Further Reading, Other Developments, and Coming Events (18 September)

Coming Events

  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.” The agency has released its agenda and explained:
    • The workshop will also feature four panel discussions that will focus on: case studies on data portability rights in the European Union, India, and California; case studies on financial and health portability regimes; reconciling the benefits and risks of data portability; and the material challenges and solutions to realizing data portability’s potential.
  • The Senate Judiciary Committee’s Intellectual Property Subcommittee will hold a hearing on 23 September titled “Examining Threats to American Intellectual Property: Cyber-attacks and Counterfeits During the COVID-19 Pandemic” with these witnesses:
    • Adam Hickey, Deputy Assistant Attorney General, National Security Division, Department of Justice
    • Clyde Wallace, Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation
    • Steve Francis, Assistant Director, HSI Global Trade Investigations Division; Director, National Intellectual Property Rights Center, U.S. Immigration and Customs Enforcement, Department of Homeland Security
    • Bryan S. Ware, Assistant Director for Cybersecurity, Cybersecurity and Infrastructure Security Agency, Department of Homeland Security
  • On 23 September, the Commerce, Science, and Transportation Committee will hold a hearing titled “Revisiting the Need for Federal Data Privacy Legislation,” with these witnesses:
    • The Honorable Julie Brill, Former Commissioner, Federal Trade Commission
    • The Honorable William Kovacic, Former Chairman and Commissioner, Federal Trade Commission
    • The Honorable Jon Leibowitz, Former Chairman and Commissioner, Federal Trade Commission
    • The Honorable Maureen Ohlhausen, Former Commissioner and Acting Chairman, Federal Trade Commission
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled “Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September and has made available its agenda with these items:
    • Facilitating Shared Use in the 3.1-3.55 GHz Band. The Commission will consider a Report and Order that would remove the existing non-federal allocations from the 3.3-3.55 GHz band as an important step toward making 100 megahertz of spectrum in the 3.45-3.55 GHz band available for commercial use, including 5G, throughout the contiguous United States. The Commission will also consider a Further Notice of Proposed Rulemaking that would propose to add a co-primary, non-federal fixed and mobile (except aeronautical mobile) allocation to the 3.45-3.55 GHz band as well as service, technical, and competitive bidding rules for flexible-use licenses in the band. (WT Docket No. 19-348)
    • Expanding Access to and Investment in the 4.9 GHz Band. The Commission will consider a Sixth Report and Order that would expand access to and investment in the 4.9 GHz (4940-4990 MHz) band by providing states the opportunity to lease this spectrum to commercial entities, electric utilities, and others for both public safety and non-public safety purposes. The Commission also will consider a Seventh Further Notice of Proposed Rulemaking that would propose a new set of licensing rules and seek comment on ways to further facilitate access to and investment in the band. (WP Docket No. 07-100)
    • Improving Transparency and Timeliness of Foreign Ownership Review Process. The Commission will consider a Report and Order that would improve the timeliness and transparency of the process by which it seeks the views of Executive Branch agencies on any national security, law enforcement, foreign policy, and trade policy concerns related to certain applications filed with the Commission. (IB Docket No. 16-155)
    • Promoting Caller ID Authentication to Combat Spoofed Robocalls. The Commission will consider a Report and Order that would continue its work to implement the TRACED Act and promote the deployment of caller ID authentication technology to combat spoofed robocalls. (WC Docket No. 17-97)
    • Combating 911 Fee Diversion. The Commission will consider a Notice of Inquiry that would seek comment on ways to dissuade states and territories from diverting fees collected for 911 to other purposes. (PS Docket Nos. 20-291, 09-14)
    • Modernizing Cable Service Change Notifications. The Commission will consider a Report and Order that would modernize requirements for notices cable operators must provide subscribers and local franchising authorities. (MB Docket Nos. 19-347, 17-105)
    • Eliminating Records Requirements for Cable Operator Interests in Video Programming. The Commission will consider a Report and Order that would eliminate the requirement that cable operators maintain records in their online public inspection files regarding the nature and extent of their attributable interests in video programming services. (MB Docket No. 20-35, 17-105)
    • Reforming IP Captioned Telephone Service Rates and Service Standards. The Commission will consider a Report and Order, Order on Reconsideration, and Further Notice of Proposed Rulemaking that would set compensation rates for Internet Protocol Captioned Telephone Service (IP CTS), deny reconsideration of previously set IP CTS compensation rates, and propose service quality and performance measurement standards for captioned telephone services. (CG Docket Nos. 13-24, 03-123)
    • Enforcement Item. The Commission will consider an enforcement action.

