- “Google is giving data to police based on search keywords, court docs show” By Alfred Ng — c|net. Google is responding to keyword warrants where prosecutors ask the company to provide IP addresses for all people who made a certain search within a geographical area during a certain time. In the case discussed in the piece (bizarrely witness intimidation of someone testifying against R. Kelly), a keyword warrant allowed them to locate a person who may have burned down someone’s house. It is likely this warrant will be challenged on Fourth Amendment grounds.
- “Google AI Tech Will Be Used for Virtual Border Wall, CBP Contract Shows” By Lee Fang and Sam Biddle — The Intercept. Google may again be wading into territory its labor force may find objectionable. The United States (U.S.) Customs and Border Protection (CBP) will use Google Cloud in its artificial intelligence-driven virtual fence on the U.S.-Mexico border. This may result in employee push back as it did in 2018 when this sort of internal pressure caused Google to walk away from a Department of Defense program, Project Maven. A whistleblower group ferreted out the fact that Google is contracting with CBP, which took some effort considering Google appears to be a subcontractor to a prime contractor.
- “Facebook Manipulated the News You See to Appease Republicans, Insiders Say” By Monika Bauerlein and Clara Jeffery — Mother Jones. In January 2018 Facebook changed its algorithm to try to address the growing toxicity during and after the 2016 election. The supposed solution was to remove untrustworthy information. However, the original test of this new algorithm led to deprioritizing many conservative sources that traffic in misinformation and slanted stories. This was deemed unacceptable from a political point of view, and the opposite was done. A number of liberal media organizations saw their traffic drop off a cliff.
- “Why A Gamer Started A Web Of Disinformation Sites Aimed At Latino Americans” By Kaleigh Rogers and Jaime Longoria — FiveThirtyEight. The reason why a gamer and YouTuber started fake sites aimed at Latinos was profit, nothing else.
- “Twitter and White House deny claims that researcher hacked Trump’s account” By Adi Robertson — The Verge. A Dutch researcher claims the password maga2020 got him into President Donald Trump’s Twitter account even though the White House and Twitter both deny the claim. There is a bizarre tweet Trump sent earlier this month that may, in fact, be the work of this researcher. In any event, he is being coy about whether he sent it or not.
- The United Kingdom’s Information Commissioner’s Office (ICO) reduced its fine on British Airways (BA) to a ninth of the preliminary total for violations of the General Data Protection Regulation (GDPR). The ICO has levied a £20 million fine on the airline “for failing to protect the personal and financial details of more than 400,000 of its customers.” In July 2019, the ICO issued a notice of its intention to fine British Airways £183.39 million because the “[p]ersonal data of approximately 500,000 customers were compromised.” After BA made its case, the ICO reduced the fine to £30 million before knocking off another £10 million because of mitigating factors and a British government policy to ease up on businesses during the pandemic. Conceivably, the fine could have been much higher for the GDPR allows for fines of up to 4% of worldwide revenue, and in this case, for the period in question, BA had £12.26 billion in revenue. The ICO explained:
- The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.
- Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.
- Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed.
- The ICO found:
- There were numerous measures BA could have used to mitigate or prevent the risk of an attacker being able to access the BA network. These include:
- limiting access to applications, data and tools to only that which are required to fulfil a user’s role
- undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems;
- protecting employee and third party accounts with multi-factor authentication.
- Additional mitigating measures BA could have used are listed in the penalty notice.
- None of these measures would have entailed excessive cost or technical barriers, with some available through the Microsoft Operating System used by BA.
- Since the attack, BA has made considerable improvements to its IT security.
- ICO investigators found that BA did not detect the attack on 22 June 2018 themselves but were alerted by a third party more than two months afterwards on 5 September. Once they became aware BA acted promptly and notified the ICO.
- It is not clear whether or when BA would have identified the attack themselves. This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant.
- There were numerous measures BA could have used to mitigate or prevent the risk of an attacker being able to access the BA network. These include:
- The Congressionally created Cyberspace Solarium Commission (CSC) issued a white paper “Building a Trusted ICT Supply Chain,” with its assessment as to why the United States (U.S.) no longer has a thriving technological industrial base and how it might again, which is nothing less than a matter of signal importance considering the growing dominance of the People’s Republic of China (PRC) in those fields. With the CSC releasing this white paper, it has become another player on the field in U.S. government policy circles proposing how the U.S. may protect its information and communications technology (ICT) supply chain against sabotage, malice, or control by an adversarial power.
