Other Developments, Further Reading, and Coming Events (14 June 2021)

Antitrust, Bot, Coming Events, Competition, COVID-19, Cyber Crime, Cybersecurity, Data Protection, data security, DOJ, EDPB, EU, FISMA, FTC, Further Reading, GDPR, OMB, Other Developments, People's Republic of China, privacy, Ransomware, Section 230, Social Media, Technology, Telecommunications 36 Minutes

Subscribe to my newsletter, The Wavelength, if you want updates on global technology developments four times a week.

Other Developments

  • By a 68-32 vote, the Senate passed the “United States Innovation and Competition Act of 2021” (S.1260), a bill that could result in more than $250 billion to fund United States (U.S) research and development of technology to counter the People’s Republic of China (PRC). The bill now goes to the House which has yet to consider similar legislation. See here and here for more detail and analysis.) Also see the following press releases for varying degrees of detail and emphasis:
  • France’s Autorité de la concurrence issued a €220 million fine “to Google for favouring its own services in the online advertising sector.” The Autorité asserted:
    • Following referrals from News Corp Inc., Le Figaro group and the Rossel La Voix group, the Autorité de la concurrence issues today a decision sanctioning Google, up to 220 million euros, for having abused its dominant position in the advertising server market for website and  mobile applications publishers. The Autorité noted that Google granted preferential treatment to its proprietary technologies offered under the Google Ad Manager brand, both with regard to the operation of the DFP ad server (which allows publishers of sites and applications to sell their advertising space), and its SSP AdX sales platform (which organises the auction process allowing publishers to sell their “impressions” or advertising inventories to advertisers) to the detriment of its competitors and publishers.
    • The practices in question are particularly serious because they penalised Google’s competitors in the SSP market and publishers of mobile sites and applications. Among these, the press groups – including those who were at the origin of the referral to the Autorité – were affected even though their economic model is also strongly weakened by the decline in sales of print subscriptions and the decline in associated advertising revenue.
    • The Autorité recalls that a company in a dominant position is subject to a particular responsibility, that of not undermining, by conduct unrelated to competition on the merits, to an effective and undistorted competition.
    • Google, which did not dispute the facts, wished to benefit from the settlement procedure. The Autorité granted its request. Google proposed commitments to improve the interoperability of Google Ad Manager services with third-party ad server and advertising space sales platform solutions and end provisions that favour Google. The Autorité accepted these commitments and makes them binding in its decision.
  • The Office of Management and Budget (OMB) sent its annual Federal Information Security Modernization Act of 2014 (FISMA) report to Congress, detailing the state of United States government cybersecurity over the previous year. OMB summarized the previous fiscal year:
    • Cybersecurity remains a significant challenge in the Federal Information Technology (IT) landscape. In December 2020, it was discovered that a sophisticated supply chain attack was used to gain access to a large number of information systems across several Federal Government agencies and U.S.-based companies. Commonly associated with the SolarWinds software that was among those exploited, t his protracted attack was perpetrated by well-resourced actors spanning several months and is one of many reasons that the President has made cybersecurity one of the top priorities of his Administration. These events serve as a reminder that the Federal Government must continually invest in defensive capabilities in order to reduce the impact of cybersecurity incidents on our Nation.
    • Agencies reported 30,819 cybersecurity incidents in fiscal year (FY) 2020, an 8% increase over the 28,581 incidents that agencies reported in FY 2019. This trend highlights the ever-increasing threats within the digital landscape and the need for the Federal Government to take action to reduce the impact of cybersecurity incidents. With respect to this same time period, agencies reported six major incidents to the Office of Management and Budget (OMB), Cybersecurity and Infrastructure Security Agency (CISA), and Congress. The incidents covered in this document were reported to CISA during FY 2020, which spans October 1, 2019 to September 30, 2020. Incidents related to the compromise of SolarWinds software are not directly covered in this report because they were first reported in December 2020, after the FY 2020 reporting period. Those incidents, for which facts continue to evolve, will be more directly addressed in the FY 2021 FISMA report.
    • The coronavirus disease 2019 (COVID-19) pandemic National emergency was also a significant factor in information security during FY 2020. This report highlights successful agency efforts during FY 2020 to rapidly transition the Federal enterprise to a telework posture during the ongoing pandemic. Due to the consistency in reporting metrics between FY 2017 and FY 2020, this report is able to demonstrate the long-term improvement of cybersecurity hygiene across the Federal Government. This report also highlights Government-wide programs and initiatives as well as agencies’ progress to enhance Federal cybersecurity over the past year; however, the work of cybersecurity is never done, as adversaries constantly evolve and so must the defenders. Included in this report are a series of findings and actions for the Administration derived from data collected from departments and agencies.  In addition to the focus on cybersecurity, this report offers insight into agencies’ privacy performance through their responses to Senior Agency Official for Privacy (SAOP) metrics. While privacy and cybersecurity are independent and separate disciplines, coordination between them is critical to agencies’ efforts to protect the information entrusted to them.
