Further Reading
- “‘Millions of people’s data is at risk’ — Amazon insiders sound alarm over security” By Vincent Manancourt — Politico EU. Three whistleblowers are claiming that Amazon has widespread data protection and privacy issues, some of which may violate European Union (EU) or United States (U.S.) law. They claimed the company culture was such that any bad news was suppressed, minimized, or ignored even though there are allegedly massive vulnerabilities that could result in the personal data of millions of people being breached.
- “Luxembourg data watchdog: ‘Big penalties not the aim’” By Vincent Manancourt — Politico EU. Critics of Luxembourg’s data protection authority (DPA) argue it is doing next to nothing to enforce the General Data Protection Regulation (GDPR). The DPA says otherwise and points to corrective actions taken at levels below fines. The nation’s DPA is the lead regulator of Amazon in the EU.
- “Big Tech’s Next Big Problem Could Come From People Like ‘Mr. Sweepy’” By David McCabe — The New York Times. The United States (U.S.) federal and state antitrust lawsuits against Google and Facebook have been followed by suits from companies and individuals claiming the same types of harm, often piggybacking on the facts the Department of Justice and state attorneys general ferreted out of the companies. It remains to be seen how successful these litigants will be, but many undoubtedly have in mind the $750 million settlement Microsoft paid AOL, the owner of Netscape, the browser at the center of the antitrust case against Microsoft two decades ago.
- “Clubhouse’s Security and Privacy Lag Behind Its Explosive Growth” By Lily Hay Newman — WIRED. The new kid on the social media app block, Clubhouse, seems to be having some growing pains, especially with respect to its privacy and security. In no particular order, the issues include: no encryption of information that could identify users and the chatrooms they have been in, routing of data through the People’s Republic of China, and efforts to surreptitiously record some of the chats. The startup is scrambling to right these and other problems as it seeks to grow at the same time.
- “Silicon Valley’s Safe Space” By Cade Metz — The New York Times. An interesting odyssey through a website and blog that seem to embody the Rationalist community in Silicon Valley.
- “Hackers Break Into ‘Biochemical Systems’ At Oxford University Lab Studying Covid-19” By Thomas Brewster — Forbes. A unit at Oxford University conducting research into COVID but separate from the vaccine lab was hacked, likely by criminals looking to sell access to nation states interested in acquiring information from labs in the West. This hack occurred even though the Five Eyes security services have been warning for nearly a year that entities researching COVID would be prime targets. No word yet on how the hackers got into the systems.
- “If Work Is Going Remote, Why Is Big Tech Still Building?” By Gregory Barber — WIRED. Even though the purported trend in the United States (U.S.) is towards telecommuting, in the technology world there is a different train of thought. Tech giants are continuing plans to build new campuses and expand existing ones in line with overall growth, which has in some cases been sped up during the pandemic. One expert in the article makes the case that for all its drawbacks, Silicon Valley’s culture will continue to lure and keep tech companies and talent there. Obvious parallels would be the art, fashion, and finance industries in New York City; sky-high cost of living and other issues have not dissuaded people in those fields from flocking there.
- “On social media, vaccine misinformation mixes with extreme faith” By Elizabeth Dwoskin — The Washington Post. Fears and concerns over COVID vaccines are dovetailing perfectly with the fears and concerns of a number of religious influencers and figures (the ones in this article are Christians predominantly). Consequently, there is much material online asserting or “questioning” whether a vaccine will hurt people or implant microchips. There are even claims more attenuated from reality being made, and platforms are struggling to discern which material violates their policies on spreading misinformation about COVID and vaccines.
- “Parler, a Social Network That Attracted Trump Fans, Returns Online” By Jack Nicas — The New York Times. The right-wing Twitter is back! After getting shut down by Amazon Web Services (AWS) for violations of terms of service, Parler is working with two smaller tech companies and now again has a website. One of the companies, SkySilk, portrayed its hosting of Parler as a defense of the First Amendment. Parler is bankrolled by a member of the Mercer family and was one of the key platforms the insurrectionists used before and on 6 January at the United States Capitol.
- “The Biden presidency: What it means for tech” By Marguerite Reardon — c/net. This piece provides a good view of the territory of tech policy and how the Biden Administration might try to leave its mark.
- “The Best Work-From-Home Cities All Have One Thing In Common” By Sascha Segan — PC. This piece makes the argument that local fiber internet service providers (ISP) have led to many small cities and towns having service just as fast as larger cities. And, contrary to the argument made by the giant ISPs, it appears having a local ISP spurs competition because the giant ISPs have chosen to compete in almost all of these markets.
- “Here’s the place that will make or break Biden’s $20 billion broadband plan” By Rae Hodge — c/net. This article delves deeply into broadband access in Appalachia and the very stark divide between the haves and have-nots.
- “House Republicans propose nationwide ban on municipal broadband networks” By Jon Brodkin — Ars Technica. House Energy and Commerce Ranking Member Cathy McMorris Rodgers (R-WA) and Communications and Technology Subcommittee Ranking Member Bob Latta (R-OH) released the “Boosting Broadband Connectivity Agenda,” which includes a bill, the Communities Overregulating Networks Need Economic Competition Today (CONNECT) Act, that “would promote competition by limiting government-run broadband networks throughout the country and encouraging private investment.” This would be achieved by banning municipalities and localities from having their own internet service providers (ISP) even though it appears municipal ISPs actually spur competition. Moreover, nearly 20 states already have laws that block municipalities from establishing their own ISPs.
- “Tension grows between Congress and the administration over how White House cyber policy should be run” By Ellen Nakashima — The Washington Post. The Biden Administration does not seem to be in a hurry to nominate the United States’ (U.S.) first National Cyber Director, a new position created in the FY 2021 National Defense Authorization Act (NDAA) per a Cyberspace Solarium Commission recommendation. This reluctance is angering the sponsors of the provision in Congress, and there is back and forth between the White House and Capitol Hill. There are charges the White House will read the new statutory requirements as narrowly as possible, leading to a weak and ineffectual National Cyber Director, while Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger continues to lead cyber policy for the Administration.
- “Comcast reluctantly drops data-cap enforcement in 12 states for rest of 2021” By Jon Brodkin — Ars Technica. Comcast customers in Connecticut, Delaware, Massachusetts, Maryland, Maine, New Hampshire, New Jersey, North Carolina, New York, Pennsylvania, Vermont, West Virginia, and the District of Columbia will not immediately face a 1.2 TB cap on wireless data in their homes. Pressure from governments and customers prevailed in getting the company to relent and delay its push to cap usage until 2022. Right now, those in the Northeast are exempted and will continue to be. After negative media coverage last month, Comcast also gave in to demands from low-cost customers for higher-speed internet so students could attend online classes.
- “The Internet Is Splintering” By Shira Ovide — The New York Times. One woman’s free speech is another man’s abuse or hate speech. How do governments, even those committed to free speech and expression, balance these rights against their impulses to crack down on harmful speech? We may have entered the age of different internets in different nations.
- “Net neutrality law to take effect in California after judge deals blow to telecom industry” By Tony Romm — The Washington Post. A federal court declined the request of four cable company associations to block SB 822, California’s net neutrality law. And so long as the Federal Communications Commission and Congress remain deadlocked on the issue, states will be free to regulate in this space. Naturally, an appeal may be coming.
- “How Oracle Sells Repression In China” By Mara Hvistendahl — The Intercept. This article extensively details Oracle’s efforts to market its database software to help government agencies in the People’s Republic of China (PRC) and elsewhere use big data to surveil, track, and possibly oppress groups of people. Oracle’s overseas endeavors occurred simultaneously with its securing of numerous contracts with United States (U.S.) security services. The company claims there was no wrongdoing and that the pursuit of deals with regimes like the one in Beijing is not contrary to its ideals.
- “Amazon documents reveal company’s secret strategy to dodge India’s regulators” By Aditya Kalra — Reuters. Reuters goes deep into Amazon’s internal documents on its operations in India, which seem contrary to at least the spirit if not the letter of the South Asian nation’s recently enacted laws on direct foreign investment and foreign e-commerce firms. Amazon and Walmart’s online platform, Flipkart, are under investigation for anti-competitive practices, and Amazon is being separately investigated for violating foreign investment laws. Amazon has allegedly been trying to circumvent India’s laws barring e-commerce platforms from selling their own goods; instead, they can only sell third party offerings and collect fees for doing so. Amazon has worked with Indian firms like Infosys to create jointly owned third party companies that sell on Amazon. The Amazon/Infosys venture, Cloudtail, has been treated like an Amazon entity and by 2016 accounted for 47% of all sales on Amazon.in. Shortly thereafter the Indian government passed a law capping the largest share any one seller on e-commerce platforms could have at 25%, necessitating Amazon’s use of its wholesale subsidiary, which sold smartphones to third parties that then sold them on Amazon.in.
