Other Developments, Further Reading, and Coming Events (5 April 2021)

Other Developments

  • United States (U.S.) and European Union (EU) negotiators continue to work towards a new arrangement that would once again allow the personal data of EU residents to be imported to the U.S. for processing under the General Data Protection Regulation (GDPR). The U.S. and EU have been in talks since last July when the Court of Justice of the European Union (CJEU) struck down the adequacy decision underlying the U.S.-EU Privacy Shield agreement, largely because of a lack of redress for EU residents in the U.S. and the latter’s extensive intelligence and surveillance programs (see here for more detail and analysis). The joint statement suggested that talks had dragged or were not prioritized during the Trump Administration for unknown reasons. Perhaps the EU did not receive well the previous administration’s arguments on the path forward (see here for more detail and analysis). Nonetheless, the two governments revealed they are looking to “enhance” the Privacy Shield in line with the CJEU’s ruling. Secretary of Commerce Gina Raimondo and European Commissioner for Justice Didier Reynders issued a statement:
    • The U.S. Government and the European Commission have decided to intensify negotiations on an enhanced EU-U.S. Privacy Shield framework to comply with the July 16, 2020 judgment of the Court of Justice of the European Union in the Schrems II case.
    • These negotiations underscore our shared commitment to privacy, data protection and the rule of law and our mutual recognition of the importance of transatlantic data flows to our respective citizens, economies, and societies.
    • Our partnership on facilitating trusted data flows will support economic recovery after the global pandemic, to the benefit of citizens and businesses on both sides of the Atlantic. 
  • The National Institute of Standards and Technology (NIST) issued a draft NIST Interagency or Internal Report (IR) 8310, Cybersecurity Framework Election Infrastructure Profile, for comment. In the agency’s press release, NIST explained:
    • This Profile provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to election infrastructure. The Profile is meant to supplement but not replace current cybersecurity standards and industry guidelines available to election officials.
    • This profile can be used in several ways, including the following: 
      • To highlight and communicate high priority security expectations,
      • To perform a self-assessment comparison of current risk management practices, or
      • As a baseline profile or example profile to reference when developing one’s own.
    • In the draft document, NIST provided this summary:
      • This document is a Cybersecurity Framework (CSF) Profile developed for voting equipment and information systems supporting elections. This Election Infrastructure Profile can be utilized by election administrators and IT professionals managing election infrastructure to reduce the risks associated with these systems. This Profile provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to election infrastructure. The Profile is meant to supplement but not replace current cybersecurity standards and industry guidelines that the election administrators are already leveraging.
  • The Government Accountability Office (GAO) examined the risk of cyberattack to the United States’ (U.S.) electric grid, particularly the distribution system, and found that neither the U.S. Department of Energy (DOE) nor state regulators had strategies or policies in place to protect this part of the grid. The GAO explained “[t]his report (1) describes the extent to which grid distribution systems are at risk from cyberattacks and the scale of potential impacts from such attacks, (2) describes selected state and industry actions to improve distribution systems’ cybersecurity and federal efforts to support those actions, and (3) examines the extent to which DOE has addressed risks to distribution systems in its plans for implementing the national cybersecurity strategy.” The GAO concluded:
    • The grid’s distribution systems, which carry to consumers the electricity essential to modern life, are increasingly at risk from cyberattacks. DOE, DHS, and other federal agencies have provided resources to states and industry to help them improve the cybersecurity of distribution systems. However, DOE’s plans for implementing the national cybersecurity strategy for the grid do not fully address risks to these systems. While a cyberattack on distribution systems may be less significant than one on the bulk power system, the impacts of such an attack could still result in outages of national significance. Unless DOE more fully addresses risks to the grid’s distribution systems in its updated plans, federal support intended to help states and industry improve distribution systems’ cybersecurity will likely not be effectively prioritized.