    • OMB explained the “major incidents” reported during FY 2020:
      • Of the incidents reported by agencies in FY 2020, six incidents were determined by agencies to meet the threshold for major incidents in accordance with the definition in M-20-04. A summary of these major incidents is provided below:
      • Department of Defense:
      • On September 4 , 2020, Department of Defense reported a major incident at the Defense Manpower Data Center (DMDP) to Congress after a DMDC data analyst uploaded a dataset for secure internal delivery to a Navy civilian employee through the DMDC Request System (DMDCRS), a secure file transfer application. Due to analyst error, the incorrect dataset was uploaded for delivery and a secondary review process failed to identify this mistake. The dataset included names, social security numbers, dates of birth, home addresses, personnel information, gender, and race. Upon receipt of the dataset in DMDCRS, the Navy employee promptly notified DMDC of the error and immediately deleted the information downloaded. Although the Navy civilian employee had approved access to DMDCRS and the dataset was transmitted securely within the DoD enclave, the Navy employee did not have a need-to-know for this particular dataset. The entire DMDC Data Delivery team received supplementary Privacy Act training, specifically highlighting proper procedural requirements and a reminder of the importance of appropriate handling of PII. In addition to this training, the DMDCRS team is developing additional safeguard proposals in an effort to prevent future occurrences. An estimated 300,000 individuals were potentially affected.
      • Department of Education
      • On July 9, 2020, Department of Education reported a major incident at Financial Student Aid (FSA) to Congress following the discovery that a shared drive which included files with borrower personally identifiable information (PII) was open and accessible to users within the Department. Within 24 hours of discovery, the Department restored proper file permissions to a more limited number of employees that required access. The Department found no evidence of improper use or external unauthorized disclosure of the PII. An estimated 304,668 individuals were potentially affected.
      • Department of Justice
      • On January 10, 2020, the Department of Justice (DOJ) reported a major incident at United States Marshals Service (USMS) to Congress after the Justice Security Operations Center (JSOC) detected an intrusion of the Detention Services Network (DSNet) system. Names, addresses, birth dates, social security numbers, FBI numbers, and alien numbers of current and former prisoners were successfully electronically exfiltrated through an SQL injection attack. Firewall rules were changed to block access outside of the Continental United States (CONUS), improvements were made to logging and detection systems used by USMS, the JSOC required all user accounts to be revalidated before users could access the DSNet system again, and the application itself has been corrected to properly validate user input. An estimated 387,000 individuals were potentially affected.
      • Department of Homeland Security
      • On October 25, 2019, DHS reported a major incident at the Federal Emergency Management Agency (FEMA) to Congress that involved possible overshare of PII data with a third-party vendor. PII data included full name, home address, phone number, e-mail address, and several non-PII elements related to disaster aid. The information was erroneously sent to a vendor, which was in violation of the Information Sharing and Access Agreement (ISAA). The vendor has certified destruction of all email addresses. An estimated 307,000 individuals were potentially affected. 
      • On February 2, 2020, DHS reported a major incident at FEMA to Congress involving improper storage, processing, and transfer of PII from the Housing Inspection Services Program by authorized vendors to an unaccredited server. PII data in the vendors’ IT systems included names, addresses, telephone numbers, e-mail addresses, case numbers, professional license numbers, and fax numbers. The third-party assessor was unable to provide a breakdown of how many records within the respective vendor IT system contained PII, but it was able to determine that the unaccredited systems showed no indication of compromise. Remediation actions included: servers sanitization, data minimization, establishing external data transfer restrictions, and vendor contract modifications to address necessary compliance actions for applicable cybersecurity and data sharing policies. An estimated 6.8 million individuals were potentially affected.  On March 3 , 2020, DHS reported a major incident at FEMA to Congress involving PII data stored within the Risk Analysis and Mapping System (RAMS) had improper access. Assessments revealed that access controls and the use of non-Government Furnished Equipment (GFE), when transmitting and storing data between 2007 and present, was substandard. Of the six vendors that have contractual agreements with FEMA to access RAMS, only one vendor contains applicable cyber security and privacy clauses for proper access. A third-party IT security vendor’s analysis of this vendor’s facility housing the affected system found no evidence of breach or compromise of vendor systems and that no PII was located on the vendor-owned systems. An estimated 2.5 million individuals were potentially affected.