- “Half London councils found using Chinese surveillance tech linked to Uighur abuses” By Avi Asher-Schapiro — Thomson Reuters Foundation. Half, and maybe more, of London’s boroughs are using surveillance tech sold to them by the People’s Republic of China’s (PRC) Hikvision and Dahua. Both companies’ products and services have been linked to the PRC’s oppression of Uighurs. Despite concerns articulated in the British Parliament, there are no laws that bar boroughs and councils from buying tech from companies linked to human rights violations. A British court ruled against the South Wales Police force’s use of live facial recognition technology, resulting in police forces revising their policies on how this technology may be used. There are concerns boroughs and councils will soon move from passive to active surveillance, the latter entailing big data analytics, and, as has often been the case elsewhere, minorities and targeted groups will pay the price for increased surveillance.
- “Facebook mishandles ads from EU institutions and governments” By Mark Scott — Politico EU. The social media platform mislabeled posts by European Union entities and European governments as political messages, many of which were bought as public service announcements. Consequently, they were categorized as political alongside truly political messages.
- “The Grim Consequences of a Misleading Study on Disinformation” By Emma Briant — WIRED. This piece takes apart the prestigious Oxford Internet Institute’s 2020 edition of its annual report on disinformation online. After the author finishes, one wonders what remains in the report that can be relied upon.
Other Developments
- Senate Intelligence Committee Chair Mark Warner (D-VA) wrote the Federal Bureau of Investigation (FBI) and the Environmental Protection Agency (EPA) for more information on “a cyber incident in which hackers remotely breached a Florida water treatment plant and sought to dramatically alter water chemical levels in a move that could have poisoned thousands of residents.” Warner stated:
- I am writing to request information about reports of a serious security compromise of a water treatment plant in Oldsmar, Florida on February 5, 2021. The security and integrity of our critical infrastructure is of utmost importance. The Cybersecurity & Infrastructure Security Agency (CISA) states that 80% of the United States receives potable water from approximately 153,000 public drinking water systems, and any type of attack, including a cyber attack, could result in “illnesses or casualties and/or a denial of service that would also impact public health and economic vitality.” Additionally, other critical infrastructure sectors such as healthcare, emergency services, energy, food and agriculture, and transportation systems depend on the cyber resilience of water facilities.
- According to information released by the Pinellas County Sheriff’s Office, the Oldsmar water treatment facility was accessed remotely by an unauthorized entity, who increased the amount of sodium hydroxide in the potable water supply to a dangerous level.
- Given the consequences of a successful compromise of this kind, and the broader security weaknesses this unsuccessful attempt may illustrate within critical infrastructure sectors reliant on similar industrial control systems, I would request first, to be informed of the progress of the FBI’s investigation of the incident; second, a review by the Environmental Protection Agency into whether the Oldsmar water treatment facility was compliant with the most recent Water and Wastewater Sector-Specific Plan, and whether that plan, most recently updated in 2015, needs to be updated to confront similar risks; and third, to confirm the Federal Government is sharing timely threat information related to this incident with water and wastewater facilities, and other critical infrastructure providers across the United States.
- New York Attorney General Letitia James “filed a lawsuit against Amazon over its failures to provide adequate health and safety measures for employees at the company’s New York facilities and Amazon’s retaliatory actions against multiple employees amidst the COVID-19 pandemic” four days after Amazon sued James seeking an injunction to bar her from regulating its New York facilities on a number of grounds.
- In her press release, James asserted:
- In failing to maintain a safe work environment by reasonably protecting workers from the spread of COVID-19, Amazon violated New York State Labor Law. In addition, Amazon unlawfully fired and disciplined employees that objected to Amazon’s unsafe work conditions.
- The lawsuit, filed in the Supreme Court of New York County, argues that Amazon’s actions are in violation of New York labor, whistleblower protection, and anti-retaliation laws. The suit seeks broad injunctive relief and damages, including:
- Requiring Amazon to take all affirmative steps, including changing policies, conducting training, and undergoing monitoring, among others, to ensure that Amazon reasonably and adequately protects the lives, health, and safety of its employees.
- Awarding backpay, liquidated damages, emotional distress damages, and reinstatement for former employee Christian Smalls.
- Awarding liquidated damages and emotional distress damages for employee Derrick Palmer.
- Requiring Amazon to give up the profits it made as a result of its illegal acts.
- In Amazon’s suit, the company claimed:
- The OAG then launched and pursued an investigation of Amazon’s COVID-19 response. Less than a month later and based on its cursory investigation to that point, the OAG took the highly unusual step of making a “preliminary assessment” that Amazon had violated safety requirements—including the federal Occupational Safety and Health Act (“OSH Act”) and its regulations—in connection with Amazon’s response to the COVID-19 pandemic, and that Amazon had unlawfully retaliated against Mr. Smalls and Mr. Palmer. The OAG’s letter to Amazon containing the preliminary assessment did not mention the New York City Sheriff’s Office’s findings that Amazon went “above and beyond” applicable compliance requirements and that complaints to the contrary were “baseless,” or include any other facts favorable to Amazon.
- From the outset of the OAG’s investigation, Amazon provided the OAG with extensive information about its extraordinary efforts to protect its associates against COVID-19. Amazon also provided evidence of its compelling safety-related reasons for taking action against Mr. Smalls and Mr. Palmer, including photographs of Mr. Smalls violating Amazon’s social distancing guidelines at the JFK8 facility after Amazon instructed him to quarantine for a potential COVID-19 exposure. The evidence showed that Mr. Smalls not only failed to comply with social distancing requirements, but that, as someone directed to quarantine, he was required to stay off Amazon property—and was paid for doing so—yet he violated those clear requirements by returning to the JFK8 property.
- Nevertheless, the OAG refused to give any weight to the substantial amount of detailed information and documents that Amazon provided regarding its comprehensive health and safety program or the New York City Sheriff’s Office’s reports—information that squarely rebuts the OAG’s preliminary assessments. Instead, the OAG continued to claim that Amazon violated health and safety standards and retaliated against Mr. Smalls and Mr. Palmer.
- The OAG has now threatened to sue Amazon if it does not immediately agree to a list of demands, many of which have no connection to health and safety and have no factual or legal basis. Among other things, the OAG has demanded that Amazon “disgorge” profits, subsidize public bus service, reduce its production speeds and performance requirements, reinstate Mr. Smalls and pay large sums to Mr. Smalls and Mr. Palmer for “emotional distress,” retain a health and safety consultant to oversee safety and production, and adopt safety-related policies it already implemented.
- The OAG’s exorbitant demands are based on a standard for workplace health and safety far more stringent than the standard adopted by the OAG when defending, in other litigation, the New York State Courts’ reasonable but more limited safety response to COVID-19 in the face of threats greater than those present in Amazon’s private facilities. The New York State Courts, for example, implemented temperature screening months after Amazon, and, unlike Amazon, has not developed its own testing capacity and provided free tests to its employees.
- More fundamental than applying an inconsistent and incorrect standard, the OAG lacks the legal authority it purports to wield against Amazon. The federal OSH Act preempts the OAG’s use of state law to regulate workplace safety, and, as this Court has already held in litigation brought by Mr. Palmer concerning the very subject matter of the OAG’s investigation, OSHA has primary jurisdiction over workplace safety claims brought under New York Labor Law Section 200. Moreover, the National Labor Relations Act (“NLRA”) preempts the OAG’s claims that Amazon retaliated against Mr. Smalls and Mr. Palmer for organizing and participating in protests regarding working conditions at JFK8, and the U.S. National Labor Relations Board (“NLRB”) has authority for enforcement of this federal law. Even if the New York Labor Law were not preempted in these circumstances, the Labor Law provisions on which the OAG relies create only a private right of action by the individual who is the victim of the alleged retaliation—and here, Mr. Smalls and Mr. Palmer are already pursuing their own private actions with their own counsel.
- Senate Finance Committee Chair Ron Wyden (D-OR), Senate Banking, Housing, and Urban Development Committee Chair Sherrod Brown (D-OH), Senate Intelligence Committee Chair Mark Warner (D-VA), and Senator Catherine Cortez Masto (D-NV) introduced the “Unemployment Insurance Technology Modernization Act” “that would establish one set of technology and security capabilities for state unemployment offices” per their joint press release. They asserted the bill:
- Requires the Department of Labor to work with the technology experts to develop, operate and maintain a modular set of technology capabilities to modernize unemployment compensation technology.
- Prioritizes user experience, including by requiring consultation and testing with claimants, employers, State workforce agency staff and other users.
- States will be able to use all of the capabilities or choose to use only those capabilities that meet their needs.
- The updated technology will help states ensure timely and accurate delivery of payments and better identify fraudulent claims.
- Requires a study to evaluate unemployment insurance technology needs, with an emphasis on program accessibility and equity.
- Establishes a new Department of Labor Digital Services Team to expand the Department’s ability to assist states with technological issues.
- Ensures the use of best practices in cybersecurity, procurement and transparency during and after the development of the technology capabilities.
- Includes the accessibility requirements for online claim-filing systems from Senator Wyden’s Unemployment Insurance Technology and Accessibility Act.
