Other Developments, Further Reading, and Coming Events (29 March 2021)

First, subscribe to my new newsletter, the Wavelength, to get all the content you have come to enjoy on my blog. I’m a former lobbyist and Congressional staffer who understands the politics, policy, law, and technology. I cover the U.S. and much of the rest of the world, across much of the breadth of the technology world.

Other Developments

  • A federal court has given final approval to a $650 million class action settlement with Facebook under an Illinois statute. Plaintiffs had sued Facebook under the Illinois Biometric Information Privacy Act (BIPA), 740 Ill. Comp. Stat. 14/1 et seq. (2008), alleging that Facebook’s photo tagging program, which scanned faces in uploaded photos, violated their privacy rights under BIPA, an assertion multiple courts agreed with. And while Facebook faced potential liability as high as $35 billion, the settlement requires a much smaller payment, with class members receiving individual payments that may be as low as $340. This is a common outcome in class actions, as the attorneys will likely take up to a third of the award and recover their costs. Nevertheless, in its order approving the settlement, the court explained:
    • The case raised several complicated and intensely litigated issues, including the question of whether a statutory privacy injury was sufficiently “real” and concrete to establish an injury in fact for standing under Article III and the BIPA. The Court determined that it was, and two other courts — the Illinois Supreme Court and the Ninth Circuit — reached the same conclusion. The standing issue makes this settlement all the more valuable because Facebook and other big tech companies continue to fight the proposition that a statutory privacy violation is a genuine harm. In a pending Supreme Court case about the Fair Credit Reporting Act, which is unrelated to this action, Facebook, Google, and eBay filed an amicus brief that points to this settlement and asks the Court to reverse the “mistaken holding” that a statutory privacy violation is an actual injury.
    • Overall, the settlement is a major win for consumers in the hotly contested area of digital privacy. Final approval of the class action settlement is granted. Attorneys’ fees and costs, and incentive awards to the named plaintiffs, are also granted, although in lesser amounts than requested.
    • This case has traveled a long and winding road since it was filed in 2015, and the Court focuses here on the key events most pertinent to final approval and the fees award. A heavily litigated class certification motion was resolved in favor of certification of a class of Facebook users located in Illinois for whom Facebook created and stored a face template after June 7, 2011. Dkt. No. 333 at 15. The certified class, which is also the class for the settlement, Dkt. No. 468, Ex. A at 5-6 (¶ 1.7), challenged Facebook’s “Tag Suggestions” program, which looks for and identifies people’s faces in photographs uploaded to Facebook to promote user tagging. The class members alleged that Facebook collected and stored their biometric data — namely digital scans of their faces — without prior notice or consent, thereby violating Sections 15(a) and 15(b) of the BIPA, 740 Ill. Comp. Stat. 14/15(a)-(b).
  • Senator Ed Markey (D-MA) and Representative Ted Lieu (D-CA) reintroduced the “Cyber Shield Act” (H.R.2236/S.965), a bill they have introduced over the last few Congresses that would “create a voluntary cybersecurity certification program for Internet of Things (IOT) devices” according to their press release. They asserted:
    • The Cyber Shield Act will specifically establish an advisory committee of cybersecurity experts from academia, industry, consumer groups, government, and the public to create cybersecurity benchmarks for IOT devices – such as baby monitors, home assistants, smart locks, cameras, cell phones, and laptops. IOT manufacturers can then voluntarily certify that their products meet those cybersecurity benchmarks, and display this certification to the public with a “Cyber Shield” label that will help consumers identify and purchase more secure technology for their homes.
  • The White House named a new Federal Chief Information Officer (CIO) and administrator of the Office of Electronic Government at the Office of Management and Budget (OMB). President Joe Biden named Clare Martorana to both roles, and the White House provided the following biography:
    • Throughout her career, Clare Martorana worked to improve and simplify the digital experiences people have when interacting with businesses and government. Martorana most recently served as Chief Information Officer of the U.S. Office of Personnel Management, where for the past two years she stabilized and secured agency operations to deliver better digital-first services for the Federal workforce. Martorana began her public service career as a member of the U.S. Digital Service team at the U.S. Department of Veterans Affairs, establishing the agency’s enterprise-wide Digital Modernization effort to deliver for veterans the 21st-century digital experience they deserve. Prior to joining government, Martorana was President at Everyday Health and Senior Vice President and General Manager and editor-at-large at WebMD.
  • The European Commission (EC) proposed “a Digital Green Certificate to facilitate safe free movement inside the EU during the COVID-19 pandemic” according to a press release. The EC added:
