Further Reading, Other Developments, and Coming Events (30 September)

Coming Events

  • On October 1, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold a hearing as part of its series on online competition at which it may unveil its proposal on how to reform antitrust enforcement for the digital age. The hearing is titled “Proposals to Strengthen the Antitrust Laws and Restore Competition Online.”
  • On 1 October, the Senate Commerce, Science, and Transportation Committee may hold a markup to authorize subpoenas to compel the attendance of the technology CEOs for a hearing on 47 U.S.C. 230 (aka Section 230). Ranking Member Maria Cantwell (D-WA) has said:
    • “Taking the extraordinary step of issuing subpoenas is an attempt to chill the efforts of these companies to remove lies, harassment, and intimidation from their platforms. I will not participate in an attempt to use the committee’s serious subpoena power for a partisan effort 40 days before an election,” indicating a vote, should one occur, may well be along party lines.
    • Nonetheless, the Committee may subpoena the following CEOs:
      • Mr. Jack Dorsey, Chief Executive Officer, Twitter
      • Mr. Sundar Pichai, Chief Executive Officer, Alphabet Inc., Google
      • Mr. Mark Zuckerberg, Chief Executive Officer, Facebook
  • The Senate Judiciary Committee will mark up the “Online Content Policy Modernization Act” (S.4632), a bill to reform 47 U.S.C. 230 (aka Section 230) that provides many technology companies with protection from lawsuits for third-party content posted on their platforms and for moderating and removing such content.
  • On October 1, the Senate Armed Services Committee’s Readiness and Management Support Subcommittee will hold a hearing on supply chain integrity with Under Secretary of Defense for Acquisition and Sustainment Ellen Lord testifying. Undoubtedly, implementation of the ban on Huawei, ZTE, and other People’s Republic of China (PRC) equipment and services as required by Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) will be discussed. The Cybersecurity Maturity Model Certification (CMMC) program will also likely be discussed.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On October 29, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”

Other Developments

  • On 29 September, the House passed the following bills as summarized by the House Energy and Commerce Committee:
    • The “Consumer Product Safety Inspection Enhancement Act” (H.R. 8134) that “would amend the Consumer Product Safety Act to enhance the Consumer Product Safety Commission’s (CPSC) ability to identify unsafe consumer products entering the United States, especially e-commerce shipments entering under the de minimis value exemption. Specifically, the bill would require the CPSC to enhance the targeting, surveillance, and screening of consumer products. The bill also would require electronic filing of certificates of compliance for all consumer products entering the United States.
      • The bill directs the CPSC to: 1) examine a sampling of de minimis shipments and shipments coming from China; 2) detail plans and timelines to effectively address targeting and screening of de minimis shipments; 3) establish metrics by which to evaluate the effectiveness of the CPSC’s efforts in this regard; 4) assess projected technology, resources, and staffing necessary; and 5) submit a report to Congress regarding such efforts. The bill further directs the CPSC to hire at least 16 employees every year until staffing needs are met to help identify violative products at ports.
    • The “AI for Consumer Product Safety Act” (H.R. 8128) that “would direct the Consumer Product Safety Commission (CPSC) to establish a pilot program to explore the use of artificial intelligence for at least one of the following purposes: 1) tracking injury trends; 2) identifying consumer product hazards; 3) monitoring the retail marketplace for the sale of recalled consumer products; or 4) identifying unsafe imported consumer products.” The revised bill passed by the committee “changes the title of the bill to the “Consumer Safety Technology Act”, and adds the text based on the Blockchain Innovation Act (H.R. 8153) and the Digital Taxonomy Act (H.R. 2154)…[and] adds sections that direct the Department of Commerce (DOC), in consultation with the Federal Trade Commission (FTC), to conduct a study and submit to Congress a report on the state of blockchain technology in commerce, including its use to reduce fraud and increase security.” The revised bill “would also require the FTC to submit to Congress a report and recommendations on unfair or deceptive acts or practices relating to digital tokens.”