- The CSC claimed:
- United States lacks key industrial capacities crucial to the production of essential technologies, including fifth-generation (5G) telecommunications equipment. Among other factors, the willingness of countries such as China to subsidize and support their domestic industries has created the uneven playing field that hinders the competitiveness and, ultimately, the viability of U.S. companies in global markets. The resulting lack of industrial capacity has forced critical dependencies on companies that manufacture in adversary countries, such as China, where companies are beholden to Chinese national intelligence, national cybersecurity, and national security laws. While dependency on foreign production and foreign goods is not inherently bad—indeed, the United States relies on manufacturing and companies headquartered in partner countries such as Finland, Sweden, South Korea, and Taiwan—the U.S. government must emphasize the importance of trusted suppliers, and these dependencies pose three concrete risks to the security of the United States.
- The CSC explained why fostering a supply chain for ICT in the U.S. will not be easy:
- Three main challenges confront attempts to rebuild U.S. high-tech manufacturing capacity: (1) lack of patient funding capital, (2) high investment barriers to entry, and (3) standards and intellectual property barriers to entry. These challenges arise from the simple fact that the economics of the hardware industry are not as attractive as those of many other technology sectors. One of the major shortcomings of U.S. efforts to date to secure ICT supply chains is their failure to address how the United States got to this point, where ICT equipment manufacturing and production is a critical economic weakness. In order to craft an effective strategy to rebuild high-tech manufacturing and gain greater industrial independence, policymakers must first understand the challenges to reinvigorating the United States’ high-tech manufacturing industry. Only then can they comprehend why market forces have pushed U.S. high-tech industrial capacity to atrophy over the past two decades and recognize the issues that they must tackle in developing an industrial base strategy.
- None of these barriers are insurmountable, but the reality is that the United States has lost much of its market share for the manufacture of electronics components and nearly all of its market share for the manufacture and assembly of finished electronics products. Nonetheless, a U.S. strategy to secure its ICT supply chain from all threats must include a plan to identify the key technologies and materials, and then attract more patient investment in hardware manufacturing, devise a method to retrain the atrophied muscles of production, and set the conditions to overcome barriers to entry posed by the constraints of standards and intellectual property.
- The CSC “specifies a strategy to build trusted supply chains for critical ICT by:
- Identifying key technologies and equipment through government reviews and public-private partnerships to identify risk.
- Ensuring minimum viable manufacturing capacity through both strategic investment and the creation of economic clusters.
- Protecting supply chains from compromise through better intelligence, information sharing, and product testing.
- Stimulating a domestic market through targeted infrastructure investment and ensuring the ability of firms to offer products in the United States similar to those offered in foreign markets.
- Ensuring global competitiveness of trusted supply chains, including American and partner companies, in the face of Chinese anti-competitive behavior in global markets.
- The CSC also highlighted “five key and eight supporting recommendations to build trusted supply chains for critical ICT technologies:
- Supply Chain 1: Congress should direct the executive branch to develop and implement an information and communication technologies industrial base strategy.
- Supply Chain 2: Congress should direct the Department of Homeland Security, in coordination with the Department of Commerce, Department of Defense, Department of State, and other departments and agencies, to identify key information and communication technologies and materials through industry consultation and government review.
- Supply Chain 3: Congress should direct the Department of Commerce, in consultation with the Department of Homeland Security, the Department of State, and the Department of Defense, to conduct a viability study of localities fit for economic clustering. It should fund the Department of Commerce, in consultation with the Department of Homeland Security, Department of State, and Department of Defense, to solicit competitive bids and applications from candidate states, municipalities, and localities for the designation of no fewer than three and no more than five critical technology manufacturing clusters.
- Supply Chain 3.1: The federal government should commit significant and consistent funding toward research and development in emerging technologies.
- Supply Chain 3.2: The federal government should, in partnership with partner and ally governments, develop programs to incentivize the movement of critical chip and technology manufacturing out of China.
- Supply Chain 3.3: Congress should direct the President to conduct a study on the viability of a public-private national security investment corporation to attract private capital for investment in strategically important areas.
- Supply Chain 4: The President should designate a lead agency to integrate and coordinate government ICT supply chain risk management efforts into an ongoing national strategy and to serve as the nexus for public-private partnerships on supply chain risk management.
