Further Reading, Other Developments, and Coming Events (10 February 2021)

Further Reading

  • A Hacker Tried to Poison a Florida City’s Water Supply, Officials Say” By Andy Greenberg — WIRED. Given the fact that most water and sewage systems are linked to the internet, even their operational systems, it is surprising these sorts of incidents do not occur more frequently.
  • UK regulator to write to WhatsApp over Facebook data sharing” By Alex Hern — The Guardian. The United Kingdom’s (UK) Information Commissioner Elizabeth Denham said her agency will be pressing Facebook to keep the data its subsidiary, WhatsApp, separate. Now that the UK has exited the European Union, it is no longer bound by the EU‘s system which made Ireland’s Data Protection Commission the lead regulator on Facebook and WhatsApp. And so, WhatsApp’s 2017 commitment not to hand over user data to Facebook until it was compliant with the General Data Protection Regulation (GDPR) falls to the ICO to oversee in the UK.
  • Telegram, Pro-Democracy Tool, Struggles Over New Fans From Far Right” By Michael Schwirtz — The New York Times. The same features that makes messaging app Telegram ideal for warding off attacks by authoritarian regimes to shut down communication makes the platform ideal for right-wing extremists in the United States (U.S.) Federal and state authorities may see their attempts to track and monitor domestic terrorism hit the same roadblocks that foiled Moscow and Tehran’s attempts to crack down on Telegram. The platform uses end-to-end encrypted communications and has servers all over the world.
  • Exclusive: The end of the Maher era at Wikipedia” By Felix Salmon — Axios. The CEO who revitalized Wikimedia is leaving the organization stronger than she found it.
  • After Defending Its Low-Cost Internet Offering, Comcast Agrees To Increase Speeds” By Caroline O’Donovan — BuzzFeed News. The bad publicity seems to have worked on Comcast as the company is now meeting most of the demands of activists, students, and officials by increasing the speed of its low cost broadband option. Comcast said the changes will take effect on 1 March.

Other Developments

  • The Federal Communications Commission (FCC) announced that it is “seeking comment on several petitions requesting permission to use E-Rate program funds to support remote learning during the pandemic.” Comments are due by 16 February and reply comments are due by 23 February. The FCC explained:
    • Today’s Public Notice from the FCC’s Wireline Competition Bureau highlights three petitions that cover the bulk of issues presented in other petitions filed with the Commission.  These include petitions filed by a coalition of E-Rate stakeholders led by the Schools, Health & Libraries Broadband (SHLB) Coalition; a petition filed on behalf of the State of Colorado; and a petition filed by the State of Nevada, Nevada Board of Education and Nevada Department of Education. 
    • The FCC noted:
      • The E-Rate program was authorized by Congress as part of the Telecommunications Act of 1996 (the Telecommunications Act), and created by the Commission in 1997 to, among other things, enhance, to the extent technically feasible and economically reasonable, access to advanced telecommunications and information services for all public and nonprofit elementary and secondary schools and libraries. Under the E-Rate program, eligible schools, libraries, and consortia (comprised of eligible schools and libraries) may request universal service discounts for eligible services and/or equipment (collectively, eligible services), including connections necessary to support broadband connectivity to eligible schools and libraries. Eligible services must be used “primarily for educational purposes.” In the case of schools, “educational purposes” is defined as “activities that are integral, immediate, and proximate to the education of students. In the case of libraries, “educational purposes” is defined as activities that are “integral, immediate, and proximate to the provision of library services to library patrons.”
      • As the pandemic continues to force schools and libraries across the country to remain closed and rely on remote learning and virtual services, either in whole or in part, the need for broadband connections—particularly for those students, teachers, staff, and patrons that lack an adequate connection at home—is more critical than ever.  Eligible schools and libraries explain that they are hampered in their ability to address the connectivity needs brought on, and in many cases exacerbated, by COVID-19 because of the restrictions on off-campus use of E-Rate-funded services and facilities.   Last spring, as the COVID-19 pandemic forced schools and libraries to grapple with the challenges of transitioning to remote learning, the FCC began to receive requests for emergency relief aimed at ensuring that all students have sufficient connectivity at home.