Other Developments

  • Former Principal Deputy Under Secretary in the Office of Intelligence and Analysis Brian Murphy has filed a whistleblower reprisal complaint against the United States Department of Homeland Security (DHS), alleging he was punished for providing intelligence analysis the Trump White House and DHS did not want, mainly for political reasons, and then for refusing to alter it to fit the Administration’s chosen narrative, especially on the Russian Federation’s interference in the 2020 election. Murphy alleges “he was retaliatorily demoted to the role of Assistant to the Deputy Under Secretary for the DHS Management Division” because he refused to comply with orders from acting Secretary of Homeland Security Chad Wolf. Specifically, he claims:
    • In mid-May 2020, Mr. Wolf instructed Mr. Murphy to cease providing intelligence assessments on the threat of Russian interference in the United States, and instead start reporting on interference activities by China and Iran. Mr. Wolf stated that these instructions specifically originated from White House National Security Advisor Robert O’Brien. Mr. Murphy informed Mr. Wolf he would not comply with these instructions, as doing so would put the country in substantial and specific danger.
  • The National Security Agency (NSA) Office of the Inspector General (OIG) issued an unclassified version of its Semiannual Report to Congress consisting of “the audits, evaluations, inspections, and investigations that were completed and ongoing” from 1 October 2019 to 31 March 2020.
    • The OIG found ongoing problems with how the NSA is administering surveillance of U.S. persons overseas (i.e., Sections 704 and 705 of the Foreign Intelligence Surveillance Act), a long-running problem at the agency. The OIG found:
      • NSA does not have adequate and complete documentation of scenario-based data tagging rules for accurately assigning data labels to restrict access to data in accordance with legal and policy requirements, and consistently assessing data labeling errors;
      • NSA has not designated a standardized field in NSA data tags to efficiently store and identify data needed to verify the accuracy of data label assignments;
      • NSA does not document in its targeting tool a majority of a certain type of targeting request; and
      • NSA controls do not adequately and completely verify the accuracy of data labels assigned to data prior to ingest into NSA repositories.
      • As a result of these findings, the OIG made seven recommendations, six to assist NSA in strengthening its corporate data tagging controls and governance, and a seventh to help ensure that NSA’s FISA §§704 and 705(b) data tagging legal and policy determinations are consistent with NSA representations made to the FISC and other external overseers regarding how NSA handles such data, and that these tagging requirements are fully documented and promulgated to the NSA workforce.
    • The OIG noted the middling progress the NSA has made in securing its information technology, a weakness that could well be used by adversaries to penetrate the agency’s networks:
      • In accordance with U.S. Office of Management and Budget guidance, the OIG is required annually to assess the effectiveness of information security programs on a maturity model spectrum, which ranges from Level 1 (ad hoc) to Level 5 (optimized). Our assessment of eight IT security areas revealed that while progress was made in some areas from FY2018 to FY2019, there continues to be room for improvement in all eight IT security areas.
      • For the second consecutive year, Identity and Access Management was deemed the strongest security area with an overall maturity level of 3, consistently implemented. The Agency’s challenges in Security Training dropped the maturity level from 3, consistently implemented, to 2, defined. For the second consecutive year, Contingency Planning was assessed at an overall maturity level of ad hoc; although the Agency has made some improvements to the program, additional improvements need to be made.