- Includes provisions from Senator Wyden’s Algorithmic Accountability Act to ensure that the new technology capabilities do not rely on automated decision systems that may produce biased results without impact assessments and public input.
- The Australian government has issued the text for its “Online Safety Bill 2021,” which “together with the Online Safety (Transitional Provisions and Consequential Amendments) Bill 2021, will create a modern, fit for purpose regulatory framework that builds on the strengths of the existing legislative scheme for online safety” according to the explanatory memorandum. The government claimed the bill will:
- retain and replicate provisions in the Enhancing Online Safety Act 2015 (EOSA) that are working well to protect Australians from online harms, such as the non-consensual sharing of intimate images scheme;
- articulate a core set of basic online safety expectations to improve and promote online safety for Australians;
- reflect a modernised online content scheme to replace the schemes in Schedules 5 and 7 of the Broadcasting Services Act 1992 (BSA) to address harmful online content;
- create a new complaints-based, removal notice scheme for cyber-abuse being perpetrated against an Australian adult;
- broaden the cyber-bullying scheme to capture harms occurring on services other than social media;
- reduce the timeframe for service providers to respond to a removal notice from the eSafety Commissioner from 48 to 24 hours;
- bring providers of app distribution services and internet search engine services clearly into the remit of the new online content scheme;
- establish a specific and targeted power for the eSafety Commissioner to request or require internet service providers (ISPs) to disable access to material depicting, promoting, inciting or instructing in abhorrent violent conduct, for time-limited periods in crisis situations, reflecting industry’s call for Government leadership on this issue.
- Facebook Global Affairs and Communications Vice President Nick Clegg issued the company’s responses to the Facebook Oversight Board’s first decisions that overturned Facebook in four of the five cases. The company claimed to have immediately implemented the decisions as it has committed to heeding the Board’s decisions. Clegg stated:
- [W]e are committing to action to address 11 of the board’s recent recommendations. In several of these instances, we have already acted on the board’s recommendations, while in others, we are committing to what was recommended by the board, or going further. We also are assessing the feasibility of five more of the recommendations and will provide updates in the future.
- There is one remaining recommendation that we disagree with and will not be taking action on since it relates to softening our enforcement of COVID-19 misinformation. In consultation with global health authorities, we continue to believe our approach of removing COVID-19 misinformation that might lead to imminent harm is the correct one during a global pandemic.
- For each recommendation, we have provided detailed responses and will continue to update as we make progress on our commitments. Some of the actions we are taking include:
- Providing more transparency.
- Consolidating and clarifying health misinformation policies. As announced earlier this month, we have consolidated information about health misinformation in a Help Center article, which we now link to in the Community Standards. We’ve also clarified our health misinformation policy as part of a larger COVID-19 update, including adding more details on our rules and giving examples of the type of false claims we will remove.
- Updating Instagram policies. We’ve updated Instagram’s policy on nudity to clarify that health-related nudity is permitted. We will also undertake a more comprehensive update to reflect all the policies we enforce on Instagram today, and give people more information on the relationship between Facebook’s Community Standards and Instagram’s Community Guidelines.
- Launching a Transparency Center. We’ve been working on a new Transparency Center which we expect to launch in the coming months. It will be a destination for people to get more information about our Community Standards and how we enforce them.
- Explaining key terms. We will look for the best way to explain key terms in our Community Standards and share more information about our Dangerous Individuals and Organizations policy.
- Carefully calibrating our use of automation.
- Improving automated detection. We are always improving our automation technology and will continue to refine our machine learning models so they’re better at detecting the kinds of nudity we do allow. This includes improving computer vision signals, sampling more training data for our machine learning, and, when we’re not as confident about the accuracy of our automation, ensure people review the content.
- Exploring when people and technology should be used for review and appeals. Technology allows us to detect and remove harmful content before people report it, sometimes before people see it. We typically launch automated removals when they are at least as accurate as those by content reviewers. We’ll continue to evaluate which kind of reviews or appeals should be done by people and which can be safely handled by automated systems, and how best to provide transparency about how decisions were made.
- Transparency around automation. We will test the board’s recommendation to tell people when their content is removed by automation.
- Continuing to evaluate our COVID-19 policies.
- Continually evaluating tools. We’ll continue to assess and develop a range of tools to address health misinformation, considering the least intrusive to expression wherever possible.
- Removing based on consultation with experts. We’ll keep looking to leading scientists, including from the World Health Organization and other public health authorities, to tell us what is likely to contribute to imminent physical harm.
- The European Parliamentary Research Service issued a brief indicating the proposal to revise the Network and Information Security (NIS) Directive is currently under consideration in the European Parliament. In mid-December 2020, the European Commission (EC) and the High Representative of the Union for Foreign Affairs and Security Policy unveiled a new EU Cybersecurity Strategy and “proposals to address both cyber and physical resilience of critical entities and networks: a Directive on measures for high common level of cybersecurity across the Union (revised NIS Directive or ‘NIS 2’), and a new Directive on the resilience of critical entities.” This proposal would replace the 2016 “Directive on security of network and information systems (NIS Directive)” ((EU) 2016/1148) currently in effect throughout the EU. NIS 2 would impose new obligations and responsibilities on EU member states and on essential and important entities. The nations of the EU would need to draft and implement national cybersecurity frameworks/strategies, which include setting up vulnerability disclosure programs, voluntary cybersecurity information sharing programs, a policy to address information and communications technology (ICT) supply chain risk, and cybersecurity standards for publicly bought and used ICT. EU nations would also need to name “competent” national authorities to enforce NIS 2, since the EC identified lax or non-existent enforcement of existing cybersecurity laws as a rationale for the new proposal. Consequently, such authorities must be empowered to issue binding directives and, if necessary, warnings or instructions to cease certain conduct. These authorities must also work with data protection authorities in the event of data breaches. NIS 2 also provides for administrative fines and penalties to be established in the laws of EU nations.
- With Democrats taking control of the Senate, key committees have new chairs, which was to be expected, but a change in the Democratic Caucus as to how and when Senators chairing a full committee may also chair a subcommittee has cleared the way for some junior Members to chair prize subcommittees. Among the notable new subcommittee chairs in the Senate are:
- The Senate Commerce, Science, and Transportation Committee’s Consumer Protection, Product Safety, and Data Security Subcommittee will be chaired by Senator Richard Blumenthal (D-CT) with Senator Marsha Blackburn (R-TN) serving as the Ranking Member. On the same committee, Senator Ben Ray Lujan (D-NM) will chair the Communications, Media, and Broadband Subcommittee with Senator John Thune (R-SD) going from chair in the last Congress to Ranking Member. And, of course, Senators Maria Cantwell (D-WA) and Roger Wicker (R-MS) swapped their posts from the last Congress, with the former becoming the new chair and the latter giving up the gavel to become the Ranking Member.
- On the Senate Judiciary Committee, Senator Dick Durbin (D-IL) (also the Majority Whip) succeeds Senator Dianne Feinstein (D-CA), who was eased out of the top Democratic slot on the committee after her performance during key hearings last year was questioned. Durbin will now chair the full committee with Senator Chuck Grassley (R-IA) becoming the top Republican after former Chair Lindsey Graham (R-SC) was forced out due to term limits. Senator Amy Klobuchar (D-MN) will chair the Competition Policy, Antitrust, and Consumer Rights Subcommittee with former Chair Mike Lee (R-UT) becoming the Ranking Member. Senators Chris Coons (D-DE) and Ben Sasse (R-NE) will be the chair and ranking member of the Privacy, Technology, and the Law Subcommittee.
- On the Senate Appropriations Committee there are a number of new chairs, including:
- Defense Subcommittee Chair Jon Tester (D-MT)
- Financial Services and General Government Subcommittee Chair Chris Van Hollen (D-MD)
- Homeland Security Subcommittee Chair Chris Murphy (D-CT)
- The European Commission (EC) published two draft adequacy decisions that would allow the personal data of European Union (EU) residents to flow to the United Kingdom (UK) now that the UK has left the EU. Data flows are continuing through the end of June 2021 under the EU-UK Trade and Cooperation Agreement as if the UK were still in the EU, an arrangement agreed upon by Brussels and London to allow more time for adequacy decisions. The EC asserted:
- Today, the Commission launched the process towards the adoption of two adequacy decisions for transfers of personal data to the United Kingdom, one under the General Data Protection Regulation and the other for the Law Enforcement Directive. The publication of the draft decisions is the beginning of a process towards their adoption. This involves obtaining an opinion from the European Data Protection Board (EDPB) and the green light from a committee composed of representatives of the EU Member States. Once this procedure will have been completed, the Commission could proceed to adopt the two adequacy decisions.
- Over the past months, the Commission has carefully assessed the UK’s law and practice on personal data protection, including the rules on access to data by public authorities. It concludes that the UK ensures an essentially equivalent level of protection to the one guaranteed under the General Data Protection Regulation (GDPR) and, for the first time, under the Law Enforcement Directive (LED).