  • The European Commission’s President appealed to the United States (U.S.) in joining the European Union to jointly regulate technology. At the Davos Agenda, EC President Ursula von der Leyen made remarks, a significant portion of which focused on technological issues and the European Union’s (EU) proposals, the Digital Services Act and Digital Markets Act. It is unclear to extent to which the new administration in Washington will be willing to work with the EU. Undoubtedly, the Biden Administration will interpret a number of EU policies and decisions as being implicitly aimed at the U.S. technology sector but there may be common ground. Von der Leyen stated:
    • A year ago at Davos, we talked also intensively about digitalisation. The pandemic has massively accelerated the process. The European Union will dedicate 20% of NextGenerationEU to digital projects. To nurture innovative ecosystems, for example where universities, companies, innovators can access data and cooperate. To boost the vibrant start-up scene we have in cities like Sofia and Lisbon and to become a global hub for Artificial Intelligence. So that the 2020s can finally be Europe’s Digital Decade.
    • But for this to be a success, we must also address the darker sides of the digital world. Like for so many of us, the storming of the Capitol came as a shock to me. We are always quick to say: Democracy and values, they are part of our DNA. And that is true. But we must nurture our democracy every day, and defend our institutions against the corrosive power of hate speech, of disinformation, fake news and incitement to violence. In a world where polarising opinions are the loudest, it is a short step from crude conspiracy theories to the death of a police officer. Unfortunately, the storming of the Capitol Hill showed us how just true that is.
    • The business model of online platforms has an impact – and not only on free and fair competition, but also on our democracies, our security and on the quality of our information. That is why we need to contain this immense power of the big digital companies. Because we want the values we cherish in the offline world also to be respected online. At its most basic, this means that what is illegal offline should be illegal online too. And we want the platforms to be transparent about how their algorithms work. Because we cannot accept that decisions, that have a far-reaching impact on our democracy, are taken by computer programmes alone.
    • Right after von der Leyen addressed the unease she and others felt about the U.S. President’s freedom of expression being abridged because of a company’s rules outside of any controlling legal framework, she stated:
      • I want to invite our friends in the United States to join our initiatives. Together, we could create a digital economy rulebook that is valid worldwide: It goes from data protection and privacy to the security of critical infrastructure. A body of rules based on our values: Human rights and pluralism, inclusion and the protection of privacy. So Europe stands ready.
      • The challenges to our democracy, the pandemic, climate change – in his inauguration speech President Joe Biden so aptly spoke of a Cascade of Crises. And indeed, we face an outstanding set of challenges. But we can meet them – if we work together. That is what we all have to learn again after four long years. That it is not a sign of weakness, to reach out and help each other, but a signal of strength.
  • Consumer Reports tried to become an authorized agent under the “California Consumer Privacy Act” (CCPA) (AB 375) to make do not sell personal data requests or opt out requests. The CCPA was designed to allow California residents to use services that would handle these preferences on a global scale. In their report on the pilot program, Consumer Reports concluded:
    • Unfortunately, too many companies have made it difficult, if not impossible, for agents and consumers to submit opt-out requests. The AG should enforce companies’ compliance with the law so that the authorized agent provisions work as intended. Moreover, the AG should promulgate additional common-sense rules to make sure that opt outs are simple and effective, even when submitted by an authorized agent.
    • Consumer Reports made these recommendations:
      • The AG should hold companies accountable when they violate the law. The AG needs to hold companies accountable for failure to comply with the CCPA’s authorized agent provisions. Without a viable authorized agent option, consumers could be left to navigate complicated processes or interfaces in order to exercise their California privacy rights themselves. Enforcement will help ensure that companies work harder to make sure that they have appropriate agent flows. The AG should also step in when customer service isn’t effective, and should consider directing enforcement resources to encourage better training in this area.
      • The AG should clarify that data shared for cross-context targeted advertising is a sale, and tighten the restrictions on service providers. Many companies have exploited ambiguities in the definition of sale and the rules surrounding service providers to ignore consumers’ requests to opt out of behavioral advertising. While the newly-passed California Privacy Rights Act will largely address these loopholes, these provisions will not go into effect until January 1, 2023. Thus, the AG should exercise its broad authority to issue rules to clarify that the transfer of data between unrelated companies for any commercial purpose falls under the definition of sale. Another common way for companies to avoid honoring consumers’ right to opt out of behavioral advertising is by claiming a service provider exemption. For example, the Interactive Advertising Bureau (IAB), a trade group that represents the ad tech industry, developed a framework for companies to evade the opt out by abusing a provision in the CCPA meant to permit a company to perform certain limited services on its behalf. To address this problem, the AG should clarify that companies cannot transfer data to service providers for behavioral advertising if the consumer has opted out of sale.
