Further Reading, Other Developments, and Coming Events (22, 23, 24, and 25 February 2021)

Further Reading

  • “The Long Hack: How China Exploited a U.S. Tech Supplier” By Jordan Robertson and Michael Riley — Bloomberg. This piece argues that the United States (U.S.) government knew of vulnerabilities in Super Micro Computer Inc.’s products that the People’s Republic of China (PRC) was exploiting but chose to keep them secret. This article follows an infamous 2018 Bloomberg BusinessWeek article alleging that Apple and Amazon had discovered malicious chips in Supermicro products, a claim all three and the U.S. vociferously denied. Allegedly the Federal Bureau of Investigation (FBI) has been investigating and monitoring in its counterintelligence capacity, mostly to learn what the PRC is capable of. U.S. security agencies warned some companies not to use Supermicro products, and some agencies, like the Department of Defense (DOD), instituted an ad hoc ban on the company’s products in classified systems. Apparently, the PRC used three sophisticated means of penetrating Supermicro products. Moreover, in a May 2019 Securities and Exchange Commission (SEC) filing, Supermicro admitted:
    • We experienced unauthorized intrusions into our network between 2011 and 2018. None of these intrusions, individually or in the aggregate, has had a material adverse effect on our business, operations, or products. We have taken steps to enhance the security of our network and computer systems but, despite these efforts, we may experience future intrusions, which could adversely affect our business, operations, or products. In addition, our hardware and software or third party components and software that we utilize in our products may contain defects in design or manufacture, including “bugs” and other problems that could unexpectedly interfere with the operation or security of the products.
  • “‘A managerial Mephistopheles’: inside the mind of Jeff Bezos” By Mark O’Connell — The Guardian. This long read contemplates what Amazon giveth and what Amazon taketh away from the vantage of the now former CEO’s writings.
  • “Anatomy of a conspiracy: With COVID, China took leading role” By Erika Kinetz — Associated Press. A detailed history on the People’s Republic of China’s extensive and effective propaganda campaign, much of it waged on social media, trying to pin COVID-19 on the United States.
  • “‘Mark Changed The Rules’: How Facebook Went Easy On Alex Jones And Other Right-Wing Figures” By Ryan Mac and Craig Silverman — BuzzFeed News. Another disquieting view into Facebook from BuzzFeed News. The reporters draw a straight line from CEO Mark Zuckerberg softening a ban on Alex Jones-related content to the insurrection on 6 January 2021. Moreover, as has been reported many times, Vice President Joel Kaplan’s influence has consistently made the platform much more lenient on conservative figures and content, including many extremists.
  • “China Censors the Internet. So Why Doesn’t Russia?” By Anton Troianovski — The New York Times. Unlike the People’s Republic of China, which never let the genie of a free and open internet out of the bottle, Russia is vainly trying to get the genie back in. The efforts of President Vladimir Putin and his government to crack down on online speech they do not like have mostly failed. But they are trying methods other than simply blocking the outside world that prove effective.
  • “How Chrome, Firefox, and Safari are stopping supercookies” By Shubham Agarwal — Fast Company. As soon as browsers find ways to combat abusive cookies, largely through their removal, the online advertising industry hatches a new way of tracking people across the internet: so-called super cookies that often cannot be removed from one’s device. However, the Mozillas of the world are making progress on ways to defeat super cookies, which undoubtedly has already prompted the advertising industry to conjure new means of tracking people.
  • “Facebook knew ad metrics were inflated, but ignored the problem, lawsuit claims” By Megan Graham — CNBC; “Facebook’s Sheryl Sandberg Knew About Inflated Ad-Reach Figures for Years, Lawsuit Claims” By Todd Spangler — Variety. A small business alleged in its latest filing in its lawsuit against Facebook that top executives, including Chief Operating Officer Sheryl Sandberg, knew the company was overestimating the potential reach of ads but still pitched wrong figures to potential ad buyers. This suit was filed in August 2018 in federal court in California and is seeking class action status. This is not the first time Facebook has been accused of inflating the number of people who may see an advertisement. Last year, Facebook settled claims it had “misled [advertisers] about viewer engagement of video ads by using inflated video-viewing metrics” by paying out $40 million. In its filing this month, the plaintiffs in the new suit argued:
    • Facebook knew for years its Potential Reach was inflated and misleading. While Facebook brushed aside Plaintiffs’ allegations here, years ago it admitted the VAB report – relied upon in Plaintiffs’ Complaint – “has the order of magnitude in inflation correct.” Facebook knew the problem was largely due to fake and duplicate accounts, but the company made a “deliberate decision” not to remove duplicate or fake accounts from Potential Reach. And senior executives blocked employees from fixing the problem, because it believed the “revenue impact [would be] significant.”
    • Facebook knew it was wrong. As the product manager for Potential Reach put it: “it’s revenue we should have never made given the fact it’s based on wrong data.” Another employee stated “[t]he status quo in ad Reach estimation and reporting is deeply wrong.” The only question was, “[h]ow long can we get away with the reach overestimation.” After learning these facts, Plaintiffs amended their complaint to add claims for fraud and a request for punitive damages, because Facebook’s officers engaged in or ratified conduct despicable under California law.
  • “Amazon’s Great Labor Awakening” By Erika Hayasaki — The New York Times. A comprehensive look at Amazon’s labor practices through the eyes of workers at a California facility, which they allege, with reason, are inhumane and anti-labor. For example, the company only started taking steps to combat COVID-19 at its facilities well after the beginning of the epidemic amidst negative publicity and unrest among its work force.
  • “SolarWinds hackers studied Microsoft source code for authentication and email” By Joseph Menn — Reuters. More details about the Russian Federation’s hack of United States (U.S.) government agencies and private sector companies. Microsoft has revealed that not only did intruders view source code for a number of its products like Azure and Exchange, but they are now saying “there was additional access, including in some cases, downloading component source code.” Microsoft insists that none of its source code was used by hackers to attack agencies and companies while leaving open the possibility that some of its resellers may have been used thusly. I suspect this is not the last that will be heard about Microsoft’s security practices and their role in the hack. Incidentally, I highly recommend the 26 January episode of The Verge’s Decoder podcast with the author of this piece dedicated to the SVR hack.
  • “Twenty-Six Words Created the Internet. What Will It Take to Save It?” By Stephen Engelberg — ProPublica. An interview with the lawyer and professor who wrote the history on 47 USC 230 (Section 230) that illuminates the policy backdrop and genesis of this now controversial provision. He makes the case that until stakeholders can arrive at a shared definition of the problems with Section 230, any fixes will likely be Frankenstein bills pieced together from conflicting legislation with an eye toward passage and not coherence.
  • “Deepfake porn is ruining women’s lives. Now the law may finally ban it.” By Karen Hao — MIT Technology Review. As a Motherboard writer predicted in 2017, deepfake porn is now being used on non-celebrity women with devastating effects to their health, well-being, careers, and lives. Those seeking to solve this growing problem of women having their face or image inserted into pornography are trying to convince policymakers in the United Kingdom (UK), United States (U.S.), and Europe to ban such deepfake porn. A key legal forum is close to making recommendations to the British parliament, while in the U.S. concerns about violating the free speech clause of the First Amendment have thus far precluded action. Only two U.S. states, California and Virginia, have provisions in their revenge porn laws that also ban faked and deepfake videos. This is a problem that is likely to only get worse, especially given the spotty compliance people get from platforms to remove abusive material generally.
  • “Major camera company can sort people by race, alert police when it spots Uighurs” By Johana Bhuiyan — Los Angeles Times. A company from the People’s Republic of China (PRC), Dahua, has developed and marketed facial recognition technology that can identify and filter on the basis of race. Critics claim this is because the PRC government is using this capability to locate, track, and oppress the Uighur minority. This technology is available and used in the United States despite Dahua being on the Entity List, which stops the company from buying most American products but does not stop U.S. entities from buying and using their services. There is a ban on using federal funds to buy Dahua’s services and products, but the article documents a California school district that spent hundreds of thousands of federally provided dollars on Dahua systems.
  • “Google Kicks Location Data Broker That Sold Muslim Prayer App User Data” By Joseph Cox — Motherboard. Google told application developers to remove location data broker Predicio from their offerings or face removal from the Google Play Store. Predicio is part of the data ecosystem that funnels location data to Venntel, a company that contracts with law enforcement agencies to give them location data. Motherboard has already detailed how Venntel has sold location data to Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP). In December, both Google and Apple banned a Predicio rival, X-Mode, from their app stores, threatening developers with banishment if they used their software development kit (SDK).