- After taking the opinion of the European Data Protection Board into account, the European Commission will request the green light from Member States’ representatives in the so-called comitology procedure. Following that, the European Commission could adopt the final adequacy decisions for the UK.
- Microsoft joined a number of European press associations in announcing a joint effort “to ensure that Europe’s press publishers get paid for the use of their content by gatekeepers that have dominant market power in line with the objectives of the new neighbouring right in the EU Digital Single Market Copyright Directive, which comes into force this June and to take inspiration from the new Australian legislation that requires the tech gatekeepers covered by that law to share revenue with news organisations.” This new initiative coincides with Australia’s enactment of its new code that requires Google and Facebook to provide compensation to major Australian media outlets (see here for more analysis.) Microsoft may be engaging in the time-honored strategy of calling for regulation of a certain behavior or issue that will fall hardest on rivals. Google and Facebook would be most affected by European nations or the EU adopting a statute that requires compensating media for use of their content. Of course, when Australian Prime Minister Scott Morrison floated the idea that Microsoft’s Bing could replace Google’s search engine, the company was quick to endorse this notion. Microsoft and its partners are calling on the European Union to expand the current scheme under which Google and Facebook have entered into negotiations in some nations, most notably in France. Microsoft, the European Publishers Council, News Media Europe, the European Magazine Media Association, and the European Newspaper Publishers’ Association are urging the EU to “address gatekeepers with dominant market power, through appropriate regulatory frameworks such as the Digital Markets Act, Digital Services Act or other national laws.” The organizations stated:
- EMMA, ENPA, EPC, NME & Microsoft therefore call for an arbitration mechanism to be implemented in European or national law requiring such gatekeepers to pay for press content in full respect of the Publisher’s Right set out in Directive 2019/790. We welcome proposals made by several Members of the European Parliament to introduce a final arbitration mechanism into relevant regulation. This is needed to prevent undermining the scope of the Publishers’ Right and to create legal certainty. Otherwise, even though press publishers have a neighbouring right, they might not have the economic strength to negotiate fair and balanced agreements with these gatekeeper tech companies, who might otherwise threaten to walk away from negotiations or exit markets entirely.
- The Federal Communications Commission (FCC) adopted “a Report and Order that establishes the Emergency Broadband Benefit Program, a $3.2 billion federal initiative to provide qualifying households discounts on their internet service bills and an opportunity to receive a discount on a computer or tablet” as explained in an agency press release. The “Consolidated Appropriations Act, 2021” (P.L. 116-260) appropriated $3.2 billion to establish an Emergency Broadband Connectivity Fund, and the FCC acted with haste to put this program in place. In the Report and Order, the FCC stated:
- the Emergency Broadband Benefit Program (EBB Program or Program) will use available funding from the Emergency Broadband Connectivity Fund to support participating providers’ provision of qualifying broadband service offerings and connected devices to qualifying households. To participate in the Program, a broadband provider must elect to participate and either be designated as an eligible telecommunications carrier (ETC) or be approved by the Commission. Participating providers will make available to eligible households a monthly discount off the standard rate for an Internet service offering and associated equipment, up to $50.00 per month. On Tribal lands, the monthly discount may be up to $75.00 per month.
- Participating providers will receive reimbursement from the EBB Program for the discounts provided. Participating providers that also supply an eligible household with a connected device, defined in the Consolidated Appropriations Act as a laptop, desktop computer, or tablet, for use during the emergency period may receive a single reimbursement of up to $100.00 for the connected device, if the charge to the eligible household for that device is more than $10.00 but less than $50.00. A participating provider may receive reimbursement for only one supported device per eligible household. Providers must submit certain certifications to the Commission to receive reimbursement, and the Commission is required to adopt audit requirements to ensure provider compliance and prevent waste, fraud, and abuse.
- House Energy and Commerce Ranking Member Cathy McMorris Rodgers (R-WA) and Communications and Technology Subcommittee Ranking Member Bob Latta (R-OH) issued a statement on the “Boosting Broadband Connectivity Agenda,” a “comprehensive package of 28 bills that aim to turbocharge public and private investment by promoting new and upgraded infrastructure deployments, boosting competition, streamlining permitting processes, facilitating broadband deployment on federal lands, and closing the digital divide in both rural and urban areas,” as claimed in their press release. McMorris Rodgers and Latta provided this summary of the bills and made available a more detailed version:
- Promote New Infrastructure Deployment
- The Winning the International Race for Economic Leadership and Expanding Service to Support Leadership (WIRELESS Leadership) Act, led by Rep. Bob Latta (R-OH), would streamline permitting processes for wireless providers by preserving State and local zoning authority subject to reasonable limitations, like shot clocks and cost-based fees, to ensure providers receive an answer on their applications in a timely manner;
- The Barriers and Regulatory Obstacles Avoids Deployment of Broadband Access and Needs Deregulatory Leadership (BROADBAND Leadership) Act, led by Rep. Morgan Griffith (R-VA), streamlines permitting processes for telecommunications service providers by preserving State and local zoning authority subject to reasonable limitations, like shot clocks and cost-based fees, to ensure providers receive an answer on their application in a timely manner;
- The Cable Access for Broadband and Local Economic Leadership (CABLE Leadership) Act, led by Rep. Billy Long (R-MO), would place shot clocks on a cable franchising authority to act on a request for a new franchise to speed up deployment;
- The Connecting and Building Lines for Expedited Expansion (CABLE Expansion) Act, led by Rep. Debbie Lesko (R-AZ), would streamline permitting processes for cable operators by preserving franchising authority subject to reasonable limitations, like shot clocks, to ensure cable operators receive an answer on applications to upgrade or deploy new facilities in a timely manner;
- The Communities Overregulating Networks Need Economic Competition Today (CONNECT) Act, also led by Rep. Billy Long (R-MO), would promote competition by limiting government-run broadband networks throughout the country and encouraging private investment;
- Promote Deployment, Competition, and Consumer Choice through Collocation and Modifications to Existing Infrastructure
- The Streamlining Permitting to Enable Efficient Deployment of Broadband Infrastructure (SPEED) Act, led by Rep. Greg Pence (R-IN), would reduce federal red tape by exempting broadband facilities from burdensome environmental and historic preservation reviews on federal property where a communications facility has already been approved;
- The Wireless Broadband Competition and Efficient Deployment Act, led by Rep. Bill Johnson (R-OH), would remove the requirement to prepare an environmental or historic preservation review in order to add new or upgrade wireless facilities on existing infrastructure;
- The Broadband Competition and Efficient Deployment Act, led by Rep. John Joyce (R-PA), would remove the requirement to prepare an environmental or historic preservation review in order to add new or upgrade wireline facilities;
- The Wireless Resiliency and Flexible Investment Act, led by Rep. Adam Kinzinger (R-IL), would expedite the approval process for modifications to existing wireless facilities to make it easier to improve the resiliency of communications network providing a direct benefit to public safety by making it easier to provide backup power or more reliable connection capabilities;
- The Broadband Resiliency and Flexible Investment Act, led by Rep. Dan Crenshaw (R-TX), would expedite the approval process for modifications to wireline facilities that do not substantially expand the existing footprint, including those that would improve the resiliency of the communication network and provide a direct benefit to public safety, such as backup power, and hardening the facilities, or providing more reliable connection capabilities;
- The Consumer Access to Broadband for Local Economies and Competition Act (CABLE Competition Act), led by Rep. Michael Burgess (R-TX), would streamline the transfer of a franchise from a franchise authority to a cable operator;
- The Cable Transparency Act, led by Rep. Markwayne Mullin (R-OK), would clarify and make more transparent the terms for a cable franchise;
- The Protecting Critical Infrastructure Act, led by Rep. Larry Bucshon (R-IN), would establish a penalty of a 2-year prison term for anyone who willfully or maliciously destroys a communications facility;
- Remove Unnecessary or Duplicative Environmental and Historical Preservation Barriers
- The Reducing Antiquated Permitting for Infrastructure Deployment (RAPID) Act, led by Rep. Steve Scalise (R-LA), would provide clarity and certainty for providers to comply with historical regulations and speed up the deployment of wireless infrastructure;
- The Brownfields Broadband Deployment Act, led by Rep. Tim Walberg (R-MI), would remove the requirement to prepare an environmental or historic preservation review for the deployment of a broadband project entirely within a brownfields site, which is previously disturbed land;
- The Coastal Broadband Deployment Act, led by Rep. Gus Bilirakis (R-FL), would remove the requirement to prepare an environmental or historic preservation review for the deployment of broadband projects entirely within a floodplain;
- The Timely Replacement Under Secure and Trusted for Early and Dependable Broadband Networks Act (TRUSTED Broadband Networks Act), led by Rep. Brett Guthrie (R-KY), would remove the requirement to prepare an environmental or historic preservation review for projects to permanently remove and replace equipment in our networks that puts our national security at risk;
- The Proportional Reviews for Broadband Deployment Act, led by Rep. Buddy Carter (R-GA), would speed up the deployment of requests that modify an existing wireless tower or base station that do not substantially change the physical dimensions of the tower or base station that involves the addition, removal, or replacement of transmission equipment;
- The Wildfire Wireless Resiliency Act, led by Rep. Cathy McMorris Rodgers (R-WA), would speed up the deployment of projects to replace or improve communications facilities after a wildfire;
- Promote Broadband Deployment on Federal Lands
- The Standard Fees to Expedite Evaluation and Streamlining Act (Standard FEES Act), led by Rep. Gary Palmer (R-AL), would establish a common fee for processing applications to deploy communications facilities on Federal property;
- The Enhancing Administrative Reviews for Broadband Deployment Act, led by Rep. Kelly Armstrong (R-ND), would require a study on barriers to reviewing requests within the agencies to deploy broadband infrastructure on Federal land;
- The Expediting Federal Broadband Deployment Reviews Act, led by Rep. Jeff Duncan (R-SC), would direct NTIA to lead an interagency strike force to help prioritize reviews for requests to deploy broadband on Federal land;
- The Federal Broadband Deployment in Unserved Areas Act, led by Rep. John Curtis (R-UT), would allow the Department of Interior to integrate FCC broadband mapping data into a platform that shows which Federal property can support communications facilities in an unserved area;
- The Deploying Infrastructure with Greater Internet Transactions And Legacy Applications (DIGITAL Applications) Act, led by Rep. Fred Upton (R-MI), would establish an online portal to accept, process, and dispose of the common form application to deploy a communications facility on Federal property;
- The Facilitating the Deployment of Infrastructure with Greater Internet Transactions And Legacy Applications (Facilitating DIGITAL Applications) Act, led by Rep. David McKinley (R-WV), would require the NTIA to update Congress on whether the Departments of Interior and Agriculture have established an online portal for the acceptance, processing, and disposal of the common form application to deploy a communications facility on Federal property;
- The Federal Broadband Deployment Tracking Act, led by Rep. Richard Hudson (R-NC), would require NTIA to submit a plan to Congress on tracking the acceptance, processing, and disposal of requests for communications use authorizations on Federal property;
- The Connecting Communities Post Disasters Act, led by Rep. Neal Dunn (R-FL), would accelerate replacing and improving communications facilities in Presidentially-declared disaster areas;
- The Rural Broadband Permitting Efficiency Act of 2021, led by Rep. John Curtis (R-UT), would allow Federal departments to delegate Federal environmental compliance for broadband projects to States and Indian Tribes.