    • The “American Competitiveness Of a More Productive Emerging Tech Economy Act” or the “American COMPETE Act” (H.R. 8132) “directs the DOC and the FTC to study and report to Congress on the state of the artificial intelligence, quantum computing, blockchain, and the new and advanced materials industries in the U.S…[and] would also require the DOC to study and report to Congress on the state of the Internet of Things (IoT) and IoT manufacturing industries as well as the three-dimensional printing industry” involving “among other things: 1) listing industry sectors that develop and use each technology and public-private partnerships focused on promoting the adoption and use of each such technology; 2) establishing a list of federal agencies asserting jurisdiction over such industry sectors; and 3) assessing risks and trends in the marketplace and supply chain of each technology.
      • The bill would direct the DOC to study and report on the effect of unmanned delivery services on U.S. businesses conducting interstate commerce. In addition to these report elements, the bill would require the DOC to examine safety risks and effects on traffic congestion and jobs of unmanned delivery services.
      • Finally, the bill would require the FTC to study and report to Congress on how artificial intelligence may be used to address online harms, including scams directed at senior citizens, disinformation or exploitative content, and content furthering illegal activity.
    • The “Cyber Sense Act of 2019” (H.R.360) requires the Secretary of Energy to establish the Cyber Sense Program. This voluntary program would identify cyber-secure products that could be used in the bulk-power system. 
    • The “Enhancing Grid Security through Public-Private Partnerships Act” (H.R.359) directs the Secretary of Energy – in consultation with States, other Federal agencies, and industry stakeholders – to create and implement a program to enhance the physical and cybersecurity of electric utilities. The bill also requires an update to the Interruption Cost Estimate (ICE) Calculator, an electric reliability planning tool for estimating electricity interruption costs and the benefits of reliability improvements, at least once every two years. 
    • The “Energy Emergency Leadership Act” (H.R.362) creates a new Department of Energy Assistant Secretary position with jurisdiction over all energy emergency and security functions related to energy supply, infrastructure and cybersecurity. 
  • The Federal Bureau of Investigation (FBI) and the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released a trio of public service announcements to dispel myths about the threats to voting while also casting light on the realistic risk that might disrupt the 2020 Election:
    • In “False Claims of Hacked Voter Information Likely Intended to Cast Doubt on Legitimacy of U.S. Elections,” the FBI and CISA issued the “announcement to raise awareness of the potential threat posed by attempts to spread disinformation regarding cyberattacks on U.S. voter registration databases or voting systems.” The agencies added:
      • During the 2020 election season, foreign actors and cyber criminals are spreading false and inconsistent information through various online platforms in an attempt to manipulate public opinion, sow discord, discredit the electoral process, and undermine confidence in U.S. democratic institutions. These malicious actors could use these forums to also spread disinformation suggesting successful cyber operations have compromised election infrastructure and facilitated the “hacking” and “leaking” of U.S. voter registration data.
      • In reality, much U.S. voter information can be purchased or acquired through publicly available sources. While cyber actors have in recent years obtained voter registration information, the acquisition of this data did not impact the voting process or election results.
      • In addition, the FBI and CISA have no information suggesting any cyberattack on U.S. election infrastructure has prevented an election from occurring, prevented a registered voter from casting a ballot, compromised the accuracy of voter registration information, or compromised the integrity of any ballots cast.
    • In “Cyber Threats to Voting Processes Could Slow But Not Prevent Voting,” the agencies wanted “to inform the public that attempts by cyber actors to compromise election infrastructure could slow but not prevent voting.” The FBI and CISA asserted they
      • have not identified any threats, to date, capable of preventing Americans from voting or changing vote tallies for the 2020 Elections. Any attempts tracked by FBI and CISA have remained localized and were blocked, minimal, or easily mitigated.
