Other Developments, Further Reading, and Coming Events (12 April 2021)

Other Developments

  • Secretary of Homeland Security Alejandro Mayorkas made remarks on his “Vision for Cybersecurity Resilience” and outlined how the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) will change their approach to public and private sector cybersecurity. Mayorkas provided a very high-level preview of a previously promised, forthcoming executive order to address a variety of vulnerabilities throughout the federal government’s networks and systems. He also detailed short-term and long-term actions the agency will take on its own authority, presumably in concert with how the White House wants to manage cybersecurity. Mayorkas stated:
    • “…[O]ne hard truth is that no one is immune from cyber attacks, including the federal government or our most advanced technology companies.  While one can reduce the frequency of incidents through modernized defenses, ultimately it is not a question of if you get hacked, but rather when. We must therefore also bolster our capacity to respond when incidents do happen.
    • To advance the federal government’s ability to prevent and respond to cyber incidents, the Administration is working on nearly a dozen actions for an upcoming Executive Order.  More details will be shared soon.  The U.S. government will improve in the areas of detection, information sharing, modernizing federal cybersecurity, federal procurement, and federal incident response. The federal government must lead by example at a time when the stakes are so high.
    • Relatedly, addressing the most important risks is a shared responsibility. We must strengthen collaboration between the private sector and government to generate the insights necessary to detect malicious cyber actors. If actionable, timely, and bidirectional information is not distributed quickly, malicious cyber actors will gain the advantage of more time to burrow into systems and inflict damage. 
  • Mayorkas outlined the actions DHS will take over the short term (i.e., sprints) and the longer term:
    • First, I am announcing today a series of 60-day “sprints,” each focused on the most important and most urgent priorities needed to achieve our goals. Second, we will focus on four medium-term priorities that will receive my sustained attention over the longer term.
  • Mayorkas explained the DHS and CISA sprints:
    • The series of sprints will mobilize action by elevating existing efforts, removing roadblocks, and launching new initiatives where necessary.
    • Each sprint has a dedicated action plan to drive action within the Department and energize our engagement with partners in the private and public sectors, both domestically and internationally.
    • The first sprint will focus on the fight against ransomware, a particularly egregious type of malicious cyber activity that usually does not discriminate whom it targets. It is malicious code that infects and paralyzes computer systems until a ransom has been paid. Individuals, companies, schools, even hospitals and other critical infrastructure have been among the victims.
      • Let me be clear: ransomware now poses a national security threat.
      • Last fall, CISA and its government partners issued a joint alert warning of increased ransomware attacks that could paralyze hospitals and other health care facilities. There are actors out there who maliciously use ransomware during an unprecedented and ongoing global pandemic, disrupting hospitals as hundreds of thousands die. This should shock everyone’s conscience.
      • Those behind these malicious activities should be held accountable for their actions. That includes governments that do not use the full extent of their authority to stop the culprits. We must condemn them for it and remind them that any responsible government must take steps to prevent or stop such activity.
      • We will do everything we can to prevent and respond to these horrendous acts. And we call on others around the world to do the same.
      • In the coming weeks, the Department will step up our efforts to tackle ransomware on both ends of the equation. With respect to preventing ransomware incidents, we will take action to minimize the risk of becoming a victim in the first place. We will launch an awareness campaign and engage with industry and key partners, like insurance companies. With respect to responding to ransomware attacks, we will strengthen our capabilities to disrupt those who launch them and the marketplaces that enable them.
    • Closely related to this first sprint, is the second sprint focusing on the cybersecurity workforce. We cannot tackle ransomware and the broader cybersecurity challenges without talented and dedicated people who can help protect our schools, hospitals, critical infrastructure, and communities.
      • During the workforce sprint, which we will launch next month, we will focus on several elements. Front and center is support for our current workforce, who have done a heroic job protecting the election and now responding to two major incidents.
      • In addition, we will set an example and launch a DHS Honors Program with an initial focus on cybersecurity. We will also start publishing DHS’s DEI data and step up our internal DEI strategy to ensure we are attracting, developing, and retaining the best diverse talent.
      • Beyond DHS, we will champion DEI across the cyber workforce of the entire federal government.
