural or less connected communities?
  • What guidance has Google provided to public health officials about how to interpret the reports, including how Google accounts for common social patterns and categorizes locations?

Blumenthal also joined Senator Mark Warner (D-VA) and Representative Anna Eshoo (D-CA) in sending “a letter to White House Senior Advisor Jared Kushner, raising questions about reports that the White House has assembled technology and health care firms to establish a far-reaching national coronavirus surveillance system.” They stated their “fear that – absent a clear commitment and improvements to our health privacy laws – these extraordinary measures could undermine the confidentiality and security of our health information and become the new status quo.”

Warner, Eshoo, and Blumenthal argued:

Given reports indicating that the Administration has solicited help from companies with checkered histories in protecting user privacy, we have serious concerns that these public health surveillance systems may serve as beachheads for far-reaching health data collection efforts that go beyond responding to the current crisis. Public health surveillance efforts must be accompanied by governance measures that provide durable privacy protections and account for any impacts on our rights. For instance, secondary uses of public health surveillance data beyond coordinating our public health response should be strictly restricted. Any secondary usage for commercial purposes should be explicitly prohibited unless authorized on a limited basis with appropriate administrative process and public input. 

They asked that Kushner answer these questions:

  1. Which technology companies, data providers, and other companies have you approached to participate in the public health surveillance initiative and on what basis were they chosen?
  2. What measures will the Administration put into place to ensure that federal agencies and private sector partners do not misuse or reuse health data for non-pandemic-related purposes, including for training commercial algorithmic decision-making systems, and to require the disposal of data after the sunset of the national emergency? What additional steps have you taken to protect health data from their potential misuse or mishandling?
  3. What is the program described in the press meant to accomplish? Will it be used for the allocation of resources, symptom tracking, or contact tracing? What agency will be operating the program and which agencies will have access to the data? 
  4. When will the federal government stop collecting and sharing health data with the private sector for the public health surveillance initiative? Will the Administration commit to a sunset period after the lifting of the national emergency?
  5. What measures will the Administration put into place to ensure that the public health surveillance initiative protects against misuse of sensitive information and mitigates discriminatory outcomes, such as on the basis of racial identity, sexual orientation, disability status, and income?
  6. Will the Administration commit to conducting an audit of data use, sharing, and security by federal agencies and private sector partners under any waivers or surveillance initiative within a short period after the end of the health emergency?
  7. What steps has the Administration taken under the Privacy Act, which limits the federal government’s authority to collect personal data from third parties and imposes numerous other privacy safeguards?
  8. Will you commit to working with us to pass strong legal safeguards that ensure public health surveillance data can be effectively collected and used without compromising privacy? 

Finally, Consumer Reports showed that Facebook’s system for preventing incorrect COVID-19 information from being posted on its platform is not as robust as a top company official claimed. Kaveh Waddell of Consumer Reports stated:

Facebook has been saying for weeks that it’s intent on keeping coronavirus misinformation off its platforms, which include Instagram and WhatsApp. During one recent interview with NPR, Nick Clegg, Facebook’s vice president for global affairs and communication, cited two examples of the kinds of posts the company would not allow: any message telling people to drink bleach, or discrediting urgent calls for social distancing to slow the pandemic. 

Waddell continued:

  • I’ve been covering Facebook and online misinformation for several years, and I wanted to see how well the company is policing coronavirus-related advertising during the global crisis. So I put the two dangerous claims Clegg brought up, plus other false or dangerous information, into a series of seven paid ads.
  • Facebook approved them all. The advertisements remained scheduled for publication for more than a week without being flagged by Facebook. Then, I pulled them out of the queue to make sure none of them were seen by the public. Consumer Reports made certain not to publish any ads with false or misleading information.