    • The Digital Green Certificate will be a proof that a person has been vaccinated against COVID-19, received a negative test result or recovered from COVID-19. It will be available, free of charge, in digital or paper format. It will include a QR code to ensure security and authenticity of the certificate. The Commission will build a gateway to ensure all certificates can be verified across the EU, and support Member States in the technical implementation of certificates. Member States remain responsible to decide which public health restrictions can be waived for travellers but will have to apply such waivers in the same way to travellers holding a Digital Green Certificate.
  • The European Data Protection Supervisor (EDPS) issued his opinion on the European Commission’s (EC) proposal to revise the European Union’s cybersecurity directive. In his press release, the EDPS stated he “welcomes the Proposal for the NIS 2.0 Directive, which aims to replace the existing Directive on security of network and information systems (NIS)…[and] [t]he goal of the Proposal is to harmonise and strengthen cybersecurity practices across the EU.” The EDPS stated:
    • The EDPS therefore equally welcomes the aim of the Proposal to introduce systemic and structural changes to the current NIS Directive in order to cover a wider set of entities across the Union, with stronger security measures, including mandatory risk management, minimum standards and relevant supervision and enforcement provisions. In this regard, the EDPS considers that it is necessary to fully integrate Union institutions, offices, bodies and agencies in the overall EU-wide cybersecurity framework for achieving a uniform level of protection, by including Union institutions, offices, bodies and agencies explicitly in the scope of the Proposal.
    • The EDPS further highlights the importance of integrating the privacy and data protection perspective in the cybersecurity measures stemming from the Proposal or from other cybersecurity initiatives of the Strategy in order to ensure a holistic approach and enable synergies when managing cybersecurity and protecting the personal information they process. It is equally important that any potential limitation of the right to the protection of personal data and privacy entailed by such measures fulfil the criteria laid down in Article 52 of the EU Charter of Fundamental Rights, and in particular that they be achieved by way of a legislative measure, and be both necessary and proportionate.
    • It is the expectation of the EDPS that the Proposal does not seek to affect the application of existing EU laws governing the processing of personal data, including the tasks and powers of the independent supervisory authorities competent to monitor compliance with those instruments. This means that all cybersecurity systems and services involved in the prevention, detection, and response to cyber threats should be compliant with the current privacy and data protection framework. In this regard, the EDPS considers it important and necessary to establish a clear and unambiguous definition for the term “cybersecurity” for the purposes of the Proposal.
    • The EDPS issues specific recommendations to ensure that the Proposal correctly and effectively complements the existing Union legislation on personal data protection, in particular the GDPR and the ePrivacy Directive, also by involving the EDPS and the European Data Protection Board when necessary, and establishing clear mechanisms for the collaboration between competent authorities from the different regulatory areas.
    • Furthermore, the provisions on managing internet Top Level Domain registries should clearly define the relevant scope and conditions in law. The concept of the proactive scans of network and information systems by the CSIRTs equally requires further clarifications on the scope and the types of personal data processed. Attention is drawn to the risks for possible non-compliant data transfers related to the outsourcing of cybersecurity services or the acquisition of cybersecurity products and their supply chain.
    • The EDPS welcomes the call for the promotion of the use of encryption, and in particular end-to-end encryption, and reiterates his position on encryption as a critical and irreplaceable technology for effective data protection and privacy, whose circumvention would deprive the mechanism of any protection capability due to their possible unlawful use and loss of trust in security controls. To this end, it should be clarified that nothing in the Proposal should be construed as an endorsement of weakening end-to-end encryption through “backdoors” or similar solutions.
  • The United States, Japan, Australia, and India once again convened the Quadrilateral Security Dialogue, this time virtually. The leaders of the four nations discussed issues of common concern, many of which centered on the People’s Republic of China’s role in the Pacific and Indian Ocean regions. President Joe Biden, Prime Minister Yoshihide Suga, Prime Minister Scott Morrison, and Prime Minister Narendra Modi issued a joint statement, in which they said:
    • We have convened to reaffirm our commitment to quadrilateral cooperation between Australia, India, Japan, and the United States. We bring diverse perspectives and are united in a shared vision for the free and open Indo-Pacific. We strive for a region that is free, open, inclusive, healthy, anchored by democratic values, and unconstrained by coercion.
    • The four nations announced the formation of a number of working groups, including:
      • The Quad Critical and Emerging Technology Working Group
        • Quad leaders recognize that a free, open, inclusive, and resilient Indo-Pacific requires that critical and emerging technology is governed and operates according to shared interests and values. In that spirit, we will convene a Critical and Emerging Technology Working Group, which will:
        • Develop a statement of principles on technology design, development, and use;