- Supply Chain 4.1: Congress should direct the President to construct or designate a National Supply Chain Intelligence Center.
- Supply Chain 4.2: Congress should fund three Critical Technology Security Centers, selected and designated by DHS, in collaboration with the Department of Commerce, Department of Energy, Office of the Director of National Intelligence (ODNI), and Department of Defense.
- Supply Chain 5: The Federal Communications Commission (FCC) should tie 5G infrastructure investment to open and interoperable standards and work with the Department of Defense and the National Telecommunications and Information Agency to facilitate the release of more mid-band spectrum in order to ensure a strong domestic market for telecommunications equipment.
- Supply Chain 5.1: The U.S. Agency for International Development (USAID) should work with international partners to develop a digital risk impact assessment that highlights the risks associated with the use of untrusted technologies in implementing digitization and telecommunications infrastructure projects.
- Supply Chain 5.2: Congress should ensure that the Export-Import Bank (EXIM), U.S. International Development Finance Corporation (DFC), and United States Trade Development Agency (USTDA) all operate in legal, regulatory, and funding environments conducive to successfully competing with Chinese state-owned and state-backed enterprises, including their ability to support investments from companies headquartered in partner and ally countries.
- Supply Chain 5.3: USAID, DFC, and USTDA should develop and maintain a list of prohibited contractors and clients, including companies subject to the Chinese national security and national intelligence laws, that may not be used to implement USAID-, DFC-, and USTDA-funded projects.
- The CSC claimed:
- The Federal Trade Commission (FTC) has reportedly met to review its anti-trust case against Facebook that could get filed as soon as next month. The FTC start looking into Facebook’s dominance in the social messaging market about the same time it handed down a $5 billion fire for the tech giant’s involvement with Cambridge Analytica that violated the 2012 consent decree. The anti-trust investigation is reportedly focused on Facebook’s acquisitions of WhatsApp and Instagram, two of the world’s largest messaging platforms. The FTC is reportedly focused on the effects of Facebook’s buying two potential competitors, WhatsApp and Instagram, and if the FTC succeeds in a suit against Facebook, the company may be forced to spin off those two entities. Moreover, New York Attorney General Tish James is leading a state investigation of Facebook that “focuses on Facebook’s dominance in the industry and the potential anticompetitive conduct stemming from that dominance.” This inquiry started over a year ago, and any timing on possible action is not clear. The European Commission is also reportedly looking at Facebook for anti-trust violations as media accounts indicated in late 2019.
- The House Judiciary Committee argued in its recent report on competition in digital markets that “the strong network effects associated with Facebook has tipped the market toward monopoly such that Facebook competes more vigorously among its own products—Facebook, Instagram, WhatsApp, and Messenger—than with actual competitors.” In response to the House Judiciary Committee’s view on these deals, a Facebook spokesperson claimed “[a] strongly competitive landscape existed at the time of both acquisitions and exists today…[and] [r]egulators thoroughly reviewed each deal and rightly did not see any reason to stop them at the time.”
- In February 2019, the German agency with jurisdiction over competition issued a decision that potentially could block Facebook from combining the personal data of Germans from other Facebook-owned entities such as Instagram and WhatsApp or from unrelated third-party sources. According to the Bundeskartellamt’s press release, the agency “has imposed on Facebook far-reaching restrictions in the processing of user data.”
- A group of nations are proposing a third way to bridge the dual efforts of two United Nations (U.N.) groups to develop cyber norms. In the “The future of discussions on ICTs and cyberspace at the UN,” this group of nations propose to “explore establishment of a Programme of Action for advancing responsible State behaviour in cyberspace with a view to ending the dual track discussions (GGE/OEWG) and establishing a permanent UN forum to consider the use of ICTs by States in the context of international security.” They stressed “the urgent need for the international community to address the use of ICTs in the context of international peace and security.” France, Egypt, Argentina, Colombia, Ecuador, Gabon, Georgia, Japan, Morocco, Norway, Salvador, Singapore, the Republic of Korea, the Republic of Moldova, The Republic of North Macedonia, the United Kingdom, the EU and its member States submitted the proposal.
