You can receive all the content posted on my blog by subscribing to my free (for now) newsletter, the Wavelength, which covers the major events in the world of technology policy, politics, and law. I spent more than a decade working on these issues in Washington DC as both a staffer in Congress and a registered lobbyist, so I have a perspective not found elsewhere.
Other Developments
- The Cybersecurity and Infrastructure Security Agency (CISA) has released two supplemental directions (here and here) on how civilian agencies of the United States (U.S.) government should be implementing CISA Emergency Directive (ED) 21-02, the order meant to mitigate and remedy federal vulnerabilities caused by the Microsoft Exchange hack.
- In the first supplemental direction, CISA explained:
- This document provides supplemental direction on the implementation of CISA Emergency Directive (ED) 21-02, including additional forensic triage requirements, server hardening requirements, and reporting requirements for agencies hosting on-premises Microsoft Exchange products.
- This supplemental direction is provided pursuant to ED 21-02. All other provisions specified in ED 21-02 remain in effect. The following requirements apply to all operational Microsoft Exchange servers hosted by or on behalf of federal agencies that had been connected to the Internet (either directly or indirectly – i.e., connected to another device or network that is connected to the Internet) at any time since January 1, 2021.
- Although federal agencies successfully responded to ED 21-02, which included initial efforts to forensically triage and rapidly update Microsoft Exchange servers hosted in the federal enterprise, CISA is directing additional actions to identify compromises that may remain undetected. Since the original issuance of ED 21-02, Microsoft has developed new tools and techniques to aid organizations in investigating whether their Microsoft Exchange servers have been compromised. CISA also identified Microsoft Exchange servers still in operation and hosted by (or on behalf of) federal agencies that require additional hardening.
- In the second supplemental direction, CISA stated:
- This document provides supplemental direction on the implementation of Cybersecurity and Infrastructure Security Agency (CISA) Emergency Directive (ED) 21-02, including additional requirements for updating Microsoft Exchange servers.
- This supplemental direction is provided pursuant to ED 21-02, issued on March 3, and the first Supplemental Direction issued on March 31, 2021. All other provisions specified in ED 21-02 and the first Supplemental Direction remain in effect. The following requirements apply to all operational on-premises Microsoft Exchange servers hosted by or on behalf of federal agencies.
- On April 13, 2021, Microsoft released a software update to mitigate significant vulnerabilities that affect on-premises Exchange Servers 2013, 2016, and 2019. An attacker could use these vulnerabilities to gain access and maintain persistence on the target host. These vulnerabilities are different from the ones disclosed and fixed in March 2021 – the security updates released in March 2021 will not remediate against these vulnerabilities. Given the powerful privileges that Exchange manages by default and the amount of potentially sensitive information that is stored in Exchange servers operated and hosted by (or on behalf of) federal agencies, Exchange servers are a primary target for adversary activity.
- Though CISA is unaware of active exploitation of these vulnerabilities, once an update has been publicly released, the underlying vulnerabilities can be reverse engineered to create an exploit.
- CISA has determined that these vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action. This determination is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the Executive Branch and high potential for a compromise of integrity and confidentiality of agency information.
- Applying the update released on April 13 to Exchange servers is currently the only mitigation for these vulnerabilities (aside from removing affected servers from the network). CISA requires that agencies immediately apply the Microsoft April 2021 update to all affected Exchange Servers.
- The United States (U.S.) Department of Justice (DOJ) announced it “executed a court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers in the United States…[that] were running on-premises versions of Microsoft Exchange Server software used to provide enterprise-level email service.” The DOJ added:
- Through January and February 2021, certain hacking groups exploited zero-day vulnerabilities in Microsoft Exchange Server software to access email accounts and place web shells for continued access. Web shells are pieces of code or scripts that enable remote administration. Other hacking groups followed suit starting in early March after the vulnerability and patch were publicized.
- Many infected system owners successfully removed the web shells from thousands of computers. Others appeared unable to do so, and hundreds of such web shells persisted unmitigated. This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks. The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).
- On March 2, Microsoft announced that a hacking group used multiple zero-day vulnerabilities to target computers running Microsoft Exchange Server software. Various other hacking groups also have used these vulnerabilities to install web shells on thousands of victim computers, including those located in the United States. Because the web shells the FBI removed each had a unique file path and name, they may have been more challenging for individual server owners to detect and eliminate than other web shells.