      • have no reporting to suggest cyberactivity has prevented a registered voter from casting a ballot, compromised the integrity of any ballots cast, or affected the accuracy of voter registration information. However, even if actors did achieve such an impact, the public should be aware that election officials have multiple safeguards and plans in place—such as provisional ballots to ensure registered voters can cast ballots, paper backups, and backup pollbooks—to limit the impact and recover from a cyber incident with minimal disruption to voting.
      • continue to assess that attempts to manipulate votes at scale would be difficult to conduct undetected.
    • In “Foreign Actors and Cybercriminals Likely to Spread Disinformation Regarding 2020 Election Results,” the FBI and CISA explained the announcement aims “to raise awareness of the potential threat posed by attempts to spread disinformation regarding the results of the 2020 elections.” The agencies explained:
      • Foreign actors and cybercriminals could create new websites, change existing websites, and create or share corresponding social media content to spread false information in an attempt to discredit the electoral process and undermine confidence in U.S. democratic institutions. State and local officials typically require several days to weeks to certify elections’ final results in order to ensure every legally cast vote is accurately counted. The increased use of mail-in ballots due to COVID-19 protocols could leave officials with incomplete results on election night.
      • Foreign actors and cybercriminals could exploit the time required to certify and announce elections’ results by disseminating disinformation that includes reports of voter suppression, cyberattacks targeting election infrastructure, voter or ballot fraud, and other problems intended to convince the public of the elections’ illegitimacy.
      • The FBI and CISA urged “the American public to critically evaluate the sources of the information they consume and to seek out reliable and verified information from trusted sources, such as state and local election officials” and stated “[t]he public should also be aware that if foreign actors or cyber criminals were able to successfully change an election-related website, the underlying data and internal systems would remain uncompromised.”
  • The Government Accountability Office (GAO) evaluated the United States (U.S.) Department of State’s proposed reorganization to create an office that would have cybersecurity issues in its portfolio. However, the proposal fell short of what the chair and ranking member of the House Foreign Affairs Committee had envisioned in legislation marked up and reported out of committee. The GAO found that the Department of State failed to coordinate with other agencies with international cybersecurity responsibilities, setting up the possibility that the new office will work at cross purposes, thus limiting the effectiveness of U.S. cyber diplomacy.
    • The GAO stated:
      • In 2019, members of Congress introduced the Cyber Diplomacy Act of 2019, which would establish a new office to lead State’s international cyberspace efforts that would consolidate cross-cutting efforts on international cybersecurity, digital economy, and internet freedom, among other cyber diplomacy issues. In June 2019, State notified Congress of its intent to establish a new Bureau of Cyberspace Security and Emerging Technologies (CSET) that would focus more narrowly on cyberspace security and the security aspects of emerging technologies. According to State officials, Members of Congress raised objections to State’s plan, which has not been implemented as of August 2020.
      • [House Foreign Affairs Committee Chair Eliot Engel (D-NY) and Ranking Member Michael McCaul (R-TX)] asked us to review State’s efforts to advance U.S. interests in cyberspace, including State’s planning process for establishing a new bureau to lead its international cyber mission. This report examines the extent to which State involved other federal agencies in the development of its plan for establishing CSET. As part of our ongoing work on this topic, we are also continuing to monitor and review State’s overall planning process for establishing this new bureau.
      • Under State’s proposal, CSET would not focus on the economic and human rights aspects of cyber diplomacy issues. According to State officials, while the department recognized the challenges posed by cyberspace, it considered efforts related to digital economy and internet freedom to be separate and distinct from CSET’s cyberspace security focus. In contrast, under H.R. 739, State would consolidate cyber diplomacy activities, such as those related to international cybersecurity, digital economy, and internet freedom, in a new office.
    • The GAO concluded:
      • State has not initiated a process to involve other federal agencies in the development of its plans for the new CSET bureau. As a result, State has not addressed key practices for involving stakeholders in the development of reforms. State officials told us that they were not obligated to consult with other agencies before completing the CSET plan because it was an internal decision. These officials added that they were not consulted by these agencies when they established offices or bureaus responsible for cyber issues. While State is not legally obligated to involve other agencies in the development of its plans for the new bureau, our prior work on government reforms and reorganizations has shown that it is important for agencies to directly and continuously involve key stakeholders, including agencies supporting similar goals, to develop proposed reforms, such as State’s plan for establishing CSET.
