Other Developments, Further Reading, and Coming Events (26 April 2021)

Other Developments

  • The White House and the Department of Energy (DOE) announced “a 100-day plan to improve the cybersecurity of our nation’s electric infrastructure,” described as “a pilot of the Administration’s broader cybersecurity initiative planned for multiple critical infrastructure sectors.” The Administration asserted:
    • This is a coordinated effort between DOE, the electricity industry, and the Cybersecurity and Infrastructure Security Agency (CISA). Public-private partnership is paramount to the Administration’s efforts because protecting our Nation’s critical infrastructure is a shared responsibility of government and the owners and operators of that infrastructure. The 100-day plan includes aggressive but achievable milestones and will assist owners and operators as they modernize cybersecurity defenses, including enhancing detection, mitigation, and forensic capabilities.
    • DOE provided additional detail:
      • The electric power system is vital to the Nation’s energy security, supporting national defense, emergency services, critical infrastructure, and the economy. On January 20, 2021, Executive Order 13990, “Protecting Public Health and the Environment and Restoring Science to Tackle the Climate Crisis” (E.O. 13990), suspended Executive Order 13920, “Securing the United States Bulk-Power System” (E.O. 13920), for 90 days. During that time, the Department and the Office of Management and Budget identified opportunities for change, increased awareness, and strengthened protections against high-risk electric equipment transactions by foreign adversaries while providing additional certainty to the utility industry and the public.
      • On April 20, the Department announced a new request for information (RFI), “Ensuring the Continued Security of United States Critical Electric Infrastructure.” The RFI can be viewed on the Federal Register. The RFI is focused on preventing exploitation and attacks by foreign threats to the U.S. supply chain. Comments must be received on or before June 7, 2021.
  • The European Data Protection Board (EDPB) issued for consultation “Guidance on certification criteria assessment (Addendum to Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation)” and the Board explained:
    • This guidance should be read in line with the EDPB Guidelines 1/2018 on certification and identifying certification criteria according to Articles 42 and 43 of the Regulation and Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679). The aim of this additional guidance is to refine elements from EDPB Guidelines 1/2018 for helping:
      • stakeholders involved in the drafting of certification criteria in the context of GDPR certification and;
      • Supervisory Authorities (SAs) and the European Data Protection Board (EDPB) to be able to provide consistent evaluations in the context of certification criteria approval (for both national schemes and EU data protection seals).
    • The recommendations contained in this document must not be seen as exhaustive. The assessment of certification criteria will be carried out on a case-by-case basis, and specific certification mechanisms may require additional measures not covered by this guidance.
  • Senator Ron Wyden (D-OR) released a discussion draft titled the “Protecting Americans’ Data from Foreign Surveillance Act” that “would create new safeguards against exporting sensitive personal information to foreign countries if doing so could harm U.S. national security.” Wyden explained “[t]he draft legislation:
    • Directs the Secretary of Commerce to lead an interagency process to identify categories of personal data that, if exported by third parties, could harm U.S. national security.
    • Directs the Secretary of Commerce to compile a list of countries to which exports of Americans’ personal data would not harm national security, and to require licenses for exports of the identified categories of personal data to other countries in bulk, based on:
      • the adequacy and enforcement of data protection, surveillance, and export control laws in the foreign country.
      • the circumstances under which the government of the foreign country can compel, coerce, or pay a person in that country to disclose personal data.
      • whether that government has conducted hostile foreign intelligence operations against the United States.
    • Exempts from the new export controls any data encrypted with NIST-approved algorithms, if the key protecting the data is not exported.
    • Ensures that the export rules do not apply to journalism and other speech protected by the First Amendment.
    • Applies export control penalties to senior executives who knew or should have known that employees below them were directed to illegally export Americans’ personal data. 
    • Creates a private right of action for individuals who have been physically harmed or arrested or detained in a foreign country as a result of the illegal export of personal data.
    • Requires the Commerce Department to publish quarterly reports on personal data exports.