  • The Office of the Director of National Intelligence (ODNI) released a June 2020 Foreign Intelligence Surveillance Court (FISC) opinion that sets limits on the use of information gained from electronic surveillance of former Trump campaign adviser Carter Page.
    • The FISC noted:
      • The government has acknowledged that at least some of its collection under color of those FISC orders was unlawful. It nevertheless now contends that it must temporarily retain, and potentially use and disclose, the information collected, largely in the context of ongoing or anticipated litigation. The Court hereby sets parameters for such use or disclosure.
    • The FISC ordered:
      • (1) With regard to the third-party FOIA litigation, see supra pp. 9-10, and the pending litigation with Page, see supra p. 12, the government may use or disclose Page FISA information insofar as necessary for the good-faith conduct of that litigation;
      • (2) With regard to any future claims brought by Page seeking redress for unlawful electronic surveillance or physical search or for disclosure of the results of such surveillance or search, the government may use or disclose Page FISA information insofar as necessary to the good-faith conduct of the litigation of such claims;
      • (3) Further use or disclosure of Page FISA information is permitted insofar as necessary to effective performance or disciplinary reviews of government personnel, provided that any such use or disclosure of raw information is permitted only insofar as a particular need to use or disclose the specific information at issue has been demonstrated. This paragraph applies, but is not limited to, use by, and disclosure by or to, the FBI’s INSD or OPR;
      • (4) Further use or disclosure of Page FISA information by DOJ OIG is permitted only insofar as necessary to assess the implementation of Recommendation 9 of the OIG Report;
      • (5) Further use or disclosure of Page FISA information is permitted only insofar as necessary to investigate or prosecute potential crimes relating to the conduct of the Page or Crossfire Hurricane investigations, provided that any such use or disclosure of raw information is permitted only insofar as a particular need to use or disclose the specific information at issue has been demonstrated. This paragraph applies, but is not limited to, use by, and disclosure by or to, personnel engaged in the review being led by United States Attorney Durham. See supra p. 17; and
      • (6) By January 29, 2021, and at intervals of no more than six months thereafter, the government shall submit under oath a written report on the retention, and any use or disclosure, of Page FISA information
  • Portland, Oregon has passed bans on the use of facial recognition technology (FRT) by its government and private entities that are being characterized as the most stringent in the United States. Effective immediately, no city agency may use FRT, and as of 1 January 2021 no private company may do so. In contrast, FRT bans in Boston, San Francisco, and Oakland only bar government entities from using the technology. However, Portland residents would still be permitted to use FRT themselves; for example, using FRT to unlock one’s own phone would still be legal. The legislation explains:
    • The purpose of this Chapter is to prohibit the use of Face Recognition Technologies in Places of Public Accommodation by Private Entities within the boundaries of the City of Portland.
    • Face Recognition Technologies have been shown to falsely identify women and People of Color on a routine basis. While progress continues to be made in improving Face Recognition Technologies, wide ranges in accuracy and error rates that differ by race and gender have been found in vendor testing.
    • Community members have raised concerns on the impacts of Face Recognition Technologies on civil liberties and civil rights. In addition, the collection, trade, and use of face biometric information may compromise the privacy of individuals even in their private setting. While these claims are being assessed, the City is creating safeguards aiming to protect Portlanders’ sensitive information until better infrastructure and policies are in place.
    • Portland’s commitment to equity means that we prioritize the safety and well-being of communities of color and other marginalized and vulnerable community members.
    • However, the ban does not apply
      • To the extent necessary for a Private Entity to comply with federal, state, or local laws;
      • For user verification purposes by an individual to access the individual’s own personal or employer issued communication and electronic devices; or
      • In automatic face detection services in social media applications.