- Throughout March, Microsoft and other industry partners released detection tools, patches and other information to assist victim entities in identifying and mitigating this cyber incident. Additionally, the FBI and the Cybersecurity and Infrastructure Security Agency released a Joint Advisory on Compromise of Microsoft Exchange Server on March 10. Despite these efforts, by the end of March, hundreds of web shells remained on certain United States-based computers running Microsoft Exchange Server software.
- This operation was successful in copying and removing those web shells. However, it did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells. The Department strongly encourages network defenders to review Microsoft’s remediation guidance and the March 10 Joint Advisory for further guidance on detection and patching.
- The FBI is attempting to provide notice of the court-authorized operation to all owners or operators of the computers from which it removed the hacking group’s web shells. For those victims with publicly available contact information, the FBI will send an e-mail message from an official FBI e-mail account (@FBI.gov) notifying the victim of the search. For those victims whose contact information is not publicly available, the FBI will send an e-mail message from the same FBI e-mail account to providers (such as a victim’s ISP) who are believed to have that contact information and ask them to provide notice to the victim.
- The Department of Commerce’s Bureau of Industry and Security (BIS) added seven more entities from the People’s Republic of China (PRC) to the Entity List it maintains under export control regulations that “have been determined by the U.S. Government to be acting contrary to the national security or foreign policy interests of the United States” according to the Federal Register notice. BIS explained:
- The Entity List (supplement no. 4 to part 744 of the Export Administration Regulations (EAR)) identifies entities for which there is reasonable cause to believe, based on specific and articulable facts, that the entities have been involved, are involved, or pose a significant risk of being or becoming involved in activities contrary to the national security or foreign policy interests of the United States. The EAR (15 CFR parts 730-774) impose additional license requirements on, and limit the availability of most license exceptions for, exports, reexports, and transfers (in-country) to listed entities.
- The End-User Review Committee (ERC) determined that the seven subject entities are engaging in or enabling activities contrary to U.S. national security and foreign policy interests, as follows:
- The “National Supercomputing Center Jinan,” “National Supercomputing Center Shenzhen,” “National Supercomputing Center Wuxi,” “National Supercomputer Center Zhengzhou,” “Shanghai High-Performance Integrated Circuit Design Center,” “Sunway Microelectronics,” and “Tianjin Phytium Information Technology” are being added to the Entity List on the basis of their procurement of U.S.-origin items for activities contrary to the national security and foreign policy interests of the United States. Specifically, these entities are involved in activities that support China’s military actors, its destabilizing military modernization efforts, and/or its weapons of mass destruction (WMD) programs.
- In a statement, Secretary of Commerce Gina Raimondo asserted:
- Supercomputing capabilities are vital for the development of many – perhaps almost all – modern weapons and national security systems, such as nuclear weapons and hypersonic weapons. The Department of Commerce will use the full extent of its authorities to prevent China from leveraging U.S. technologies to support these destabilizing military modernization efforts.
- The Federal Trade Commission (FTC) wants input ahead of its 29 April Bringing Dark Patterns to Light: An FTC Workshop. In its press release, the FTC said it “is seeking comment on topics related to the use of digital “dark patterns,” a range of potentially deceptive or unfair user interface designs used on websites and mobile apps” including:
- The definition of dark patterns;
- The prevalence of dark patterns in the marketplace;
- The use of artificial intelligence and machine learning to design and deliver dark patterns;
- The effectiveness of dark patterns at influencing consumer choice, decision-making, or behavior;
- The harms dark patterns pose to consumers or competition; and
- Ways to prevent, mitigate, and remediate the harmful effects of dark patterns.
- The New York State Department of Financial Services (NYDFS) provided an update to its February 2021 Cyber Fraud Alert that “identif[ied] a systemic and aggressive cybercrime campaign to steal Nonpublic Information (“NPI”), including driver’s license numbers (“DLNs”), from public-facing Instant Quote Websites.” The NYDFS stated it has “received many additional reports of data theft” and urged “all personal lines insurers and other financial services companies to take aggressive action to prevent the further loss of consumer information.” The agency added “[a]ll financial services companies should immediately check for any evidence of this cybercrime and ensure that they have implemented the robust access controls required by NYDFS’s cybersecurity regulation, 23 NYCRR 500 et seq.” The NYDFS explained:
- The best way to prevent NPI from being stolen from public-facing websites is to not display NPI—even in redacted form. We urge personal lines insurers and other financial services companies to avoid displaying prefilled NPI on public-facing websites considering the serious risk of theft and consumer harm. We note that many of the auto insurers targeted by this cybercrime campaign have recently disabled all NPI prefill on their public-facing websites.