  • The United Kingdom’s Department for Digital, Culture, Media & Sport’s (DCMS) Centre for Data Ethics and Innovation (CDEI) published a series of blog posts on artificial intelligence (AI) assurance (here, here, and here). CDEI explained:
    • As these technologies are more widely adopted, there is an increasing need for a range of actors, including regulators, developers, executives, and frontline users, to check that these tools are functioning as expected, in a way that is compliant with standards (including regulation), and to demonstrate this to others. However, these actors often have limited information, or lack the appropriate specialist knowledge, to ensure that AI systems are trustworthy. To address this information gap, an effective AI assurance ecosystem is required. 
    • Assurance as a service draws originally from the accounting profession, but has since been adapted to cover many areas such as cyber security and quality management. In these areas, mature ecosystems of assurance products and services enable people to understand whether systems are trustworthy. These products and services include: process and technical standards; repeatable audits; certification schemes; advisory and training services. 
  • Senate Majority Leader Chuck Schumer (D-NY) and Senator Todd Young (R-IN) reintroduced the “Endless Frontier Act” (S.1260). Representative Ro Khanna (D-CA), and Representative Mike Gallagher (R-WI) introduced the companion bill in the House (H.R.2731). They and their cosponsors explained the bill in a summary:
    • Create a new Directorate for Technology and Innovation at the National Science Foundation focused on basic research, commercialization, and innovation related to key technology areas with geostrategic implications for the United States.
    • Authorize $100 billion over five years for the new Directorate at the National Science Foundation.
    • Provide the new Directorate with highly flexible personnel, program management, and awarding authorities. The new Directorate would also be given DARPA-like authorities, with the option to utilize program managers for selecting awardees.
    • Schumer, Young, and others added “[t]he authorized activities of the Directorate include:
      • Increasing research spending at universities, including through cross-sector consortia, to advance U.S. progress in key technology areas, including the creation of university technology centers. Particular focus is paid to increasing federal research investment throughout more of the country and at historically Black colleges and universities, Tribal colleges or universities, other minority-serving institutions, community colleges, and institutions that participate in the NSF EPSCoR program.
      • Funding new undergraduate scholarships, community college advanced technological education programs, graduate fellowships and traineeships, and post-doctoral support in the key technology areas to develop a diverse STEM workforce.
      • Providing critical new funding for equipment used in test-bed and fabrication facilities.
      • Directing the creation of new programs to facilitate and accelerate the transfer of technologies from the lab to the marketplace.
      • Coordinating with state and local economic development stakeholders to build regional innovation ecosystems in communities across the country.
      • Collaborating with U.S. allies, partners, and international organizations on research in key technology areas to enhance national security.
  • The Council of Europe’s Cybercrime Convention Committee (T-CY) is inviting comments on the draft “Second Additional Protocol to the Convention on Cybercrime on enhanced cooperation and disclosure of electronic evidence.” The T-CY stated:
    • While stakeholders previously submitted contributions or participated in discussions on individual articles, the first complete draft of the Protocol is now available, including the chapter on safeguards. Some sections of the Explanatory Report are still under preparation.
    • The T-CY has much appreciated contributions received in the previous five rounds of consultations. Many of them have been taken into account in the operative text or have led to additional clarifications in the Explanatory Report.
    • The drafters consider that, as a result, the current draft reconciles (a) the need for an effective criminal justice response to strengthen the rule of law and protect victims and their rights, and (b) the need for strong human rights and rule of law safeguards, including for the protection of personal data. As is the case with the Budapest Convention, the measures in the Protocol are designed for specific criminal investigations only.
    • The provisions of this Protocol will be of operational and policy benefit and will ensure that the Budapest Convention continues to stand for a free Internet where governments meet their obligation to protect individuals and their rights in cyberspace.
    • The preparation of the 2nd Additional Protocol commenced in September 2017 to address criminal justice challenges in cyberspace and provide for more effective cooperation on cybercrime and electronic evidence. It is expected that the Protocol will be finalized and adopted in the course of 2021.
  • Senator Josh Hawley (R-MO) released the “Bust Up Big Tech Act,” which he described as “new legislation to restore accountability and competition to Big Tech.” He claimed his bill would:
    • Ban major companies in the business of offering search engines, marketplaces, and exchanges from competing with third-party vendors by selling, advertising, or promoting their own competing goods and services on their sites
    • Example: Amazon should not be able to own Amazon Marketplace and sell their own Amazon products on their marketplace against other competitors.