      • Without addressing the key reform practice of involving other agencies in its plans for a new cyber diplomacy bureau, State lacks assurance that it will effectively achieve its goals for establishing CSET. Furthermore, because multiple agencies contribute to cyber diplomacy efforts and are engaged in similar activities, State increases the potential for negative effects from fragmentation, overlap, and duplication of efforts if it does not involve agency partners in the development of its plans to reorganize its cyber diplomacy efforts. Potential negative effects include increased costs or inefficiencies from unnecessary overlap or duplication of efforts.
  • The United States Department of Housing and Urban Development’s (HUD) information security and privacy practices were called into question by the Government Accountability Office (GAO) in an assessment of how effectively the agency is “protecting sensitive information exchanged with external entities.” The GAO performed this evaluation because the House Appropriations Committee required the agency to undertake it. Most alarmingly, the GAO found “HUD was not fully able to identify external entities that process, store, or share sensitive information with its systems used to support housing, community investment, or mortgage loan programs.”
    • The GAO concluded:
      • HUD had minimally addressed the leading practices for requiring the implementation of risk-based security and privacy controls, identifying and tracking corrective actions, and monitoring progress in implementing controls when sharing information with external entities. Moreover, the department had not taken steps to make sure that independent assessments are performed to ensure controls are implemented by external entities. Among the reasons for these weaknesses was HUD’s failure to make it a priority to update and improve IT security and privacy policies. Without leading practices for protecting sensitive information shared with external entities in place, HUD lacks assurance that sensitive information shared with external entities is being protected.
      • Further, HUD had a limited ability to identify external entities that process, store, or share sensitive information with its systems. Until the department has access to better quality information and takes action to improve its inventory of systems that share sensitive information with external entities, HUD will face greater risk that it is falling short in working to protect privacy and sensitive data.
    • The GAO made five recommendations to HUD:
      • The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require the implementation of risk-based security and privacy controls for external entities that process, store, or share sensitive information with HUD. (Recommendation 1)
      • The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require independent assessments of external entities that process, store, or share sensitive information with HUD to ensure controls are implemented. (Recommendation 2)
      • The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require identifying and tracking corrective action needed by external entities that process, store, or share sensitive information with HUD. (Recommendation 3)
      • The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require monitoring of progress in implementing controls/corrective actions by external entities that process, store, or share sensitive information with HUD. (Recommendation 4)
      • The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to develop and maintain a comprehensive systems inventory that incorporates sufficient, reliable information about the external entities with which HUD program information is shared and the extent to which each external entity has access to PII and other sensitive information. (Recommendation 5)
  • Amnesty International’s Security Lab followed up on a March 2019 report on the use of German spyware to surveil human rights activists, dissidents, and journalists in a number of countries. Amnesty International explained:
    • FinSpy is a full-fledged surveillance software suite, capable of intercepting communications, accessing private data, and recording audio and video, from the computer or mobile devices it is silently installed on. FinSpy is produced by Munich-based company FinFisher Gmbh and sold to law enforcement and government agencies around the world.
    • In September 2019, Amnesty International discovered samples of FinFisher’s spyware distributed by malicious infrastructure tied to the attacker group commonly known as NilePhish, likely to be state sponsored. These attacks took place amid an unprecedented crackdown on independent civil society and any critical voices. Over the years, numerous research reports, including by Amnesty International, detailed NilePhish’s campaigns of targeting of Egyptian civil society organizations. Further technical investigation by Amnesty’s Security Lab led to the discovery of additional previously unknown samples for Linux and Mac OS computers, provided with extensive interception capabilities.
