Other Developments, Further Reading, and Coming Events (19 April 2021)

Other Developments

  • Google prevailed against Oracle in their borderline epic legal battle over whether Google’s use of 11,500 lines of Oracle’s Java code represented infringement of a copyright or fair use. Oracle had won in a federal appeals court, which left Google facing $8 billion in liability. The Supreme Court of the United States (SCOTUS) reversed the appeals court and ruled for Google, holding that Google’s use of Java programming code in the building of the Android platform, especially its application programming interfaces, is fair use regardless of whether Oracle had copyrighted Java.
  • President Joe Biden and senior administration officials held the “White House CEO Summit on Semiconductor and Supply Chain Resilience.” The White House issued this statement on the event:
    • The semiconductor shortage, which is impacting American workers and families right now, is a top and immediate priority for the President and his senior most advisors on economic and national security. The White House heard directly from industry leaders on the impact of the chip shortage and discussed short and long-term approaches to address it. Participants emphasized the importance of improving transparency in the semiconductor supply chain to help mitigate current shortages and improving demand forecasting across the supply chain to help mitigate future challenges. They also discussed the importance of encouraging additional semiconductor manufacturing capacity in the United States to make sure we never again face shortages. Finally, they discussed how the President’s infrastructure investments in the American Jobs Plan strengthen America’s competitiveness and national security by building the infrastructure of tomorrow and strengthening supply chain resilience — ensuring that the United States remains a global leader in critical technologies and the transition to a clean energy future. 
  • For the first time, the United States Department of Labor’s (DOL) Employee Benefits Security Administration (EBSA) issued “guidance for plan sponsors, plan fiduciaries, record keepers and plan participants on best practices for maintaining cybersecurity, including tips on how to protect the retirement benefits of America’s workers” per the agency’s statement. This guidance takes the form of high-level best practices, the type cybersecurity professionals and executives with cognizance of cybersecurity are probably familiar with. Moreover, this guidance may have been issued as a direct result of a recent Government Accountability Office (GAO) report titled “Defined Contribution Plans: Federal Guidance Could Help Mitigate Cybersecurity Risks in 401(k) and Other Retirement Plans.” Senate Health, Education, Labor, and Pensions Committee Chair Patty Murray (D-WA), House Education and Labor Committee Chair Bobby Scott (D-VA), and Senator Maggie Hassan (D-NH) had asked the GAO “to review issues related to the cybersecurity of retirement plans,” and the GAO recommended “[t]he Secretary of Labor should develop and issue guidance that identifies minimum expectations for mitigating cybersecurity risks that outline the specific requirements that should be taken by all entities involved in administering private sector employer-sponsored defined contribution retirement plans.” However, the DOL did not heed the GAO’s other recommendation: “formally state whether cybersecurity for private sector employer-sponsored defined contribution retirement plans is a plan fiduciary responsibility under Employee Retirement Income Security Act (ERISA).” Nonetheless, the DOL asserted:
    • The guidance announced today complements EBSA’s regulations on electronic records and disclosures to plan participants and beneficiaries. These include provisions on ensuring that electronic recordkeeping systems have reasonable controls, adequate records management practices are in place, and that electronic disclosure systems include measures calculated to protect Personally Identifiable Information.
    • Today’s guidance comes in three forms:
      • Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
      • Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.
  • A bipartisan group of Senators wrote President Joe Biden asking that his administration include $3 billion for a pair of programs established in the FY 2021 National Defense Authorization Act (NDAA) (P.L. 116-283) aimed at countering the People’s Republic of China’s (PRC) growing technological prowess. The Senators asked for “$1.5 billion each for both the Public Wireless Supply Chain Innovation Fund and the Multilateral Telecommunications Security Fund.” The letter was signed by Senate Intelligence Committee Chair Mark Warner (D-VA) and Ranking Member Marco Rubio (R-FL), Senate Finance Committee Chair Ron Wyden (D-OR), and other Senators. They asserted:
    • These Funds provide critical foundations for robust, secure, and efficient fifth-generation (5G) networks, and will be integral to the ability of the United States and its allies to adopt Open Radio Access Network (Open RAN) equipment at a scale necessary to compete with the equipment vendors of our strategic rivals, including China.
    • Current RAN infrastructure relies on closed, end-to-end hardware solutions that are expensive to operate and dominated by foreign companies. For example, Huawei, a company with inextricable links to the Chinese government and a history of disregard for the intellectual property rights of U.S. companies, offers end-to-end RAN hardware, which poses significant counterintelligence concerns. For years, we have called on telecommunications providers in the U.S., as well as our allies and partners, to reject Huawei 5G technology, but we have not provided competitively-priced, innovative alternatives that would address their needs.