        • Facilitate coordination on technology standards development, including between our national technology standards bodies and working with a broad range of partners;
        • Encourage cooperation on telecommunications deployment, diversification of equipment suppliers, and future telecommunications, including through close cooperation with our private sectors and industry;
        • Facilitate cooperation to monitor trends and opportunities related to developments in critical and emerging technology, including biotechnology;
        • Convene dialogues on critical technology supply chains.
  • The United Kingdom’s (UK) Secretary of State for the Department for Digital, Culture, Media and Sport (DCMS) and the Information Commissioner issued a Memorandum of Understanding, (MOU) “which recognises the roles and responsibilities of DCMS and the Information Commissioner’s Office (ICO) in carrying out adequacy assessments” per their press release. DCMS and ICO stated “[t]his MOU sets out an agreed understanding between the Parties on the role and responsibilities of the ICO in relation to UK Adequacy Assessment Work…[and] describes the agreed understanding between the Parties on the:
    • Working-level cooperation and consultation between DCMS and the ICO;
    • Status of the cooperation and consultation, including the status of the views of the ICO; and
    • Respective roles and responsibilities of DCMS and the ICO in the context of future decision-making by the Secretary of State in relation to UK Adequacy Regulations.
  • The Democratic and Republican leadership of the House Energy and Commerce Committee wrote five federal agencies requesting information on the SolarWinds attack: the Departments of Commerce, Energy, and Health and Human Services, the Environmental Protection Agency (EPA), and the National Telecommunications and Information Administration (NTIA). They stated:
    • We write to request information from your department related to the recent SolarWinds cybersecurity attack. In December 2020, FireEye discovered the SolarWinds attack, which we now know affected thousands of public and private sector entities, including the U.S. government. The Cybersecurity and Infrastructure Security Agency (CISA) has said that SolarWinds and potentially other supply chain compromises have affected the U.S. government, critical infrastructure entities, and private sector organizations by an advanced persistent threat since at least March 2020.
    • Over the past several years, the Committee on Energy and Commerce has done extensive work on cyber threats, including hearings and investigations examining the information security programs and controls over key computer systems and networks at multiple agencies under the Committee’s jurisdiction. Because the SolarWinds attack has potentially affected a wide array of federal agencies and programs, the Committee is seeking to gain a fuller understanding of the scope of the attack and actions being taken to mitigate its effects.
    • The Cyber Unified Coordination Group (UCG) believes the SolarWinds attack “was, and continues to be, a counterintelligence gathering effort.” Therefore, it is critical that your department take steps to address this ongoing threat. While your department has provided Committee staff initial reports, we now request more details about your understanding of this intrusion and actions your department has taken in response.
    • They asked that the following questions be answered:
      • Has your department been impacted by the compromise? If yes, please explain the nature and extent of the compromise, including when your department was first compromised and when you detected such compromise, and your assessment of any actual or potential effects on your department and programs.
      • What actions is your department taking to investigate and respond to the compromise? Please identify your specific actions.
      • Is your department a sector-specific agency, as that term is defined in Presidential Policy Directive 21 (PPD-21), and does your department identify its most critical informational and operational infrastructure and take specific measures to protect that infrastructure?
      • What is your department’s schedule for mitigating the risks associated with the compromise?
      • Once a cyber threat has been detected, does your department notify other agencies in real time? In this instance, please identify which agencies or departments were notified and which ones were not.
      • How does your department assess vendors for cybersecurity risks? Please explain.
      • Does your department regularly audit vendors for cybersecurity risks? If so, please explain how often such audits take place.
      • Does your department have a specific plan to reduce the risks of future supply chain attacks? If so, please explain.
  • The European Commission (EC) announced that it had launched, “at an online event, the European Innovation Council (EIC) with a budget of over €10 billion (in current prices) for 2021-2027 to develop and expand breakthrough innovations,” as explained in its press release. The EC stated:
    • Building on a successful pilot programme under Horizon 2020, the new EIC is not only a novelty of Horizon Europe, but it is also unique in the world: it combines research on emerging technologies with an accelerator programme and a dedicated equity fund, the European Innovation Council Fund, to scale up innovative start-ups and small and medium-sized businesses (SMEs). Around €3 billion of the EIC’s budget will go towards the EIC Fund.
    • Furthermore, the first annual work programme of the EIC is published, opening funding opportunities worth over €1.5 billion in 2021. At the same time, two prizes for Women Innovators and the European Capital of Innovation are opened for applications.