    • With this report, Amnesty’s Security Lab shares new insights into the capabilities of the NilePhish attacker group, as well as provides detailed analysis of newly discovered variants of FinSpy in order to enable cybersecurity researchers to further investigate and develop protection mechanisms. In addition, we hope to raise awareness among Human Rights Defenders (HRDs) on the evolution of digital attack techniques and help address common misconceptions that Linux and Mac computers are safer against spyware attacks.
  • In advance of Palantir’s initial public offering, Amnesty International published an issue brief, “Failing to Do Right: The Urgent Need for Palantir to Respect Human Rights,” in which the human rights organization “concludes that Palantir is failing to conduct human rights due diligence around its contracts with Immigration and Customs Enforcement (ICE), and that there is a high risk that Palantir is contributing to human rights violations of asylum-seekers and migrants through the ways the company’s technology facilitates ICE operations.” In the report, Amnesty International stated
    • Through Palantir’s contracts with DHS/ICE for products and services for the Homeland Security Investigations (HSI) division of ICE, Amnesty International has determined there is a high risk that Palantir is contributing to serious human rights violations of migrants and asylum-seekers by the U.S. government, which Amnesty International has thoroughly documented for years. In particular, Palantir’s contracts to provide its Integrated Case Management System (ICM) and FALCON analytical platforms to ICE risk contributing to human rights violations of asylum-seekers and migrants who are separated from family members, subject to workplace raids, detained, and face deportation by ICE.

Further Reading

  • “Making a Phone Call from Behind Bars Shouldn’t Send Your Family into Debt” By Sylvia A. Harvey — Politico. This piece summarizes the shameful state of what many inmates are charged for phone calls in prisons. The Federal Communications Commission (FCC) and Congress are both working to end the usurious rates charged by the duopoly that owns the majority of this market as a matter of public policy.
  • “Ring’s latest security camera is a drone that flies around inside your house” By Dan Seifert — The Verge. Amazon appears to be expanding its home security offerings at the potential price of one’s privacy.
  • “Exclusive: China preparing an antitrust investigation into Google – sources” By Cheng Leng, Keith Zhai, David Kirton — Reuters. Google may be facing yet another antitrust investigation but one from a country that may be seeking to even up the score with the United States (U.S.). The People’s Republic of China is reportedly considering whether to bring an action that would focus on Google and its Android operating system with the rub that the scrutiny is being caused by U.S. moves to harm and limit PRC companies like Huawei, TikTok, and WeChat. The PRC is apparently examining the European Union’s case against Google that resulted in a €4.3 billion fine in 2018.
  • “Scars, Tattoos, And License Plates: This Is What Palantir And The LAPD Know About You” By Caroline Haskins — BuzzFeed News. Ahead of its initial public offering (IPO), Palantir’s history and usage by the Los Angeles Police Department seems to lead one to the conclusion that artificial intelligence and big data are being used to confirm existing practices and biases in policing. However, millions of federal, state, and local dollars went to the company to pay for a few different iterations of a predictive policing system that seemed to violate rights and produce little in the way of tangible benefits.
  • “How Amazon hid its safety crisis” By Will Evans — The Center for Investigative Reporting. As revealed in leaked company records, Amazon’s record on injuries for workers in its warehouses keeps getting worse. This has been exacerbated by Prime Day, a sale that now rivals the holidays, and the move to robots in some warehouses that has radically increased the number of packages workers are supposed to process per hour. Amazon’s response has been to massage the injury numbers in a variety of ways.
  • “Justice Dept. Case Against Google Is Said to Focus on Search Dominance” By Cecilia Kang, Katie Benner, Steve Lohr and Daisuke Wakabayashi — The New York Times. As has been long rumored, the United States Department of Justice has indeed narrowed its case against Google to just its online search engine. This approach may well lead to Democratic state attorneys general filing a different, broader case against Google for antitrust claims related to its online advertising business and online search practices that disadvantage rivals. However, Texas Attorney General Ken Paxton is ready to file an antitrust case focused just on Google’s online advertising business.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.