  • Deputy Attorney General Lisa Monaco issued guidance for all federal prosecutors titled “Guidance Regarding Investigations and Cases Related to Ransomware and Digital Extortion.” This document further develops the United States (U.S.) Department of Justice’s approach to combatting ransomware in particular and cyber crime in general. Monaco stated:
    • A central goal of the recently launched Ransomware and Digital Extortion Task Force is to ensure that we bring to bear the full authorities and resources of the Department in confronting the many dimensions and root causes of this threat. We know that ransomware attacks and digital extortion schemes are often conducted by transnational criminal actors, spread without regard to geographic borders, and thrive on the abuse of online digital and financial infrastructure. Accordingly, the Department must make sure that its efforts in combating digital extortion are focused, coordinated, and appropriately resourced. To ensure we can make necessary connections across national and global cases and investigations, and to allow us to develop a comprehensive picture of the national and economic security threats we face, we must enhance and centralize our internal tracking of investigations and prosecutions of ransomware groups and the infrastructure and networks that allow these threats to persist.
    • The United States Attorneys’ Offices, the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) and Money Laundering and Asset Recovery Section (MLARS), the National Security Division (NSD), and the Federal Bureau of Investigation (FBI), among other components across the Justice Department, play a critical role in identifying those who engage in these schemes and in developing lawful options to disrupt and dismantle the infrastructure and networks used to carry out these attacks. To ensure a coordinated Departmentwide approach, this Memorandum highlights certain existing Justice Manual requirements, and sets forth new requirements relating to ransomware or digital extortion attacks and investigations and cases with a nexus to ransomware and digital extortion. These new requirements are effective immediately.
  • The United States (U.S.) Department of Justice (DOJ) announced that “it has seized 63.7 bitcoins currently valued at approximately $2.3 million…[that] allegedly represent the proceeds of a May 8, ransom payment to individuals in a group known as DarkSide, which had targeted Colonial Pipeline, resulting in critical infrastructure being taken out of operation.” The DOJ released the warrant and affidavit used to execute this action. The DOJ claimed:
    • On or about May 7, Colonial Pipeline was the victim of a highly publicized ransomware attack resulting in the company taking portions of its infrastructure out of operation. Colonial Pipeline reported to the FBI that its computer network was accessed by an organization named DarkSide and that it had received and paid a ransom demand for approximately 75 bitcoins.
    • As alleged in the supporting affidavit, by reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the “private key,” or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address. This bitcoin represents proceeds traceable to a computer intrusion and property involved in money laundering and may be seized pursuant to criminal and civil forfeiture statutes. 
    • The Special Prosecutions Section and Asset Forfeiture Unit of the U.S. Attorney’s Office for the Northern District of California is handling the seizure, with significant assistance from the Department of Justice Criminal Division’s Money Laundering and Asset Recovery Section and Computer Crime and Intellectual Property Section, and the National Security Division’s Counterintelligence and Export Control Section. The Department components who worked on this seizure coordinated their efforts through the Department’s Ransomware and Digital Extortion Task Force, which was created to combat the growing number of ransomware and digital extortion attacks.
    • The Task Force prioritizes the disruption, investigation, and prosecution of ransomware and digital extortion activity by tracking and dismantling the development and deployment of malware, identifying the cybercriminals responsible, and holding those individuals accountable for their crimes. The Task Force also strategically targets the ransomware criminal ecosystem as a whole and collaborates with domestic and foreign government agencies as well as private sector partners to combat this significant criminal threat.
  • The European Commission (EC) “proposed a framework for a European Digital Identity which will be available to all EU citizens, residents, and businesses in the EU.” The EC stated:
    • Citizens will be able to prove their identity and share electronic documents from their European Digital Identity wallets with the click of a button on their phone. They will be able to access online services with their national digital identification, which will be recognised throughout Europe. Very large platforms will be required to accept the use of European Digital Identity wallets upon request of the user, for example to prove their age. Use of the European Digital Identity wallet will always be at the choice of the user.
    • Under the new Regulation, Member States will offer citizens and businesses digital wallets that will be able to link their national digital identities with proof of other personal attributes (e.g. driving licence, diplomas, bank account). These wallets may be provided by public authorities or by private entities, provided they are recognised by a Member State.
    • The new European Digital Identity Wallets will enable all Europeans to access services online without having to use private identification methods or unnecessarily sharing personal data. With this solution they will have full control of the data they share.
    • The European Digital Identity will be:
      • Available to anyone who wants to use it: Any EU citizen, resident, and business in the Union who would like to make use of the European Digital Identity will be able to do so.
      • Widely useable: The European Digital Identity wallets will be useable widely as a way either to identify users or to prove certain personal attributes, for the purpose of access to public and private digital services across the Union.
      • Users in control of their data: The European Digital Identity wallets will enable people to choose which aspects of their identity, data and certificates they share with third parties, and to keep track of such sharing. User control ensures that only information that needs to be shared will be shared.
    • To make it a reality as soon as possible, the proposal is accompanied by a Recommendation. The Commission invites Member States to establish a common toolbox by September 2022 and to start the necessary preparatory work immediately. This toolbox should include the technical architecture, standards and guidelines for best practices.
