Further Reading, Other Developments, and Coming Events (27 October)

Further Reading

  •  “The Police Can Probably Break Into Your Phone” By Jack Nicas — The New York Times. So, about “Going Dark.” Turns out nations and law enforcement officials have either oversold the barrier that default end-to-end encryption on phones creates or did not understand the access that police were already getting to many encrypted phones. This piece is based in large part on the Upturn report showing that United States (U.S.) law enforcement agencies have multiple means of hacking into encrypted or protected smartphones. The point is made that the issue is really that encryption makes it harder to get into phones and is quite pricey. If an iPhone or Android user stores data in the cloud, then getting access is not a problem. But having it encrypted on a phone requires serious technological means to access. But, this article points to another facet of the Upturn report: police have very little in the way of policy or guidance on how to handle data in ways that respect privacy and possibly even the laws of their jurisdictions.
  • Pornhub Doesn’t Care” By Samantha Cole and Emanuel Maiberg — Vice. One of the world’s biggest pornography sites seems to have a poor track record at taking down non-consensual pornography. A number of women were duped into filming pornography they were told would not be distributed online or only in certain jurisdictions. The proprietor lied and now many of them are faced with having these clips turn up again and again on Pornhub and other sites even if they use digital fingerprinting of such videos. These technological screening methods can be easily defeated. Worse still, Pornhub, and its parent company, Mindgeek, did not start responding to requests from these women to have their videos taken down until they began litigating against the man who had masterminded the filming of the non-consensual videos.
  • ‘Machines set loose to slaughter’: the dangerous rise of military AI” By Frank Pasquale — The Guardian. This long read lays out some of the possibilities that may come to pass if artificial intelligence is used to create autonomous weapons or robots. Most of the outcomes sound like science fiction, but then who could have foreseen a fleet of drones in the Middle East operated by the United States.
  • How The Epoch Times Created a Giant Influence Machine” By Kevin Roose — The New York Times. An interesting tale of how a fringe publication may be on its way to being one of the biggest purveyors of right wing material online.
  • Schools Clamored for Seesaw’s App. That Was Good News, and Bad News.” By Stephanie Clifford — The New York Times. The pandemic has led to the rise of another educational app.