  • “Is This Beverly Hills Cop Playing Sublime’s ‘Santeria’ to Avoid Being Live-Streamed?” By Dexter Thomas — Motherboard. It appears some officers are trying to foil some people’s exercise of their First Amendment right to record police interactions by playing copyrighted songs. Once the video is posted or livestreamed, the rights holders may object, causing the video to be taken down.
  • “Fears over DNA privacy as 23andMe plans to go public in deal with Richard Branson” By Kari Paul — The Guardian. The firm that started out as a resource for people looking to research their heritage has transitioned to a company that can offer health care companies a library of DNA. And now 23andMe is teaming up with Richard Branson, giving rise to all sorts of privacy concerns about the DNA people have submitted to the company.
  • “New state privacy initiatives turn up heat on Congress” By Rebecca Klar and Chris Mills Rodrigo — The Hill. Undoubtedly the central thrust of this piece is true: with Virginia on the verge of enacting privacy legislation and others thinking of doing the same, Congress feels more pressure to enact federal privacy legislation. However, there is no hint of the White House’s position on either of the two issues that have held up a bill: preemption of state privacy laws and whether people can sue for violations (aka a private right of action). I have not seen much movement on those issues, and it may be that since most of the major stakeholders have largely been silent on privacy that there are serious talks happening away from the public view. I think it is more likely that higher priority items have taken the fore like the Biden Administration’s COVID-19 bill, and even in the tech space, there is much more heat around Section 230 than privacy. And, lest anyone forget, data breach/data security was one of the hot topics about ten years ago as almost every state had a different statute, a seemingly untenable situation that never resulted in legislation. The status quo is the same today and somehow companies can do business.
  • “Twitter Says It Won’t Block Journalists, Activists, And Politicians In India To Protect Free Speech” By Pranav Dixit — BuzzFeed News. A continuing free speech standoff in the world’s most populous democracy. In response to blocking orders issued by the Ministry of Electronics and Information Technology (MeitY), Twitter has decided to unblock some accounts it originally blocked. These accounts are those of “news media entities, journalists, activists, and politicians,” according to the company’s blog posting. However, the company is continuing to block some accounts inside India (with these accounts still presumably visible to the rest of the world) and is contemplating litigation (i.e., “exploring options under Indian law — both for Twitter and for the accounts that have been impacted.”) However, Twitter and its employees may be subjecting themselves to criminal liability, for the government in New Delhi could prosecute them for violating MeitY’s orders.
  • “Instagram bans Robert F. Kennedy Jr. over false vaccine, Covid claims” By Minyvonne Burke — NBC News. The anti-vaccine activist has been removed from Instagram for “repeatedly sharing debunked claims about the coronavirus or vaccines” according to a Facebook spokesperson. A few days earlier Facebook had announced an expansion of “efforts to remove false claims on Facebook and Instagram about COVID-19, COVID-19 vaccines and vaccines in general during the pandemic.” Kennedy claimed he was not posting false information and his being banned is a blow to the First Amendment. Thus far, Facebook has left his page up, however. One wonders if the two feeds were so different as to warrant a ban on one but not the other.
  • “A Clearview AI Patent Application Describes Facial Recognition For Dating, And Identifying Drug Users And Homeless People” By Caroline Haskins, Ryan Mac, and Brianna Sacks — BuzzFeed News. Even though Clearview AI has repeatedly said its facial recognition technology is intended only for law enforcement agencies, it filed a patent application last year with the United States government to enter the private sector in a number of markets. The patent application states “In many instances, it may be desirable for an individual to know more about a person that they meet, such as through business, dating, or other relationship,” which very much sounds like applications other than law enforcement purposes. Clearview AI CEO Hoan Ton-That asserted “[w]e applied for a patent because we believe we have made significant innovations in the field of facial recognition, especially regarding accuracy and the use of our large-scale database of publicly available facial images.” He added “Clearview AI is currently only used by law enforcement for after-the-crime investigations,” which does not definitively rule out future applications beyond law enforcement.
  • “There’s a Smarter Way to Make Tech Pay for News” By Will Oremus — OneZero. This piece provides an overview and critique of the various proposals other than Australia’s to help media in the social media age. Speaking of which, almost all the experts asked panned Australia’s law, saying it will most likely solidify the position of the incumbents in social media and in news media, an outcome not to be desired.

Other Developments

  • The National Institute of Standards and Technology (NIST) issued “the final NIST Interagency or Internal Report (NISTIR) 8323, Foundational PNT Profile: Applying the Cybersecurity Framework for the Responsible Use of Positioning, Navigation, and Timing (PNT) Services.” NIST stated “[t]he national and economic security of the United States (US) is dependent upon the reliable functioning of the nation’s critical infrastructure.”
    • NIST explained:
      • The PNT Profile was created by applying the NIST Cybersecurity Framework (CSF) to help organizations:
        • Identify systems dependent on PNT
        • Identify appropriate PNT sources
        • Detect disturbances and manipulation of PNT services
        • Manage the risk to these systems
      • The PNT Profile provides a flexible framework for users of PNT services to manage risks when forming and using PNT signals and data, which are susceptible to disruptions and manipulations that can be natural, manufactured, intentional, and unintentional. It was created by applying the NIST Cybersecurity Framework (CSF) [NIST CSF] and can be applied to all organizations that use PNT services, irrespective of the level of familiarity or knowledge that they have with the CSF. Organizations that have fully or partially adopted, or who have not adopted the CSF can benefit.
      • The PNT Profile is voluntary and does not: issue regulations, define mandatory practices, provide a checklist for compliance, or carry statutory authority. It is intended to be a foundational set of guidelines. Sector-specific agencies (SSAs) and entities may wish to augment or further develop their own PNT cybersecurity efforts via full or partial implementation of the recommended practices in this document. Any implementation of its recommendations will not necessarily protect organizations from all PNT disruption or manipulation. Each organization is encouraged to make their risk management decisions in the context of their own cyber ecosystem, architecture, and components. The PNT Profile’s strategic focus is to supplement preexisting resilience measures and elevate the postures of less mature initiatives.
  • The European Parliament’s Panel for the Future of Science and Technology (STOA) issued a study it commissioned on the liability of online platforms. STOA explained “[g]iven the central role that online platforms (OPs) play in the digital economy, questions arise about their responsibility in relation to illegal/harmful content or products hosted in the frame of their operation.”
    • The researchers who drafted the study explained:
      • the study reviews the main legal/regulatory challenges associated with the operation of OPs and analyses the incentives for OPs, their users and third parties, to detect and remove illegal/harmful and dangerous material, content and/or products. To create a functional classification which can be used for regulatory purposes, it discusses the notion of OPs and attempts to categorise them under multiple criteria. The study then maps and critically assesses the whole range of OP liabilities, taking hard and soft law, self-regulation, as well as national legislation into consideration. To do so, the study distinguishes between liabilities connected with the activities performed or the content uploaded by OP users – from the liability exemptions established by the e-Commerce Directive, to the sectoral rules provided in media law, intellectual property (IP) law, product safety and product liability, protection of minors, hate speech, disinformation and voting manipulation, terrorist activities – and alternative sources of liability, such as OPs’ contractual liability towards users, both businesses and consumers, as well as that deriving from infringements of privacy and data protection law.
      • Finally, the study drafts policy options for an efficient EU liability regime: (i) maintaining the status quo; (ii) awareness-raising and media literacy; (iii) promoting self-regulation; (iv) establishing co-regulation mechanisms and tools; (v) adopting statutory legislation; (vi) modifying OPs’ secondary liability by employing two different models – (a) by clarifying the conditions for liability exemptions under e-Commerce Directive, or (b) by establishing a harmonised regime of liability.
  • The European Union Agency for Cybersecurity (ENISA) published “two reports on cryptography: one on the progress of post-quantum cryptography standardisation, and the other on exploring the technologies under the hood of crypto-assets.”
    • In “Post-Quantum Cryptography: Current state and quantum mitigation,” ENISA stated
      • Given the recent developments in the Quantum Computing race among industries and nation states, it seems prudent for Europe to start considering mitigation strategies now. The EU Cybersecurity Agency is not alone in this line of thought. Other authorities and EU Institutions have also raised concerns; for instance, the European Data Protection Supervisor has highlighted the dangers against data protection, national authorities have been investigating and preparing; e.g., the German Federal Office for Information Security has been evaluating Post-Quantum alternatives since before the launch of NIST’s standardisation process.