    • In parallel to the legislative process, the Commission will work with Member States and the private sector on technical aspects of the European Digital Identity. Through the Digital Europe Programme, the Commission will support the implementation of the European Digital Identity framework, and many Member States have foreseen projects for the implementation of the e-government solutions, including the European Digital Identity in their national plans under the Recovery and Resilience Facility.
    • The Commission’s 2030 Digital Compass sets out a number of targets and milestones which the European Digital Identity will help achieve. For example, by 2030, all key public services should be available online, all citizens will have access to electronic medical records; and 80% citizens should use an eID solution.
    • For this initiative, the Commission builds on the existing cross-border legal framework for trusted digital identities, the European electronic identification and trust services initiative (eIDAS Regulation). Adopted in 2014, it provides the basis for cross-border electronic identification, authentication and website certification within the EU. Already about 60% of Europeans can benefit from the current system.
    • However, there is no requirement for Member States to develop a national digital ID and to make it interoperable with the ones of other Member States, which leads to high discrepancies between countries. The current proposal will address these shortcomings by improving the effectiveness of the framework and extending its benefits to the private sector and to mobile use.
  • The Federal Trade Commission (FTC) reached a settlement with MoviePass regarding allegations that the now defunct company “took steps to block subscribers from using the service as advertised, while also failing to secure subscribers’ personal data.” The FTC explained it “voted 3-1 to issue the administrative complaint and to accept the proposed consent agreement…[and] Commissioner Noah Joshua Phillips voted no and issued a dissenting statement. Commissioner Christine S. Wilson issued a concurring statement. ”The FTC contended:
    • Under the proposed settlement, MoviePass, Inc., its parent company Helios and Matheson Analytics, Inc. (Helios), and their principals, Mitchell Lowe and Theodore Farnsworth, will be barred from misrepresenting their business and data security practices. In addition, any businesses controlled by MoviePass, Helios, or Lowe must implement comprehensive information security programs.
    • In its complaint, the FTC alleges that MoviePass, Inc.—along with its CEO, Lowe, as well as Helios and Farnsworth, CEO of Helios—deceptively marketed its “one movie per day” service promised to subscribers who paid for its $9.95 monthly service. The FTC alleges that MoviePass employed three tactics to prevent subscribers from using the service as advertised.
    • First, according to the FTC, MoviePass’s operators invalidated subscriber passwords while falsely claiming to have detected “suspicious activity or potential fraud” on the accounts. MoviePass’s operators did this even though some of its own executives raised questions about the scheme, according to the complaint.
    • Second, MoviePass’s operators launched a ticket verification program to discourage use of the service. This program required subscribers to take and submit pictures of their physical movie ticket stubs for approval through the MoviePass app within a certain timeframe. Subscribers who failed to submit their tickets could not view future movies and could have their subscriptions canceled if they failed to verify their tickets more than once. The program blocked thousands of subscribers from using the service because of problems with the verification system, according to the complaint.
    • Third, MoviePass’s operators used “trip wires” that blocked certain groups of users—typically those who viewed more than three movies per month—from utilizing the service after they collectively hit certain thresholds based on their monthly cost to the company, the FTC alleges.
    • The Commission’s complaint details how Lowe and Farnsworth were personally involved in this scheme. For example, Lowe is alleged to have personally ordered subscribers’ passwords to be disrupted, and even chose the number of consumers to be targeted. As for Farnsworth, the complaint alleges that an employee sent an email on Farnsworth’s behalf proposing a misleading consumer notice about the password disruption. Both executives knew their scheme was deceptive and harmful to consumers, according to the complaint.
    • The FTC alleges that MoviePass’s operators also violated the Restore Online Shoppers’ Confidence Act (ROSCA). ROSCA requires that firms be truthful with consumers when marketing negative option services—such as subscriptions—over the Internet. This means disclosing all material terms, and obtaining consumers’ informed consent before charging them.
    • As detailed in the Commission’s complaint, MoviePass’s operators failed to live up to both requirements. They pitched consumers on a “one movie per day” subscription, while hiding the ball about their elaborate efforts to prevent consumers from taking advantage of this service. And because consumers were not aware that the “one movie per day” promise was illusory, MoviePass’s operators failed to obtain their informed consent. 
    • In addition, MoviePass’s operators also failed to take reasonable steps to secure personal information it collected from subscribers, such as their names, email addresses, birth dates, credit card numbers, and geolocation information, the FTC alleges. For example, the company stored consumers’ personal data including financial information and email addresses in plain text and failed to impose restrictions on who could access personal data.
    • MoviePass noted in its privacy policy that it used reasonable measures to protect personal information including encrypting customer emails and payment information, according to the complaint. Despite these claims, MoviePass’s operators left a database containing large amounts of subscribers’ personal information unencrypted and exposed, leading to unauthorized access.