- These nations argued:
- Since 2018, two working groups and many initiatives have started under the auspices of the UN. We welcome the willingness of the international community to engage, and recognize that each of those initiatives has its own merits and specificities. Yet, they aim at tackling the same issues: advancing norms of responsible behaviour, understanding how international law concretely applies to cyberspace, developing CBMs and fostering capacity building. We consider that this situation, although evidencing the growing commitment of the international community to dedicating time and resources to the matters at hand, creates redundancies and, at times, can be counter-productive. It is therefore a cause for concern.
- In the fall of 2019, the U.N. Group of Governmental Experts (GGE) and the U.N. Open-ended Working Group (OEWG) started meeting per U.N. resolutions to further consultative discussions on an international agreement or set of agreements on what is considered acceptable and unacceptable cyber practices. Previous efforts largely stalled over disagreements between a bloc led by the U.S. and its allies and nations like the People’s Republic of China (PRC), Russia, and others with a different view on acceptable practices. Notably, unlike 2010, 2013 and 2015, the 2017 U.N. GGE could not reach agreement on additional voluntary, non-binding norms on how nations should operate in cyberspace. The OEWG was advocated for by countries like Russia, the PRC, and others seen as being in opposition to some of the views propagated by the U.S. and its allies, notably on the issue of what kind of measures a nation may use inside its borders to limit internet usage for its citizens.
- As explained in a 2018 U.N. press release, competing resolutions were offered to create groups “aimed at shaping norm-setting guidelines for States to ensure responsible conduct in cyberspace:”
- the draft resolution “Developments in the field of information and telecommunications in the context of international security” (document A/C.1/73/L.27.Rev.1), tabled by the Russian Federation. By the text, the Assembly would decide to convene in 2019 an open-ended working group acting on a consensus basis to further develop the rules, norms and principles of responsible behaviour of States.
- the draft resolution “Advancing Responsible State Behaviour in Cyberspace in the Context of International Security” (document A/C.1/73/L.37), tabled by the United States…[that] would request the Secretary-General, with the assistance of a group of governmental experts to be established in 2019, to continue to study possible cooperative measures to address existing and potential threats in the sphere of information security, including norms, rules and principles of responsible behaviour of States.
- These nations argued:
- The United Kingdom’s Information Commissioner’s Office (ICO) published a compulsory audit of the Department for Education (DfE) and found:
- The audit found that data protection was not being prioritised and this had severely impacted the DfE’s ability to comply with the UK’s data protection laws. A total of 139 recommendations for improvement were found, with over 60% classified as urgent or high priority.
- The ICO explained:
- The Commissioner’s Enforcement team ran a broad range investigation in 2019 following complaints from DefendDigitalMe and Liberty and their concerns around the National Pupil Database (NPD). The ICO met with key senior level data protection professionals at the DfE’s offices in London in November2019 where the possibilities of a consensual audit were discussed. However, due to the risks associated with the volume and types of personal data processed within the NPD as well as the ages of the data subjects involved, the Commissioner decided, in line with her own Regulatory Action Policy, to undertake a compulsory audit using her powers under section 146 of the DPA18.The Commissioner determined this approach would provide a comprehensive review of DfE data protection practices, governance and other key control measures supporting the NPD and internally held databases, using the framework of scope areas of audit as listed below. This would allow the Commissioner to identify any risk associated with the data processed and implications to the individual rights of over 21 million data subjects.
- The European Commission (EC) announced it “made commitments offered by [United States firm] Broadcom legally binding under EU antitrust rules.” The EC started looking into the company in mid-2019 for supposedly abusive behavior that was harming players and people in the TV and modem chipset markets in the European Union.
- The EC explained:
- In June 2019, the Commission initiated proceedings into alleged abuse of dominance by Broadcom and at the same time issued a Statement of Objections seeking the imposition of interim measures. In October 2019, the Commission took a decision concluding that interim measures were necessary to prevent serious and irreparable damage to competition from occurring in the worldwide markets for SoCs for (i) TV set-top boxes, (ii) xDSL modems, (iii) fibre modems, as well as (iv) cable modems.
- The Commission took issue with certain exclusivity or quasi-exclusivity and leveraging arrangements imposed by Broadcom in relation to SoCs for TV set top boxes, xDSL and fibre modems. The decision ordered Broadcom to stop applying these provisions contained in agreements with six of its main customers and ordered the implementation of interim measures applicable for a period of three years.