      • The AG should prohibit dark patterns as outlined in the Third Set of Proposed Modifications. We appreciate that the AG has proposed to “require minimal steps to allow the consumer to opt-out” and to prohibit dark patterns, “a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s choice to opt-out[,]” in the Third Set of Proposed Modifications to the CCPA Regulations. This proposal should be finalized as quickly as possible. This is essential, given the difficulties that authorized agents and consumers have experienced in attempting to stop the sale of their information, as demonstrated in the study.
      • The AG should require companies to notify agents when the opt-out request has been received and when it has been honored. Too often, the company provided no information on whether or not the opt-out request had been honored. While the CCPA rules require companies to notify consumers if an opt-out request has been rejected, there is no requirement to provide notice of receipt, or notice of confirmation—nor is there guidance on how to respond to opt-out requests when the company does not possess the consumer’s data. The authorized agent was, in some cases, unable to explain to the consumer whether not the opt-out process had been completed. To ensure that the authorized agent service is effective, companies must be required to provide notification upon receipt and completion of the opt-out request. Required notification is also important for compliance purposes. For example, the regulations require companies to comply with opt outs within 15 business days. Without providing adequate notification, there’s no way to judge whether or not the company has honored the law and to hold them accountable if not. Further, if the company does sell consumers’ personal information, but does not have personal information about the consumer who is the subject of the request, the company should be required to notify the agent that the request has been received, and that the company will honor the opt out if and when they do collect the consumer’s data. In the case of an agent opt out, the notification should go to the agent. Otherwise, the consumer could end up getting emails from hundreds, if not thousands, of different companies.
      • The AG should clarify that if an agent inadvertently submits a request incorrectly, the company should either accept it or inform the agent how to submit it appropriately. The regulations provide helpful guidance with respect to consumer access and deletion requests, which ensures that even if a consumer inadvertently submits a request incorrectly, there is a process in place to help them submit it properly. If a consumer submits a request in a manner that is not one of the designated methods of submission, or is deficient in some manner unrelated to the verification process, the business shall either: (1) Treat the request as if it had been submitted in accordance with the business’s designated manner, or (2) Provide the consumer with information on how to submit the request or remedy any deficiencies with the request, if applicable. The AG should clarify that this guidance applies to all authorized agent-submitted requests as well.
  • The Government Accountability Office (GAO) assessed the Department of Defense’s (DOD) efforts to transition to a more secure version of the Global Positioning System (GPS), an initiative that spans back to the administration of former President George W. Bush. The GAO stated “due to the complexity of the technology, M-code remains years away from being widely fielded across DOD. M-code-capable receiver equipment includes different components, and the development and manufacture of each is key to the modernization effort. These include:
    • special M-code application-specific integrated circuit chips,
    • special M-code receiver cards, being developed under the Air Force Military GPS User Equipment (MGUE) programs, and
    • the next generation of GPS receivers capable of using M-code signals from GPS satellites.
    • The GAO added:
      • DOD will need to integrate all of these components into different types of weapon systems… Integration across DOD will be a considerable effort involving hundreds of different weapon systems, including some with complex and unique integration needs or configurations.
    • The GAO further asserted:
      • The Air Force is almost finished—approximately one year behind schedule— developing and testing one M-code card for testing on the Marine Corps Joint Light Tactical Vehicle and the Army Stryker vehicle. However, one card intended for use in aircraft and ships is significantly delayed and missed key program deadlines. The Air Force is revising its schedule for testing this card.
      • The M-code card development delays have had ripple effects on GPS receiver modernization efforts and the weapon systems that intend to use them.