- Insurance agent portals hosted by insurers often allow access to consumer NPI and have been aggressively targeted by cybercriminals in recent weeks. Agent portals should be protected by the robust access controls required by NYDFS’s cybersecurity regulation. And agent portals should not provide access to consumer NPI beyond what is strictly necessary for the agent’s business.
- Regulated entities should remediate security flaws immediately and are reminded to report Cybersecurity Events pursuant to 23 NYCRR Section 500.17(a) as promptly as possible and within 72 hours at the latest. Cybersecurity Events should be reported through NYDFS’s reporting portal. NYDFS also asks that any attempt to steal NPI from any public-facing website be promptly reported to DFS. Reports of unsuccessful attacks have been useful in identifying techniques used by attackers and enabling NYDFS to respond quickly to new threats and continue to protect consumers and the financial services industry.
- Three Senate Committee chairs and colleagues wrote eight digital advertising exchanges “about the possible sale of Americans’ personal information to foreign-owned companies” according to their press release. Senate Finance Committee Chair Ron Wyden (D-OR), Senator Bill Cassidy (R-LA), Senator Kirsten Gillibrand (D-NY), Senate Intelligence Committee Chair Mark Warner (D-VA), Senate Banking, Housing, and Urban Affairs Committee Chair Sherrod Brown (D-OH), and Senator Elizabeth Warren (D-MA) sent the same letter to AT&T, Index Exchange, Google, Magnite, OpenX, PubMatic, Twitter and Verizon. The Senators stated:
- Many of the ads we see on our phones, computers, and smart TVs are curated through a process called real time bidding. In the milliseconds before digital ads are displayed, an auction takes place in which hundreds of companies are able to bid for their ad to be shown. While only one company will win the auction, hundreds of firms participating receive sensitive information about the potential recipient of the ad—device identifiers and cookies, web browsing and location data, IP addresses, and unique demographic information such as age and gender. Your company operates a major advertising auction service.
- Few Americans realize that some auction participants are siphoning off and storing “bidstream” data to compile exhaustive dossiers about them. In turn, these dossiers are being openly sold to anyone with a credit card, including to hedge funds, political campaigns, and even to governments.
- The Senators asked the companies to answer these questions:
- Please identify the specific data elements about users, their devices, the websites they are accessing, and apps they are using that you provide to auction participants.
- Please identify each company, foreign or domestic, to whom your firm has provided bidstream data in the past three years that is not contractually prohibited from sharing, selling, or using the data for any purpose unrelated to bidding on and delivering an ad.
- If your firm has contractual restrictions in place prohibiting the sharing, sale, or secondary use of bidstream data, please detail all efforts to audit compliance with these contractual restrictions and the results of those audits.
- Please identify each foreign-headquartered or foreign-majority owned company to whom your firm has provided bidstream data from users in the United States and their devices in the past three years.
- The Department of Energy’s Office of the Inspector General (OIG) assessed the department’s unclassified cybersecurity program as required under the “Federal Information Security Modernization Act of 2014.” The OIG concluded “[w]ithout improvements to address the weaknesses identified in our report, the Department’s information systems and data may be at a higher-than-necessary risk of compromise, loss, and/or modification.” The OIG found:
- We determined that opportunities existed for the Department, including the National Nuclear Security Administration, to improve the protection of unclassified information systems and data. The Department had taken actions throughout FY 2020 to address previously identified weaknesses related to its cybersecurity program. In particular, programs and sites made progress remediating weaknesses identified in our FY 2019 evaluation, which resulted in the closure of 42 of 54 (78 percent) prior year recommendations. Although these actions were positive, our current evaluation identified weaknesses in areas, including, but not limited to, system integrity of web applications, configuration management, vulnerability management, access controls, and contingency planning, many of which were consistent with our prior reports. In addition, although the types of deficiencies identified were mostly consistent with our prior evaluations, our FY 2020 review disclosed weaknesses at several new locations. For example, we found the following:
- Weaknesses related to system integrity of web applications were identified at four locations. The weaknesses included applications that accepted malicious input data and files that could have been used to launch attacks against legitimate application users. Weaknesses, such as these, could have allowed an attacker to gain unauthorized access to an application, make unauthorized changes to data, and disclose sensitive information.
- Configuration management weaknesses existed at two sites. For instance, firewall rules at one location were not configured properly and allowed certain systems to inappropriately access an industrial control system and related devices at the site. At the same location, we also found several devices that were configured with default credentials and others that were configured to allow connections without authentication. The use of secure configurations that emphasize hardening of systems against flaws can result in greater levels of security and protection from future vulnerabilities.