      • To this end, I am excited that we are partnering with the Girl Scouts today and exploring additional opportunities for us to collaborate in the future. To further help inspire the next generation of diverse cyber talent, we will also expand our cybersecurity education and training program that has reached over 25,000 teachers so far. 
    • Later this summer, we will launch our third sprint focused on mobilizing action to improve the resilience of industrial control systems. The cybersecurity incident at the water treatment facility in Florida last month was a powerful reminder of the substantial risks we need to address.
    • The last three sprints for the coming year will focus on better protecting our transportation systems, safeguarding election security, and advancing international capacity-building.
  • Mayorkas then explained the longer term plans:
    • While the series of sprints will drive action over the coming year, we will also focus on several medium- to long-term priorities that will have my sustained personal attention. 
    • First, we need to cement the resilience of our democratic infrastructures. We have made great progress to protect the integrity of elections, which we will need to continue to safeguard in the years to come. We must also improve the resilience of the other infrastructure our democracy depends upon. Several high-profile attacks against our allies and partners are warning signs that we must focus on securing all our democratic institutions, including those outside of the executive branch.
    • Second, following last year’s supply chain compromise targeting the federal government, we must build back better. This cannot be done in a sprint, as it will take months or even years to fully implement. We are grateful to Congress for the support provided to CISA through the American Rescue Plan, which is a down payment to address this urgent challenge.
    • Third, the exploitation of SolarWinds highlighted that we need to think about supply chain risks holistically. While some risks are clearly associated with certain foreign companies and governments, we need a risk-based approach to ensure we address all systemic supply chain risks. Bearing in mind that 100% cybersecurity is not possible, this includes considering zero trust architectures where needed to reach the level of resilience required.
    • Finally, we must ensure that our work is not driven only by the crisis of the day. We must get ahead of the curve and think long term. It is imperative to dedicate senior leadership attention to strategic, on-the-horizon issues.
    • For example, the transition to post-quantum encryption algorithms is as much dependent on the development of such algorithms as it is on their adoption. While the former is already ongoing, planning for the latter remains in its infancy. We must prepare for it now to protect the confidentiality of data that already exists today and remains sensitive in the future.
    • This is a priority and DHS will start developing a plan for how it can help facilitate this transition. Considering the scale, implementation will be driven by the private sector, but the government can help ensure the transition will occur equitably, and that nobody will be left behind.
  • Senator Brian Schatz (D-HI) and 17 Democratic colleagues spanning the ideological spectrum from Senator Bernie Sanders (I-VT) to Senator Joe Manchin (D-WV) have reintroduced the “Data Care Act” (S.919). Schatz and many of the cosponsors introduced two previous iterations with the same title in the last Congress, based on the proposition that professions such as the medical and legal fields have duties to their clients to safeguard and responsibly use personal data. Schatz and his cosponsors would transplant this concept to many other entities by making them fiduciaries of people’s private information (see here for more detail and analysis of last year’s bills). At first blush, it appears this year’s bill hews to last year’s bills. In their press release, Schatz and cosponsors claimed:
    • Doctors, lawyers, and bankers are legally required to exercise special care to protect their clients and not misuse their information. While online companies also hold personal and sensitive information about the people they serve, they are not required to protect consumers’ data. This leaves users in a vulnerable position; they are expected to understand the information they give to providers and how it is being used – an unreasonable expectation for even the most tech-savvy consumer. By establishing an explicit duty for online providers, Americans can trust that their online data is protected and used in a responsible way.
    • The Data Care Act establishes reasonable duties that will require providers to protect user data and will prohibit providers from using user data to their detriment:
      • Duty of Care – Must reasonably secure individual identifying data and promptly inform users of data breaches that involve sensitive information;
      • Duty of Loyalty – May not use individual identifying data in ways that harm users;
      • Duty of Confidentiality – Must ensure that the duties of care and loyalty extend to third parties when disclosing, selling, or sharing individual identifying data;
      • Federal and State Enforcement – A violation of the duties will be treated as a violation of a Federal Trade Commission (FTC) rule with fine authority. States may also bring civil enforcement actions, but the FTC can intervene. States and the FTC may go after both first- and third-party data collectors; and
      • Rulemaking Authority – FTC is granted rulemaking authority to implement the Act.