      • This study provides an overview of the current state of play on the standardisation process of Post-Quantum Cryptography (PQC). It introduces a framework to analyse existing proposals, considering five (5) main families of PQC algorithms; viz. code-based, isogeny-based, hash-based, lattice-based and multivariate-based. It then goes on to describe the NIST Round 3 finalists for encryption and signature schemes, as well as the alternative candidate schemes. For which, key information on cryptodesign, implementation considerations, known cryptanalysis efforts, and advantages & disadvantages is provided.
      • Since the NIST standardisation process is ongoing, the report makes no claim on the superiority of one proposal against another. In most cases the safest transition strategy involves waiting for national authorities to standardise PQC algorithms and provide a transition path. There might be cases though where the quantum risk is not tolerated, in which case the last chapter offers 2 proposals that system owners can implement now in order to protect the confidentiality of their data against a quantum capable attacker; namely hybrid implementations that use a combination of pre-quantum and post-quantum schemes, and the mixing of preshared keys into all keys established via public-key cryptography. These solutions come at a cost and as such system designers are well advised to perform a thorough risk and cost-benefit analysis.
    • In “Crypto Assets: Introduction to Digital Currencies and Distributed Ledger Technologies,” ENISA asserted:
      • The European Commission on the 24th September 2020 adopted a comprehensive package of legislative proposals for the regulation of crypto-assets, updating relevant financial market rules, and is moving forward with a Pan-European blockchain regulatory sandbox facility to test innovative solutions and identify obstacles that arise in using Distributed Ledger Technologies (DLTs) in the trading and post trading of securities. Crypto-assets may qualify as “financial instruments”, in which case they fall under the Markets in Financial Instruments Directive (e.g.: tokenised equities or tokenised bonds). But there are also types that do not qualify as “financial instruments”, such as utility tokens or payment tokens, generally referred to as digital currencies. Further, digital currencies when based on DLTs, like the Blockchain, are usually called cryptocurrencies; as opposed to centralized digital currencies.
      • These timely policy initiatives make evident that crypto-assets are a playground of not only technical, but also financial innovation that demands scrutiny in all its aspects. With this first introductory study focusing on the rise of cryptocurrencies & DLT, the European Union Agency for CyberSecurity is launching a series of information security studies in the area of crypto-assets to support policy-makers and raise awareness on the arising security and data protection.
      • The creation of BitCoin by Nakamoto [Nak08] in 2008 created a flurry of interest in so-called ‘digital currencies’. The basic ideas of a blockchain, a consensus mechanism, and operations on a public ledger have potentially wide application outside of the narrow confines of creating a digital currency.
      • The technological ideas behind such distributed ledger technologies go back to way before 2008, often to the 1970s. What digital ledger technologies do is bring various technical components such as digital signatures, cryptographic hash functions, Merkle-Trees, consensus mechanisms, zero-knowledge proofs, secret sharing, together into an interesting combination which can address a number of application needs.
      • However, the hype behind such technologies understandably also creates unrealistic expectations as to what problems the technology can solve. This has led to a common quote of ‘If you think your problem can be solved by blockchain, then you do not understand your problem’. This report aims to increase the understanding of blockchain technologies. It aims to explain the underlying technical concepts and how they relate to each other. The goal is to explain the components, and illustrate their use by pointing to deployed instances where the ideas are utilized.
  • A United States (U.S.) appeals court reversed a lower court’s ruling that suspicionless searches could not be conducted at the U.S. border or at ports of entry. The United States Court of Appeals for the First Circuit (First Circuit) overturned a district court and hewed to rulings handed down by other circuits.
    • The First Circuit explained:
      • Plaintiffs bring a civil action seeking to enjoin current policies which govern searches of electronic devices at this country’s borders. They argue that these border search policies violate the Fourth and First Amendments both facially and as applied. The policies each allow border agents to perform “basic” searches of electronic devices without reasonable suspicion and “advanced” searches only with reasonable suspicion.
    • The First Circuit held:
      • In these cross-appeals we conclude that the challenged border search policies, both on their face and as applied to the two plaintiffs who were subject to these policies, are within permissible constitutional grounds. We find no violations of either the Fourth Amendment or the First Amendment. While this court apparently is the first circuit court to address these questions in a civil action, several of our sister circuits have addressed similar questions in criminal proceedings prosecuted by the United States. We join the Eleventh Circuit in holding that advanced searches of electronic devices at the border do not require a warrant or probable cause. United States v. Vergara, 884 F.3d 1309, 1311-12 (11th Cir. 2018). We also join the Ninth and Eleventh Circuits in holding that basic border searches of electronic devices are routine searches that may be performed without reasonable suspicion. United States v. Cano, 934 F.3d 1002, 1016 (9th Cir. 2019), petition for cert. filed (Jan. 29, 2021) (No. 20-1043); United States v. Touset, 890 F.3d 1227, 1233 (11th Cir. 2018). We also hold the district court erroneously narrowed the scope of permissible searches of such equipment at the border.
    • In November 2019, a U.S. District Court held that U.S. Customs and Border Protection (CBP) and U.S. Immigration and Customs Enforcement’s (ICE) current practices for searches of smartphones and computers at the U.S. border are unconstitutional and the agency must have reasonable suspicion before conducting such a search. However, the Court declined the plaintiffs’ request that the information taken off of their devices be expunged by the agencies. This ruling follows a Department of Homeland Security Office of the Inspector General (OIG) report that found CBP “did not always conduct searches of electronic devices at U.S. ports of entry according to its Standard Operating Procedures” and asserted that “[t]hese deficiencies in supervision, guidance, and equipment management, combined with a lack of performance measures, limit [CBP’s] ability to detect and deter illegal activities related to terrorism; national security; human, drug, and bulk cash smuggling; and child pornography.”
    • The case was brought by the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) on behalf of 10 U.S. citizens and one legal permanent resident who had had their phones and computers searched by CBP or ICE agents upon entering the U.S., typically at airports. The ACLU argued these searches violated the Fourth Amendment because the agents did not obtain search warrants before conducting the searches of the devices for contraband. The plaintiffs further alleged the searches violated the First Amendment because “warrantless searches of travelers’ electronic devices unconstitutionally chill the exercise of speech and associational rights” according to their complaint. The agencies claimed that such searches require neither a warrant nor probable cause and that the First Amendment claim held no water, a position a number of federal appeals courts have held.
  • The Cybersecurity and Infrastructure Security Agency (CISA) announced a six-month extension of the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force. CISA stated:
    • In December of last year, the Task Force released its Year 2 Report, which built off previous work completed in year one. It showcased the collective ongoing efforts of five working groups within the Task Force to address challenges to information sharing, threat analysis, qualified bidder and qualified manufacturer lists, vendor attestation, and impacts from COVID-19 on supply chains.
    • The extension of the Task Force will allow working groups to continue their work as outlined in the Year 2 Report, to include the release of specific reports, including the latest Working Group 2 Threat Scenarios Report, as well as other upcoming working group products. It will also ensure both government and industry members can continue to collaborate on other ongoing public-private engagement efforts around supply chain and support the Federal Acquisition Security Council (FASC).
    • Over the next six months, through July 2021, the Task Force will continue to explore means for building partnerships with international partners, new sectors, and stakeholders who can help grow the applicability and utilization of the Task Force. With the interconnectedness between the sectors and the scale of supply chain risks faced by both government and industry, private-public coordination is essential to enhance ICT supply chain resilience.
  • Representatives Suzan DelBene (D-WA) and John Katko (R-NY) reintroduced the “Internet of Things (IoT) Readiness Act” (H.R.981) “that would prepare the U.S. for the continued growth of IoT devices and devices that use 5G networks” per their press release. DelBene and Katko asserted:
    • IoT devices, ranging from fitness watches to sensors that monitor traffic, require significant spectrum capacity so that information, such as time, location, and temperature, can be transmitted to and from other devices. Spectrum is a limited resource and if the available capacity cannot accommodate all the devices in the same vicinity, the signals will interfere with each other and cause them to fail.
    • The IoT Readiness Act directs the Federal Communications Commission (FCC) to collect and provide Congress with the data needed to be prepared for the continued growth of these devices and their connectivity needs.
    • As a recent example, after the introduction of smartphones over the last decade, the number of devices that could access the internet increased dramatically. Cellular networks became overwhelmed, and the FCC had to go through the lengthy and burdensome process of reallocating spectrum. Now, IoT devices are facing the same problem.