    • Lowe, Farnsworth, MoviePass, and its parent company are all bound by the proposed order. Under the proposed order, MoviePass’s operators are prohibited from misrepresenting the services they provide and must implement a comprehensive security program requiring them—and any businesses controlled by MoviePass, Helios, or Lowe—to identify external and internal security risks and take steps to address those risks. In addition, MoviePass’s operators must obtain biennial assessments of its information security program by a third party, which the FTC has authority to approve, to examine the effectiveness of the program. Finally, MoviePass’s operators are required to notify the FTC of any future data breaches, and a senior executive must certify annually that MoviePass’s operators are complying with the data security requirements of the settlement. The order does not include monetary relief for consumers. Both MoviePass and its parent company, Helios, have filed for bankruptcy.
    • In his dissent, FTC Commissioner Phillips argued:
      • The Commission’s decision in this case to plead a novel theory of liability under the Restore Online Shoppers’ Confidence Act of 2010 (“ROSCA”) accomplishes nothing for consumers and reduces clarity for businesses seeking to follow the law.
      • The novelty here is that, for the first time, the Commission is treating a deception about the characteristics of the underlying product—not the negative option feature—as a violation of ROSCA. To date, all the complaints filed by the Commission that allege ROSCA violations in the negative option context with a first party seller have involved defendants hiding a negative option feature, not obtaining express informed consent before charging the consumer, or failing to provide a simple mechanism for cancelling the recurring charge. Instead of examining whether consumers understood the negative option feature, had given consent to that, or were able to cancel in a simple way, this complaint instead looks to the characteristics of the product that MoviePass sold to its some of its consumers. The Commission is thus announcing that it may seek civil penalties against all businesses that use online negative option features where the Commission determines that there has been any material deception, whether relating to the negative option feature or a characteristic of the underlying product.
    • In her concurring statement, FTC Commissioner Wilson stated:
      • I support the complaint and consent in this matter challenging the respondents’ marketing of its movie subscription product. Specifically, the respondents offered subscribers “unlimited movies” but deployed a variety of tactics to prevent consumers from enjoying unlimited benefits, as recounted in the complaint, rendering the representations deceptive. I also concur with the inclusion of a count challenging violations of the Restore Online Shoppers’ Confidence Act, 15 U.S.C. § 8403 (ROSCA). The conduct alleged in this case, in my view, violates the plain language of the statute.
      • I am mindful that this settlement marks the first time the Commission has alleged a violation of ROSCA where the undisclosed material terms do not relate specifically to the negative option feature but instead to the underlying good or service marketed through that feature. But I believe that the facts of this case fall well within the bounds of the conduct that Congress contemplated challenging when promulgating the statute. In fact, the conduct described in the complaint fits neatly within the plain language of the statue. Given the inaugural use of ROSCA for this purpose, it is appropriate that the Commission is foregoing civil penalties. Businesses need predictability about the manner in which laws will be enforced and should be afforded the ability to contest new uses of authority. This case will serve as notice to the market, and future violations of this type may well warrant civil penalties.
  • The European Data Protection Board (EDPB) published its Annual Report 2020. The EDPB summarized its actions during 2020:
    • During the COVID-19 pandemic, EEA Member States began taking measures to monitor, contain and mitigate the spread of the virus. The EDPB issued guidance on, amongst others, location and contact-tracing apps; processing health data for scientific research; restrictions on data subject rights in a state of emergency and data processing in the context of reopening borders. 
    • The Court of Justice of the European Union’s ruling in Schrems II had significant implications for EEA-based entities that transfer data to the U.S. and other third countries. The EDPB issued an FAQ document, followed later by Recommendations for Supplementary Measures when using International transfer tools, to ensure compliance with the level of protection required under EU law, and Recommendations on European Essential Guarantees contributing to the assessment of surveillance measures allowing access to personal data by public authorities in third countries. The Recommendations for Supplementary Measures were subject to a public consultation. The EDPB received over 200 contributions from various stakeholders, which it is currently analysing. 
    • During 2020, the EDPB defined its Strategy for 2021-2023, which covers four main pillars with strategic objectives: 
      • Advancing harmonisation and facilitating compliance; 
      • supporting effective enforcement and efficient cooperation between national supervisory authorities; 
      • a fundamental rights approach to new technologies and
      • the global dimension. For each of the pillars, a set of key actions are defined to help achieve these objectives. In early 2021, the EDPB adopted its two-year work programme for 2021-2022. The work programme follows the priorities set out in the EDPB 2021-2023 Strategy and will put the EDPB’s strategic objectives into practice.
    • In 2020, the EDPB adopted 10 Guidelines on topics such as the concepts of controller and processor; and targeting of social media users, as well as three Guidelines in their final, post-consultation versions (on video devices, the right to be forgotten and data protection by design and default). 