  • The United States Government Accountability Office (GAO) assessed the software development program for the Department of Defense’s (DOD) most expensive procurement, the F-35 Lightning II Joint Strike Fighter. The GAO found the DOD’s timeline for the Block 4 modernization program too optimistic based on prior F-35 development schedules and warned it is unclear when the F-35 program will finally have key capabilities. This is but the most recent negative assessment of the troubled effort to develop, build, and deliver 5th generation fighters to the Air Force, Marines, Navy, and international partners, an effort that Obama Administration Under Secretary of Defense for Acquisition, Technology and Logistics (AT&L) Frank Kendall III called acquisition malpractice. The GAO noted:
    • The Department of Defense (DOD) is now in the third year of a $14 billion modernization effort—known as Block 4—to upgrade the hardware and software systems of the F-35. DOD intends for Block 4 to modernize the aircraft and address new threats that have emerged since the aircraft’s original requirements were established in 2000. DOD is using a different development approach for Block 4, referred to as Continuous Capability Development and Delivery (C2D2), which is loosely based on Agile software development processes. With this approach, DOD intends to deliver capabilities to the warfighter faster than it did during the original development program.
    • The program wrapped up development of the F-35’s original capabilities in 2018 and is undergoing operational testing to verify that the aircraft adequately provide those baseline capabilities. According to program officials, prior to October 2020, the program expected to complete this testing in January 2021 and hold a full-rate production decision—which would formally authorize DOD’s transition from development to full production—in March 2021. As the program moves toward completing this testing and evaluating the results, it still faces risks ahead of the full-rate production decision. We reported on these and other program risks in the past and made recommendations for improvement. DOD has taken action to address some, but not all, of our recommendations.
    • The GAO concluded:
      • The F-35 is expected to serve key roles in U.S. and allied air fleets for years to come, and many updated capabilities are expected to flow from the Block 4 modernization effort. While we recognize the challenges with transitioning to Agile development, after 3 years of effort the F-35 program continues to have issues with effectively implementing the C2D2 approach to develop and deliver Block 4 capabilities. The airframe contractor continues to deliver capabilities late, and the remaining schedule contains significant risk and is not achievable based on the pace of past performance. While the program office is committed to delivering capabilities more quickly to the warfighter, the program has not delivered on its initial iterative plan. Without an achievable schedule informed by historical performance, the program is likely to continue falling short of its expectations, and the warfighter will have to wait longer for the promised capabilities.
      • Underlying these challenges, the F-35 program office has stated that it does not have the information on the airframe contractor’s Block 4 software development performance it needs to more effectively manage the effort. While the F-35 program is taking steps toward collecting the additional metrics, only time will tell if the program office identifies the right metrics to obtain the information it needs to improve its management of Block 4 development. We will continue to monitor Block 4 software development metrics and include our observations in future reports.
      • Further, without requiring automated tools to access real-time contractor performance data, the program will lack timely updates on the new metrics, will lack quality program data, and will operate with old or potentially erroneous data, possibly resulting in delayed delivery to the warfighter. Finally, as the program office engages the contractor to identify the full range of needed metrics, the program has the opportunity to include software development performance targets for critical software quality metrics in the next contract to better ensure the contractor meets the program’s objectives.
    • The GAO recommended:
      • The Undersecretary of Defense for Acquisition and Sustainment should direct the F-35 program office to update its Block 4 schedule to reflect historical performance, to develop more achievable time frames for Block 4 modernization capability development and delivery, and to provide an accurate baseline for comparing future cost estimates. (Recommendation 1)
      • The Undersecretary of Defense for Acquisition and Sustainment should direct the F-35 program office to identify and implement automated tools to enable access to real-time data for software development metrics to inform program decisions and ensure the quality of data is reliable. (Recommendation 2)
      • The Undersecretary of Defense for Acquisition and Sustainment should direct the F-35 program office to set software performance target values for critical software quality metrics as it takes steps to identify additional software development metrics. (Recommendation 3)
  • Reporters Without Borders (RSF) filed suit against Facebook in France, alleging “’deceptive commercial practices’ on the grounds that the social media company’s promises to provide a ‘safe’ and ‘error-free’ online environment are contradicted by the large-scale proliferation of hate speech and false information on its networks” according to RSF’s press release. Should RSF prevail, Facebook could face a judgment requiring payment of up to 10% of its annual worldwide turnover. RSF asserted:
    • Using expert analyses, personal testimony and statements from former Facebook employees, RSF’s lawsuit demonstrates that the California-based company’s undertakings to its consumers are largely mendacious, and that it allows disinformation and hate speech to flourish on its network (hatred in general and hatred against journalists), contrary to the claims made in its terms of service and through its ads.