    • In 2015, a family of four had an average of 10 IoT devices connected to the internet. The Organization for Economic Co-operation and Development estimates that that average will increase to 50 devices per family by 2022.
  • At a White House press conference, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger made remarks on the Biden Administration’s investigation of and response to the Russian Federation’s massive hack through SolarWinds and likely other entities. Neuberger revealed that the administration is working on an executive order as part of its response without laying out a timeline. She also said the Biden Administration aspires to “modernize” federal defenses without discussing possible costs or ramifications for current programs and authorities. Neuberger remarked:
    • As of today, 9 federal agencies and about 100 private sector companies were compromised.  As you know, roughly 18,000 entities downloaded the malicious update.  So the scale of potential access far exceeded the number of known compromises.  Many of the private sector compromises are technology companies, including networks of companies whose products could be used to launch additional intrusions. 
    • what are we going to do about it?  Three things: First, finding and expelling the adversary.  Second, building back better to modernize federal defenses and reduce the risk of this happening again.  And finally, potential response options to the perpetrators. 
    • So, first, finding and expelling the adversary.  We’re coordinating the interagency response from the National Security Council.  I was on the Hill last week, had Hill discussions this week, and will be on the Hill next week, as well.  We’re working closely with daily conversations with our private sector partners.  They have visibility and technology that is key to understanding the scope and scale of compromise.  There are legal barriers and disincentives to the private sector sharing information with the government.  That is something we need to overcome. 
    • And then, finally, this is challenging.  This is a sophisticated actor who did their best to hide their tracks.  We believe it took them months to plan and execute this compromise.  It’ll take us some time to uncover this, layer by layer. 
    • Second, building back better to modernize federal defenses.  We’re absolutely committed to reducing the risk this happens again.  If you can’t see a network, you can’t defend a network.  And federal networks’ cybersecurity need investment and more of an integrated approach to detect and block such threats. 
    • We’re also working on close to about a dozen things — likely eight will pass — that will be part of an upcoming executive action to address the gaps we’ve identified in our review of this incident. 
    • And, finally, in terms of response to the perpetrator, discussions are underway.  I know some of you will want to know what kind of options are being contemplated.  What I will share with you is how I frame this in my own mind.  This isn’t the only case of malicious cyber activity of likely Russian origin, either for us or for our allies and partners.  So as we contemplate future response options, we’re considering holistically what those activities were. 
  • The Chamber of Commerce of the United States of America, Internet Association, NetChoice, and the Computer & Communications Industry Association sued to stop implementation of Maryland’s “Taxation – Tobacco Tax, Sales and Use Tax, and Digital Advertising Gross Revenues Tax” (HB0732), which would impose a tax on digital advertising in the state, the first such tax in the United States (U.S.). The plaintiffs argued:
    • Although the Act is styled as a tax, several features confirm its punitive character, including its severity (up to 10% of gross revenues), its focus on extraterritorial conduct, the segregation of its proceeds from the State’s general fund, and the legislative history leading to its enactment. Among other things, the legislative history shows that lawmakers believe that the charge cannot be passed to consumers, and that the targets of the law, and they alone, will bear the burden of the assessment. A pass-through prohibition recently introduced in the Maryland Senate would lock in that understanding; if adopted into law, it would expressly prohibit the targets of the charge from passing it on to advertisers as a line item.
    • The Act is unlawful in several ways. First, it is preempted by the Internet Tax Freedom Act (ITFA), which prohibits States from imposing “multiple and discriminatory taxes on electronic commerce.” 47 U.S.C. § 151 note. Second, the Act violates the Due Process Clause and Commerce Clause of the United States Constitution by burdening and penalizing purely out-of-state conduct and interfering with foreign affairs.
    • The plaintiffs are seeking a declaration that the law is illegal and an injunction barring its enforcement.
  • The “Consumer Data Protection Act” (SB 1392) passed both the Virginia General Assembly and Virginia Senate by large margins, sending the bill to Governor Ralph Northam (D). This bill is one of the weaker privacy bills within sight of enactment. It would permit many of the same data collection and processing activities currently occurring in Virginia to continue largely in the same fashion in 2023. The bill uses an opt-out consent model, but only in limited circumstances: if entities disclose how they propose to process personal information, there are only limited cases in which people could opt out. There is no private right of action, and the attorney general would have to give entities a 30-day window to cure any potential violations and would be barred from proceeding if his office receives an express written statement that the violations have been cured. (See here for more analysis.)
  • The United States (U.S.) Department of Justice (DOJ) unsealed a federal indictment charging “three North Korean computer programmers with participating in a wide-ranging criminal conspiracy to conduct a series of destructive cyberattacks, to steal and extort more than $1.3 billion of money and cryptocurrency from financial institutions and companies, to create and deploy multiple malicious cryptocurrency applications, and to develop and fraudulently market a blockchain platform” per the DOJ’s press release. The DOJ stated:
    • The hacking indictment filed in the U.S. District Court in Los Angeles alleges that Jon Chang Hyok (전창혁), 31; Kim Il (김일), 27; and Park Jin Hyok (박진혁), 36, were members of units of the Reconnaissance General Bureau (RGB), a military intelligence agency of the Democratic People’s Republic of Korea (DPRK), which engaged in criminal hacking. These North Korean military hacking units are known by multiple names in the cybersecurity community, including Lazarus Group and Advanced Persistent Threat 38 (APT38). Park was previously charged in a criminal complaint unsealed in September 2018. 
    • The indictment alleges a broad array of criminal cyber activities undertaken by the conspiracy, in the United States and abroad, for revenge or financial gain. The schemes alleged include:
      • Cyberattacks on the Entertainment Industry: The destructive cyberattack on Sony Pictures Entertainment in November 2014 in retaliation for “The Interview,” a movie that depicted a fictional assassination of the DPRK’s leader; the December 2014 targeting of AMC Theatres, which was scheduled to show the film; and a 2015 intrusion into Mammoth Screen, which was producing a fictional series involving a British nuclear scientist taken prisoner in DPRK.
      • Cyber-Enabled Heists from Banks: Attempts from 2015 through 2019 to steal more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and Africa by hacking the banks’ computer networks and sending fraudulent Society for Worldwide Interbank Financial Telecommunication (SWIFT) messages.
      • Cyber-Enabled ATM Cash-Out Thefts: Thefts through ATM cash-out schemes – referred to by the U.S. government as “FASTCash” – including the October 2018 theft of $6.1 million from BankIslami Pakistan Limited (BankIslami).
      • Ransomware and Cyber-Enabled Extortion: Creation of the destructive WannaCry 2.0 ransomware in May 2017, and the extortion and attempted extortion of victim companies from 2017 through 2020 involving the theft of sensitive data and deployment of other ransomware.
      • Creation and Deployment of Malicious Cryptocurrency Applications: Development of multiple malicious cryptocurrency applications from March 2018 through at least September 2020 – including Celas Trade Pro, WorldBit-Bot, iCryptoFx, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale – which would provide the North Korean hackers a backdoor into the victims’ computers.
      • Targeting of Cryptocurrency Companies and Theft of Cryptocurrency: Targeting of hundreds of cryptocurrency companies and the theft of tens of millions of dollars’ worth of cryptocurrency, including $75 million from a Slovenian cryptocurrency company in December 2017; $24.9 million from an Indonesian cryptocurrency company in September 2018; and $11.8 million from a financial services company in New York in August 2020 in which the hackers used the malicious CryptoNeuro Trader application as a backdoor.
      • Spear-Phishing Campaigns: Multiple spear-phishing campaigns from March 2016 through February 2020 that targeted employees of United States cleared defense contractors, energy companies, aerospace companies, technology companies, the U.S. Department of State, and the U.S. Department of Defense.
      • Marine Chain Token and Initial Coin Offering: Development and marketing in 2017 and 2018 of the Marine Chain Token to enable investors to purchase fractional ownership interests in marine shipping vessels, supported by a blockchain, which would allow the DPRK to secretly obtain funds from investors, control interests in marine shipping vessels, and evade U.S. sanctions.
      • According to the allegations contained in the hacking indictment, which was filed on Dec. 8, 2020, in the U.S. District Court in Los Angeles and unsealed today, the three defendants were members of units of the RGB who were at times stationed by the North Korean government in other countries, including China and Russia. While these defendants were part of RGB units that have been referred to by cybersecurity researchers as Lazarus Group and APT38, the indictment alleges that these groups engaged in a single conspiracy to cause damage, steal data and money, and otherwise further the strategic and financial interests of the DPRK government and its leader, Kim Jong Un.