    • In addition to providing guidance, ensuring consistency in enforcement and cooperation between national authorities is a key task of the EDPB. In 2020, the EDPB issued 32 Opinions under Art. 64 GDPR. Most of these Opinions concern draft accreditation requirements for a code of conduct monitoring body or a certification body, as well as Controller Binding Corporate Rules for various companies.
    • On 9 November 2020, the EDPB adopted its first dispute resolution decision on the basis of Art. 65 GDPR. The binding decision addressed the dispute that arose after the Irish SA, acting as Lead SA, issued a draft decision regarding Twitter International Company and the subsequent relevant and reasoned objections expressed by a few Concerned SAs. 
    • The GDPR requires the EEA SAs to cooperate closely to ensure the consistent application of the GDPR and protection of individuals’ data protection rights across the EEA. 
      • Between 1 January and 31 December 2020, there were 628 cross-border cases out of which 461 originated from a complaint, while 167 had other origins, such as investigations, legal obligations and/or media reports. 
      • The One-Stop-Shop mechanism demands cooperation between the LSA and the CSAs. The LSA leads the investigation and plays a key role in the process of reaching consensus between the CSAs, in addition to working towards reaching a coordinated decision about the data controller or processor. Between 1 January 2020 and 31 December 2020, there were 203 draft decisions, of which 93 resulted in final decisions.
      • The mutual assistance procedure allows SAs to ask for information from other SAs or to request other measures for effective cooperation, such as prior authorisations or investigations. Between 1 January 2020 and 31 December 2020, SAs initiated 246 formal mutual assistance procedures. They initiated 2,258 informal mutual assistance procedures. Mutual assistance is also used by the SAs requesting the competent SA to handle complaints they received which do not relate to cross-border processing as defined by the GDPR. 
  • Canada’s federal and provincial information and privacy regulators have issued a Joint resolution: Reinforcing Privacy and Access to Information Rights During and After a Pandemic that calls on the governments of Canada “to respect Canadians’ quasi-constitutional rights to privacy and access to information.” The regulators wants these governments “apply the following principles in the implementation and the necessary modernization of governance regimes around freedom of information and protection of privacy:
    • In terms of Access:
      • Federal, provincial and territorial institutions must recognize the importance of transparency, and uphold the right of access to information during an emergency by ensuring business continuity plans include measures for processing requests for access.
      • Institutional leaders must provide clear guidance and direction on the ongoing importance of information management in this new operating environment, which may include working remotely. Properly documenting institutional decisions and any resulting actions, and organizing and storing such documentation in a manner that enables timely access to such documentation are central to principles of open, transparent and responsible government.
      • Governments should emphasize both the proactive and voluntary disclosure of government information – particularly, information of significant public interest related to policy-making, public health, public safety, economy, procurements and benefits.
      • Respecting the privacy of individuals is critically important. Public bodies must be open and transparent with non-personal or aggregate-level information that the public needs to know to make informed choices and decisions about how to protect themselves and to ensure fair distribution of risks and benefits among all members of society, including the most vulnerable and marginalized groups.
      • Federal and provincial institutions should leverage technology and innovation now and in the future to advance the principle of transparency in a manner that meets the public interest and accords with the modern needs of a digital society. The modernization of access-to-information systems must focus on innovative approaches and new information technologies, supported by adequate human resources.
    • In terms of Privacy:
      • To appropriately address digital transformation, privacy laws must be interpreted so as to recognize the fundamental nature of the right to privacy and apply it in a modern, sustainable way, by allowing for responsible innovation that is in the public interest and prohibiting uses of technology that are incompatible with our rights and values.
      • Exceptions exist in privacy laws to enable the collection, use and disclosure of personal information for public health purposes during a pandemic and other emergencies. Privacy laws should not be characterized by those subject to them as a barrier to appropriate collection, use and sharing of information. Instead, privacy laws, norms and best practices should be viewed as a way to ensure responsible data use and sharing that supports public health and promotes trust in our healthcare system and governments.
      • Emergency measures, including those related to economic and social recovery, should incorporate principles of “privacy by design” to ensure the collection, use and disclosure of personal information is done fairly, lawfully, and securely, in a transparent manner that promotes demonstrable accountability.
      • Emergency response and recovery measures involving the exceptional collection, use and disclosure of personal information without consent must be necessary and proportionate in scope, meaning they must be evidence-based, necessary for the specific purpose identified, not overbroad and time-limited.
      • Personal information collected in support of emergency measures should be destroyed when the crisis ends, except where the purpose for which the information was collected extends beyond the end of the crisis, or for narrow purposes such as research, ongoing healthcare, or ensuring accountability for decisions made during the emergency, particularly decisions about individuals and marginalized groups.
      • Public and private entities must respect principles of data minimization and use limitation, and be required to use de-identified or aggregate-level data, whenever possible, when informing others of information they need to know to keep safe, including the general public.