    • The GAO recommended that “[t]he Secretary of Energy, in coordination with DHS, states, and industry, should more fully address risks to the grid’s distribution systems from cyberattacks—including the potential impact of such attacks—in DOE’s plans to implement the national cybersecurity strategy for the grid.”
  • The European Council “adopted conclusions” on the European Commission’s (EC) “cybersecurity strategy for the digital decade” that “aims to bolster Europe’s collective resilience against cyber threats and ensure that all citizens and businesses can fully benefit from trustworthy and reliable services and digital tools.” The Council stated:
    • The conclusions note that cybersecurity is essential for building a resilient, green and digital Europe. They set as a key objective achieving strategic autonomy while preserving an open economy. This includes reinforcing the ability to make autonomous choices in the area of cybersecurity, with the aim to strengthen the EU’s digital leadership and strategic capacities.
    • In its conclusions, the Council highlights a number of areas for action in the coming years, including:
      • the plans to create a network of security operation centres across the EU to monitor and anticipate signals of attacks on networks
      • the definition of a joint cyber unit which would provide clear focus to the EU’s cybersecurity crisis management framework
      • its strong commitment to applying and swiftly completing the implementation of the EU 5G toolbox measures and to continuing efforts made to guarantee the security of 5G networks and the development of future network generations
      • the need for a joint effort to accelerate the uptake of key internet security standards, as they are instrumental to increase the overall level of security and openness of the global internet while increasing the competitiveness of the EU industry
      • the need to support the development of strong encryption as a means of protecting fundamental rights and digital security, while at the same time ensuring the ability of law enforcement and judicial authorities to exercise their powers both online and offline
      • increasing the effectiveness and the efficiency of the cyber diplomacy toolbox giving special attention to preventing and countering cyberattacks with systemic effects that might affect supply chains, critical infrastructure and essential services, democratic institutions and processes and undermine economic security
      • the proposal on the possible establishment of a cyber intelligence working group to strengthen EU INTCEN’s dedicated capacity in this domain
      • the importance of strengthening cooperation with international organisations and partner countries in order to advance the shared understanding of the cyber threat landscape
      • the proposal to develop an EU external cyber capacity building agenda to increase cyber resilience and capacities worldwide
  • In concert with the Intelligence Community’s (IC) assessment of the 2020 election (see here for more detail and analysis), the Departments of Justice and Homeland Security issued a joint report titled “Foreign Interference Targeting Election Infrastructure or Political Organization, Campaign, or Candidate Infrastructure Related to the 2020 US Federal Election.” The agencies were acting pursuant to a Trump Administration Executive Order, “Imposing Certain Sanctions in the Event of Foreign Interference in a United States Election,” and explained that the scope omitted certain types of influence:
    • The purpose of this report was solely to evaluate the impact of foreign government activity on the security or integrity of the covered infrastructure. It did not address the effect of foreign government activity on public perception or the behavior of any voters, nor did it address the impact of non-state foreign actors like cybercriminals.
    • The departments’ key findings tracked the IC’s findings, but they made the following recommendations:
      • Physical Security and Cyber Hygiene. Since 2018, election officials, political organizations, and campaigns implemented significant defensive measures to enhance the security of their infrastructure and limit the disruptive potential of an intrusion. Implementing defensive measures such as firewalls, up-to-date patching, and multifactor authentication, pre-election testing of voting equipment, federal and state certification of such equipment, cybersecurity training for government personnel, and separation of election-specific systems from other computer networks all helped to protect the integrity of infrastructure. Implementing redundancy measures like paper pollbooks backups, auditable ballots, and post-election audits ensures election officials could limit the impact of a cyber incident with minimal disruption to voting, conduct credible recounts, and stay alert to potential manipulation or errors. We recommend that the US Government continue to help election officials, political organizations, and campaigns adopt best practices for infrastructure and election security.