- Seven locations reviewed had critical- and/or high-risk vulnerabilities on the workstations and servers tested. For example, we determined that 293 of 1,449 (20 percent) workstations tested and 23 of 308 (7 percent) servers tested were operating systems and/or applications with missing patches/updates that had not been applied within each location’s established timeframes. At one location, we determined that there were 12,256 high-risk vulnerabilities related to missing security patches or software no longer supported by the vendor on at least 145 of the 365 workstations included in our sample at that location. Because our testing only included a sample of workstations and servers, it is likely that the locations reviewed had many more vulnerabilities than our test results demonstrated.
- Although the Department had corrected previously identified weaknesses related to access controls, new issues were identified at four locations. For instance, our test work identified weaknesses related to inappropriate database role assignments. In addition, we identified inappropriately implemented password requirements and session lock settings.
- Weaknesses related to the implementation of information system contingency planning requirements existed at six locations. Specifically, one location had not adequately protected the confidentiality and integrity of system backup information, nor had officials appropriately designed and documented necessary components related to contingency plan testing. At the same location, training for personnel with contingency plan roles and responsibilities did not fully address contingency plan elements. Another site had not updated its business impact assessment since 2013, including identification of information technology resources considered critical to the site’s mission. A third site did not have processes in place to develop and implement business impact assessments, contingency plan testing, or information system backup and storage that included the use of alternate storage and processing sites. Further, as noted in our report, Contingency Planning Efforts for Information Technology Mission Support Systems at Selected Department of Energy Locations (DOE-OIG-21-08, December 2020), we found that three of the four sites reviewed had not fully developed information system contingency plans in accordance with Federal requirements.
- The top Republicans on the House and Senate subcommittees with jurisdiction over antitrust and competition matters have written the CEOs of Apple, Amazon, and Google “demanding answers on the actions their companies took against Parler” according to the press release issued by Representative Ken Buck (R-CO) and Senator Mike Lee (R-UT). They asked for a range of information related to their actions to kick Parler out of the App Store and Play Store and to stop the hosting of Parler on Amazon Web Services. Buck and Lee asserted:
- As detailed in the timeline below, the timing of steps taken against the Parler social network by your companies and that the actions seem to lack any of the procedural fairness typically afforded in the case of an alleged breach of contract create the appearance of close coordination.
- According to public sources:
- On January 8, 2021 Apple sent Parler notice of expulsion from the App Store. Parler was provided only 24 hours to remediate. Google sent Parler notice of expulsion from the Play Store, reportedly within hours of Apple’s notice. Parler was not provided a remediation option. Later in the day, Google removed Parler from the Play Store.
- On January 9, 2021 Apple removed Parler from the App Store. Amazon sent Parler a notice of suspension of their cloud services. No remediation option was provided.
- On January 10, 2021 Amazon suspended service to Parler. In just three days, Apple and Google effectively cut off Parler’s primary distribution channel, and Amazon cut off Parler’s access to critical computing services, leaving the company completely unable to serve its 15 million users. These actions were against a company that is not alleged to have violated any law. In fact, information provided by Parler to the House Oversight Committee revealed that Parler was assisting law enforcement even in advance of January 6th.
- Representatives Doris Matsui (D-CA) and Jim Langevin (D-RI) wrote Secretary of Education Miguel Cardona asking him “to issue guidance that will allow K-12 schools to make needed investments in increased cybersecurity measures.” They are asking that the Department of Education allow states and schools to use funding provided in COVID-19 relief packages to bolster the cybersecurity of schools, especially in light of the continued use of online education. Matsui and Langevin contended:
- While the shift to online interaction has helped keep students engaged, it has also highlighted a growing threat – cyber-incidents targeting schools that are increasing in regularity and sophistication. In December, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a Joint Cybersecurity Advisory warning that “cyber actors are targeting K-12 educational institutions,” and that “these issues will be particularly challenging for K-12 schools that face resource limitations.” Though this public health crisis has revealed preexisting vulnerabilities, the underlying cyber threat facing K-12 schools will remain even after we have crushed the coronavirus. In light of this well-documented threat, we believe that the Department must be doing everything it can to support schools in protecting the confidentiality of students’ data and ensuring the availability of information technology systems essential for learning.