    • To condemn this large-scale, unprecedented phenomenon, RSF filed a lawsuit in France, where consumer law is especially well suited to deal with the issue and where Facebook has a huge number of consumers – 38 million overall users, including 24 million who use it every day. As Facebook’s terms of service are the same all over the world, a court ruling in France on its deceptive practices has the potential for a global impact. RSF is considering filing similar lawsuits in other countries.
    • This suit concerns Facebook France and Facebook Ireland. Under articles L121-2 to L121-5 of the French consumer code, a commercial practice is considered deceptive “if it is based on false claims, statements or representations or is likely to mislead,” especially with regard to “the essential characteristics of the goods or service” or “the extent of the advertiser’s promises”. This offence is punishable by a fine up to 10% of annual turnover (article L132-2 of the consumer code).
  • The Australian Senate’s Environment and Communications Legislation Committee issued its report on a pair of bills that would reform Australia’s oversight of online content moderation; the report reflects the committee’s assessment of the legislation based on 135 submissions and a hearing. This is the most recent of several significant bills the government in Canberra has proposed that put it at the fore of western governments remaking their laws for the digital age. The government started its consultation process on the Online Safety Bill 2021 [Provisions] and Online Safety (Transitional Provisions and Consequential Amendments) Bill 2021 [Provisions] last year. The bills passed the House of Representatives and are now in the Senate. The committee summarized the two bills:
    • The Online Safety Bill 2021 (the OS Bill) key provisions
    • In the time available, this report focuses on Parts 3-6 and 8-9 of the OS Bill which provide for the key proposals that were developed throughout the reform process:
    • retention of the provisions in the EOS Act that have proven effective in protecting Australians from online harms
      • Part 3 would establish a complaints system for ‘cyber-bullying material targeted at an Australian child’, the non-consensual sharing of intimate images, ‘cyber-abuse material targeted at an Australian adult’, and the online content scheme;
    • articulation of a set of core basic online safety expectations
      • Part 4 would provide for the Minister to determine basic online safety expectations (BOSE) for social media services, relevant electronic services and designated internet services;
    • expansion of the cyber-bullying scheme for children to capture harms that occur on services other than social media
      • Part 5 would enable the Commissioner to give notices requiring the removal of cyber-bullying material targeted at an Australian child from a service, a post or a host site;
    • creation of a new complaints-based, removal notice scheme for cyber-abuse targeted at an adult
      • Part 6 would enable the Commissioner to give notices requiring the removal of cyber-abuse material targeted at an Australian adult from a service, a post or a host site;
    • creation of a specific and targeted power for the Commissioner to request or require internet service providers (ISPs) to block access to material that promotes, incites, instructs in or depicts ‘abhorrent violent conduct’, for time-limited periods (Part 8)
    • creation of a modern online content scheme, to replace the current Online Content Scheme in Schedules 5 and 7 of the Broadcasting Services Act 1992
      • Part 9 would enable the Commissioner to give notices requiring providers to remove, cease hosting, cease providing a link to certain material, or cease enabling end-users to download an app that facilitates the posting of certain material;
      • the new online content scheme will clearly include providers of app distribution services and internet search engine services;
    • reduction of the timeframe for service providers to respond to a removal notice from the Commissioner from 48 to 24 hours.
    • In addition to the key provisions proposed in the OS Bill, the Ancillary Bill proposes amendments in respect of the Criminal Code Act 1995 (Criminal Code), as foreshadowed in the Keeping Australians Safe Online policy.