      • Third-Party Vendor Security and Supply Chain Risk Management. Recent supply chain compromises highlight the dependencies and vulnerabilities shared across vendor and client networks. State, local, and private sector election partners continue to lean on the federal government to share best practices for supply chain risk management. Since 2018, election officials and vendors have begun to incorporate software bill of goods and breach notification requirements into acquisition and contract management activities. We recommend that the US Government continue assisting election officials, political organizations, and campaigns with establishing and refining supply chain risk management procedures.
      • Engagement and Collaboration. Since 2018, federal, state, local, and private sector partners nationwide worked together in unprecedented ways to combat foreign interference efforts, to support state and local officials in safeguarding election infrastructure, and to assist political organizations, campaigns, and candidates in protecting their own infrastructure. The US Government sought to foster an environment in which state and local officials, political organizations, campaigns, and candidates could share information on malicious or suspicious cyber activities, ultimately receiving and sharing information efficiently with all 50 US states and nearly 3,000 local jurisdictions. We recommend continued US Government focus on actively engaging with and fostering collaboration and coordination with federal, state, local, and private sector partners.
      • Public Messaging and Education. Since 2018, the US Government significantly increased public messaging and education to provide accurate and timely information about cyber threats pertaining to elections. This included public attribution to help educate the public about adversary goals, defensive steps to improve cybersecurity, warning of potential threat activities to mitigate their effects, and fact checks to control the proliferation of misinformation. However, the resonance of baseless claims concerning foreign interference after the election demonstrates the need to bolster public confidence in reliable sources of information, such as state and local election officials. We recommend the US Government continue to increase the quantity and quality of public messaging and education.
  • United States Trade Representative (USTR) Katherine Tai published the “2021 National Trade Estimate (NTE) Report” that “provid[es] a detailed inventory of significant foreign barriers to U.S. exports of goods and services, investment, and electronic commerce” according to the press release. Tai added:
    • Digital Trade: The 2021 NTE Report details restrictive data policies in India, China, Korea, Vietnam, and Turkey, among other countries; local software pre-installation requirements in Russia, Indonesian tariffs on digital products, and existing or proposed local content requirements for online streaming services in Australia, Brazil, Canada, China, EU, Mexico, Ukraine, and Vietnam; and discriminatory tax measures in Austria, India, Italy, Spain, Turkey, and the UK. USTR will continue to engage foreign governments on digital policies that threaten the regulatory landscape for U.S. exporters of digital products and services and undermine U.S. manufacturers’ and service suppliers’ ability to move data across borders.
  • The Campaign for a Commercial-Free Childhood (CCFC) and the Center for Digital Democracy (CDD) wrote the Federal Trade Commission (FTC) “to update and renew their request, filed December 19, 2018, that the FTC investigate whether the Google Play Store is violating Section 5 of the Federal Trade Commission Act by representing that children’s apps on its platform are safe and appropriate for children when they are not.” The organizations asserted:
    • The FTC’s failure to take earlier action has permitted Google Play to continue promoting apps for children that are not safe or appropriate because they do not comply with the COPPA Rule. Stopping Google Play’s misrepresentations is even more critical today because children are spending even more time on mobile devices using apps due to the COVID-19 pandemic.
    • Because of the pandemic, children are using more mobile apps and for longer periods of time. Google Play touts its Teacher approved apps as helping parents find “the good stuff” for their kids during the pandemic. Its policies also require that apps that target children, even as only part of their audience, must be appropriate for children and comply with COPPA. Yet, three recent studies, as well as facts uncovered in three class action lawsuits, strongly suggest that some of these apps do not comply with the COPPA Rule. Thus, we urge the FTC to investigate Google’s practices and the truthfulness of its representations and act to protect parents from being misled and children from playing apps that are not appropriate and violate their privacy.