- The Coronavirus Aid, Relief, and Economic Security (CARES) Act and the Coronavirus Response and Relief Supplemental Appropriations Act, 2021 (CRRSA) Act both included funding streams to support school operations during the pandemic. Specifically, the Elementary and Secondary School Emergency Relief (ESSER) Fund and the Governor’s Emergency Education Relief (GEER) Fund allow for the purchase of “educational technology (including hardware, software, and connectivity) for students.” While schools can reasonably interpret this text to indicate cybersecurity costs would be considered eligible expenses, written guidance from the Department to that effect will ensure schools have the information they need to make informed decisions about how to use these funds.
- Many schools are already in the process of allocation decisions, and ongoing ambiguity about cybersecurity as an allowable use will prevent them from expending these funds quickly as Congress intended. As the FBI, CISA, and MS-ISAC have warned, cyber incidents targeting schools are an urgent and growing threat that must be addressed. We encourage you to issue immediate guidance to clarify that cybersecurity expenses are allowed under ESSER and GEER. We appreciate your attention to this important issue and look forward to working with you to improve K-12 cybersecurity moving forward.
- Google’s Threat Analysis Group (TAG) updated its previous research on an apparently North Korean hacking campaign targeting researchers. TAG explained:
- On March 17th, the same actors behind those attacks set up a new website with associated social media profiles for a fake company called “SecuriElite.”
- The new website claims the company is an offensive security company located in Turkey that offers pentests, software security assessments and exploits. Like previous websites we’ve seen set up by this actor, this website has a link to their PGP public key at the bottom of the page. In January, targeted researchers reported that the PGP key hosted on the attacker’s blog acted as the lure to visit the site where a browser exploit was waiting to be triggered.
- At this time, we have not observed the new attacker website serve malicious content, but we have added it to Google Safebrowsing as a precaution.
- Following our January blog post, security researchers successfully identified these actors using an Internet Explorer 0-day. Based on their activity, we continue to believe that these actors are dangerous, and likely have more 0-days. We encourage anyone who discovers a Chrome vulnerability to report that activity through the Chrome Vulnerabilities Rewards Program submission process.
Further Reading
- “US report details SolarWinds hacking tools” By Sean Lyngaas — cyberscoop. This is the curious tale of how the Cybersecurity and Infrastructure Security Agency (CISA) and Cyber Command teased the release of a “malware analysis report” on the SolarWinds hack that would highlight 18 pieces of malicious code Russian hackers used. But then the release was pushed back and then cancelled altogether. Given the hack has already been exposed and security firms and the U.S. government have put plenty of the technical details into the public sphere, it is a bit of a mystery as to why CISA and Cyber Command thought better of releasing this report.
- “Australians flagged in Shanghai security files which shed light on China’s surveillance state and monitoring of Uyghurs” By Sean Rubinsztein-Dunlop and Echo Hui — ABC News. So-called “activists” hacked Shanghai’s Public Security Bureau (PSB) and removed a trove of data on the PSB’s surveillance and tracking activities. The PSB was watching tens of thousands of people, many of whom are Uighur, and some of whom are foreigners of some note. Some people entered the database by simply having layovers in Shanghai while others visited the city for business or leisure. In any event, all these data seem to have been fed into national surveillance systems.
- “Apple to let repairers in Australia and New Zealand sign up to spare parts program” By Josh Taylor — The Guardian. Apple will let certain approved repairers in Australia and New Zealand repair Apple products using certified Apple parts. Critics claim Apple is merely trying to release the pressure on the right to repair movement that demands legislation allowing consumers to use third parties to repair their devices using third party aftermarket parts that are many times cheaper than Apple’s parts. It is probably no coincidence Australia has been allowed to join this program given that its Productivity Commission is currently conducting an inquiry into the right to repair with a draft final report due in June 2021, presumably with recommendations on action the government can take and possible legislation.
- “Beijing Asks Alibaba to Shed Its Media Assets” By Jing Yang — The Wall Street Journal. Even Beijing is cracking down on its tech giants although for reasons different than western governments. In this case, the People’s Republic of China (PRC) is worried that Alibaba may have too much sway, especially over the media, and so the company is being forced to divest its media subsidiaries. PRC regulators allegedly grew alarmed when they came to understand the breadth of Alibaba’s media portfolio which spans print, broadcast, and digital media. Alibaba founder Jack Ma reportedly has $8 billion in total investment in PRC entities, some of which are listed on United States (U.S.) stock exchanges. Last year, PRC head Xi Jinping personally intervened to block Alibaba’s Ant Group’s initial public offering, in part because of worries about increasing systemic financial risk in the PRC and also Ma’s criticisms of the government in Beijing. Alibaba is also facing a reported $975 million fine for the alleged anti-competitive practices of its e-commerce platform.