  • The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of the Treasury (Treasury) issued “a joint cybersecurity advisory about North Korean government malicious activity the U.S. government refers to as “AppleJeus”…[that] highlights technical details on this specific threat activity, mitigations for networks compromised by it, and recommended proactive mitigations for defense against it.” The agencies added:
    • The joint advisory provides technical details on seven versions of the AppleJeus malware, which has been used by North Korea posing as cryptocurrency trading platforms since at least 2018. In most instances, the malicious application—seen on both Windows and Mac operating systems—appears to be from a legitimate cryptocurrency trading company, thus fooling individuals into downloading it as a third-party application from a website that seems legitimate. 
    • Working closely with our interagency and international partners, the FBI, CISA and Treasury share timely cyber threat information with the intent to disrupt malicious cyber activity and help our partners protect their networks. Today’s advisory along with seven malware analysis reports adds to a still growing list of malicious cyber activity by North Korean state actors. Four of the seven versions of AppleJeus malware were identified in 2020 and reveal a determination by this group to evolve and continue this scheme. A complete list of their activity and important mitigation recommendations can be found here.
    • Organizations, specifically those in the financial services sector, should give this activity the highest priority for assessing their networks and implementing appropriate mitigation. You can read the joint cybersecurity advisory here and the seven malware analysis reports here.
  • Epic Games and the plaintiffs agreed to settle a class action suit that alleged the company engaged in predatory practices through the sale of random loot boxes to users. In a statement, the company and the plaintiffs’ attorneys announced over $78 million in relief for the litigants. Specifically, they asserted:
    • A class action settlement with Epic Games, Inc. (“Defendant” or “Epic Games”) has been reached. Under the Settlement, all U.S. players of Fortnite: Save the World and Rocket League who bought a random item loot box in either game before Epic Games discontinued random loot boxes will receive certain benefits immediately and automatically. The Settlement also provides up to $26.5 million in cash and other benefits to U.S.-based Fortnite and Rocket League players to resolve claims arising from players’ purchases of Fortnite and Rocket League in-game items. The case is Zanca, et al. v. Epic Games, Inc., Case No. 21-CVS-534, currently pending in the Superior Court of Wake County, North Carolina before the Honorable Keith Gregory, General Court of Justice, Superior Court Division (the “Action”). The proposed Settlement is not an admission of wrongdoing by Epic Games, and it denies that it violated the law. The Court has not decided who is right or wrong. Rather, to avoid the time, expense, and uncertainty of litigation, the Parties have agreed to settle the lawsuit. The Court has granted preliminary approval of the Settlement and has conditionally certified the Settlement Class for purposes of settlement only.
    • Settlement Class means all persons in the United States who, at any time between July 1, 2015, and the date of Preliminary Approval, had a Fortnite or Rocket League account that they used to play either game on any device and in any mode, and (a) exchanged in game virtual currency for any in-game benefit, or (b) made a purchase of virtual currency or other in-game benefit for use within Fortnite or Rocket League.
    • As part of the Settlement, Epic Games will automatically add 1,000 Fortnite V-Bucks to each Fortnite: Save the World account that was used to acquire a random-item “Loot Llama” loot box, and 1,000 Rocket League Credits to each Rocket League account that was used to acquire a random item “Crate” loot box. Additionally, you may submit a Claim Form to receive your choice of a cash benefit or additional V-Bucks/Credits, as set forth in more detail in this website and in the Settlement Agreement.
  • At the 2021 Virtual Munich Security Conference, United States (U.S.) President Joe Biden renewed the U.S. commitment to the North Atlantic Treaty Organization (NATO), its long-time European allies, and multilateralism in a reversal of policy from the Trump Administration. He endorsed efforts to craft cyberspace norms of behavior and called upon the nations of NATO to join the U.S. in fighting against the authoritarianism of the People’s Republic of China (PRC) and the Russian Federation. Biden declared:
    • America is back.  The transatlantic alliance is back.  And we are not looking backward; we are looking forward, together. 
    • It comes down to this: The transatlantic alliance is a strong foundation — the strong foundation — on which our collective security and our shared prosperity are built.  The partnership between Europe and the United States, in my view, is and must remain the cornerstone of all that we hope to accomplish in the 21st century, just as we did in the 20th century.
    • With respect to the broad foreign policy strokes his administration will pursue, Biden stated:
      • we must prepare together for a long-term strategic competition with China.  How the United States, Europe, and Asia work together to secure the peace and defend our shared values and advance our prosperity across the Pacific will be among the most consequential efforts we undertake.  Competition with China is going to be stiff.  That’s what I expect, and that’s what I welcome, because I believe in the global system Europe and the United States, together with our allies in the Indo-Pacific, worked so hard to build over the last 70 years. 
      • We can own the race for the future.  But to do so, we have to be clear-eyed about the historic investments and partnerships that this will require.  We have to protect — we have to protect for space for innovation, for intellectual property, and the creative genius that thrives with the free exchange of ideas in open, democratic societies.  We have to ensure that the benefits of growth are shared broadly and equitably, not just by a few. 
      • We have to push back against the Chinese government’s economic abuses and coercion that undercut the foundations of the international economic system.  Everyone — everyone — must play by the same rules. 
      • U.S. and European companies are required to publicly disclose corporate governance — to corporate governance structures and abide by rules to deter corruption and monopolistic practices.  Chinese companies should be held to the same standard. 
      • We must shape the rules that will govern the advance of technology and the norms of behavior in cyberspace, artificial intelligence, biotechnology so that they are used to lift people up, not used to pin them down.  We must stand up for the democratic values that make it possible for us to accomplish any of this, pushing back against those who would monopolize and normalize repression. 
      • You know, this is also — this is also how we’re going to be able to meet the threat from Russia.  The Kremlin attacks our democracies and weaponizes corruption to try to undermine our system of governance.  Russian leaders want people to think that our system is more corrupt or as corrupt as theirs.  But the world knows that isn’t true, including Russians — Russia’s own citizens. 
  • Secretary of Homeland Security Alejandro Mayorkas issued a statement titled “DHS Announces Steps to Advance President’s Commitment to Elevate Cybersecurity,” in which he announced “DHS will lead efforts to mitigate risks to the United States, further strengthen its partnerships with the private sector, and expand its investment in the infrastructure and people required to defend against malicious cyber attacks as part of a whole-of-government effort.” However, the statement was mostly a recitation of programs and efforts that largely pre-date the Biden Administration. Among the new items, Mayorkas stated:
    • This week, Secretary Mayorkas will increase the required minimum spend on cybersecurity through FEMA grant awards. To accelerate critical improvements in state and local cybersecurity, CISA will urgently evaluate and implement additional capabilities including potential new grant programs that will enable critical security investments. This is important: the nation’s cybersecurity is only as strong as its weakest link.
  • The United States (U.S.) Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) named three new Biden Administration appointees for “leadership roles:” “Nitin Natarajan has joined CISA as its Deputy Director, Eric Goldstein as Executive Assistant Director for Cybersecurity, and Dr. David Mussington as Executive Assistant Director for Infrastructure Security.” However, no names have been floated to head CISA, nor, for that matter, have any been circulated as the White House’s choice to be the first National Cyber Director, a position established in the “William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021” (P.L. 116-283) on the basis of a recommendation by the Cyberspace Solarium Commission (CSC).
    • CISA provided biographical sketches:
      • Deputy Director Natarajan led a practice at an international consulting firm focused on health security and provided subject matter expertise on continuity of operations, environmental emergency management, public health, and homeland security matters. He also held a number of roles in federal government, focused on critical infrastructure resilience.  Deputy Director Natarajan started his career as a first responder in New York including service as a flight paramedic.
      • In addition to serving on the Agency Review Team, Executive Assistant Director Goldstein was previously the Head of Cybersecurity Policy, Strategy, and Regulation at Goldman Sachs, where he led a global team to improve and mature the firm’s cybersecurity risk management program.  He served at CISA’s precursor agency, the National Protection and Programs Directorate, in various roles from 2013 to 2017.