Other Developments

  • The United Kingdom’s (UK) Parliamentary Business, Energy and Industrial Strategy (BEIS) Committee wrote a number of companies, including technology firms, “to seek answers in relation to the Committee’s inquiry exploring the extent to which businesses in the UK are exploiting the forced labour of Uyghur in the Xinjiang region of China” according to the committee’s press release. The committee wrote to Amazon and TikTok because as the chair of the committee, Minister of Parliament Nusrat Ghani asserted:
    • The Australian Strategic Policy Institute’s (ASPI) ‘Uyghur’s for Sale’ report names 82 foreign and Chinese companies directly or indirectly benefiting from the exploitation of Uyghur workers in Xinjiang. The companies listed in the Australian Strategic Policy Institute’s report span industries including the fashion, retail and information technology sectors. On the BEIS Committee, we are determined to ask prominent businesses operating in Britain in these sectors what they are doing to ensure their profits are not on the back of forced labour in China. These businesses are trusted by many British consumers and I hope they will repay this faith by coming forward to answer these questions and also take up the opportunity to give evidence to the Business Committee in public.
    • In its March report, the ASPI argued:
      • The Chinese government has facilitated the mass transfer of Uyghur and other ethnic minority citizens from the far west region of Xinjiang to factories across the country. Under conditions that strongly suggest forced labour, Uyghurs are working in factories that are in the supply chains of at least 82 well-known global brands in the technology, clothing and automotive sectors, including Apple, BMW, Gap, Huawei, Nike, Samsung, Sony and Volkswagen.
      • This report estimates that more than 80,000 Uyghurs were transferred out of Xinjiang to work in factories across China between 2017 and 2019, and some of them were sent directly from detention camps. The estimated figure is conservative and the actual figure is likely to be far higher. In factories far away from home, they typically live in segregated dormitories, undergo organised Mandarin and ideological training outside working hours, are subject to constant surveillance, and are forbidden from participating in religious observances. Numerous sources, including government documents, show that transferred workers are assigned minders and have limited freedom of movement.
      • China has attracted international condemnation for its network of extrajudicial ‘re-education camps’ in Xinjiang. This report exposes a new phase in China’s social re-engineering campaign targeting minority citizens, revealing new evidence that some factories across China are using forced Uyghur labour under a state-sponsored labour transfer scheme that is tainting the global supply chain.
  • A group of nations worked together to find and apprehend individuals accused of laundering ill-gotten funds for cyber criminals. The United States (U.S.) indicted the accused. Europol explained:
    • An unprecedented international law enforcement operation involving 16 countries has resulted in the arrest of 20 individuals suspected of belonging to the QQAAZZ criminal network which attempted to launder tens of millions of euros on behalf of the world’s foremost cybercriminals. 
    • Some 40 house searches were carried out in Latvia, Bulgaria, the United Kingdom, Spain and Italy, with criminal proceedings initiated against those arrested by the United States, Portugal, the United Kingdom and Spain. The largest number of searches in the case were carried out in Latvia in operations led by the Latvian State Police (Latvijas Valsts Policija). Bitcoin mining equipment was also seized in Bulgaria.
    • This international sweep follows a complex investigation led by the Portuguese Judicial Police (Polícia Judiciária) together with the United States Attorney Office for the Western District of Pennsylvania and the FBI’s Pittsburgh Field Office, alongside the Spanish National Police (Policia Nacional) and the regional Catalan police (Mossos D’esquadra) and law enforcement authorities from the United Kingdom, Latvia, Bulgaria, Georgia, Italy, Germany, Switzerland, Poland, Czech Republic, Australia, Sweden, Austria and Belgium with coordination efforts led by Europol. 
    • The U.S. Department of Justice (DOJ) claimed:
      • Comprised of several layers of members from Latvia, Georgia, Bulgaria, Romania, and Belgium, among other countries, the QQAAZZ network opened and maintained hundreds of corporate and personal bank accounts at financial institutions throughout the world to receive money from cybercriminals who stole it from bank accounts of victims.  The funds were then transferred to other QQAAZZ-controlled bank accounts and sometimes converted to cryptocurrency using “tumbling” services designed to hide the original source of the funds.  After taking a fee of up to 40 to 50 percent, QQAAZZ returned the balance of the stolen funds to their cybercriminal clientele.  
      • The QQAAZZ members secured these bank accounts by using both legitimate and fraudulent Polish and Bulgarian identification documents to create and register dozens of shell companies which conducted no legitimate business activity. Using these registration documents, the QQAAZZ members then opened corporate bank accounts in the names of the shell companies at numerous financial institutions around the world, thereby generating hundreds of QQAAZZ-controlled bank accounts available to receive stolen funds from cyber thieves.
      • QQAAZZ advertised its services as a “global, complicit bank drops service” on Russian-speaking online cybercriminal forums where cybercriminals gather to offer or seek specialized skills or services needed to engage in a variety of cybercriminal activities. The criminal gangs behind some of the world’s most harmful malware families (e.g.: Dridex, Trickbot, GozNym, etc.) are among those cybercriminal groups that benefited from the services provided by QQAAZZ. 