- Plaintiffs and TikTok have proposed a class action settlement resolving a December 2020 complaint which argued that TikTok violated the Computer Fraud and Abuse Act, the California Comprehensive Data Access and Fraud Act, the California Unfair Competition Law, the California False Advertising Law, the Video Privacy Protection Act, Illinois’s Biometric Information Privacy Act, and other laws. The proposed settlement provides “a $92 million non-reversionary cash settlement fund and meaningful injunctive relief.” In their suit, the plaintiffs asserted:
- Defendants have used automated software, proprietary algorithms, AI, facial recognition, and other technologies to commercially profit from Plaintiffs’ and Class Members’ identities, unique identifying information, biometric data and information, images, video and digital recordings, audio recordings, clipboard data, geolocation, names, e-mail addresses, passcodes, social media accounts, messaging services, telephone numbers, and other private, non-public, or confidential data and information, or meaningful combinations thereof, as more fully set forth herein.
- Further, Defendants, through the TikTok app, collected, captured, obtained, stored and, upon information and belief, disclosed and otherwise disseminated Illinois resident TikTok users’ biometric information in violation of the Illinois’ Biometric Information Privacy Act (“BIPA”), 740 ILCS §14/1, et seq. Public policy in Illinois provides that given the risks of unwanted data collection, Illinois citizens need the power to make decisions about the fate of their unique biometric identifiers and information. Defendants’ actions robbed them of that power.
- What is more, unknown to its users, included in the TikTok app is surveillance software developed in China. The TikTok app has clandestinely vacuumed up and transferred to servers in China (and to other servers accessible from within China) vast quantities of private and personally identifiable user data and content that could be employed to identify, profile, and track the physical and digital location and activities of United States users now and in the future.
- The TikTok app has surreptitiously taken TikTok users’ private draft videos they never intended for publication – without notice or consent.
- Defendants and their sophisticated engineering teams also covertly collect and use TikTok users’ highly sensitive and immutable biometric identifiers and information.
- Defendants also covertly transmit personally identifiable information about each TikTok user’s video viewing history to third parties without notice or consent, in violation of the Video Privacy Protection Act (“VPPA”).
- In short, the TikTok app’s lighthearted fun comes at a heavy cost. Meanwhile, Defendants unjustly profit from the secret harvesting of this massive array of private and personally identifiable TikTok user data and content by using it for targeted advertising, improvements to Defendants’ artificial intelligence technologies, the filing of patent applications, and the development of consumer demand for, and use of, Defendants’ other products.
- TikTok accesses its users’ data for various purposes, including tracking users by age, gender, location, operating system, and interest in order to attract marketing and ad sales. By collecting and filtering this user data, TikTok offers a sophisticated targeted ad and marketing platform that allows its ad clientele to hone into their target demographics with shocking precision.
- The Government Accountability Office (GAO) issued another of its periodic assessments of the Department of Veterans Affairs’ troubled efforts to buy and implement a new electronic health record (EHR) system to replace the Veterans Health Information Systems and Technology Architecture (VistA). The GAO concluded:
- VA made progress in preparing for the deployment of the new EHR by, for example, making system configuration decisions, developing system capabilities and system interfaces, conducting end user training, and completing system testing events. In addition, the department had taken actions consistent with our October 2020 recommendations calling for it to resolve existing critical and high severity test findings at the time of initial EHR system deployment. Nevertheless, 55 high severity test findings remained open and additional testing of the system in advance of future deployments will likely lead to the identification of new critical and high severity test findings. If the department does not address these findings prior to deployments, it risks deploying a system that does not perform as intended.
- Further, the Office of Electronic Health Record Modernization (OEHRM) identified key risks and issues that could negatively impact the program’s cost, schedule, and performance, in accordance with its risk management plan. The office was maintaining registers to track open risks and issues and their associated mitigation plans.
- The GAO made two recommendations:
- The Secretary of VA should direct the Executive Director of the Office of Electronic Health Record Modernization to postpone deployment of the new EHR in new locations until all existing open critical severity test findings are resolved and closed, and until any additional critical severity findings identified before planned deployment are closed. (Recommendation 1)
- The Secretary of VA should direct the Executive Director of the Office of Electronic Health Record Modernization to postpone deployment of the new EHR in new locations until all existing open high severity test findings are either resolved and closed or deferred, and until any additional high severity test findings identified before planned deployment are either closed or deferred. (Recommendation 2)
- The National Institute of Standards and Technology (NIST) released Interagency or Internal Report (NISTIR) 8276, Key Practices in Cyber Supply Chain Risk Management (C-SCRM): Observations from Industry. This final document provides the ever-increasing community of digital businesses a set of Key Practices that any organization can use to manage cybersecurity risks associated with their supply chains. NIST explained:
- In today’s highly connected, interdependent world, all organizations rely on others for critical products and services. However, the reality of globalization, while providing many benefits, has resulted in a world where organizations no longer fully control—and often do not have full visibility into—the supply ecosystems of the products that they make or the services that they deliver. With more and more businesses becoming digital, producing digital products and services, and moving their workloads to the cloud, the impact of a cybersecurity event today is greater than ever before and could include personal data loss, significant financial losses, compromise of product integrity or safety, and even loss of life. Organizations can no longer protect themselves by simply securing their own infrastructures since their electronic perimeter is no longer meaningful; threat actors intentionally target the suppliers of more cyber-mature organizations to take advantage of the weakest link.
- That is why identifying, assessing, and mitigating cyber supply chain risks is a critical capability to ensure business resilience. The multidisciplinary approach to managing these types of risks is called Cyber Supply Chain Risk Management (C-SCRM). This document provides the ever-increasing community of digital businesses a set of Key Practices that any organization can use to manage cybersecurity risks associated with their supply chains. The Key Practices presented in this document can be used to implement a robust C-SCRM function at an organization of any size, scope, and complexity. These practices combine the information contained in existing C-SCRM government and industry resources with the information gathered during the 2015 and 2019 NIST research initiatives.
- Former Rhode Island Governor Gina Raimondo was confirmed by the Senate as the next Secretary of Commerce by an 84-15 vote. Senator Ted Cruz (R-TX) had placed a hold on her nomination in early February, and as he explained in a tweet after the hold had been reported: “I’ll lift the hold when the Biden admin commits to keep the massive Chinese Communist Party spy operation Huawei on the Entity List.” Cruz’s hold followed a call from House Foreign Affairs Committee Ranking Member Michael McCaul (R-TX) for Senate Republicans to block Raimondo’s nomination until the White House indicated whether it would keep Huawei on the Entity List, the list of entities to which the United States (U.S.) restricts exports.