  • Privacy International, Amnesty International, and The Centre for Research on Multinational Corporations (SOMO) issued a briefing titled “Operating from the Shadows: Inside NSO Group’s Corporate Structure.” These groups stated:
    • In this briefing, Amnesty International, PI and The Centre for Research on Multinational Corporations (SOMO) discuss the corporate structure of NSO group, one of the surveillance industry’s well-known participants. The lack of transparency around NSO Group’s corporate structure and the lack of information about the relevant jurisdictions within which it operates are significant barriers in seeking prevention of, and accountability for, human rights violations reportedly linked to NSO Group’s products and services. The aim of this report is to give researchers, journalists, lawyers and HRDs information on NSO Group’s corporate structure. By documenting its structure, we shed light on the workings of this company, and provide an illustrative case study of the risks and corporate dynamics that characterise the broader surveillance industry.
    • As a form of government surveillance, government hacking presents unique and grave threats to our privacy and security. It has the potential to be far more intrusive than any other surveillance technique, permitting the government to remotely and surreptitiously access our personal devices and all the intimate information they store. It also permits the government to conduct novel forms of real-time surveillance, by covertly turning on a device’s microphone, camera, or GPS-based locator technology, or by capturing continuous screenshots or seeing anything input into and output from the device.
    • Although it is possible that some governments manufacture tools to conduct targeted digital surveillance themselves, many states buy the sophisticated technology enabling such surveillance from private companies. They justify the procurement of these technologies as essential for maintaining law and order. Some of these surveillance companies manufacture and sell spyware or other such tools to state actors, who have, in addition to legitimate purposes, used surveillance to shrink the space for dissent by targeting human rights defenders, in violation of their internationally recognised human rights.
    • Little is known about the surveillance industry, as it operates from the shadows despite repeated calls for more transparency and accountability. This lack of transparency is a foundational challenge to human rights accountability. Without more information being made publicly available about the surveillance industry – for example identities and ownership of the companies facilitating government surveillance; the capabilities on offer; the scale of deployment; or details of company due diligence or remediation efforts – the international community is unable to ascertain the full scope of the human rights risks presented, mitigate those risks, or seek remedy when abuses occur.
    • PI, Amnesty International and SOMO recommend that states:
      • (a) implement the UN Special Rapporteur’s call for an immediate moratorium on the global sale and transfer of the products of the private surveillance industry until rigorous human rights safeguards are put in place to regulate such practices;
      • (b) adopt and enforce a legal framework requiring private surveillance companies to conduct human rights due diligence in their global operations, supply chains and in relation to the use of their products and services;
      • (c) adopt and enforce a legal framework requiring transparency in the key areas noted above by private surveillance companies;
      • (d) disclose contracts with such companies and implement human rights-based procurement standards;
      • (e) effectively regulate the export of surveillance technologies in a manner that prevents human rights abuses;
      • (f) adopt and enforce domestic legal frameworks that create human rights safeguards against surveillance abuses and accountability mechanisms for victims of such abuses; and
      • (g) participate in key multilateral efforts (e.g. in support of the UN Special Rapporteur’s call for an immediate moratorium on the sale, transfer and use of surveillance technology) to integrate human rights standards in the development, sale and transfer, and use of surveillance technology.
  • The Democratic leadership on the House Energy and Commerce Committee wrote Facebook, Twitter, and Google and “demanded answers from the CEOs of Facebook, Twitter, and Google today as part of their investigation into the tech companies’ continued mishandling of COVID-19 disinformation.” Chair Frank Pallone, Jr. (D-NJ), Health Subcommittee Chair Anna G. Eshoo (D-CA), Oversight and Investigations Subcommittee Chair Diana DeGette (D-CO), Communications and Technology Subcommittee Chair Mike Doyle (D-PA), and Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky (D-IL) sent the letters because “recent reports that COVID-19 vaccine disinformation continues to persist on their platforms following a joint subcommittee hearing in March.” They further asserted:
    • Throughout the March hearing, and in Facebook, Twitter, and Google’s individual submissions to the Committee, each company referenced specific company policies against COVID-19 misinformation and actions taken by the companies to remove such content.
    • Despite these assurances, the Committee leaders pointed to a subsequent report issued in April that found that, in the month since the March hearing, the Disinformation Dozen have posted at least 105 pieces of content that violate platform service agreements for Facebook, Instagram, or Twitter. This content generated up to 29 million potential impressions from the existing followers of these accounts. The report also found that of the 12 individuals, at least nine continue to have active accounts on Facebook and Instagram and ten have active accounts on Twitter.  
    • The Committee leaders also pointed to a recent news report that indicates that while Google has taken action to remove some COVID-19 vaccine misinformation from its platform, YouTube, these actions have not been entirely effective. Videos containing disinformation about COVID-19 and vaccines created by at least one member of the Disinformation Dozen continue to be available on YouTube. 