    • In the conference report to the FY 2021 NDAA it was explained:
      • The Senate amendment contained a series of provisions (secs. 1091–1093) that would establish a Public Wireless Supply Chain Innovation Fund and Multilateral Telecommunications Security Fund and direct the Secretary of State, the Secretary of Commerce, and the Chairman of the Federal Communications Commission, or their designees, to consider how to enhance representation of the United States at international forums that set standards for fifth generation (5G) networks and for future generations of wireless communications networks. These provisions would also require a series of reports.
  • Ireland’s Data Protection Commission (DPC) opened an inquiry into the posting of over half a billion Facebook users’ personal data online. The DPC explained in its statement that it “launched an own-volition inquiry pursuant to section 110 of the Data Protection Act 2018 in relation to multiple international media reports, which highlighted that a collated dataset of Facebook user personal data had been made available on the internet.” The DPC has come under criticism from other EU data protection authorities (DPA) for its enforcement of the General Data Protection Regulation (GDPR), most recently over its management of the Schrems cases, which emanated from Ireland, and its proposed fine of Twitter for data breaches. The DPC stated regarding the Facebook breach:
    • The DPC engaged with Facebook Ireland in relation to this reported issue, raising queries in relation to GDPR compliance to which Facebook Ireland furnished a number of responses.
    • The DPC, having considered the information provided by Facebook Ireland regarding this matter to date, is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook Users’ personal data.
    • Accordingly, the Commission considers it appropriate to determine whether Facebook Ireland has complied with its obligations, as data controller, in connection with the processing of personal data of its users by means of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer features of its service, or whether any provision(s) of the GDPR and/or the Data Protection Act 2018 have been, and/or are being, infringed by Facebook in this respect.
  • The Irish Council for Civil Liberties (ICCL) issued a report on Ireland’s Data Protection Commission (DPC) in conjunction with its testimony to a committee of the Parliament of Ireland. The ICCL offered these insights:
    • Despite asserting its lead role in 196 EU-wide cases since the GDPR was applied 34 months ago, the DPC has delivered only 4 decisions.
    • The DPC is the bottleneck of GDPR enforcement against Google, Facebook, Microsoft, and Apple, everywhere in the EU.
    • The European Court described the DPC’s failure to act in a major case involving Facebook as “persistent administrative inertia”.
    • The European Parliament passed a resolution saying it is “particularly concerned … that cases referred to Ireland in 2018 have not even reached the stage of a draft decision”.
    • Authorities in Germany, France, Spain, Italy, the Netherlands, Austria, and Hungary formally criticised how the DPC handled the only ‘big tech’ case that it has completed as lead authority so far.
    • 1,000 days since it was formally notified, the DPC has failed to act to end the largest data breach ever recorded.
    • The DPC has failed to implement an essential internal reform, five years after announcing that it was necessary in order to prepare for its GDPR role.
    • The ICCL concluded:
      • Government investment in the DPC has slowed since the GDPR. However, the DPC’s problems may be due to more than lack of investment.
      • Two new commissioners should be appointed. A broadly scoped independent review should investigate how the DPC can be reformed and strengthened.
      • The DPC’s failure to uphold the fundamental rights of individuals now carries an additional strategic economic risk to Ireland. Ireland may lose its position as the centre of data regulation in Europe.
  • Australia’s Productivity Commission, an agency of the Ministry of Treasury, has issued its interim report on supply chain vulnerabilities. Australia’s Treasurer Josh Frydenberg had asked the Productivity Commission to study Australia’s supply chain vulnerabilities in light of the effect of the pandemic on the world’s supply chains. The Commission is accepting input right now.
    • The Commission explained:
      • Australia’s supply chains proved generally resilient in response to the COVID-19 pandemic, but the experience with COVID-19, following the devastating 2019-20 bushfires has highlighted Australia’s potential vulnerability to supply chain disruptions. Panic buying of some goods, notably personal protective equipment, and the imposition of export restrictions on these products by some countries added a degree of urgency to the unfolding situation.
      • In this febrile environment, understanding the nature of possible disruptions received relatively little attention, but it did prompt a host of views on Australia’s degree of self-sufficiency and strident opinions on how best to manage the risks involved. The Economist Intelligence Unit, a research advisory service, projected global value chains may become shorter, less fragmented and more regional. Others were less equivocal. For example, Andrew Liveris, then special adviser to the National COVID-19 Commission, said that: ‘Australia drank the free-trade juice and decided that off-shoring was OK. Well, that era is gone … We’ve got to now realise we’ve got to really look at onshoring key capabilities.’