- Neera Tanden’s nomination to head the powerful Office of Management and Budget (OMB) has been withdrawn after it became clear that President Joe Biden’s nominee lacked the votes to be confirmed by the Senate. OMB is charged with a myriad of responsibilities over federal cybersecurity, data security, privacy, artificial intelligence, and other areas and is the organ through which the White House makes and changes policy in those and other technology-related realms. Perhaps even more crucially, OMB vets and edits agency budget submissions to ensure they align with White House policies. Tanden had most recently served as the head of the center-left think tank the Center for American Progress, and the issue that sank her nomination was her voluminous, often biting tweets about members of Congress, usually Republicans. Late last week, Senator Joe Manchin (D-WV) cited the tweets as the reason why he could not support the nomination, an announcement followed shortly thereafter by Senators Susan Collins (R-ME) and Mitt Romney (R-UT). Interestingly, Senator Lisa Murkowski (R-AK) said the White House never directly asked her to vote for Tanden, suggesting she could have been persuaded to vote yes, especially after Murkowski led Tanden in an “Alaska 101” discussion on issues important to her state. These comments suggest another Democrat objected to Tanden’s nomination, possibly Kyrsten Sinema (D-AZ), given that if all Democrats minus Manchin voted yes along with Murkowski, the nomination would have 50 votes, and Vice President Kamala Harris could have broken the tie. And yet, the Senate Budget and Homeland Security and Governmental Affairs Committees cancelled votes on Tanden’s nomination, pointing to the likelihood that not enough Democrats on either committee were going to support Tanden. Making things all the more interesting, Sinema does not serve on the Senate Budget Committee, suggesting some unidentified Democrat was going to vote no, possibly Chair Bernie Sanders (I-VT), a frequent target of Tanden’s on Twitter (say that five times fast.) The only Democrat serving on both committees is freshman Alex Padilla (D-CA), for whatever that fact tells us. But, it is being reported elsewhere that the Biden Administration did not want to pay the price Murkowski was demanding, given that elements of the Democratic Party would revolt, and that Sinema’s vote was never in question.
- Virginia Governor Ralph Northam (D) signed the United States’ (U.S.) second comprehensive state privacy law. The “Consumer Data Protection Act” (SB 1392) joins the “California Consumer Privacy Act” (AB 375) and the “California Privacy Rights Act” (Proposition 24), which amended it, as the only comprehensive state privacy laws. However, Virginia’s new privacy law is one of the weakest of the bills proposed in the states (see here for more analysis.)
- The Department of Homeland Security (DHS) announced the availability of $1.87 billion in preparedness grants for states and localities, with an emphasis on cybersecurity. In his statement on the grants funding, Secretary of Homeland Security Alejandro Mayorkas stated:
- With today’s grant awards, I am also directing additional grant funding to support cybersecurity efforts. As we have seen in recent events, attacks on our cyber networks can have devastating effects. Accordingly, I have required that State Homeland Security Program (SHSP) and Urban Area Security Initiative (UASI) recipients spend at least 7.5 percent of their grant awards to enhance their cybersecurity posture. With this funding, state and local grant recipients can conduct cybersecurity risk assessments, strengthen their ‘dot gov’ internet domains, improve the cybersecurity of their critical infrastructure, and conduct additional cybersecurity training and planning.
- House Energy and Commerce Committee Ranking Member Cathy McMorris Rodgers (R-WA) and Communications and Technology Subcommittee Ranking Member Bob Latta (R-OH) wrote the National Telecommunications and Information Administration (NTIA) asking the agency to “prioritize unserved and rural areas for broadband deployment,” in particular through “[t]he new grant programs at NTIA – particularly the Broadband Infrastructure Program.” McMorris Rodgers and Latta asserted:
- To have the greatest impact, NTIA should start with Program applications for areas that are unserved and where no provider has committed to deploy broadband pursuant to a Federal or state commitment. NTIA should also avoid awarding these limited funds to overbuild places that already have broadband service, either through private investment or other broadband funding programs.
- Second, we request that NTIA incorporate a challenge process into the Program, noticed during the application invitation period and administered within the application approval period, to ensure that any broadband deployment funding is properly targeted to truly unserved areas. Challenge processes give broadband providers and other stakeholders a reasonable timeframe to provide the most up-to-date information about broadband availability in areas that could receive funding. This helps avoid overbuilding broadband in areas where broadband exists or where funding has been committed by other agencies or private companies. This procedure is routinely used by the FCC and other Federal and state broadband programs. It is especially important at this time when multiple agencies are already in the process of distributing significant broadband deployment funding, and because the FCC does not have updated, accurate broadband maps as Congress directed under the Broadband DATA Act. Given the expedited timeframe in which NTIA must implement this program to respond to the COVID-19 pandemic, public transparency before funds are awarded will help all interested stakeholders and Congress support NTIA’s implementation of this critical program.
- The Department of Defense’s (DOD) Office of the Inspector General (OIG) found that the Pentagon had properly used funding provided under the first COVID-19 stimulus bill, the CARES Act, to buy information technology (IT), including by scanning the products for known vulnerabilities before procurement or use. The OIG stated:
- The Army, Navy, Air Force, Defense Health Agency, and Defense Information Systems Agency procured information technology products and services in accordance with the CARES Act and other Federal and DoD requirements. Specifically, for 28 of 367 nonstatistically sampled contract actions reviewed, the DOD Components:
- procured information technology products and services to support operations in response to the COVID-19 pandemic and provided contract documentation that supported that the contracts were issued to support the DOD’s response to the pandemic;
- paid fair and reasonable prices for products and services procured because their contracting officials completed and documented one or more Federal Acquisition Regulation-compliant price analysis techniques in their fair and reasonable price determinations;
- assessed whether known cybersecurity risks existed by running vulnerability scans before procuring or using the information technology products and developing corrective action plans for the vulnerabilities that could not be immediately mitigated; and
- accurately reported the COVID-19-related codes to USAspending.gov in accordance with Federal requirements. Army, Navy, Air Force, Defense Health Agency, and Defense Information Systems Agency contracting officials accurately reported the National Interest Action Code in the DOD FY 2020 second and third quarter Digital Accountability and Transparency Act submissions.
- As a result of the DOD’s compliance with the CARES Act and other Federal and DOD requirements, DOD stakeholders have assurance that the Army, Navy, Air Force, Defense Health Agency, and Defense Information Systems Agency procured $81.5 million in information technology products and services in response to the COVID-19 pandemic at reasonable prices and at a reduced risk of cybersecurity vulnerabilities. Continued DOD efforts to comply with the CARES Act and other Federal and DOD requirements will reduce the risk of waste, fraud, and abuse associated with the procurement of information technology products and services and ensure that the American public has visibility of DOD spending on contract actions associated with the response to COVID-19. Furthermore, continued DOD efforts to identify and mitigate cybersecurity vulnerabilities before procuring or using the information technology products and services, will reduce the risk of introducing vulnerabilities into DOD systems and networks that could potentially jeopardize the DOD’s missions, information, and assets.
- 33 female House Democrats wrote White House Chief of Staff Ronald Klain asking that acting Federal Communications Commission (FCC) Chair Jessica Rosenworcel be nominated to permanently chair the FCC. In the last few decades, acting chairs have not typically been nominated to permanently chair the FCC. Nonetheless, these Members argued:
- She has spent years raising the important voices and unique needs of women that have been ignored for far too long in technology and telecommunications policy. She has already hit the ground running by taking several bold and important actions as Acting Chairwoman, has been unanimously confirmed by the Senate twice, and is perfectly qualified to be the first Chairwoman of the FCC.
- Since President Biden appointed Jessica Rosenworcel to the role of Acting Chairwoman just four weeks ago, she has already taken steps to reduce the Homework Gap, promote telehealth, and advance many more key priorities. As women lawmakers, we understand the critical importance that women’s voices bring to policymaking, and we cheer what Acting Chairwoman Rosenworcel has long brought to the FCC’s work.
- In its nearly 90-year history, the FCC has embarrassingly never had a woman as a permanent chair. This is an unacceptable reality for an agency that oversees one-sixth of our nation’s economy and makes consequential decisions that impact all Americans. We urge the Administration to rectify this track record by nominating Jessica Rosenworcel to the role of FCC Chairwoman.
- Senators Catherine Cortez Masto (D-NV) and Deb Fischer (R-NE) and Representatives Haley Stevens (D-MI) and Anthony Gonzalez (R-OH) introduced the “Promoting Digital Privacy Technologies Act” (S.224/H.R.847), which, as asserted in their press release, does the following:
- [R]equires the National Science Foundation (NSF) to support research into privacy enhancing technologies (PET), including:
- Fundamental research on PET technologies.
- Fundamental research into the mathematics that underlie PETs.
- Fundamental research into technologies that promote data minimization principles.
- Research in coordination with other relevant agencies.