- “How tech workers feel about China, AI and Big Tech’s tremendous power” By Emily Birnbaum and Issie Lapowsky — Protocol. In its first ever survey of more than 1500 tech employees across the United States (U.S.), the authors found out 78% of respondents think tech has too much power, 40% said tech does more harm than good, 44% do not want tech companies to work with law enforcement, 35% think U.S. measures against the People’s Republic of China (PRC) have gone too far, 38% think a cold war with the PRC could cripple U.S. tech companies, and 73% think artificial intelligence (AI) needs to be regulated.
- “Amazon Is Pushing Readers Down A “Rabbit Hole” Of Conspiracy Theories About The Coronavirus” By Craig Silverman and Jane Lytvynenko — BuzzFeed News. Those banned from online platforms for spewing disinformation are apparently welcome to sell their books on Amazon. The e-commerce giant is allowing known disseminators of disinformation to sell their books, which is not the problem. Rather, Amazon’s algorithms may be promoting material that is contrary to accepted science and fact. According to one team of researchers, Amazon’s algorithm leads users to conspiracy minded material.
Coming Events
- On 15 April, the House Intelligence Committee will hold a hearing with the heads of the major United States intelligence agencies and Director of National Intelligence Avril Haines on worldwide threats.
- The Senate Commerce, Science, and Transportation Committee’s Communications, Media, and Broadband Subcommittee will hold a hearing on 15 April titled “Shot of Truth: Communicating Trusted Vaccine Information” that will “examine the ways in which media is disseminating vaccine safety and COVID-health related information to encourage Americans, particularly those in rural areas and in communities of color, to get vaccinated…[and] explore what more can be done to encourage media outlets, including television, radio, and online platforms, to promote reliable and trustworthy vaccine information.”
- The House Oversight and Reform Committee’s Government Operations Subcommittee will hold a hearing to assess agency compliance with the Federal Information Technology Acquisition Reform Act (FITARA) on 16 April.
- On 20 April, the Senate Commerce, Science, and Transportation Committee will hold a hearing titled “Strengthening the Federal Trade Commission’s (FTC) Authority to Protect Consumers” with the four FTC commissioners.
- The Federal Communications Commission (FCC) will hold an open meeting on 22 April with this draft agenda:
- Text-to-988. The Commission will consider a Further Notice of Proposed Rulemaking to increase the effectiveness of the National Suicide Prevention Lifeline by proposing to require covered text providers to support text messaging to 988. (WC Docket No. 18-336)
- Commercial Space Launch Operations. The Commission will consider a Report and Order and Further Notice of Proposed Rulemaking that would adopt a new spectrum allocation for commercial space launch operations and seek comment on additional allocations and service rules. (ET Docket No. 13-115)
- Wireless Microphones. The Commission will consider a Notice of Proposed Rulemaking that proposes to revise the technical rules for Part 74 low-power auxiliary station (LPAS) devices to permit a recently developed, and more efficient, type of wireless microphone system. (RM-11821; ET Docket No. 21-115)
- Improving 911 Reliability. The Commission will consider a Third Notice of Proposed Rulemaking to promote public safety by ensuring that 911 call centers and consumers receive timely and useful notifications of disruptions to 911 service. (PS Docket Nos. 13-75, 15-80; ET Docket No. 04-35)
- Concluding the 800 MHz Band Reconfiguration. The Commission will consider an Order to conclude its 800 MHz rebanding program due to the successful fulfillment of this public safety mandate. (WT Docket No. 02-55)
- Enhancing Transparency of Foreign Government-Sponsored Programming. The Commission will consider a Report and Order to require clear disclosures for broadcast programming that is sponsored, paid for, or furnished by a foreign government or its representative. (MB Docket No. 20-299)
- Imposing Application Cap in Upcoming NCE FM Filing Window. The Commission will consider a Public Notice to impose a limit of ten applications filed by any party in the upcoming 2021 filing window for new noncommercial educational FM stations. (MB Docket No. 20-343)
- Enforcement Bureau Action. The Commission will consider an enforcement action.
- The Federal Trade Commission (FTC) will hold a workshop titled “Bringing Dark Patterns to Light” on 29 April.
- The Department of Commerce’s National Telecommunications and Information Administration (NTIA) will hold “a virtual meeting of a multistakeholder process on promoting software component transparency” on 29 April.
- On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.