Further Reading

  • “Alan Rusbridger says Oversight Board will ask to see Facebook’s algorithm” By Alex Hern — The Guardian. The former editor of The Guardian who sits on the Facebook Oversight Board told a committee of Britain’s Parliament that he feels frustrated about the limitations placed on the body’s scope of work and its powers. He also said the board may seek to obtain Facebook’s algorithm. The Communications and Digital Committee is conducting an inquiry on “the media, digital and the creative industries.” Alan Rusbridger stated:
    • I agree with Kate that the board will want to expand in its scope. We are already a bit frustrated by just saying, “Take it down” or “Leave it up”. What happens if you want to make something less viral? What happens if you want to put in an interstitial? What happens if, without commenting on any current high-profile cases, you did not want to ban somebody for life but you wanted to have a sin bin, so that, if they misbehaved, you could chuck them back in again, like a yellow card? All these things are things which the board may ask Facebook for in time, but we have to get our feet under the table first and prove that we can do what we want. At some point, I feel sure that we will ask to see the algorithm, whatever that means. Whether we can understand it when we see it is a different matter.
  • “Amazon Has Become a Prime Revolving-Door Destination in Washington” By David Corn and Dan Spinelli — Mother Jones. As has been standard practice among companies in Washington, Amazon has been hiring an unknown number of former government officials so the tech giant can better understand and navigate the landscape to its benefit. A LinkedIn search turned up nearly 250 such hires over the last ten years, and the true number is likely higher. To no surprise, there is no database that covers former government officials who now work for companies in positions where they can help their new employer shape and make policy. Not all of these people lobby for Amazon, and many have probably been brought on board to help the company understand arcane government procedures and regulations. And of course, Amazon is a major government contractor, as many agencies use Amazon Web Services’ cloud platform.
  • “YouTube CEO: Trump to be reinstated once ‘risk of violence’ passes” By Leah Nylen and Cristiano Lima — Politico. The Google-owned gorilla of the video streaming market is now saying it might reinstate former President Donald Trump’s account if there is no longer a risk of violence associated with his posts. This is a break from Twitter’s permanent ban and Facebook’s ban, which has been kicked over to its Oversight Board. One wonders about the metrics YouTube will use to determine the risk of violence.
  • “Amazon and the Breaking of Baltimore” By Alex MacGillis — The New York Times. This piece places the rise of big technology companies in the larger context of what has been happening in the United States over the last 40 years, as deindustrialization has ravaged formerly prosperous areas while coastal areas have enjoyed boom years.
  • “Former Rep. Katie Hill’s lawsuit pits 1st Amendment against revenge-porn law” By Seema Mehta — The Los Angeles Times. Former Representative Katie Hill (D-CA) is suing a Republican political operative and her former husband under California’s revenge porn law, but the First Amendment’s protection of the media may block her legal action. The defendants are arguing, among other defenses, that they were relating information of public concern (i.e., compromising photos of Hill) given that it pertained to a sitting Member of Congress.

Coming Events

  • The Federal Communications Commission (FCC) will hold an open meeting on 22 April. No agenda has been announced as of yet.
  • The Federal Trade Commission (FTC) will hold a workshop titled “Bringing Dark Patterns to Light” on 29 April.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by JJ Ying on Unsplash