      • Regardless of the response, managing the risks of supply chain disruptions — whatever their origin — inescapably entails costs on businesses, consumers and governments. These costs vary substantially and depend on the choice of mitigation strategy — stockpiling, supplier diversification, contingent contracting, developing domestic capability, among others. They also depend on the state of preparedness of firms and governments to assume responsibility, and to make effective decisions, on the level and manner of risk management to take.
      • The purpose of this study is to help further Australia’s preparedness to deal with possible global supply chain disruptions. The report considers the factors that make supply chains vulnerable, with a focus on the international linkages and dependencies from trade. Importantly, we have developed and piloted a framework for identifying those supply chains and products that are vulnerable to disruption and critical to the effective functioning of the economy, using imports and production data. We then explore effective risk management strategies for governments and businesses and provide policy guidance on the roles for governments.
  • The General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP) updated its FedRAMP Incident Communications Procedures document, which “provides step-by-step guidance on both the roles and responsibilities of each FedRAMP stakeholder and the appropriate timeframes for reporting information concerning security incidents” according to its blog posting. This new guidance affects all authorized cloud providers, including Amazon, Google, IBM, Microsoft, Oracle, and others. FedRAMP explained:
    • FedRAMP requires Cloud Service Providers (CSPs) to report any incident (suspected or confirmed) that results in the actual or potential loss of confidentiality, integrity, or availability of the cloud service or the data/metadata that it stores, processes, or transmits. Reporting real and suspected incidents allows agencies and other affected customers to take steps to protect important data, to maintain a normal level of efficiency, and to ensure a full resolution is achieved in a timely manner.
    • Reporting incidents or suspected incidents, as well as responses to Emergency Directives to the appropriate FedRAMP stakeholders does not result in punitive actions against the CSP. However, failure to report incidents will result in escalation actions against a CSP as defined in the Continuous Monitoring Performance Management Guide. A collaborative approach to reporting incidents between CSPs and the FedRAMP stakeholders allows all parties to be aware of and successfully manage the risk associated with an incident and to classify and resolve suspected incidents.
  • The Competition and Markets Authority (CMA) asserted that its action “results in Facebook going further to combat the trading in fake and misleading reviews on Facebook.com and Instagram.com.” CMA claimed:
    • In response to CMA action, Facebook has gone further to combat the trade of fake and misleading reviews on its sites (Facebook.com and Instagram.com). Facebook has agreed further changes to its systems for identifying, removing and preventing such content on its social media platforms to ensure it is fulfilling commitments previously provided to the CMA in 2020. This followed a CMA investigation of these websites, which found evidence that the illegal trade in fake and misleading reviews was still taking place on both Facebook and Instagram.
    • These changes include:
      • suspending or banning users who are repeatedly creating Facebook groups and Instagram profiles that promote, encourage or facilitate fake and misleading reviews
      • introducing new automated processes that will improve the detection and removal of this content
      • making it harder for people to use Facebook’s search tools to find fake and misleading review groups and profiles on Facebook and Instagram
      • putting in place dedicated processes to make sure that these changes continue to work effectively and stop the problems from reappearing
  • Facebook issued its “March 2021 Coordinated Inauthentic Behavior (CIB) Report,” its monthly report detailing the efforts of governments, groups, and people to use the platform to mislead others. As Facebook explained in its press release, “[a]s part of our regular CIB reports, we’re sharing information about all networks we take down over the course of a month to make it easier for people to see progress we’re making in one place.” Facebook has defined CIB as “when groups of pages or people work together to mislead others about who they are or what they’re doing.” And so it appears the monitoring of CIB only addresses content that is not honest about its origin or purpose, which would seem to omit content objectionable as hate speech or as abusive so long as the poster did not lie about who she is and what her purposes are. In its press release on the March edition, Facebook provided a fuller definition:
    • When we find domestic, non-government campaigns that include groups of accounts and Pages seeking to mislead people about who they are and what they are doing while relying on fake accounts, we remove both inauthentic and authentic accounts, Pages and Groups directly involved in this activity.