  • Representatives Anna Eshoo (D-CA) and Bobby L. Rush (D-IL), and Senator Ron Wyden (D-OR) wrote the Privacy and Civil Liberties Oversight Board (PCLOB) asking that the privacy watchdog “investigate the federal government’s surveillance of recent protests, the legal authorities for that surveillance, the government’s adherence to required procedures in using surveillance equipment, and the chilling effect that federal government surveillance has had on protesters.”
    • They argued:
      • Many agencies have or may have surveilled protesters, according to press reports and agency documents.
        • The Customs and Border Protection (CBP) deployed various aircraft –including AS350 helicopters, a Cessna single-engine airplane, and Predator drones –that logged 270 hours of aerial surveillance footage over 15 cities, including Minneapolis, New York City, Buffalo, Philadelphia, Detroit, and Washington, D.C.
        • The FBI flew Cessna 560 aircraft over protests in Washington, D.C., in June, and reporting shows that the FBI has previously equipped such aircraft with ‘dirt boxes,’ equipment that can collect cell phone location data, along with sophisticated cameras for long-range, persistent video surveillance.
        • In addition to specific allegations of protester surveillance, the Drug Enforcement Agency (DEA) was granted broad authority to “conduct covert surveillance ”over protesters responding to the murder of Mr. Floyd.
    • Eshoo, Rush, and Wyden claimed:
      • Recent surveillance of protests involves serious threats to liberty and requires a thorough investigation. We ask that PCLOB thoroughly investigate, including by holding public hearings, the following issues and issue a public report about its findings:
        • (1) Whether and to what extent federal government agencies surveilled protests by collecting or processing personal information of protesters.
        • (2) What legal authorities agencies are using as the basis for surveillance, an unclassified enumeration of claimed statutory or other authorities, and whether agencies followed required procedures for using surveillance equipment, acquiring and processing personal data, receiving appropriate approvals, and providing needed transparency.
        • (3) To what extent the threat of surveillance has a chilling effect on protests.
  • Ireland’s Data Protection Commission (DPC) has opened two inquiries into Facebook and Instagram for potential violations under the General Data Protection Regulation (GDPR) and Ireland’s Data Protection Act 2018. This is not the only regulatory action the DPC has against Facebook, which is headquartered in Dublin. The DPC is reportedly trying to stop Facebook from transferring personal data out of the European Union (EU) and into the United States (U.S.) using standard contractual clauses (SCC) in light of the EU-U.S. Privacy Shield being struck down. The DPC stated “Instagram is a social media platform which is used widely by children in Ireland and across Europe…[and] [t]he DPC has been actively monitoring complaints received from individuals in this area and has identified potential concerns in relation to the processing of children’s personal data on Instagram which require further examination.
    • The DPC explained the two inquiries:
      • This Inquiry will assess Facebook’s reliance on certain legal bases for its processing of children’s personal data on the Instagram platform. The DPC will set out to establish whether Facebook has a legal basis for the ongoing processing of children’s personal data and if it employs adequate protections and or restrictions on the Instagram platform for such children. This Inquiry will also consider whether Facebook meets its obligations as a data controller with regard to transparency requirements in its provision of Instagram to children.
      • This Inquiry will focus on Instagram profile and account settings and the appropriateness of these settings for children. Amongst other matters, this Inquiry will explore Facebook’s adherence with the requirements in the GDPR in respect to Data Protection by Design and Default and specifically in relation to Facebook’s responsibility to protect the data protection rights of children as vulnerable persons.
  • The United States’ National Institute of Standards and Technology (NIST) issued a draft version of the Cybersecurity Profile for the Responsible Use of Positioning, Navigation and Timing (PNT) Services (NISTIR 8323). Comments are due by 23 November.
    • NIST explained:
      • NIST has developed this PNT cybersecurity profile to help organizations identify systems, networks, and assets dependent on PNT services; identify appropriate PNT services; detect the disruption and manipulation of PNT services; and manage the associated risks to the systems, networks, and assets dependent on PNT services. This profile will help organizations make deliberate, risk-informed decisions on their use of PNT services.
    • In its June request for information (RFI), NIST explained “Executive Order 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing Services, was issued on February 12, 2020 and seeks to protect the national and economic security of the United States from disruptions to PNT services that are vital to the functioning of technology and infrastructure, including the electrical power grid, communications infrastructure and mobile devices, all modes of transportation, precision agriculture, weather forecasting, and emergency response.” The EO directed NIST “to develop and make available, to at least the appropriate agencies and private sector users, PNT profiles.”

Coming Events

  • The Senate Commerce, Science, and Transportation Committee will hold a hearing on 28 October regarding 47 U.S.C. 230 titled “Does Section 230’s Sweeping Immunity Enable Big Tech Bad Behavior?” with testimony from:
    • Jack Dorsey, Chief Executive Officer of Twitter;
    • Sundar Pichai, Chief Executive Officer of Alphabet Inc. and its subsidiary, Google; and 
    • Mark Zuckerberg, Chief Executive Officer of Facebook.
  • On 29 October, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”
  • On 10 November, the Senate Commerce, Science, and Transportation Committee will hold a hearing to consider nominations, including Nathan Simington’s to be a Member of the Federal Communications Commission.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

“How Encryption Works” by Afsal CMK is licensed under CC BY 4.0

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s