    • Ban major companies in the business of offering search engines, marketplaces, and exchanges from expanding their power and creating anticompetitive conflicts of interest by providing the online hosting and internet infrastructure services for third parties
    • Example: Amazon cannot continue to operate an overwhelmingly dominant retail business and simultaneously own an enormous share of the cloud computing technology upon which the internet itself is built.
    • Empower the Federal Trade Commission to hire sufficient staff to monitor compliance
    • Ensure the antitrust laws are actually enforced, by authorizing state attorneys general and private citizens to bring civil actions to ensure compliance
  • House Oversight and Reform Committee Economic and Consumer Policy Subcommittee Chair Raja Krishnamoorthi (D-IL) wrote to YouTube “requesting documents and information about the YouTube Kids platform amid concerns about content quality, advertisement practices, and the impact on children.” Krishnamoorthi posed a number of questions about YouTube’s practices aimed at children. He stated:
    • YouTube Kids, as the name suggests, serves an audience of children, but it appears to be serving up inappropriate, low-education, highly commercial content. I believe that may be ascribable to your advertisement-based business model and reliance on free uploads of user-generated videos without adequate quality control. YouTube profits from this disservice of children with more paid ads and more corporate revenue.
    • We understand that YouTube Kids intends to continue trying to maximize ad impressions, with that revenue stream remaining the basis of your business model. Even after its privacy changes, YouTube Kids continues to show ads to children, but is now basing ad selection on the context of the video being watched, rather than web-browsing and online activity data. Advertising has been very lucrative for YouTube, with the company bringing in over $15 billion in ad revenue in 2019. YouTube’s 2020 advertising revenue jumped even higher to nearly $20 billion, despite the company’s being forced to ditch targeted advertisements to children.
  • The European Data Protection Supervisor (EDPS) issued its annual report, which summarized the office’s actions over the previous year and offered this summary:
    • With the pandemic came a new reality. From the perspective of a data protection authority, it was first and foremost a test. It was a challenge to ensure compliance in the ever-growing digitalized world and to provide timely advice to authorities, controllers and citizens on the data protection aspects of measures taken due to the pandemic.
    • The EDPS answered promptly to this task, having established an internal COVID-19 taskforce, composed of members of all the EDPS’ units and sectors, to coordinate and proactively undertake actions related to the interplay between privacy and the pandemic. Believing in the EDPS’ specific role in the EU institutional landscape, we called for a pan-European approach to combat the virus, in particular in the context of contact tracing apps.
    • With the teleworking regime, the EDPS had to adjust its approach when it came to carrying out its core activities. We took this as an opportunity to engage in an even closer dialogue with stakeholders, including public authorities, civil society and academia. We continued to be active in the field of investigations. Among others, we concluded the inquiry into the use of large datasets by Europol and we issued our findings and recommendations following an investigation into EUIs’ use of Microsoft products and services, which we presented at the second meeting of the Hague Forum.
    • The “Schrems II” Judgement, a landmark decision of the Court of Justice of the European Union (CJEU), has contributed to what has already been a particularly eventful year for a data protection authority. The EDPS has actively participated in, and contributed to, the EDPB’s work resulting from the judgement, particularly regarding the measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. At the same time, we prepared our own strategy aimed at ensuring the compliance of EUIs with the CJEU’s Judgement.
    • Looking ahead, in June 2020, we presented the EDPS strategy for 2020-2024 ‘Shaping a Safer Digital Future’, based on Foresight, Action and Solidarity. In this spirit, the EDPS proposed, among other initiatives, the Support Pool of Experts which aims to bring together the EDPB members’ efforts to address the need for a stronger enforcement of EU data protection laws.
    • We continued to act as a trusted advisor to the European Commission, the Council and the European Parliament on the many legislative and non-legislative proposals or other initiatives affecting the rights to privacy and data protection. This included, for example, our Opinions on the European strategy for data, on Artificial Intelligence or the proposed temporary derogations from the e-privacy framework. We also offered our expertise to the legislator with our own-initiative Opinions on the use of data for scientific research and health-related purposes, to name a few.
    • We have further developed our monitoring-related activities, analysing and acting as a reference point for clarifying technological issues related to privacy and data protection.