- The legislation also integrates this mission with the NSF’s Computer and Network Security Program and requires the National Institute of Standards and Technology (NIST) to work with academic, public, and private sectors to develop and establish voluntary consensus standards for the integration of PET into business and governmental applications, including working with NIH and CDC to increase responsible public health research.
- Finally, the Promoting Digital Privacy Technologies Act requires reports to Congress on progress with research and standard setting every two years.
- The Washington State Senate passed the “Washington Privacy Act” (SB 5062) by a 48-1 vote. SB 5062 tracks closely with the two bills the Washington Senate and House produced last year that lawmakers could not ultimately reconcile. However, it has no provisions on facial recognition technology, the issue largely responsible for sinking a privacy bill in Washington State two years ago (see here for analysis). A rival bill in the House, perhaps the first of several, the “People’s Privacy Act” (HB 1433), is among the strongest privacy bills introduced in the United States (U.S.) (see here for more analysis). Reaching agreement on privacy legislation in Washington will likely not prove easy.
- The Federal Trade Commission (FTC) announced that it is reviewing the process under which proposed mergers are reviewed by the agency and the United States (U.S.) Department of Justice (DOJ) and that it will not grant early termination (ET) of those reviews for the time being. Consequently, the FTC and DOJ will take the full 30-day waiting period allowed under the “Hart-Scott-Rodino Antitrust Improvements Act of 1976” (HSR Act). In a press release, the FTC explained:
- During the transition to the new Administration and given the unprecedented volume of HSR filings for the start of a fiscal year, the Federal Trade Commission, with support from the Antitrust Division of the U.S. Department of Justice, will be reviewing the processes and procedures used to grant early termination to filings made under the Hart-Scott-Rodino Act.
- For this period, the agencies will not grant early terminations. We anticipate that this temporary suspension will be brief. The agencies implemented a similar temporary suspension of early termination grants in March 2020, following the Premerger Notification Office’s establishment of its e-filing system.
- The two Republican Commissioners Noah Joshua Phillips and Christine S. Wilson decried this action:
- In 45 years of administering the HSR Act, the Agencies have done so only when a crisis made them unable to discharge their duties. Even when HSR filings more than doubled in November 2020 compared to November 2019, the processing of ET requests continued. And the number of filings has fallen approximately 70 percent since last November. Absent exigent circumstances, an indefinite suspension of the ET process—with no clarity regarding when and under what circumstances it will resume—is unwarranted. We write to express our concern.
- Microsoft’s President Brad Smith asserted in a blog post that Microsoft supports Australia’s new law (the “Treasury Laws Amendment (News Media and Digital Platforms Mandatory Bargaining Code) Bill 2021”), which requires Google and Facebook to negotiate with media companies and then possibly face binding arbitration if a deal cannot be struck in good faith (see here for more analysis). Smith stated the company’s opposition to the Biden Administration lining up with Google and Facebook and claimed “[t]he United States should not object to a creative Australian proposal that strengthens democracy by requiring tech companies to support a free press…[i]t should copy it instead.” Recently, Microsoft joined a number of European press associations in announcing a joint effort “to ensure that Europe’s press publishers get paid for the use of their content by gatekeepers that have dominant market power in line with the objectives of the new neighbouring right in the EU Digital Single Market Copyright Directive, which comes into force this June and to take inspiration from the new Australian legislation that requires the tech gatekeepers covered by that law to share revenue with news organisations.”
- The GPS Innovation Alliance (GPSIA) wrote National Economic Council Director Brian Deese about the lack of coordination across federal agencies on 5G and spectrum issues, particularly the Federal Communications Commission’s role as evidenced by its decision in the Ligado proceeding (see here for more analysis). GPSIA asserted:
- As a satellite-based navigation system, GPS operates in a manner that is distinctly different from terrestrial-based communications services. Given the fundamental differences in power and function between the two, it is paramount that policy formulation draw upon the expertise of the U.S Space Force and Department of Transportation (DoT), the U.S. government’s lead military and civilian agencies, respectively, for the criticality of GPS to their missions and operations. These agencies’ views must continue to be a core element in any federal actions that may affect GPS. Today, these and other federal agencies that support the GPS program, coordinate their spectrum management requirements and positions through the National Telecommunications and Information Administration (NTIA), while the Federal Communications Commission (FCC) maintains responsibility for licensing the commercial spectrum. Each has a necessary and important role to play in spectrum policy. Unfortunately, though, activities leading up to the adoption of the FCC’s April 2020 Order, authorizing the deployment of a nationwide terrestrial wireless network by Ligado Networks, LLC (Ligado), demonstrate that the current coordination process needs reform.
- Inter-agency disputes involving spectrum, though, are not unique to GPS. In recent years, the FCC has found itself at odds with NTIA and other federal agencies on spectrum allocated for intelligent transportation systems (5.9 GHz) and with spectrum located near satellites used for weather forecasting (24 GHz). While GPSIA takes no position on the substance of these matters, they reflect a continued pattern by which shared decision-making is replaced by the FCC acting with exclusive authority as the final arbiter. These decisions have enormous implications for our nation’s economy, including GDP growth and job creation, as well as national defense and should, therefore, be made in collaboration with the federal agencies responsible for managing and/or using these incumbent systems and services.
- The GPSIA asked the Biden Administration for the following:
- Updating the 2003 Memorandum of Understanding (MOU) between the FCC and NTIA. The current version of this document was signed nearly 20 years ago, at a time when spectrum was highly stovepiped for federal and non-federal users; thus, disputes were neither as frequent nor complex. An update of the MOU must reflect this changed and still evolving landscape, with an emphasis on establishing a formal process for resolving Executive Branch and FCC disputes, such as occurred in the FCC’s Ligado proceeding. If necessary, Congress could consider codifying this aspect of the MOU in statute, ensuring that shared decision-making authority between the two agencies is fully embraced.
- To ensure the FCC has in-house expertise relating to GPS and other technologies that use spectrum, GPSIA recommends that the Commission’s Office of Engineering & Technology maintain a detailee from one of the federal agencies responsible for managing the GPS program. This would ensure that when the FCC’s technical communications experts must address positioning, navigation, and timing (PNT) issues involving GPS, they have the benefit of relevant expertise.
- Each FCC Commissioner would also benefit from having his or her own technical advisor. A practice that was discontinued years ago and proposed once again in bipartisan legislation more than a decade ago, it would ensure that, as Commissioners tackle increasingly complex technical matters, they have the benefit of an electrical engineer or computer scientist on their staff.
- Finally, we would encourage a focus on Executive Branch preparations and leadership for the ITU World Radiocommunication Conference in 2023, to ensure that the Administration views are appropriately developed and executed in the ITU and regional bodies that participate in the WRC. Ensuring that the Administration’s priorities are advanced requires a whole of government approach, with appropriate level engagement, funding and staffing at the Department of State and the NTIA.
- The Federal Trade Commission’s Office of the Inspector General (OIG) released the results of the annual audit of the FTC’s cybersecurity required by the “Federal Information Security Modernization Act of 2014” (P.L. 113-283) (FISMA), which was performed by a private firm. The firm generally returned positive results:
- We determined the maturity level for each FISMA domain based on the responses to the questions contained in the FISMA Reporting Metrics and testing for each domain. We determined the FTC’s overall maturity level for its security program as Managed and Measurable based upon a simple majority of the component scores for each domain’s maturity level. Our testing of the information security program found no significant control issues and concluded the FTC’s security program controls in place were effective.
- House Energy and Commerce Committee Chair Frank Pallone, Jr. (D-NJ), Oversight and Investigations Subcommittee Chair Diana DeGette (D-CO), Communications and Technology Subcommittee Chair Mike Doyle (D-PA), and Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky (D-IL) wrote to Facebook CEO Mark Zuckerberg, explaining:
- The Committee is deeply concerned about dangerous and divisive rhetoric thriving on Facebook’s platform and is considering legislation to address these issues. From conspiracy theorists peddling false information to extremist voices urging and organizing violence, Facebook has become a breeding ground for polarization and discord.
- This deadly attack on the Capitol laid bare the dire consequences of hyperpolarization and extremism in our current political discourse—much of which is occurring on your platform. With more than 3 billion monthly users across different services, Facebook must play a leading role in lessening the divide and lowering the temperature.
- To that end, the Committee is interested in understanding more about Facebook’s research on divisive content and user behavior, the reported presentations and recommendations made to Facebook executives and their actions in response, and the steps Facebook leadership has taken to reduce polarization on its platform. The Committee, therefore, requests you provide the following information to the Committee as soon as possible, but no later than March 9, 2021:
- 1. Please describe when and why Facebook first began conducting research into divisive content and behavior on its platform. In your response, please specify each factor that prompted Facebook to engage in this research.
- 2. In the course of any internal study or analysis, did Facebook uncover any evidence or reach any findings that would confirm or suggest its platform, algorithms, or other tools exacerbate divisiveness or polarization? If yes, please provide a detailed explanation of what was found and how that information was used.