      • Executive Assistant Director Mussington is an internationally known expert in critical infrastructure protection and cybersecurity – leading projects and program analyses for US federal agencies, states, and internationally for institutions in Canada, Europe, and the United Kingdom.  In an over two-decade career, he has played a variety of roles in both the public and private sectors.  His research and teaching activities have focused on cyber physical system risk management, election cybersecurity, and critical infrastructure security risk management.
  • The United Kingdom’s (UK) Supreme Court ruled against Uber in its appeal of a lower court’s finding that people driving for the company are to be considered workers and must have the rights afforded to workers in the UK. In its judgment, the court stated:
    • New ways of working organised through digital platforms pose pressing questions about the employment status of the people who do the work involved. The central question on this appeal is whether an employment tribunal was entitled to find that drivers whose work is arranged through Uber’s smartphone application (“the Uber app”) work for Uber under workers’ contracts and so qualify for the national minimum wage, paid annual leave and other workers’ rights; or whether, as Uber contends, the drivers do not have these rights because they work for themselves as independent contractors, performing services under contracts made with passengers through Uber as their booking agent. If drivers work for Uber under workers’ contracts, a secondary question arises as to whether the employment tribunal was also entitled to find that the drivers who have brought the present claims were working under such contracts whenever they were logged into the Uber app within the territory in which they were licensed to operate and ready and willing to accept trips; or whether, as Uber argues, they were working only when driving passengers to their destinations.
    • For the reasons given in this judgment, I would affirm the conclusion of the Employment Appeal Tribunal and the majority of the Court of Appeal that the employment tribunal was entitled to decide both questions in the claimants’ favour.
  • The Election Assistance Commission (EAC) adopted Voluntary Voting System Guidelines (VVSG) 2.0, which it characterized in its press release as “a major step toward improving the manufacturing and testing of voting machines.” The EAC asserted:
    • The VVSG 2.0 represents a significant advancement in defining standards that will serve as the cornerstone of the next generation of voting systems. It lays the groundwork for 21st century voting systems that are desperately needed with improved cybersecurity, accessibility, and usability requirements. The VVSG 2.0 also supports various audit methods supporting software independence to confirm the accuracy of the vote and increase voter confidence. With its adoption, manufacturers are empowered to begin designing and building voting machines according to these new guidelines.
    • Despite the requirements being voluntary, at least 38 states use the standards in some way, making today’s vote on advancing the next version of VVSG very important. This is the most significant update of the federal standards for voting technology since VVSG 1.0 was adopted in 2005.
    • The major updates included in the VVSG 2.0 are the following:
      • Improved cybersecurity requirements to secure voting and election management systems associated with the administration of elections.
        • Software independence
        • Requires systems to be air-gapped from other networks and disallows the use of wireless technologies
        • Physical security
        • Multi-factor authentication
        • System integrity
        • Data protection
      • Interoperability
        • Ensures devices are capable of importing and exporting data in common data formats
        • Requires manufacturers to provide complete specifications of how the format is implemented
        • Requires that encoded data uses a publicly available method
  • The Estonian Foreign Intelligence Service has released its annual security report, titled “International Security and Estonia 2021,” which focused, in some part, on the Russian Federation and the People’s Republic of China’s cyber and influence operations. The agency asserted:
    • Russia continues to be the primary security threat to Western democracies also in cyberspace. In addition to espionage, Russian special services are actively using cyberspace in their influence operations to create divisions in Western societies, transnational relations and NATO.
    • Cyber operations originating in Russia and the abuse of cyberspace for the purpose of influencing will very likely continue in 2021. These are effective, inexpensive and well-established measures for the Russian services. Moreover, influence operations can be a way to achieve long-term effects without always requiring intervention in the target country’s domestic politics.
    • The Chinese propaganda machine uses Western information channels to spread its narrative. Since the coronavirus pandemic outbreak, the amount of biased and fake news produced in China has increased, and its content has become more aggressive.
    • Tactically, China follows Russia’s example in spreading propaganda and disinformation. However, this points more to conformity resulting from shared objectives rather than any coordinated cooperation, as do the good relations between Chinese and Russian representatives on social media and the sharing of each other’s posts. At present, China does not use disinformation as actively and as professionally as Russia, but it is likely that it will expand and intensify its activities in this area in the near future. China’s influence operations aim to weaken Europe’s open society by promoting its own propaganda messages.
    • China’s ambition to become the world leader in technology poses major security threats.
    • Following Xi Jinping’s strategic guidelines, China is devoting all its resources to technological development to become a world leader in the field and make other countries dependent on Chinese technology. China faces sanctions and obstacles, which is giving rise to the sinicisation of its technology – increasing reliance on domestic producers. If Chinese technology becomes entirely domestic, the technology and software’s working principles will be even more opaque than before.
    • Cyber espionage has also been one of China’s traditional means of getting hold of foreign high technology. To justify its actions, China is ostensibly working to break the Western monopoly and considers it acceptable to use any means necessary to achieve this.
  • The Government Accountability Office (GAO) issued a response to a request “to review [the Department of] State’s efforts to advance U.S. interests in cyberspace.” The GAO stated that “[t]his report examines the extent to which State used data and evidence to develop and justify its proposal to establish [the] Bureau of Cyberspace Security and Emerging Technologies (CSET).” House Foreign Affairs Committee Chair Gregory Meeks (D-NY) and Ranking Member Michael McCaul (R-TX) had requested that the GAO investigate the Trump Administration’s Department of State decision to stand up the CSET in the face of criticism from Members on both sides of the aisle. The Trump Administration was subjected to criticism for allegedly downgrading the United States’ (U.S.) cyber diplomacy capabilities and legislation was introduced to essentially reverse the decision (i.e., the “Cyber Diplomacy Act of 2019” (H.R.739) in the last Congress.) The GAO concluded:
    • The United States faces expanding cyber threats and the challenge of building international consensus on standards for acceptable state behavior in cyberspace. In leading federal efforts to advance U.S. interests in cyberspace, State has notified Congress of its proposal to establish a new bureau focused on cyberspace security and the security aspects of emerging technologies. State, however, has not demonstrated that it used data and evidence to support its proposal, particularly for the bureau’s focus and organizational placement. Without developing evidence to support its proposal for the new bureau, State lacks needed assurance that the proposal will effectively set priorities and allocate appropriate resources for the bureau to achieve its intended goals.
    • The GAO recommended:
      • The Secretary of State should ensure that State uses data and evidence to justify its current proposal, or any new proposal, to establish the Bureau of Cyberspace Security and Emerging Technologies to enable the bureau to effectively set priorities and allocate resources to achieve its goals.
  • Acting Federal Trade Commission (FTC) Chair Rebecca Kelly Slaughter made remarks at a recent conference that map out her enforcement priorities and how she wants FTC staff to investigate and charge cases. Notably, she said she will be pressing to ensure that all possible offenses are charged, that the agency should litigate if entities will not settle in ways that make consumers whole, and that certain types of relief are pursued, such as forcing companies that violate the FTC Act to erase all their ill-gotten data and algorithms. Specifically, Kelly Slaughter stated:
    • I’ve supported many of the Commission’s privacy and security cases, like Equifax and TikTok, but for those of you who have followed the FTC’s privacy and security work closely, you’ll know that I dissented in cases like Facebook, YouTube, and Zoom. When I dissented, in most instances it was because I believed that the Commission should have obtained stronger relief for consumers, including by pursuing litigation if we were unable to negotiate sufficient relief in settlement.
    • Two types of relief I want us to seek and believe we can achieve are meaningful disgorgement and effective consumer notice. The Commission achieved an innovative disgorgement remedy in the settlement with photo app Everalbum announced last month. In that case, we alleged that the company violated its promises about the circumstances under which it would use facial recognition technology. As part of the settlement, the Commission required the company to delete facial recognition models or algorithms developed with users’ photos or videos.
    • We routinely obtain disgorgement of ill-gotten monetary gains when consumers pay for a product that is marketed deceptively. Everalbum shows how we can apply this principle to privacy cases where companies collect and use consumers’ data in unlawful ways: we should require violators to disgorge not only the ill-gotten data, but also the benefits—here, the algorithms—generated from that data.
    • A good example of effective notice is the Commission’s recent fem-tech case involving the Flo menstruation and fertility app. We alleged that Flo violated its promises not to share consumers’ sensitive information to third parties by sharing the information with Facebook, Google, and others. An important remedy the Commission achieved in this case was to require the company to notify consumers of its false promises.