    • The Online Safety (Transitional Provisions and Consequential Amendments) Bill 2021 (the Ancillary Bill) would:
      • repeal the existing maximum penalty of three years’ imprisonment for the offence of using a carriage service to menace, harass or cause offence, and substitute a maximum penalty of five years’ imprisonment; and
      • repeal the maximum penalty of five years for the offence in the existing standard aggravated offence involving private sexual material—using a carriage service to menace, harass or cause offence, and substitute with a maximum penalty of six years.
  • European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski issued his “Formal Comments on a package of three legislative proposals for a European Health Union” according to his press release. Wiewiórowski stated that “[h]e welcomes a European unified approach to tackle cross-border health threats while respecting the role and competences of European Union (EU) Member States’ national health systems” and “takes note of the positive steps taken by the Commission to further strengthen a coordinated approach on health matters and, in particular, to broaden the European Medicines Agency’s and the European Centre for Disease Prevention and Control’s tasks.” Wiewiórowski stated:
    • Proposal for a Regulation on a reinforced role for the European Medicines Agency (EMA) in crisis preparedness and management for medicinal products and medical device
    • The EDPS recommends that specific provisions on the application of data protection law are included in the proposal. Likewise, the role of the entities involved under data protection law should also be covered in the proposal. More specifically on the processing of ‘electronic health data outside of clinical studies’ and ‘real-time data’, a clear definition of the ‘data generated outside the scope of clinical trials’ should be included; and the meaning of “real world data” should be clarified, specifying, at least, examples of the type of data concerned and the purpose for which this data will be used. 
    • Proposal on establishing a European Centre for Disease Prevention and Control (ECDC)
    • The EDPS provides a series of recommendations. In particular, he advises that: 
      • the categories of individuals who will have their personal data processed should be clearly demarcated alongside a description of the specific measures to protect the rights and freedoms of the individuals involved, in line with data protection legislation; 
      • to clearly identify the situations where the tasks, under the ECDC’s remit, will entail the processing of personal data and to set up a strong data governance mechanism which requires the clear identification of the main actors involved in the processing of personal data.
    • As for the new tasks of the ECDC regarding digital platforms and applications supporting epidemiological surveillance, the EDPS notes that these applications are likely to present high risks for the rights and freedoms of individuals and, thus, require a data protection impact assessment (DPIA) to be conducted prior to their deployment. Moreover, the EDPS insists that contact tracing applications use privacy-enhancing technologies.
    • In relation to the ECDC’s task of establishing and operating a network of national blood and transplant services and the national authorities of this network, the EDPS encourages the development of a Code of Conduct for the processing of personal data as an effective enabler of cross-border exchange of this data, which would bring further clarity and trust in the new system.
    • Proposal for a Regulation on serious cross-border threats to health 
    • The EDPS recommends providing for further implementing or delegated acts that would lay down the roles of the actors involved in the processing of personal data via the use of IT tools and systems envisaged in the proposal.
    • Given the potential risks associated with the use of surveillance systems and artificial intelligence, the EDPS recommends that the ECDC conducts a DPIA prior to the deployment of a digital platform. The EDPS also points out that, unless the data controller takes measures to mitigate the risk in cases where the DPIA reveals that the processing of personal data would entail a high risk for individuals’ rights and freedoms, there is an obligation to consult the supervisory authority under Article 40 of Regulation (EU) 2018/1725.
    • In a similar way, but in relation to the Early Warning and Response System (EWRS), the EDPS reiterates that a DPIA should be carried out before processing personal data using innovative technologies if the processing is likely to result in high risk for individuals’ rights and freedoms. Moreover, the EDPS draws the EU legislators’ attention to the EDPB Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak which provide useful guidance and clarifications on the conditions and principles surrounding the use of location data and contact tracing tools in a proportionate way. 
    • Finally, in relation to the three proposals, the EDPS reiterates that transfers of personal data to third countries or international organisations must comply with Regulation (EU) 2018/1725, including Chapter V of this Regulation.  