- 3. Please describe in detail the Common Ground task force and the Integrity Teams discussed above, including, but not limited to, date(s) established, roles and missions (as originally stated and including any amendments thereto), date(s) and reason(s) for disbandment (if applicable), and all findings and recommendations made by the Common Ground task force and/or Integrity Teams regarding divisiveness, polarization, or user behavior, including details on whether and how Facebook addressed or adopted such findings and recommendations, in whole or in part.
- 4. Please provide a complete description of the Eat Your Veggies process, including its relationship to and any interactions with the Common Ground task force and/or Integrity Teams; the name and role of each person involved in the process, including Mr. Kaplan; and the divisions and offices involved. In your response, please indicate if Facebook continues to follow this process today.
- The European Union Agency for Cybersecurity (ENISA) issued a report, “Security in 5G Specifications,” which, per the agency’s press release, is “about key security controls in the Third Generation Partnership Project (3GPP), the main body developing technical specifications for fifth generation of mobile telecommunications (5G) networks.” ENISA stated “[a]s vendors, system integrators and operators build, deploy and manage 5G networks, the ENISA publication underlines the need for cybersecurity and for the national regulatory authorities in charge of cybersecurity policy development and implementation to have a good understanding of these controls.” The agency added:
- This new ENISA report is directly driven by the objectives set in the EU toolbox for 5G security – mainly technical measure ‘TM02’. This technical measure calls on the relevant authorities in EU Member States to ensure and evaluate the implementation of security measures in existing 5G standards (3GPP specifically) by operators and their suppliers.
- The aim of the report is to help national and regulatory authorities to better understand the standardisation environment pertaining to 5G security, 3GPP security specifications and key security controls that operators must implement to secure 5G networks.
- More specifically, the report provides:
- A high-level overview of the specification and standardisation landscape for the security of 5G networks, and of the main activities by various standardisation organisations and industrial groups in the area of 5G;
- An explanation of the technical specifications developed by 3GPP for the security of 5G networks, with a focus on optional security features;
- Summary of key findings and good security practices.
- The Department of Defense’s (DOD) Office of the Inspector General (OIG) issued an “Audit of Cybersecurity Requirements for Weapon Systems in the Operations and Support Phase of the Department of Defense Acquisition Life Cycle,” a heavily redacted assessment of how well the DOD is doing in managing cybersecurity risk on five selected weapons systems through the use of the DOD’s Risk Management Framework. The OIG assessed the following procurements: Advanced Threat Infrared Countermeasures/Common Missile Warning System (ATIRCM/CMWS), Multifunctional Information Distribution System (MIDS), Advanced Anti-Radiation Guided Missile (AARGM), B-2 Spirit Bomber, and the AC-130J Precision Strike Package (PSP). The OIG asserted:
- Program officials for the five DOD weapon systems that we assessed complied with Risk Management Framework requirements and obtained an authorization to operate. The officials also took actions to update cybersecurity requirements during the Operations and Support (O&S) phase of the acquisition life cycle based on publicly acknowledged or known cybersecurity threats and intelligence-based cybersecurity threats. Specifically, officials from the Army, Navy, Air Force, and U.S. Special Operations Command regularly obtained and analyzed cyber threats from various intelligence agencies to assess potential operational impacts to the weapon systems, and, based on their analysis, updated cybersecurity requirements to account for additional countermeasures implemented or needed to protect the weapon systems from the identified threats.
- We identified best practices employed by program officials that ensured that information gathered and analysis performed was sufficient to identify and mitigate potential malicious activity, cyber vulnerabilities, and threats; and assess the effectiveness of protection measures within the weapon system for data and cyber resiliency. For example, the program officials formed intelligence-based working groups, conducted cyber tabletop exercises, and regularly completed cyber threat and risk assessments to mitigate the DOD’s susceptibility to cybersecurity threats to weapon systems.
- Because the O&S phase of the acquisition life cycle may last for years, DOD Components must continue to emphasize the protection of weapon systems by mitigating cyber threats throughout the O&S phase. For example, the B-2 Spirit Bomber, one of the weapon systems that we assessed, has been in the O&S phase for 16 years. Program officials for all weapon systems should consider the best practices described in this report when developing plans and procedures for reducing cybersecurity risks within their programs.
Coming Events
- The Senate Banking, Housing and Urban Affairs Committee will hold a hearing on the nominations of Federal Trade Commission Commissioner Rohit Chopra to be the Director of the Consumer Financial Protection Bureau and former Commodity Futures Trading Commission Chair Gary Gensler to be the Chair of the Securities and Exchange Commission on 2 March.
- The Government Accountability Office’s (GAO) 2021 High-Risk List. On 2 March the House Oversight and Reform and Senate Homeland Security and Governmental Affairs Committees will hold hearings on the forthcoming GAO biennial report on “government operations that we identified as ‘high risk’” with United States Comptroller General Gene Dodaro testifying. In its 2019 list, the GAO identified the following areas as high risk, and not for the first time:
- Ensuring the Cybersecurity of the Nation
- Strengthening Department of Homeland Security Management Functions
- Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests
- Improving the Management of IT Acquisitions and Operations
- On 2 March, the House Energy and Commerce Committee’s Health Subcommittee will hold a hearing titled “The Future of Telehealth: How COVID-19 is Changing the Delivery of Virtual Care” with these witnesses:
- Megan R. Mahoney, M.D., Chief of Staff, Stanford Health Care
- Ateev Mehrotra, M.D., M.P.H, Associate Professor of Health Care Policy, Harvard Medical School
- Elizabeth Mitchell, President and CEO, Purchaser Business Group on Health
- Jack Resneck, Jr., M.D., Board of Trustees, American Medical Association
- Frederic Riccardi, President, Medicare Rights Center
- Former Trump Administration National Security Advisor and retired Lieutenant General Herbert R. McMaster, Jr. and Brookings Institution Senior Fellow Dr. Thomas Wright will testify before the Senate Armed Services Committee “on global security challenges and strategy” on 2 March in a hearing that will likely include testimony and questions on the technology aspects of the United States’ challenges with the People’s Republic of China, the Russian Federation, and other nations and actors.
- The Senate Homeland Security and Governmental Affairs Committee will hold a 4 March hearing to consider the nominations of Shalanda Young to be the Office of Management and Budget’s (OMB) Deputy Director and Jason Miller to be OMB’s Deputy Director for Management.
- On 17 March, the Federal Communications Commission (FCC) will hold an open meeting with the following tentative agenda:
- Public Drafts of Meeting Items – The FCC is publicly releasing the draft text of each item expected to be considered at this Open Commission Meeting with the exception of items involving national security matters and specific, enforcement-related matters including restricted proceedings and hearing designation orders. One-page cover sheets are included in the public drafts to help summarize each item. Links to these materials are provided below.
- Promoting Public Safety Through Information Sharing. The Commission will consider a Second Report and Order that would provide state and federal agencies with direct, read-only access to communications outage data for public safety purposes while also preserving the confidentiality of that data. (PS Docket No. 15-80)
- Improving the Emergency Alert System and Wireless Emergency Alerts. The Commission will consider a Notice of Proposed Rulemaking and Notice of Inquiry to implement section 9201 of the National Defense Authorization Act for Fiscal Year 2021, which is intended to improve the way the public receives emergency alerts on their mobile phones, televisions, and radios. (PS Docket Nos. 15-94, 15-91)
- Facilitating Shared Use in the 3.45 GHz Band. The Commission will consider a Second Report and Order that would establish rules to create a new 3.45 GHz Service operating between 3.45-3.55 GHz, making 100 megahertz of mid-band spectrum available for flexible use throughout the contiguous United States. (WT Docket No. 19-348)
- Auction of Flexible-Use Service Licenses in the 3.45-3.55 GHz Band. The Commission will consider a Public Notice that would establish application and bidding procedures for Auction 110, the auction of flexible use licenses in the 3.45-3.55 GHz band. (AU Docket No. 21-62)
- Promoting the Deployment of 5G Open Radio Access Networks. The Commission will consider a Notice of Inquiry seeking comment on the current status of Open Radio Access Networks (Open RAN) and virtualized network environments, including potential obstacles to their development and deployment, and whether and how deployment of Open RAN-compliant networks could further the Commission’s policy goals and statutory obligations. (WT Docket No. 21-63)
- National Security Matter. The Commission will consider a national security matter.
- National Security Matter. The Commission will consider a national security matter.
- Enforcement Bureau Action. The Commission will consider an Enforcement Bureau Action.
- The House Energy and Commerce Committee’s Communications and Technology and Consumer Protection and Commerce Subcommittees will hold a joint hearing on 25 March “on misinformation and disinformation plaguing online platforms” with these witnesses: Facebook CEO Mark Zuckerberg, Google CEO Sundar Pichai, and Twitter CEO Jack Dorsey.
- The Federal Trade Commission (FTC) will hold a workshop titled “Bringing Dark Patterns to Light” on 29 April.
- On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.
Photo by Andrés Medina on Unsplash