    • Notice lets consumers “vote with their feet” and helps them better decide whether to recommend the service to others. Finally, and crucially, notice accords consumers the dignity of knowing what happened. There’s a fundamental equity issue here: many people—including those who most need to know—won’t hear about the FTC’s action against a company they deal with unless the company tells them. So, I’ll be pushing staff to include provisions requiring notice in privacy and data security orders as a matter of course.
    • The other lesson we can take from Flo is the need to fully plead all law violations. As I mentioned in my joint statement with Commissioner Chopra on that case, I believe we also should have applied the Health Breach Notification Rule to those facts and I’m glad we are conducting a review of this Rule, which requires that vendors of personal health records notify consumers of breaches. In other cases, I have argued that we should have included unfairness counts. In all of our cases, I want to make sure that we are analyzing all of the relevant laws and pleading all the violations that are applicable.
    • Finally, I think we need to think carefully about the overlap between our work in data privacy and in competition. Many of the largest players in digital markets are as powerful as they are because of the breadth of their access to and control over consumer data. The FTC has a structural advantage over our counterparts in other jurisdictions that focus exclusively on antitrust or on data protection. Our dual missions can and should be complementary, and we need to make sure we are looking with both privacy and competition lenses at problems that arise in digital markets.
  • In remarks before a business organization, Cybersecurity and Infrastructure Security Agency (CISA) Acting Director Brandon Wales unveiled “the agency’s first-ever international strategy, CISA Global.” In the document’s cover letter, Wales explained:
    • CISA Global outlines our approach to how CISA will work with international partners to fulfill our responsibilities, execute our work, and create unity of effort within our mission areas. This strategy presents the global vision and international operational priorities of the CISA Director, consistent with CISA’s international authorities as outlined in the Homeland Security Act of 2002; Department of Homeland Security’s Strategic Plan for FY 2020-2024; EO 13800 Report, DHS International Cybersecurity Priorities; and the CISA Strategic Intent. This overarching strategy provides an approach for how CISA will execute its responsibilities and serves as a reference point to guide our work and create unity of effort.
    • In CISA’s press release, the agency stated “[t]he strategy describes CISA’s international vision and identifies four goals:
      • Advancing operational cooperation;
      • Building partner capacity;
      • Strengthening collaboration through stakeholder engagement and outreach; and
      • Shaping the global policy ecosystem.”
    • In CISA Global, CISA expanded upon each of the four goals:
      • Given the increasing interconnectedness of our networks, the interdependencies among critical infrastructure sectors, and cross-border data flows, operational cooperation with foreign counterparts is a key tool in collaborating to prevent, detect, deter, and mitigate threats and hazards effectively. Operational cooperation, for the purposes of this document, can be defined as engagement with international partners that is characterized by mutually beneficial information sharing that informs and enhances our relationships. Through such international operational cooperation, CISA can improve its collective situational awareness, and is able to foster innovative approaches for responding to and mitigating threats and hazards to critical infrastructure and cybersecurity. Developing CISA’s partnerships into trusted relationships will enable critical operational information sharing that can improve communications capabilities, foster an environment for joint operations, and support resilience efforts – whether that be by sharing operational best practices, working on joint exercises, addressing threat information and related mitigation advice, or collaborating in a fashion so as to align security and defense efforts with like-minded partners. Ultimately, CISA seeks to mature our partnerships to establish an attaché program and to deploy personnel overseas to effectively execute CISA’s mission.
      • Liaise with and support international partners in developing their own capacity to effectively detect threats, assess impact potential, and take appropriate response actions to mitigate risk that enable cooperation with and increase benefits for CISA divisions. The global implications of all threats and hazards — especially those stemming from the cyber-physical nexus — actuates CISA to assist countries in building their own competency in managing risk, strengthen security and resilience, and address current and emerging risks. Enhancing other countries’ organic capabilities simultaneously enables CISA to comprehensively protect the Homeland, to bolster international security, and to promote global societal resilience. Sharing lessons learned, best practices, and information sharing while leveraging the technology, research, and capacities of other nations will be the cornerstone of this effort while working with Department of State.
      • The CISA international mission depends upon strategic stakeholder engagement to establish a vast, diverse, and robust network of public and private stakeholders and experts in order to promote a collective effort towards protecting critical infrastructure and strengthening the global cyber posture. CISA aims to build and to mature partnerships internationally to create channels of communication that facilitate the exchange of information, best practices, ideas, and lessons-learned as well as to remain timely and relevant on ongoing global efforts to address common issues. Through stakeholder engagement and outreach, CISA is not only able to raise awareness to a broader audience but is also able to maintain a platform amenable to U.S. initiatives and priorities.
      • CISA will ensure that its overall mission and objectives are supported and reflected in a manner consistent with CISA’s authorities and U.S. policy goals while shaping the legal environment and effectively driving research and development. By advancing domestic initiatives and promoting national models at the international level, CISA will lead global efforts to support common approaches to shared challenges in securing critical infrastructure and cyberspace. Through cooperation with the Department and the interagency, CISA will guide overall U.S. government efforts to work bilaterally, regionally and multilaterally with foreign counterparts to promote the adoption of standards, regulations and policies that support a homeland and global community that is safe, secure and resilient to threats and hazards.
  • Senate Finance Committee Chair Ron Wyden (D-OR), Senator Kirsten Gillibrand (D-NY), Senate Banking Committee Chair Sherrod Brown (D-OH), Senator Mazie Hirono (D-HI), and Representative Anna Eshoo (D-CA) reintroduced the “Invest in Child Safety Act” (S.223/H.R.807), legislation that, they claimed in their press release, would “confront online child exploitation and reverse a decade of underfunding key enforcement and prevention efforts.” There is a messaging angle to this bill in that it implicitly proposes a different route to combating online child sexual abuse material apart from modifying 47 U.S.C. 230 (aka Section 230). The sponsors released bill text and a one-page summary. They stated:
    • The Invest in Child Safety Act would direct $5 billion in mandatory funding to investigate and target the predators and abusers who create and share child sexual abuse material online. It also directs substantial new funding for community-based efforts to prevent children from becoming victims in the first place. And it would create a new White House office to coordinate efforts across federal agencies, after [the Department of Justice] refused to comply with a 2008 law requiring coordination and reporting of those efforts.
    • The bill would require a historic, mandatory investment in personnel and funding to take on child exploitation, including:
      • Quadruple the number of prosecutors and agents in DOJ’s Child Exploitation and Obscenity Section from 30 FTEs to 120 FTEs;
      • Add 100 new agents and investigators for the Federal Bureau of Investigation’s Innocent Images National Initiative, Crimes Against Children Unit, Child Abduction Rapid Deployment Teams, and Child Exploitation and Human Trafficking Task Forces;
      • Fund 65 new National Center for Missing and Exploited Children (NCMEC) analysts, engineers, and mental health counselors, as well as a major upgrade to NCMEC’s technology platform to enable the organization to more effectively evaluate and process CSAM reports from tech companies;
      • Double funding for the state Internet Crimes Against Children (ICAC) Task Forces; 
      • Double funding for the National Criminal Justice Training Center, to administer crucial Internet Crimes Against Children and Missing and Exploited Children training programs; 
      • Increase funding for evidence-based programs, local governments and non-federal entities to detect, prevent and support victims of child sexual abuse, including school-based mental health services and prevention programs like the Children’s Advocacy Centers and the HHS’ Street Outreach Program;  
      • Require tech companies to increase the time that they hold evidence of CSAM, in a secure database, to enable law enforcement agencies to prosecute older cases; 
      • Establish an Office to Enforce and Protect Against Child Sexual Exploitation, within the Executive Office of the President, to direct and streamline the federal government’s efforts to prevent, investigate and prosecute the scourge of child exploitation; 
      • Require the Office to develop an enforcement and protection strategy, in coordination with HHS and GAO; and 
      • Require the Office to submit annual monitoring reports, subject to mandatory Congressional testimony to ensure timely execution. 
  • The National Institute of Standards and Technology (NIST) released for comment NIST Special Publication (SP) 800-47 Revision 1, Managing the Security of Information Exchanges that “provides guidance on identifying information exchanges; risk-based considerations for protecting exchanged information before, during, and after the exchange; and example agreements for managing the protection of the exchanged information” per the agency’s press release. NIST explained:
    • Rather than focus on any particular type of technology-based connection or information access, this draft publication has been updated to define the scope of information exchange, describe the benefits of securely managing the information exchange, identify types of information exchanges, discuss potential security risks associated with information exchange, and detail a four-phase methodology to securely manage information exchange between systems and organizations. Organizations are expected to further tailor the guidance to meet specific organizational needs and requirements.