  • Facebook and the Facebook Oversight Board announced a major change in the Board’s authority by opening the appeals process to users who wish to appeal a decision by Facebook or Instagram to keep up content they believe violates the terms of service. When the Board was established, the decision was made to exclude these appeals, but in a statement, the Facebook Oversight Board explained “users will be able to appeal content to the Oversight Board which they want removed from Facebook and Instagram.” The Board pointed people interested in the “technical details” of the appeals process to a blog posting on Facebook’s site. The Facebook Oversight Board summarized the changes:
    • Where users have exhausted Facebook’s appeals process, they can challenge the company’s decision by appealing eligible content to the Oversight Board.
    • So far, users have been able to appeal content to the Board which they think should be restored to Facebook or Instagram. Now, users can also appeal content to the Board which they think should be removed from Facebook or Instagram. The Board will use its independent judgment to decide what to leave up and what to take down. Our decisions will be binding on Facebook.
    • From today, this option is being rolled out and will be available to all users over the coming weeks. This phased approach is important for ensuring there are no technical issues with the new functionality available to users, and is a standard part of releasing any new product or feature.
  • The European Commission (EC) announced agreement on the technical aspects of the Digital Green Certificate, the European Union’s potential vaccine passports. The EC explained:
    • One month after the Commission’s proposal for a Digital Green Certificate, Member States representatives in the eHealth Network agreed on guidelines describing the main technical specifications for the implementation of the system. This is a crucial step for the establishment of the necessary infrastructure at EU level. In parallel Member States are encouraged to deploy the needed technical solutions at national level. It is of utmost importance to advance the work on the technical implementation, in parallel to the ongoing legislative process, to ensure a roll-out of Digital Green Certificates across the EU by June 2021.
  • The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (CISA) ICT Supply Chain Risk Management (SCRM) Task Force has released a pair of reports:
    • The Vendor SCRM Template provides a set of questions regarding an ICT supplier/provider’s implementation and application of industry standards and best practices that can help guide supply chain risk planning in a standardized way. The template provides organizations clarity for reporting and vetting processes when purchasing ICT hardware, software, and services.

Further Reading

  • “The NYPD Has Misled The Public About Its Use Of Facial Recognition Tool Clearview AI” By Caroline Haskins — BuzzFeed News. Even though the New York City Police Department (NYPD) denied any sort of formal or informal relationship with the facial recognition company Clearview AI, a public records request shows the opposite. In fact, parts of the NYPD entered into a trial that ostensibly ended in March 2019, even though evidence shows police officers continued using the service through the beginning of 2020. Additionally, data sent from the NYPD to Clearview show a hit rate of less than 50%. As the records provided end in February 2020, it is unclear whether the relationship has continued.
  • “A recruiter joined Facebook to help it meet its diversity targets. He says its hiring practices hurt people of color.” By Elizabeth Dwoskin and Nitasha Tiku — The Washington Post. Facebook employees are alleging the social media and messaging giant paid lip service to diversity goals and frequently ruled out minority applicants on the basis of not being a “cultural fit.” The Equal Employment Opportunity Commission (EEOC) is investigating these complaints, and the company alleges it did nothing wrong and is, in fact, increasing diversity in its workforce.
  • “Amazon’s livestreaming service Twitch will police users’ behavior outside of its platform” By Shannon Liao — The Washington Post. Perhaps reflecting the next frontier in content moderation, Amazon’s Twitch will now act against violations of its policy that happen offline and elsewhere online. The rationale seems to be that stronger measures are needed to police the misogyny and extremism endemic to the gaming world. This move raises questions about the sort of offline actions that could result in online punishment or banishment.
  • “Despite A Ban, Facebook Continued To Label People As Interested In Militias For Advertisers” By Ryan Mac — BuzzFeed News. Contrary to Facebook’s claims, advertisers were still apparently able to target people with an interest in right-wing extremism. The social media giant had taken steps to stop this use of its platform, but researchers said they were still finding evidence the practice continued, which they claimed is a means of radicalizing people and encouraging violence offline. The upshot seems to be that either Facebook made a good-faith effort and tackling even this sort of content is a huge challenge, or the platform made only a minimal, public-relations effort, since limiting this type of advertising would cut its revenue.