  • The National Institute of Standards and Technology (NIST) has released NIST Interagency Report (NISTIR) 8212 that “provides an operational approach to the assessment of an organization’s Information Security Continuous Monitoring (ISCM) program.” NIST asserted “[t]he ISCM assessment (ISCMA) approach is consistent with the ISCM Program Assessment described in NIST SP 800-137A, Assessing Information Security Continuous Monitoring Programs: Developing an ISCM Program Assessment.” NIST added:
    • Included with the ISCMA approach in this report is the ISCMAx tool, a free, publicly available, working implementation of ISCMA that can be tailored to fit the needs of an organization. The ISCMAx tool is a Microsoft Excel application that runs on Windows-based systems only. This report includes instructions for using ISCMAx as provided and for tailoring it, if desired.
    • ISCMAx is suited for self-assessment by organizations of any size or complexity. Organizations choose the desired breadth and depth of the assessment. Breadth options are provided for organizations ranging from those that already have functioning ISCM programs to those that are just starting. Depth options allow organizations to focus on the more critical aspects of the program, followed by details and nuances.
  • Facebook announced “actions we took against a group of hackers in China known in the security industry as Earth Empusa or Evil Eye — to disrupt their ability to use their infrastructure to abuse our platform, distribute malware and hack people’s accounts across the internet.” Facebook stated “[t]hey targeted activists, journalists and dissidents predominantly among Uyghurs from Xinjiang in China primarily living abroad in Turkey, Kazakhstan, the United States, Syria, Australia, Canada and other countries…[and] used various cyber espionage tactics to identify its targets and infect their devices with malware to enable surveillance.” Facebook contended:
    • This activity had the hallmarks of a well-resourced and persistent operation while obfuscating who’s behind it. On our platform, this cyber espionage campaign manifested primarily in sending links to malicious websites rather than direct sharing of the malware itself. We saw this activity slow down at various times, likely in response to our and other companies’ actions to disrupt their activity. 
    • We identified the following tactics, techniques and procedures (TTPs) used by this threat actor across the internet:
      • Selective targeting and exploit protection: This group took steps to conceal their activity and protect malicious tools by only infecting people with iOS malware when they passed certain technical checks, including IP address, operating system, browser and country and language settings.
      • Compromising and impersonating news websites: This group set up malicious websites that used look-alike domains for popular Uyghur and Turkish news sites. They also appeared to have compromised legitimate websites frequently visited by their targets as part of watering hole attacks. A watering hole attack is when hackers infect websites frequently visited by intended targets to compromise their devices. Some of these web pages contained malicious javascript code that resembled previously reported exploits, which installed iOS malware known as INSOMNIA on people’s devices once they were compromised.
      • Social engineering: This group used fake accounts on Facebook to create fictitious personas posing as journalists, students, human rights advocates or members of the Uyghur community to build trust with people they targeted and trick them into clicking on malicious links.
      • Using fake third party app stores: We found websites set up by this group that mimic third-party Android app stores where they published Uyghur-themed applications, including a keyboard app, prayer app, and dictionary app. These apps were trojanized (contained malware that misled people of its true intent) with two Android malware strains —ActionSpy or PluginPhantom.
      • Outsourcing malware development: We’ve observed this group use several distinct Android malware families. Specifically, our investigation and malware analysis found that Beijing Best United Technology Co., Ltd. (Best Lh) and Dalian 9Rush Technology Co., Ltd. (9Rush), two Chinese companies, are the developers behind some of the Android tooling deployed by this group. Our assessment of one of them benefited from research by FireEye, a cybersecurity company. These China-based firms are likely part of a sprawling network of vendors, with varying degrees of operational security. 
      • Industry tracking: Our industry peers have been tracking parts of this activity as being driven by a single threat actor broadly known as Earth Empusa, or Evil Eye, or PoisonCarp. Our investigation confirmed that the activity we are disrupting today closely aligns with the first two — Earth Empusa or Evil Eye. While PoisonCarp shares some TTPs including targeting and use of some of the same vendor-developed malware, our on-platform analysis suggests that it is a separate cluster of activity.
  • New Zealand’s Parliament is considering a Member’s bill that would address the sharing of non-consensual pornography (aka revenge porn). Parliament is accepting feedback on the “Harmful Digital Communications (Unauthorised Posting of Intimate Visual Recording) Amendment Bill,” which “seeks to make it an offence to share intimate digital images or videos of another person without their consent.” The press release explains:
    • This Member’s bill aims to prevent the harm caused by unauthorised digital sharing of intimate recordings. Sometimes referred to as ‘revenge pornography’, distributing intimate images or videos of another person without their consent is considered a form of sexual abuse and can cause serious and long-lasting harm to victims.