  • The European Data Protection Board (EDPB) adopted final guidelines on connected vehicles and the processing of personal data under the General Data Protection Regulation (GDPR) that seek to cover almost all currently contemplated uses of personal data in cars. The EDPB explained:
    • The scope of this document focuses in particular on the personal data processing in relation to the non-professional use of connected vehicles by data subjects: e.g., drivers, passengers, vehicle owners, other road users, etc. More specifically, it deals with the personal data: (i) processed inside the vehicle, (ii) exchanged between the vehicle and personal devices connected to it (e.g., the user’s smartphone) or (iii) collected locally in the vehicle and exported to external entities (e.g., vehicle manufacturers, infrastructure managers, insurance companies, car repairers) for further processing.
    • The connected vehicle definition has to be understood as a broad concept in this document. It can be defined as a vehicle equipped with many electronic control units (ECU) that are linked together via an in-vehicle network as well as connectivity facilities allowing it to share information with other devices both inside and outside the vehicle. As such, data can be exchanged between the vehicle and personal devices connected to it, for instance allowing the mirroring of mobile applications to the car’s in-dash information and entertainment unit. Also, the development of standalone mobile applications, meaning independent of the vehicle (for example, relying on the sole use of the smart phone) to assist drivers is included in the scope of this document since they contribute to the vehicle’s connectivity capacities even though they may not effectively rely on the transmission of data with the vehicle per se.

Further Reading

  • “Five Tech Commandments to a Safer Digital Life” By Brian X. Chen — The New York Times. The wise person with an online presence uses strong passwords (i.e., long, complex, and with a variety of characters), always opts for multi-factor authentication, limits what she shares by turning off the photo location feature and not sharing risqué or explicit photos, skips sharing the contact information of friends and contacts, and remains ever skeptical about communications and companies pushing her to share more data.
  • “Amazon Called Out for Denying Workers Go to Bathroom in Bottles” By Matt Stieb — New York Magazine. Amazon committed an unforced error by denying on Twitter a claim by Representative Mark Pocan (D-WI) that its workers were relieving themselves in bottles and bags to avoid being penalized for lost productivity when they actually visited a bathroom. The many documented instances of Amazon workers doing exactly that were promptly adduced on Twitter. The company has even tried to address and reduce the practice with its employees, except in the way that would probably be most effective: giving them bathroom breaks that do not affect their closely measured productivity numbers.
  • “Substack Is a Scam in the Same Way That All Media Is” By Eric Levitz — New York Magazine. This piece takes on the argument that Substack is exploiting its writers by dangling the riches that big writers joining the platform are earning. And by riches, I mean $250,000 a year. The writer ties the transplantation of the social media influencer model to the decline of traditional media as online advertising has sucked the life out of media revenue.
  • “New wave of ‘hacktivism’ adds twist to cybersecurity woes” By Joseph Menn — Reuters. The United States (U.S.) government and its multinationals face a new hacking foe, hacktivists, people motivated by ideology as opposed to profit. They are currently targeting right wing and white nationalist extremists and companies whose practices they do not like. The U.S. government considers them threats and is moving to prosecute at least one for their role in hacking Verkada, a video and artificial intelligence surveillance company, which had footage from 150,000 cameras leaked.
  • “Amazon Illegally Interrogated Worker Who Led First COVID-19 Strikes, NLRB Says” By Lauren Kaori Gurley — Vice’s Motherboard. The National Labor Relations Board (NLRB) asserted, and not for the first time, that Amazon violated federal law in seeking to foil labor organizing activities. In this case, a former Federal Bureau of Investigation agent now working for Amazon illegally detained, questioned, and tried to intimidate a leader of the effort at the beginning of the pandemic to walk out of Amazon facilities until certain safety measures were implemented. The company settled the claim without admitting guilt.

Coming Events

  • The Federal Communications Commission (FCC) will hold an open meeting on 22 April. No agenda has been announced as of yet.
  • The Federal Trade Commission (FTC) will hold a workshop titled “Bringing Dark Patterns to Light” on 29 April.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Susan Flynn on Unsplash