    • NIST is specifically interested in feedback on:
      • Whether the agreements addressed in the draft publication represent a comprehensive set of agreements needed to manage the security of information exchange.
      • Whether the matrix provided to determine what types of agreements are needed is helpful in determining appropriate agreement types.
      • Whether additional agreement types are needed, as well as examples of additional agreements.
      • Additional resources to help manage the security of information exchange.
    • A public comment period for this document is open through March 12, 2021.
  • The European Commission’s (EC) Health and Food Safety Directorate General issued an “Assessment of the EU Member States’ rules on health data in the light of GDPR,” which found “that while the General Data Protection Regulation (GDPR) lays down horizontal directly applicable rules in all Member States, there remains variation in the range of national-level legislation linked to its implementation in the area of health.” The authors of the report added that “[t]his, the study suggests, has led to a fragmented approach in the way that health data processing for health and research is conducted in the Member States…[and] [t]his can negatively impact cross-border cooperation for care provision, healthcare system administration, public health or research.” The authors of the report asserted:
    • The work conducted in the context of the study makes clear that a number of legal and operational issues need to be addressed to ensure that European healthcare systems can make best possible use of data for the three interlinked purposes of primary use for direct patient care, secondary use to support the safe and efficient functioning of healthcare systems, and secondary use to drive health research and innovation. It is clear from the evidence of workshop participants, country correspondents and stakeholder consultation that while the GDPR is a much appreciated piece of legislation, variation in application of the law and national level legislation linked to its implementation have led to a fragmentation of the law which makes cross-border cooperation for care provision, healthcare system administration or research difficult. Furthermore, the interpretation of the law is complex for researchers at national level and patients do not always find it easy to exercise the rights granted by the GDPR.
    • It is clear that addressing these challenges requires a multifaceted approach. The identified future EU level actions to address these challenges, that should be complementary and cumulative, include stakeholders driven codes of conduct, new targeted and sector specific EU level legislation, guidance and support to the cooperation among Member States and relevant stakeholders, but also support for digitalisation, interoperability and digital infrastructures, allowing for the use of data for healthcare, policy making and research and innovation. It is important that these future actions are developed in full respect of principles of proportionality and subsidiarity.
  • The New York State Department of Financial Services (NYDFS) issued a report “detailing the findings of an investigation into the transmission of sensitive user data by application and website designers to Facebook.” NYDFS stated “[f]ollowing a report by the Wall Street Journal, the Governor directed DFS to perform an investigation which found that app developers regularly sent Facebook sensitive data, including medical and personal data, derived from consumers’ usage of third-party websites and applications.” NYDFS stated “[t]he data was then shared with Facebook by app developers as part of Facebook’s free online data analytics services…[and] [t]hough such data-sharing violated Facebook policy, Facebook took few steps to enforce the policy or to block the flow of sensitive data prior to the state’s investigation.” NYDFS asserted:
    • The Department found that consumer data was regularly shared with Facebook by app developers who downloaded Facebook’s Software Development Kit as part of Facebook’s free online data analytics services. Personal data that was wrongfully shared included sensitive and/or medical data such as health diagnoses, blood pressure readings, and even fertility data.
    • The report focuses on the facts surrounding the conduct described by the WSJ, the inadequate controls at Facebook that allowed it to happen, the remedial measures Facebook has undertaken as a result of the DFS investigation, and the Department’s recommendations on how to better protect consumer privacy:
      • Inadequate Controls: Despite the fact that sensitive data has been transmitted to Facebook every day in violation of Facebook policy, prior to the DFS investigation, Facebook did little to track whether app developers were violating its policies and to this day takes no real action against developers that do.
      • Remediation Efforts as a Result of the Department’s Investigation: As a result of the DFS investigation, Facebook built and implemented a screening system that is designed to identify and block sensitive information before it enters the Facebook system. Facebook also enhanced app developer education to better inform developers of their obligations to avoid transmitting sensitive data and took steps to give users more control over data that is collected about them, including from off-Facebook activity.
      • Recommended Further Action: Although Facebook’s remediation efforts are important first steps, Facebook must meaningfully ensure that developers are fully aware of its prohibition on transmitting sensitive data, and the report recommends Facebook do more to prevent developers from transmitting sensitive data in the first place rather than simply relying on a back-end screening system. The report further urges Facebook to take additional steps to police its own rules by putting in place appropriate consequences for doing so.
      • Federal Regulatory Oversight: Current laws and regulations have not kept pace with the technological advancements of the “big data” industry. Although the U.S. Federal Trade Commission has taken some action, consumers would benefit from a comprehensive federal regulatory approach, as noted in the DFS’s Twitter report.
    • The report also supports the adoption of Governor Cuomo’s proposal to enact NYDATA, a comprehensive data privacy law that would significantly enhance privacy protections for New Yorkers. The law would mandate that any entity that collects data on large numbers of New Yorkers disclose the purposes of such collection, and limit the data collected to that purpose.
  • Over 40 privacy, civil liberties, and civil rights groups “called on the Biden administration to 1) place a moratorium on federal use of facial recognition and other biometric technologies, 2) stop state and local governments from purchasing facial recognition services with federal funds, and 3) support the Facial Recognition and Biometric Technology Act” (S.4084).
  • “[A] bipartisan coalition of technology policy organizations” wrote the chairs and ranking members of the subcommittees that control the appropriations for the Federal Trade Commission (FTC) urging them “to provide increased resources for the FTC so that the agency can respond to growing demands and fulfill its mission of protecting consumers and promoting competition in the digital age.” They added:
    • Over the past decade, the agency reported an increase of over 100 percent for consumer complaints, and an increase in premerger filings of over 75 percent. It has recently increased its enforcement activity too, bringing a much higher number of cases in 2020 as compared to prior years. A recent financial report by the Commission noted, “constraints from stagnant financial resources are further magnified by increasing costs and rising expectations from the American public.”
    • To address this institutional gap, we urge you to provide a significant increase to the Commission’s gross budget authority for FY 2021. We expect that even a substantial increase would have a minimal impact on the national debt, considering the revenue generating activities of the Commission. Additionally, to minimize the burden on taxpayers, Congress should consider increasing the authorized limit for offsetting collections, and adjust HSR fees with indexing to inflation.
  • The International Standards Organization (ISO) published “[t]wo new ISO guidance documents…to help organizations ensure the best possible frameworks and keep them cybersecure:
    • Developed in collaboration with the International Electrotechnical Commission (IEC), ISO/IEC TS 27110, Information technology, cybersecurity and privacy protection – Cybersecurity framework development guidelines, specifies how to create or refine a robust system to protect against cyber-attacks.
    • ISO/IEC TS 27100, Information technology – Cybersecurity – Overview and concepts, which defines cybersecurity, establishes its context in terms of managing information security risks when information is in digital form, and describes relevant relationships including how cybersecurity is related to information security.”

Coming Events

  • On 23 February, the Senate Intelligence Committee will hold a “Hearing on the Hack of U.S. Networks by a Foreign Adversary” with these witnesses:
    • Kevin Mandia, CEO, FireEye
    • Sudhakar Ramakrishna, CEO, SolarWinds
    • Brad Smith, President, Microsoft
    • George Kurtz, President and CEO, CrowdStrike
  • On 24 February, the House Energy and Commerce Committee’s Communications and Technology Subcommittee will hold a hearing titled “Fanning the Flames: Disinformation and Extremism in the Media” with these witnesses:
    • Soledad O’Brien, Anchor, Matter of Fact and CEO, Soledad O’Brien Productions
    • Emily Bell, Director, The Tow Center for Digital Media, Columbia University
    • Kristin Danielle Urquiza, Co-Founder, Marked by COVID
    • Jonathan Turley, Professor, The George Washington University Law School
  • The House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold a hearing titled “Reviving Competition, Part 1: Proposals to Address Gatekeeper Power and Lower Barriers to Entry Online” on 25 February.
  • On 17 March, the Federal Communications Commission (FCC) will hold an open meeting but an agenda has not yet been released.
  • The House Energy and Commerce Committee’s Communications and Technology and Consumer Protection and Commerce Subcommittees will hold a joint hearing on 25 March “on misinformation and disinformation plaguing online platforms” with these witnesses: Facebook CEO Mark Zuckerberg, Google CEO Sundar Pichai, and Twitter CEO Jack Dorsey.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Maxim Hopman on Unsplash