    • Research by Netsafe suggests that 5 percent of New Zealanders have had intimate recordings of them shared online, or threatened to be shared, without their consent. Women, young people, and the rainbow community may be more likely to experience this kind of abuse.
    • This bill seeks to add a new section into the Harmful Digital Communications Act 2015. The new section would clarify the Act as it relates to intimate visual recordings by:
      • making it an offence to share an intimate visual recording of another person without their express consent
      • imposing a penalty of up to three years’ imprisonment, or a fine of up to $50,000, for an individual convicted of this offence; or for a company, a fine of up to $200,000
      • allowing the courts to issue orders to remove or disable intimate recordings that have been shared without consent.
    • The current Act requires that in order for a digital communication to be considered an offence, there must be proof of intent to cause harm, and the victim must have experienced a certain level of harm. The bill excludes this test in the case of intimate visual recordings, so that unauthorised sharing of this content would be an offence regardless of the level of harm that was intended or caused.

Further Reading

  • “AP sources: SolarWinds hack got emails of top DHS officials” By Alan Suderman — Associated Press. It now appears the Russian hackers who compromised SolarWinds and used the company’s software updates to access public and private sector systems in the United States were able to read the email and calendars of former acting Secretary of Homeland Security Chad Wolf, former Secretary of Energy Dan Brouillette, and senior officials at both agencies. The article also makes a cryptic reference to senior Department of Homeland Security staff who handle “hunting threats from foreign countries” and whose email and calendars were also compromised, suggesting the leadership of the Cybersecurity and Infrastructure Security Agency or the Office of Intelligence and Analysis. One can be sure there will be further revelations of how deeply the hackers got into the U.S. government.
  • “Google found to be hosting sickening antisemitic reviews of Auschwitz” By Sophie Wilkinson — The Guardian. Only after the newspaper contacted Google did it remove plainly antisemitic content from the reviews of the museum at Auschwitz-Birkenau, some of which had been posted for years despite complaints.
  • “Amazon started a Twitter war because Jeff Bezos was pissed” By Jason Del Rey — recode. Turns out the company’s ultimately counterproductive tweets may have come from pressure applied by CEO Jeff Bezos.
  • “FCC Chief in Charge of America’s 5G Rollout Confronts a Long To-Do List” By Drew FitzGerald — The Wall Street Journal. This article provides an overview of the issues and challenges facing the Federal Communications Commission (FCC) in quarterbacking the United States’ (U.S.) transition to 5G.
  • “AT&T lies about Calif. net neutrality law, claiming it bans “free data”” By Jon Brodkin — Ars Technica. AT&T is playing hardball now that California’s net neutrality law has taken effect, telling consumers it will no longer let them stream HBO Max without it counting against their data allowance (aka zero rating) because “under the California law we are now prohibited from providing certain data features to consumers free of charge.” That is not quite accurate. What AT&T can no longer do is charge rival streaming services fees for the same zero rating it gives HBO Max. Under SB 822, AT&T may zero rate an entire category of service (e.g., streaming video) but cannot make other companies pay to be included. Consequently, AT&T has pulled the plug on zero rating HBO Max across the entire United States.
  • “Elon Musk and Amazon Are Battling to Put Satellite Internet in Your Backyard” By Christopher Mims — The Wall Street Journal. We may be much closer to internet beamed from low-Earth-orbit satellites than previously believed, if the providers jostling to offer this type of service can clear some not inconsiderable obstacles, including the cost of user terminals (satellite dishes), the cost and logistics of putting enough satellites in orbit, and possible interference and spectrum issues.
  • “Microsoft could reap more than $150 million in new U.S. cyber spending, upsetting some lawmakers” By Joseph Menn, Christopher Bing, and Raphael Satter — Reuters. The Cybersecurity and Infrastructure Security Agency was given $650 million to remedy the massive hacks that have rocked the United States government, including the Microsoft Exchange hack allegedly perpetrated by hackers affiliated with the People’s Republic of China (PRC). However, the prospect that Microsoft might receive a significant cut of these funds, possibly as much as $150 million, as some agencies upgrade to Microsoft’s cloud offerings is rankling some on Capitol Hill. Additionally, the SolarWinds intruders relied on abusing Microsoft products, notably its identity and email services, once inside victim networks. Whether anything changes as a result, either in agencies moving away from Microsoft’s products or in wider acquisition reform, is an open question.