    • Facebook summarized its findings and action:
      • Our teams continue to focus on finding and removing deceptive campaigns around the world — whether they are foreign or domestic. In March, we removed 14 networks from 11 countries. Five networks — from Albania, Iran, Spain, Argentina, and Egypt — targeted primarily people outside of their countries. Nine others — from Israel, Benin, Comoros, Georgia, and Mexico — focused on domestic audiences in their respective countries. We have shared information about our findings with industry partners, researchers, law enforcement and policymakers.
      • Here are a few notable highlights:
      • Early detection and continuous enforcement: The vast majority of the networks we removed in March had limited following or were in the early stages of building their audiences when we removed them. The small Iranian network is a good example: the threat actor behind it attempted to re-create their presence after we disrupted their operation targeting Israel in October 2020. Late last year and in early 2021, they began creating Pages and accounts, some of which were detected and disabled by our automated systems. About a month after their first Page was created our teams began investigating the rest of the network. Ongoing enforcement against these threat actors across the internet has made these operations less effective in building their following. With each removal, we set back the actors behind these networks, forcing them to re-build their operations and slowing them down.
      • A deep dive into a troll farm: In addition to these newer networks, we also investigated and disrupted a long-running operation from Albania that targeted primarily Iran. While not successful in building significant audiences over several years of operation, this campaign was run by what appears to be a tightly organized troll farm linked to an exiled militant opposition group from Iran, Mojahedin-e Khalq (MEK). To shine light on how such operations manifest on our platform, we’re adding a detailed research and analysis section at the end of this report. We’ve shared our findings with other platforms and researchers to contribute to additional discoveries into similar activity on the broader internet.
      • AI-generated images: We’ve removed three CIB networks that made use of profile photos likely generated using machine learning technologies capable of creating realistic images. Since 2019, we have now disrupted seven operations that used such synthetic photos. Notably, although the use of GAN-generated images can make an account look authentic to an external observer, it doesn’t materially change the deceptive behavior patterns that we look for to identify inauthentic activity.

Further Reading

  • “Why Do We Let Corporations Profit From Rape Videos?” By Nicholas Kristof — The New York Times. This article makes a very strong argument for peeling back Section 230 protection to fight the scourge of non-consensual, child, rape, and revenge porn hosted on sites like XVideos, a Czech company with a number of such sites. Companies like Google seem to be half-hearted in policing web searches that take people to this type of material, but, as the author notes, searching for how to poison one’s husband or how to commit suicide does not populate with the worst the internet has to offer. But, search for illicit and illegal material, and they do.
  • “Surveillance Nation” By Ryan Mac, Caroline Haskins, Brianna Sacks, and Logan McDonald — BuzzFeed News. Looks like BuzzFeed is working with a whistleblower from Clearview AI who leaked data showing that more than 1800 United States (U.S.) agencies have used the platform’s facial recognition technology for a variety of purposes, most arguably related to law enforcement. It appears that Clearview AI is continuing to offer its platform for free, with its massive database of allegedly 3 billion photos amassed through a number of means, including scraping public websites. Sometimes, the officials at these agencies did not even know their employees were using the product through a free trial. Clearview AI is being sued in multiple states, and Google, Twitter, Facebook, and LinkedIn have sent cease and desist letters regarding its scraping of their sites. Articles like these will likely drive federal and state lawmakers to consider limits on the use of this technology, as some jurisdictions already have, with some outright banning its use.
  • “Decrypted Messages Lead to Seizure of 27 Tons of Cocaine in Europe” By Gabriel Geiger — Vice. European law enforcement has again cracked encrypted communications to infiltrate and disrupt drug trafficking networks. This time it was Sky ECC, a now defunct telecommunications provider which offered encrypted communications that alleged drug dealers found useful. Sky ECC is claiming Belgian authorities did not actually decrypt its communications network but rather tricked people into downloading a compromised app.
  • “China builds advanced weapons systems using American chip technology” By Ellen Nakashima and Gerry Shih — The Washington Post. This article provides backstory and context to the recent United States (U.S.) Department of Commerce decision to place Phytium Technology (aka Tianjin Phytium Information Technology) and six other entities from the People’s Republic of China (PRC) on its Entity List. This article also explains the limits of current U.S. efforts to choke off the flow of the advanced semiconductors the PRC cannot yet manufacture and foretells possible Biden Administration efforts to get to the foreign owned and operated chip foundries still doing business with the PRC entities.