  • “‘Misleading’ Facebook data leak claims questioned” By Vincent Manancourt — Politico EU. Data security experts are pushing back on Facebook’s claims that the breach of more than half a billion users’ personal data resulted from bad actors scraping publicly available data on its platform. These experts are zeroing in on a contacts feature Facebook apparently used to mine the phone numbers of a person’s friends and acquaintances, because a number of people say they never gave Facebook the phone number that was subsequently leaked.

Coming Events

  • On 27 April, the Senate Homeland Security and Governmental Affairs Committee’s Emerging Threats and Spending Oversight Subcommittee will hold a hearing titled “Controlling Federal Legacy IT Costs and Crafting 21st Century IT Management Solutions.”
  • The Senate Commerce, Science, and Transportation Committee’s Consumer Protection, Product Safety, and Data Security Subcommittee will hold a hearing titled “Curbing COVID Cons: Warning Consumers about Pandemic Frauds, Scams, and Swindles” on 27 April.
  • On 27 April, the Senate Commerce, Science, and Transportation Committee’s Surface Transportation, Maritime, Freight, and Ports Subcommittee will hold a hearing titled “Driving Innovation: the Future of Automotive Mobility, Safety, and Technology.”
  • The Senate Judiciary Committee’s Privacy, Technology, and the Law Subcommittee will hold a hearing titled “Algorithms and Amplification: How Social Media Platforms’ Design Choices Shape Our Discourse and Our Minds” on 27 April.
  • On 27 April, the House Energy and Commerce Committee’s Consumer Protection and Commerce Subcommittee will hold a hearing titled “The Consumer Protection and Recovery Act: Returning Money to Defrauded Consumers.”
  • On 27 April, the House Natural Resources Committee’s Water, Oceans, and Wildlife Subcommittee will hold a hearing titled “Wildlife Trafficking and the Growing Online Marketplace.”
  • On 28 April, the House Science, Space, and Technology Committee’s Research and Technology Subcommittee will hold a hearing titled “National Science Foundation: Advancing Research for the Future of U.S. Innovation.”
  • On 28 April, the Senate Commerce, Science, and Transportation Committee will mark up the following bills:
    • S.120, Safe Connections Act; Sponsors: Sens. Brian Schatz (D-HI), Deb Fischer (R-NE), Rick Scott (R-FL), Richard Blumenthal (D-CT), Jacky Rosen (D-NV), Shelley Moore Capito (R-WV)
    • S.163, Telecommunications Skilled Workforce Act; Sponsors: Sens. John Thune (R-SD), Jon Tester (D-MT), Gary Peters (D-MI), Roger Wicker (R-MS), Jerry Moran (R-KS)
    • S.198, Data Mapping to Save Mom’s Lives Act; Sponsors: Sens. Jacky Rosen (D-NV), Deb Fischer (R-NE), Todd Young (R-IN), Brian Schatz (D-HI), Ed Markey (D-MA), Richard Blumenthal (D-CT), Amy Klobuchar (D-MN), Gary Peters (D-MI)
    • S.326, Measuring the Economic Impact of Broadband Act; Sponsors: Sens. Amy Klobuchar (D-MN), Shelley Moore Capito (R-WV), Dan Sullivan (R-AK)
    • S.735, Advanced Technological Manufacturing Act; Sponsors: Sens. Roger Wicker (R-MS), Maria Cantwell (D-WA), Jacky Rosen (D-NV)
    • S.1260, Endless Frontier Act; Sponsors: Sens. Chuck Schumer (D-NY), Todd Young (R-IN)
  • On 28 April, the Senate Appropriations Committee’s Military Construction, Veterans Affairs, and Related Agencies Subcommittee will hold a hearing titled “VA Telehealth Program: Leveraging Recent Investments to Build Future Capacity.”
  • On 29 April, the Senate Armed Services Committee will hold open and closed hearings on worldwide threats.
  • On 29 April, the Senate Commerce, Science, and Transportation Committee will consider the nomination of Eric Lander to be Director of the Office of Science and Technology Policy (OSTP).
  • The Federal Trade Commission (FTC) will hold a workshop titled “Bringing Dark Patterns to Light” on 29 April.
  • The Department of Commerce’s National Telecommunications and Information Administration (NTIA) will hold “a virtual meeting of a multistakeholder process on promoting software component transparency” on 29 April.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Alexander Popov on Unsplash