Coming Events

  • The Senate Appropriations Committee’s Commerce, Justice, Science, and Related Agencies Subcommittee may hold a hearing on FY 2022 budget request for the National Science Foundation and the competitiveness of the United States on 13 April.
  • The Senate Appropriations Committee’s Defense Subcommittee may hold a hearing on the Department of Defense’s innovation and research on 13 April.
  • On 14 April, the Senate Intelligence Committee will hold open and closed hearings with the heads of the major United States intelligence agencies and Director of National Intelligence Avril Haines on worldwide threats.
  • The House Veterans’ Affairs Committee’s Technology Modernization Subcommittee will hold a hearing on the Department of Veterans Affairs’ Electronic Health Record Modernization Program on 14 April.
  • On 14 April, the Senate Armed Services Committee’s Cyber Subcommittee will hold a hearing on future cybersecurity architectures with these witnesses:
    • Mr. Robert Joyce, Director of Cybersecurity, National Security Agency
    • Mr. David McKeown, Senior Information Security Officer/Chief Information Officer for Cybersecurity, Department of Defense
    • Rear Admiral William Chase III, Senior Military Advisor for Cyber Policy to the Under Secretary of Defense for Policy/Deputy Principal Cyber Advisor to the Secretary of Defense
  • On 15 April, the House Intelligence Committee will hold a hearing with the heads of the major United States intelligence agencies and Director of National Intelligence Avril Haines on worldwide threats.
  • The House Oversight and Reform Committee’s Government Operations Subcommittee will hold a hearing to assess agency compliance with the Federal Information Technology Acquisition Reform Act (FITARA) on 16 April.
  • The Federal Communications Commission (FCC) will hold an open meeting on 22 April with this draft agenda:
    • Text-to-988. The Commission will consider a Further Notice of Proposed Rulemaking to increase the effectiveness of the National Suicide Prevention Lifeline by proposing to require covered text providers to support text messaging to 988. (WC Docket No. 18-336)
    • Commercial Space Launch Operations. The Commission will consider a Report and Order and Further Notice of Proposed Rulemaking that would adopt a new spectrum allocation for commercial space launch operations and seek comment on additional allocations and service rules. (ET Docket No. 13-115)
    • Wireless Microphones. The Commission will consider a Notice of Proposed Rulemaking that proposes to revise the technical rules for Part 74 low-power auxiliary station (LPAS) devices to permit a recently developed, and more efficient, type of wireless microphone system. (RM-11821; ET Docket No. 21-115)
    • Improving 911 Reliability. The Commission will consider a Third Notice of Proposed Rulemaking to promote public safety by ensuring that 911 call centers and consumers receive timely and useful notifications of disruptions to 911 service. (PS Docket Nos. 13-75, 15-80; ET Docket No. 04-35)
    • Concluding the 800 MHz Band Reconfiguration. The Commission will consider an Order to conclude its 800 MHz rebanding program due to the successful fulfillment of this public safety mandate. (WT Docket No. 02-55)
    • Enhancing Transparency of Foreign Government-Sponsored Programming. The Commission will consider a Report and Order to require clear disclosures for broadcast programming that is sponsored, paid for, or furnished by a foreign government or its representative. (MB Docket No. 20-299)
    • Imposing Application Cap in Upcoming NCE FM Filing Window. The Commission will consider a Public Notice to impose a limit of ten applications filed by any party in the upcoming 2021 filing window for new noncommercial educational FM stations. (MB Docket No. 20-343)
    • Enforcement Bureau Action. The Commission will consider an enforcement action.
  • The Federal Trade Commission (FTC) will hold a workshop titled “Bringing Dark Patterns to Light” on 29 April.
  • The Department of Commerce’s National Telecommunications and Information Administration (NTIA) will hold “a virtual meeting of a multistakeholder process on promoting software component transparency” on 29 April.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Dan Freeman on Unsplash