  • President Donald Trump has nominated Nathan Simington to replace Federal Communications Commission (FCC) Commissioner Michael O’Rielly. Reports indicate Trump was displeased that O’Rielly was not receptive to Executive Order (EO) 13925 “Preventing Online Censorship” and so declined to renominate O’Rielly for another term. Simington is currently serving as Senior Advisor in the National Telecommunications and Information Administration (NTIA) and is reported to have been deeply involved in the drafting of the EO. A White House press release provided this biography:
    • Among his many responsibilities across the telecommunications industry, he works on 5G security and secure supply chains, the American Broadband Initiative, and is NTIA’s representative to the Government Advisory Committee of the Internet Corporation for Assigned Names and Numbers.
    • Prior to his appointment at NTIA, Mr. Simington was Senior Counsel to Brightstar Corporation, a leading international company in the wireless industry.  In this role, he negotiated deals with companies across the spectrum of the telecommunications and internet industry, including most of the world’s leading wireless carriers. As the head lawyer on the advanced mobility products team, he spearheaded numerous international transactions in the devices, towers and services fields and forged strong relationships with leading telecom equipment manufacturers.  Prior to his career with Brightstar, Mr. Simington was an attorney in private practice with prominent national and international law firms.
    • Following the directive in the EO, on 27 July, the NTIA filed a petition with the FCC, asking the agency to start a rulemaking to clarify alleged ambiguities in 47 USC 230 regarding the limits of the liability shield for the content others post online versus the liability protection for “good faith” moderation by the platform itself.
    • In early August, the FCC asked for comments on the NTIA petition, and comments were due by 2 September. Over 2500 comments have been filed, and a cursory search turned up numerous form letter comments drafted by a conservative organization that were then submitted by members and followers.

Further Reading

  • “‘I Have Blood on My Hands’: A Whistleblower Says Facebook Ignored Global Political Manipulation” By Craig Silverman, Ryan Mac, and Pranav Dixit — BuzzFeed News. In a blistering memo on her way out the door, a Facebook engineer tasked with moderating fake content around the world charged that the company is unconcerned about how the manipulation of its platform is benefitting regimes throughout the world. There is also the implication the company is much more focused on content moderation in the United States (U.S.) and western Europe, possibly because of political pressure from those nations. Worse than allowing repressive and anti-democratic governments to target news organizations and opposition figures, the company was slow to respond when human rights advocates’ accounts were falsely flagged as violating terms of service. The engineer finally quit after sleepless nights of worrying about how her time and efforts may be falling short of protecting nations and people in many nations. She further claimed “[i]t’s an open secret within the civic integrity space that Facebook’s short-term decisions are largely motivated by PR and the potential for negative attention.”
  • “Online learning’s toll on kids’ privacy” By Ashley Gold — Axios. With the shift to online education for many students in the United States, the privacy and data security practices of companies in this space are starting to be examined. But schools and parents may be woefully underinformed about or lack power to curb some data collection and usage practices. The Federal Trade Commission (FTC) enforces the Children’s Online Privacy Protection Act (COPPA), which critics claim is not strong enough, and to the extent the FTC enforces the law, it is “woefully insufficient.” Moreover, the differences between richer schools and poorer schools play out with respect to privacy and data security, and the latter group of schools likely cannot afford to vet and use the best companies.
  • “Unlimited Information Is Transforming Society” By Naomi Oreskes and Erik M. Conway — Scientific American. This comprehensive article traces the field of information alongside other technological advances like electricity, nuclear power, and space travel. The authors posit that we are at a new point with information in that creation and transmission of it now flows in two directions whereas for much of history it flowed one way, often from the elites to everyone else.
  • “First death reported following a ransomware attack on a German hospital” By Catalin Cimpanu — ZDNet. The first fatality associated with a ransomware attack happened in Germany when a patient in an ambulance was diverted from a hospital struggling with ransomware. Apparently, the hackers did not even mean to target the hospital in Dusseldorf and instead were aiming to infect and extort a university hospital nearby. Nonetheless, Germany’s Bundesamt für Sicherheit in der Informationstechnik thereafter issued a warning advising entities to patch the CVE-2019-19871 vulnerability on Citrix network gateways.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.