  • The advocate who brought the cases that brought down both the Safe Harbor and Privacy Shield agreements between the United States (U.S.) and European Union (EU) announced that Ireland’s Data Protection Commission (DPC) has agreed to finally decide on the legality of Facebook’s data transfers to the U.S. that gave rise to both lawsuits. In a press release, none of your business (noyb). Last fall, noyb announced “[t]he Irish High Court has granted leave for a “Judicial Review” against the Irish DPC today…[and] [t]he legal action by noyb aims to swiftly implement the [Court of Justice for the European Union (CJEU)] Decision prohibiting Facebook’s” transfer of personal data from the European Union to the United States (U.S.)” In September 2020, after the DPC directed Facebook to stop transferring the personal data of European Union citizens to the U.S., the company filed suit in Ireland’s court to stop enforcement of the order and succeeded in staying the matter until the court rules on the merits of the challenge.
    • In explaining the most recent development, noyb further asserted:
      • The DPC has agreed with Max Schrems’ demand to swiftly end a 7.5 year battle over EU-US data transfers by Facebook and come to a decision on Facebook’s EU-US data flows. This only came after a Judicial Review against the DPC was filed by Mr Schrems. The case would have been heard by the Irish High Court today.
      • New “own volition” procedure blocked pending complaint from 2013. The Irish DPC oversees the European operations of Facebook. In Summer 2020 the European Court of Justice (CJEU) ruled on a complaint by Mr Schrems that had been pending since 2013 and came before the CJEU for the second time (“Schrems II”): Under the CJEU judgment the DPC must stop Facebook’s EU-US data flows over extreme US Surveillance Laws (like FISA 702). Instead of implementing this ruling, the DPC started a new “own volition” case and paused the original procedure for an indefinite time. Mr Schrems and Facebook brought two Judicial Review procedures against the DPC: While Facebook argued in December that the “own volition” procedure should not go ahead, Mr Schrems argued that his complaints procedure should be heard independently of the “own volition” case.
      • Walls are closing in on Facebook’s EU-US data transfers. The DPC has now settled the second Judicial Review with Mr Schrems just a day before the hearing was to take place, and pledged to finalize his complaints procedure swiftly.
      • As part of the settlement, Mr Schrems will also be heard in the “own volition” procedure and get access to all submissions made by Facebook, should the Court allow the “own volition” investigation to go ahead. Mr Schrems and the DPC further agreed that the case will be dealt with under the GDPR, not the Irish Data Protection Act that was applicable before 2018. The DPC may await the High Court judgement in Facebook’s Judicial Review before investigating the original complaint.
      • This agreement could in essence make the original complaints procedure from 2013 the case that ultimately determines the destiny of Facebook’s EU-US transfers in the wake of the Snowden disclosures. Under the GDPR the DPC has every liberty to issue fines of up to 4% pf Facebook’s global turnover and transfer prohibitions, even on the basis of this individual case.
  • The Information Technology Industry Council (ITI), BSA | The Software Alliance, Internet Association, Computer and Communications Industry Association, and the National Foreign Trade Council made recommendations to the Biden Administration on technology policy and asserted in their press release:
    • Prioritize strategic engagement with U.S. trading partners by ensuring continued protected transatlantic data flows, establishing a U.S.-EU Trade & Technology Council, engaging China through prioritization of digital and technology issues, broadening U.S. engagement and leadership in the Asia-Pacific region, addressing key barriers to digital trade with India, and providing capacity building assistance to the African Union;
    • Promote U.S. competitiveness through leadership on digital trade by countering unilateral, targeted digital taxes, building acceptance of state-of-the-art digital trade commitments, promoting workforce development initiatives globally, and more; and
    • Reassert U.S. multilateral leadership by strengthening and leveraging engagement in global fora such as the WTO, OECD, United Nations, G20, G7, APEC, and others, and by expanding existing plurilateral trade agreements.
  • A group of civil rights organizations and public interest organizations issued “Civil Rights, Privacy, and Technology: Recommended 2021 Oversight Priorities for the 117th Congress” that builds upon the October 2020 Civil Rights Principles for the Era of Big Data. These groups stated:
    • The 117th Congress must take action to ensure that technology serves all people in the United States, rather than facilitating discrimination or reinforcing existing inequities.