  • “Google Has a Secret Blocklist that Hides YouTube Hate Videos from Advertisers—But It’s Full of Holes” and “Google Blocks Advertisers from Targeting Black Lives Matter YouTube Videos” By Leon Yin and Aaron Sankin — The Markup. This very thorough investigation documents Google and YouTube’s strange practice of banning targeted advertising on YouTube through keywords related to mainstream, left wing movements like Black Lives Matter while allowing this practice to flourish based on terms like White Power. After The Markup contacted Google, many of the white nationalist and supremacist keywords were blocked, but then the platform blocked the means by which the journalists had checked the platform’s practices. Moreover, Google’s advertising practices are a complete black box with no explanation or process for understanding why some terms are banned while others are not. I suspect this is not the sort of “shadow banning” that has some in Congress outraged. In any event, Google responded on Twitter that it does not ban Black Lives Matter keyword advertising.
  • “British firm Arm says new chip tech could be licensed to Huawei, potentially easing the telecoms giant’s supply chain woes” By Che Pan — South China Morning Post and Bloomberg.

Coming Events

  • On 20 April, the Senate Commerce, Science, and Transportation Committee will hold a hearing titled “Strengthening the Federal Trade Commission’s (FTC) Authority to Protect Consumers” with the four FTC commissioners.
  • The House Agriculture Committee will hold a hearing titled “Rural Broadband – Examining Internet Connectivity Needs and Opportunities in Rural America” on 20 April.
  • On 21 April, the Senate Judiciary Committee’s Intellectual Property Subcommittee will hold a hearing titled “Improving Access and Inclusivity in the Patent System: Unleashing America’s Economic Engine.”
  • The Senate Judiciary Committee’s Competition Policy, Antitrust, and Consumer Rights Subcommittee will hold a hearing titled “Antitrust Applied: Examining Competition in App Stores” on 21 April.
  • The House Energy and Commerce Committee’s Communications and Technology Subcommittee will hold a hearing titled “Leading the Wireless Future: Securing American Network Technology” on 21 April.
  • On 21 April, the Senate Armed Services Committee’s Personnel Subcommittee will hold a hearing “on the current and future cyber workforce of the Department of Defense and the military services.”
  • On 21 April, the Senate Armed Services Committee’s Emerging Threats and Capabilities Subcommittee will hold a hearing “on science and technology, technology maturation, and technology transition activities.”
  • The Federal Communications Commission (FCC) will hold an open meeting on 22 April with this draft agenda:
    • Text-to-988. The Commission will consider a Further Notice of Proposed Rulemaking to increase the effectiveness of the National Suicide Prevention Lifeline by proposing to require covered text providers to support text messaging to 988. (WC Docket No. 18-336)
    • Commercial Space Launch Operations. The Commission will consider a Report and Order and Further Notice of Proposed Rulemaking that would adopt a new spectrum allocation for commercial space launch operations and seek comment on additional allocations and service rules. (ET Docket No. 13-115)
    • Wireless Microphones. The Commission will consider a Notice of Proposed Rulemaking that proposes to revise the technical rules for Part 74 low-power auxiliary station (LPAS) devices to permit a recently developed, and more efficient, type of wireless microphone system. (RM-11821; ET Docket No. 21-115)
    • Improving 911 Reliability. The Commission will consider a Third Notice of Proposed Rulemaking to promote public safety by ensuring that 911 call centers and consumers receive timely and useful notifications of disruptions to 911 service. (PS Docket Nos. 13-75, 15-80; ET Docket No. 04-35)
    • Concluding the 800 MHz Band Reconfiguration. The Commission will consider an Order to conclude its 800 MHz rebanding program due to the successful fulfillment of this public safety mandate. (WT Docket No. 02-55)
    • Enhancing Transparency of Foreign Government-Sponsored Programming. The Commission will consider a Report and Order to require clear disclosures for broadcast programming that is sponsored, paid for, or furnished by a foreign government or its representative. (MB Docket No. 20-299)
    • Imposing Application Cap in Upcoming NCE FM Filing Window. The Commission will consider a Public Notice to impose a limit of ten applications filed by any party in the upcoming 2021 filing window for new noncommercial educational FM stations. (MB Docket No. 20-343)
    • Enforcement Bureau Action. The Commission will consider an enforcement action.
  • On 29 April, the Commerce, Science, and Transportation Committee will consider the nomination of Eric Lander to be Director of the Office of Science and Technology Policy (OSTP).
  • The Federal Trade Commission (FTC) will hold a workshop titled “Bringing Dark Patterns to Light” on 29 April.
  • The Department of Commerce’s National Telecommunications and Information Administration (NTIA) will hold “a virtual meeting of a multistakeholder process on promoting software component transparency” on 29 April.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Henrique Craveiro on Unsplash