- The EC asserted Broadcom has agreed to the following:
- At European Economic Area (EEA) level, Broadcom will:
- a) Not require or induce by means of price or non-price advantages an OEM to obtain any minimum percentage of its EEA requirements for SoCs for TV set-top boxes, xDSL modems and fibre modems from Broadcom; and
- b) Not condition the supply of, or the granting of advantages for, SoCs for TV set-top boxes, xDSL modems and fibre modems on an OEM obtaining from Broadcom another of these products or any other product within the scope of the commitments (i.e. SoCs for cable modems, Front End Chips for set-top boxes and modems and/or Wi-Fi Chips for set-top boxes and modems).
- At worldwide level (excluding China), Broadcom will:
- a) Not require or induce an OEM by means of certain types of advantages to obtain more than 50% of its requirements for SoCs for TV set-top boxes, xDSL modems and fibre modems from Broadcom; and
- b) Not condition the supply of, or the granting of advantages for, SoCs for TV set-top boxes, xDSL modems and fibre modems on an OEM obtaining from Broadcom more than 50% of its requirements for any other of these products, or for other products within the scope of the commitments.
- The commitments also include specific provisions regarding incentives to bid equipment based on Broadcom products as well as certain additional clauses with regard to service providers in the EEA.
- At European Economic Area (EEA) level, Broadcom will:
- The EC explained:
- The Federal Communications Commission (FCC) will hold an open commission meeting on 27 October, and the agency has released its agenda:
- Restoring Internet Freedom Order Remand. The Commission will consider an Order on Remand that would respond to the remand from the U.S. Court of Appeals for the D.C. Circuit and conclude that the Restoring Internet Freedom Order promotes public safety, facilitates broadband infrastructure deployment, and allows the Commission to continue to provide Lifeline support for broadband Internet access service. (WC Docket Nos. 17-108, 17-287, 11-42)
- Establishing a 5G Fund for Rural America . The Commission will consider a Report and Order that would establish the 5G Fund for Rural America to ensure that all Americans have access to the next generation of wireless connectivity. (GN Docket No. 20-32)
- Increasing Unlicensed Wireless Opportunities in TV White Spaces. The Commission will consider a Report and Order that would increase opportunities for unlicensed white space devices to operate on broadcast television channels 2-35 and expand wireless broadband connectivity in rural and underserved areas. (ET Docket No. 20-36)
- Streamlining State and Local Approval of Certain Wireless Structure Modifications . The Commission will consider a Report and Order that would further accelerate the deployment of 5G by providing that modifications to existing towers involving limited ground excavation or deployment would be subject to streamlined state and local review pursuant to section 6409(a) of the Spectrum Act of 2012. (WT Docket No. 19-250; RM-11849)
- Revitalizing AM Radio Service with All-Digital Broadcast Option . The Commission will consider a Report and Order that would authorize AM stations to transition to an all-digital signal on a voluntary basis and would also adopt technical specifications for such stations. (MB Docket Nos. 13-249, 19-311)
- Expanding Audio Description of Video Content to More TV Markets. The Commission will consider a Report and Order that would expand audio description requirements to 40 additional television markets over the next four years in order to increase the amount of video programming that is accessible to blind and visually impaired Americans. (MB Docket No. 11-43)
- Modernizing Unbundling and Resale Requirements. The Commission will consider a Report and Order to modernize the Commission’s unbundling and resale regulations, eliminating requirements where they stifle broadband deployment and the transition to next-generation networks, but preserving them where they are still necessary to promote robust intermodal competition. (WC Docket No. 19-308)
- Enforcement Bureau Action. The Commission will consider an enforcement action.
- The Senate Commerce, Science, and Transportation Committee will hold a hearing on 28 October regarding 47 U.S.C. 230 titled “Does Section 230’s Sweeping Immunity Enable Big Tech Bad Behavior?” with testimony from:
- Jack Dorsey, Chief Executive Officer of Twitter;
- Sundar Pichai, Chief Executive Officer of Alphabet Inc. and its subsidiary, Google; and
- Mark Zuckerberg, Chief Executive Officer of Facebook.
- On 29 October, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”
- On 10 November, the Senate Commerce, Science, and Transportation Committee will hold a hearing to consider nominations, including Nathan Simington’s to be a Member of the Federal Communications Commission.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.
Photo by Isaac Struna on Unsplash