    • They cited the following areas of policy that need to be addressed:
      • Broadband Internet
      • Democracy: Voting, the Census, and Hateful Content Online
      • Policing and Justice
      • Immigration Surveillance Technology
      • Commercial Data Practices and Privacy
      • Workers, Labor, and Hiring
  • The United Kingdom’s (UK) Information Commissioner Elizabeth Denham sketched out how she is approaching her final year in office in a blog post. Denham stated:
    • The ICO’s immediate focus remains supporting organisations through the impacts of COVID 19. We have prioritised providing advice and support on data protection related aspects of the pandemic since the start, and will continue to do so, adjusting and responding to the new challenges the country will face until, well, ‘all this is finished’. That work includes protecting people’s rights, and making sure data protection is considered at the earliest stage of any innovations.
    • The Age Appropriate Design Code will start to have a real impact, as the transition period around its introduction comes to an end, and we will be working hard to support organisations to make the necessary changes to comply with the law.
    • We’ll also be focused on supporting organisations around data sharing, following the publication of our guidance last month. The guidance is accompanied by practical resources to help organisations share data in line with the law. As I discussed with the House of Lords Public Services Committee this month, data sharing is an important area of focus, and we will also be supporting broader work to encourage the necessary culture change to remove obstacles to data sharing.
    • Other support for organisations planned for this year includes guidance on political campaigning, facial recognition, and codes of conduct and certification schemes, as well as a digital version of our Data Protection Practitioners’ Conference in April. We’ll also have the latest phases of our grants scheme and sandbox programme. Both are an effective way of the ICO supporting original thinking around privacy, illustrated by the innovative data sharing projects we’ve recently worked with.
    • Our operational work will also continue, including the latest phases of our work looking at data broking, the use of sexual crime victims’ personal information, and adtech, including audits focused on digital marketing platforms.

Coming Events

  • On 10 February, the House Homeland Committee will hold a hearing titled “Homeland Cybersecurity: Assessing Cyber Threats and Building Resilience” with these witnesses:
    • Mr. Chris Krebs, Former Director, Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security
    • Ms. Sue Gordon, Former Principal Deputy Director of National Intelligence, Office of the Director of National Intelligence
    • Mr. Michael Daniel, President & CEO, Cyber Threat Alliance
    • Mr. Dmitri Alperovitch, Executive Chairman, Silverado Policy Accelerator
  • The House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold a hearing titled “Justice Restored: Ending Forced Arbitration and Protecting Fundamental Rights” on 11 February.
  • The Federal Communications Commission’s (FCC) acting Chair Jessica Rosenworcel will hold a virtual Roundtable on Emergency Broadband Benefit Program on 12 February “a new a program that would enable eligible households to receive a discount on the cost of broadband service and certain connected devices during the COVID-19 pandemic.” The FCC also noted “[i]n the Consolidated Appropriations Act of 2021, Congress appropriated $3.2 billion” for the program.
  • On 17 February, the Federal Communications Commission (FCC) will hold an open meeting, its first under acting Chair Jessica Rosenworcel, with this tentative agenda:
    • Presentation on the Emergency Broadband Benefit Program. The Commission will hear a presentation on the creation of an Emergency Broadband Benefit Program. Congress charged the FCC with developing a new $3.2 billion program to help Americans who are struggling to pay for internet service during the pandemic.
    • Presentation on COVID-19 Telehealth Program. The Commission will hear a presentation about the next steps for the agency’s COVID-19 Telehealth program. Congress recently provided an additional $249.95 million to support the FCC’s efforts to expand connected care throughout the country and help more patients receive health care safely.
    • Presentation on Improving Broadband Mapping Data. The Commission will hear a presentation on the work the agency is doing to improve its broadband maps. Congress directly appropriated $65 million to help the agency develop better data for improved maps.
    • Addressing 911 Fee Diversion. The Commission will consider a Notice of Proposed Rulemaking that would implement section 902 of the Don’t Break Up the T-Band Act of 2020, which requires the Commission to take action to help address the diversion of 911 fees by states and other jurisdictions for purposes unrelated to 911. (PS Docket Nos. 20-291, 09-14)
    • Implementing the Secure and Trusted Communications Networks Act. The Commission will consider a Third Further Notice of Proposed Rulemaking that proposes to modify FCC rules consistent with changes that were made to the Secure and Trusted Communications Networks Act in the Consolidated Appropriations Act, 2021. (WC Docket No. 18-89)
  • On 27 July 2021, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Supushpitha Atapattu from Pexels

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s