Further Reading
- “How the U.S. Military Buys Location Data from Ordinary Apps” By Joseph Cox — Vice’s Motherboard. This article confirms the entirely foreseeable: the Department of Defense and its contractors are obtaining and using personal information from smartphones all over the world. Given this practice is common among United States’ (U.S.) law enforcement agencies, it is little surprise the U.S. military is doing the same. Perhaps the fact that the U.S. is doing this has been one of the animating forces behind the Trump Administration’s moves against applications from the People’s Republic of China (PRC)?
- “Regulators! Stand Back: Under a Biden administration, Big Tech is set for a field day” By Lizzie O’Shea — The Baffler. This piece argues that a Biden Administration may be little more than a return to the Obama Administration’s favorable view of big tech and its largely laissez-faire regulatory approach. At least one expert worries the next administration may do enough on addressing big tech to appear to be doing something, but not nearly enough to change the current market and societal dynamics.
- “Cheating-detection companies made millions during the pandemic. Now students are fighting back.” By Drew Harwell — The Washington Post. There are scores of problems with online testing platforms, including weak or easily compromised data security and privacy safeguards. Many students report getting flagged for stretching, looking off-screen, and even needing to go to the restroom. However, the companies in the market are in growth-mode and seem unresponsive to such criticisms.
- “Zuckerberg defends not suspending ex-Trump aide Bannon from Facebook: recording” By Katie Paul — Reuters. On an internal company call, Facebook CEO Mark Zuckerberg defended the platform’s decision not to deactivate former White House advisor Steve Bannon’s account after he “metaphorically” advocated for the beheadings of Federal Bureau of Investigation Director Christopher Wray and National Institute of Allergy and Infectious Diseases (NIAID) Director Anthony Fauci. Zuckerberg also reassured employees that a Biden Administration would not necessarily be entirely adversarial to Facebook.
- “How Trump uses Twitter to distract the media – new research” By Ullrich Ecker, Michael Jetter, and Stephan Lewandowsky — The Conversation. Research backs up the assertion that President Donald Trump has tweeted bizarre non-sequiturs to distract from what he perceived to be negative stories, and it worked because the media reported on the tweets almost every time. Trump is not the only politician or leader using this strategy.
- “Bumble Vulnerabilities Put Facebook Likes, Locations And Pictures Of 95 Million Daters At Risk” By Thomas Brewster — Forbes. Users of the dating app Bumble were at risk due to weak security that white hat researchers easily circumvented. Worse still, it took the company months to address and fix these vulnerabilities after being informed.
Other Developments
- A number of United States (U.S.) election security stakeholders issued a statement, carefully and tactfully refuting the claims of President Donald Trump and other Republicans who have claimed that President-elect Joe Biden won the election only because of massive fraud. These officials declared “[t]he November 3rd election was the most secure in American history” and “[t]here is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.”
- The officials seemed to flatly contradict Trump and others:
- While we know there are many unfounded claims and opportunities for misinformation about the process of our elections, we can assure you we have the utmost confidence in the security and integrity of our elections, and you should too.
- The members of Election Infrastructure Government Coordinating Council (GCC) Executive Committee – Cybersecurity and Infrastructure Security Agency (CISA) Assistant Director Bob Kolasky, U.S. Election Assistance Commission Chair Benjamin Hovland, National Association of Secretaries of State (NASS) President Maggie Toulouse Oliver, National Association of State Election Directors (NASED) President Lori Augino, and Escambia County (Florida) Supervisor of Elections David Stafford – and the members of the Election Infrastructure Sector Coordinating Council (SCC) – Chair Brian Hancock (Unisyn Voting Solutions), Vice Chair Sam Derheimer (Hart InterCivic), Chris Wlaschin (Election Systems & Software), Ericka Haas (Electronic Registration Information Center), and Maria Bianchi (Democracy Works) issued the statement.
- President Donald Trump signed an executive order that would bar from the United States’ (U.S.) securities markets those companies from the People’s Republic of China (PRC) connected to the PRC’s “military-industrial complex.” This order would take effect on 11 January 2021 and seeks, as a matter of national security, to cut off access to U.S. capital for these PRC companies because “the PRC exploits United States investors to finance the development and modernization of its military.” Consequently, Trump declared a national emergency with respect to the PRC’s behavior, which triggers a host of powers at the Administration’s disposal to deny funds and access to the object of such an order. It remains to be seen whether the Biden Administration will rescind or keep in place this executive order when it takes office ten days after the order takes effect. Nevertheless, Trump asserted:
- that the PRC is increasingly exploiting United States capital to resource and to enable the development and modernization of its military, intelligence, and other security apparatuses, which continues to allow the PRC to directly threaten the United States homeland and United States forces overseas, including by developing and deploying weapons of mass destruction, advanced conventional weapons, and malicious cyber-enabled actions against the United States and its people.
- Microsoft revealed it has “detected cyberattacks from three nation-state actors targeting seven prominent companies directly involved in researching vaccines and treatments for Covid-19.” Microsoft attributed these attacks to Russian and North Korean hackers and tied the announcement to the company’s advocacy at the Paris Peace Forum, where the United States (U.S.) multinational reiterated its calls for “the world’s leaders to affirm that international law protects health care facilities and to take action to enforce the law.” Microsoft sought to position its cyber efforts within larger diplomatic efforts to define the norms of cyberspace and to bring cyber action into the body of international law. The company asserted:
- In recent months, we’ve detected cyberattacks from three nation-state actors targeting seven prominent companies directly involved in researching vaccines and treatments for Covid-19. The targets include leading pharmaceutical companies and vaccine researchers in Canada, France, India, South Korea and the United States. The attacks came from Strontium, an actor originating from Russia, and two actors originating from North Korea that we call Zinc and Cerium.
- Among the targets, the majority are vaccine makers that have Covid-19 vaccines in various stages of clinical trials. One is a clinical research organization involved in trials, and one has developed a Covid-19 test. Multiple organizations targeted have contracts with or investments from government agencies from various democratic countries for Covid-19 related work.
- Strontium continues to use password spray and brute force login attempts to steal login credentials. These are attacks that aim to break into people’s accounts using thousands or millions of rapid attempts. Zinc has primarily used spear-phishing lures for credential theft, sending messages with fabricated job descriptions pretending to be recruiters. Cerium engaged in spear-phishing email lures using Covid-19 themes while masquerading as World Health Organization representatives. The majority of these attacks were blocked by security protections built into our products. We’ve notified all organizations targeted, and where attacks have been successful, we’ve offered help.
- These are just among the most recent attacks on those combating Covid-19. Cyberattacks targeting the health care sector and taking advantage of the pandemic are not new. Attackers recently used ransomware attacks to target hospitals and healthcare organizations across the United States. Earlier in the pandemic, attacks targeted Brno University Hospital in the Czech Republic, Paris’s hospital system, the computer systems of Spain’s hospitals, hospitals in Thailand, medical clinics in the U.S. state of Texas, a health care agency in the U.S. state of Illinois and even international bodies such as the World Health Organization. In Germany, we recently saw the resulting threat to human health become tragic reality when a woman in Dusseldorf reportedly became the first known death as a result of a cyberattack on a hospital.
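Microsoft’s statement distinguishes two credential attacks it attributes to Strontium: password spraying (a few passwords tried against many accounts) and brute force (many attempts against one account). The two look different in authentication logs, and a defender can separate them by grouping failures per source address and counting distinct usernames versus repeated attempts on one username. The script below is an added example written for this post, not Microsoft’s detection logic; the log format, field names, thresholds and all addresses and usernames are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): one source
# spraying five accounts, one source hammering a single account, and
# one ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2020-11-10T08:00:01Z auth=FAIL user=alice src=203.0.113.7
2020-11-10T08:00:03Z auth=FAIL user=bob src=203.0.113.7
2020-11-10T08:00:05Z auth=FAIL user=carol src=203.0.113.7
2020-11-10T08:00:07Z auth=FAIL user=dave src=203.0.113.7
2020-11-10T08:00:09Z auth=FAIL user=erin src=203.0.113.7
2020-11-10T08:00:11Z auth=OK user=erin src=203.0.113.7
2020-11-10T08:01:00Z auth=FAIL user=frank src=198.51.100.4
2020-11-10T08:01:02Z auth=FAIL user=frank src=198.51.100.4
2020-11-10T08:01:04Z auth=FAIL user=frank src=198.51.100.4
2020-11-10T08:01:06Z auth=FAIL user=frank src=198.51.100.4
2020-11-10T08:01:08Z auth=FAIL user=frank src=198.51.100.4
2020-11-10T08:01:10Z auth=FAIL user=frank src=198.51.100.4
2020-11-10T09:30:00Z auth=FAIL user=grace src=192.0.2.9
2020-11-10T09:30:30Z auth=OK user=grace src=192.0.2.9
"""

# Assumed (hypothetical) log line layout: ISO timestamp, result, user, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log text into (timestamp, result, user, src) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    events.sort()
    return events


def detect(events, window=timedelta(minutes=5), spray_users=5, brute_attempts=5):
    """Return {src: (kind, sorted usernames)} for sources that look like
    a password spray (many distinct users failing) or a brute force
    (one user failing repeatedly) inside a sliding time window."""
    alerts = {}
    by_src = defaultdict(list)
    for ev in events:
        if ev[1] == "FAIL":
            by_src[ev[3]].append(ev)
    for src, fails in by_src.items():
        for i, (start, _, _, _) in enumerate(fails):
            # All failures from this source within `window` of this one.
            in_win = [e for e in fails[i:] if e[0] - start <= window]
            per_user = defaultdict(int)
            for _, _, user, _ in in_win:
                per_user[user] += 1
            if len(per_user) >= spray_users:
                alerts[src] = ("password_spray", sorted(per_user))
                break
            if max(per_user.values()) >= brute_attempts:
                alerts[src] = ("brute_force", sorted(per_user))
                break
    return alerts


def suspicious_successes(events, alerts):
    """Accounts that logged in successfully from a flagged source; these
    are the accounts to force a password reset on and review first."""
    return [(src, user) for _, result, user, src in events
            if result == "OK" and src in alerts]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = detect(evs)
    for src, (kind, users) in found.items():
        print(f"{src}: {kind} against {', '.join(users)}")
    for src, user in suspicious_successes(evs, found):
        print(f"review account {user}: successful login from flagged source {src}")
```

The thresholds are deliberately low so the constructed sample trips them; in production they are tuned per environment, and the success-after-spray check matters more than the raw counts, since a spray that never lands is noise while one that does is an account compromise.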
- The United Kingdom’s (UK) Information Commissioner’s Office (ICO) announced a £1.25 million fine of Ticketmaster UK for failing “to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page” in violation of the General Data Protection Regulation (GDPR). The ICO explained:
- The breach began in February 2018 when Monzo Bank customers reported fraudulent transactions. The Commonwealth Bank of Australia, Barclaycard, Mastercard and American Express all reported suggestions of fraud to Ticketmaster. But the company failed to identify the problem.
- In total, it took Ticketmaster nine weeks from being alerted to possible fraud to monitoring the network traffic through its online payment page.
- The ICO’s investigation found that Ticketmaster’s decision to include the chat-bot, hosted by a third party, on its online payment page allowed an attacker access to customers’ financial details.
- Although the breach began in February 2018, the penalty only relates to the breach from 25 May 2018, when new rules under the GDPR came into effect. The chat-bot was completely removed from Ticketmaster UK Limited’s website on 23 June 2018.
- The ICO added:
- The data breach, which included names, payment card numbers, expiry dates and CVV numbers, potentially affected 9.4 million of Ticketmaster’s customers across Europe including 1.5 million in the UK.
- Investigators found that, as a result of the breach, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6,000 cards were replaced by Monzo Bank after it suspected fraudulent use.
- The ICO found that Ticketmaster failed to:
- Assess the risks of using a chat-bot on its payment page
- Identify and implement appropriate security measures to negate the risks
- Identify the source of suggested fraudulent activity in a timely manner
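The ICO’s first two findings (assess the risk of a third-party chat-bot on the payment page; implement measures to negate it) come down to an inventory question: which scripts on the page that handles card data are loaded from hosts the company does not control, and which of those can change without the company noticing? The script below is an added example for this post, not the ICO’s method or anything Ticketmaster ran; the sample page, hostnames and allowlist are constructed, and it uses the standard browser subresource-integrity attribute as the pinning check.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout page (hypothetical hosts, not a real site).
SAMPLE_PAYMENT_PAGE = """
<html><head>
<script src="/static/checkout.js" integrity="sha384-CONSTRUCTED1"></script>
<script src="https://cdn.example-chatbot.test/widget.js"></script>
<script src="https://cdn.example-analytics.test/a.js"
        integrity="sha384-CONSTRUCTED2" crossorigin="anonymous"></script>
<script>window.cfg = {};</script>
</head><body><form id="payment"><input name="card"></form></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect the attributes of every external <script> tag on a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []   # attribute dicts for <script src=...> tags
        self.inline = 0     # count of inline scripts (for the report)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if "src" in a:
                self.scripts.append(a)
            else:
                self.inline += 1


def audit_scripts(html, first_party_host, allowlist=()):
    """Return (script src, problem) pairs for a payment page.

    Flags any script served from a host other than first_party_host that is
    not on the reviewed allowlist, and any third-party script that carries no
    integrity hash, meaning its content can change without the site owner's
    involvement.
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for a in parser.scripts:
        # Relative src ("/static/...") resolves to the first-party host.
        host = urlparse(a["src"]).netloc or first_party_host
        third_party = host != first_party_host
        if third_party and host not in allowlist:
            findings.append((a["src"], "third-party host not on allowlist"))
        if third_party and "integrity" not in a:
            findings.append((a["src"], "no subresource integrity hash"))
    return findings


if __name__ == "__main__":
    for src, problem in audit_scripts(
        SAMPLE_PAYMENT_PAGE, "shop.example.test",
        allowlist=("cdn.example-analytics.test",),
    ):
        print(f"{src}: {problem}")
```

The check is intentionally blunt: a vendor widget that updates itself cannot be pinned with an integrity hash at all, which is exactly the property that makes it a poor fit for a page that handles card numbers. The finding in that case is not “add a hash” but “move the widget off the payment page or isolate it,” which is the risk assessment the ICO found had not been done.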
- The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation issued an interagency paper titled “Sound Practices to Strengthen Operational Resilience.” The agencies stated the paper “generally describes standards for operational resilience set forth in the agencies’ existing rules and guidance for domestic banking organizations that have average total consolidated assets greater than or equal to (1) $250 billion or (2) $100 billion and have $75 billion or more in average cross-jurisdictional activity, average weighted short-term wholesale funding, average nonbank assets, or average off-balance-sheet exposure.” The agencies explained the paper also:
- promotes a principles-based approach for effective governance, robust scenario analysis, secure and resilient information systems, and thorough surveillance and reporting.
- includes an appendix focused on sound practices for managing cyber risk.
- In the appendix, while the agencies stressed they could not “endorse the use of any particular tool,” they did state:
- To manage cyber risk and assess cybersecurity preparedness of its critical operations, core business lines and other operations, services, and functions firms may choose to use standardized tools that are aligned with common industry standards and best practices. Some of the tools that firms can choose from include the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool, the National Institute of Standards and Technology Cybersecurity Framework (NIST), the Center for Internet Security Critical Security Controls, and the Financial Services Sector Coordinating Council Cybersecurity Profile.
- A class action was filed in the United Kingdom (UK) against Facebook over the Cambridge Analytica scandal. Facebook You Owe Us announced its legal action “for the illegal use of one million users’ data in England and Wales.” The campaign claimed:
- Group legal actions like Facebook You Owe Us will pave the way for consumers in the UK to gain redress and compensation for the persistent mass misuse of personal data by the world’s largest companies.
- Facebook has exhibited a pattern of unethical behaviour including allegations of election interference and failing to remove fake news. The Information Commissioner’s Office noted when issuing a £500,000 fine against Facebook for the Cambridge Analytica data breach that “protection of personal information and personal privacy is of fundamental importance, not only for the rights of individuals, but also as we now know, for the preservation of a strong democracy.” Facebook You Owe Us aims to fight back by holding the company to account for failing to protect Facebook users’ personal data and showing that Facebook is not above the law.
- The launch of Facebook You Owe Us follows Google You Owe Us’ victory in the Court of Appeal. The Google You Owe Us case has been appealed by Google and is now scheduled to be heard before the Supreme Court in April 2021. If successful, the case will demonstrate that personal data is of value to individuals and that companies cannot simply take it and profit from it illegally. Both cases are led by James Oldnall at Milberg London LLP, with Richard Lloyd, the former executive director of Which?.
Coming Events
- On 18 November, the Senate Homeland Security and Governmental Affairs Committee’s Regulatory Affairs and Federal Management Subcommittee will hold a hearing on how to modernize telework in light of what was learned during the COVID-19 pandemic.
- On 18 November, the Federal Communications Commission (FCC) will hold an open meeting and has released a tentative agenda:
- Modernizing the 5.9 GHz Band. The Commission will consider a First Report and Order, Further Notice of Proposed Rulemaking, and Order of Proposed Modification that would adopt rules to repurpose 45 megahertz of spectrum in the 5.850-5.895 GHz band for unlicensed operations, retain 30 megahertz of spectrum in the 5.895-5.925 GHz band for the Intelligent Transportation Systems (ITS) service, and require the transition of the ITS radio service standard from Dedicated Short-Range Communications technology to Cellular Vehicle-to-Everything technology. (ET Docket No. 19-138)
- Further Streamlining of Satellite Regulations. The Commission will consider a Report and Order that would streamline its satellite licensing rules by creating an optional framework for authorizing space stations and blanket-licensed earth stations through a unified license. (IB Docket No. 18-314)
- Facilitating Next Generation Fixed-Satellite Services in the 17 GHz Band. The Commission will consider a Notice of Proposed Rulemaking that would propose to add a new allocation in the 17.3-17.8 GHz band for Fixed-Satellite Service space-to-Earth downlinks and to adopt associated technical rules. (IB Docket No. 20-330)
- Expanding the Contribution Base for Accessible Communications Services. The Commission will consider a Notice of Proposed Rulemaking that would propose expansion of the Telecommunications Relay Services (TRS) Fund contribution base for supporting Video Relay Service (VRS) and Internet Protocol Relay Service (IP Relay) to include intrastate telecommunications revenue, as a way of strengthening the funding base for these forms of TRS and making it more equitable without increasing the size of the Fund itself. (CG Docket Nos. 03-123, 10-51, 12-38)
- Revising Rules for Resolution of Program Carriage Complaints. The Commission will consider a Report and Order that would modify the Commission’s rules governing the resolution of program carriage disputes between video programming vendors and multichannel video programming distributors. (MB Docket Nos. 20-70, 17-105, 11-131)
- Enforcement Bureau Action. The Commission will consider an enforcement action.
- On 27 November, the European Data Protection Board (EDPB) “is organising a remote stakeholder workshop on the topic of Legitimate Interest.” The EDPB explained “[p]laces will be allocated on a first come, first served basis, depending on availability.”
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.