Further Reading

  • Spectrum is forcing full-price plans on people seeking FCC benefit” By Issie Lapowsky — Protocol. Spectrum is forcing customers who are eligible for a new federal subsidy for internet service to opt in to full-price plans once the subsidy runs out. The policy appears to skirt rules set forth by the Federal Communications Commission, which is running the Emergency Broadband Benefit program.
  • The U.S. Is Back in the 5G Game” By Stu Woo — The Wall Street Journal. The U.S. government has upended the $35 billion-a-year cellular-equipment industry, ushering in a new era of competition and giving U.S. companies a shot at re-entering a sector they vacated years ago. In the past five years, only China’s Huawei Technologies Co., Sweden’s Ericsson and Finland’s Nokia Corp. captured more than a 20% share of revenue in the wireless-equipment market, according to Dell’Oro Group, a research firm. No other competitor consistently cracked even 10%.
  • Google Strikes Deal With Hospital Chain to Develop Healthcare Algorithms” By Melanie Evans — The Wall Street Journal. Alphabet Inc.’s GOOG Google and national hospital chain HCA Healthcare Inc. have struck a deal to develop healthcare algorithms using patient records, the latest foray by a tech giant into the $3 trillion healthcare sector. HCA, which operates across about 2,000 locations in 21 states, would consolidate and store with Google data from digital health records and internet-connected medical devices under the multiyear agreement. Google and HCA engineers will work to develop algorithms to help improve operating efficiency, monitor patients and guide doctors’ decisions, according to the companies.
  • Russia Raises Heat on Twitter, Google and Facebook in Online Crackdown” By Adam Satariano and Oleg Matsnev — The New York Times. Russia is increasingly pressuring Google, Twitter and Facebook to fall in line with Kremlin internet crackdown orders or risk restrictions inside the country, as more governments around the world challenge the companies’ principles on online freedom. Russia’s internet regulator, Roskomnadzor, recently ramped up its demands for the Silicon Valley companies to remove online content that it deems illegal or restore pro-Kremlin material that had been blocked. The warnings have come at least weekly since services from Facebook, Twitter and Google were used as tools for anti-Kremlin protests in January. If the companies do not comply, the regulator has said, they face fines or access to their products may be throttled.
  • Why Apple and Google’s Virus Alert Apps Had Limited Success” By Natasha Singer — The New York Times. Sarah Cavey, a real estate agent in Denver, was thrilled last fall when Colorado introduced an app to warn people of possible coronavirus exposures. Based on software from Apple and Google, the state’s smartphone app uses Bluetooth signals to detect users who come into close contact. If a user later tests positive, the person can anonymously notify other app users whom the person may have crossed paths with in restaurants, on trains or elsewhere. Ms. Cavey immediately downloaded the app. But after testing positive for the virus in February, she was unable to get the special verification code she needed from the state to warn others, she said, even after calling Colorado’s health department three times.
  • The bipartisan consensus on broadband is a mirage” By Rebecca Heilweil — recode. There’s a tense fight in Washington between Republicans and Democrats over President Biden’s infrastructure plan, from the amount of funding in it to the very definition of infrastructure. But on the question of addressing the internet and bridging the digital divide, there appears to be resounding agreement that broadband is very, very important and very, very bipartisan. This is a mirage. Earlier this week, Vice President Kamala Harris met with members of Congress from both parties to hammer out the logistics of funding broadband through the infrastructure package, saying the subject is one Americans see as nonpartisan. Sen. Amy Klobuchar told local media in Minnesota that discussion was just focused on “nuts and bolts.”
  • Biden vacancies delay Big Tech reckoning” By Kim Hart — Axios. President Biden still hasn’t named permanent leaders at the key agencies overseeing the tech and telecom industries, giving him a late start on confronting powerful U.S. companies.
  • U.S. agency not doing its job to halt tech to China’s military -congressional report” By Karen Freifeld — Reuters. The U.S. Commerce Department is failing to do its part to protect national security and keep sensitive technology out of the hands of China’s military, according to a U.S. congressional advisory report seen by Reuters. The U.S.-China Economic and Security Review Commission report, due to be published on Tuesday, said the Commerce Department had been slow to create a list of sensitive technology that should be scrutinized before export to China.
  • British military seeks briefings from Australia over security concerns about Israeli battle management technology” By Andrew Greene — ABC News. Security concerns about Israeli military technology supplied to the Australian Army are drawing the attention of a key intelligence-sharing ally. The ABC can reveal the British military last year approached the Australian Defence Force to learn more about possible risks associated with a Battle Management System (BMS) developed by Elbit Systems.
  • A Rural-Urban Broadband Divide, but Not the One You Think Of” By Eduardo Porter — The New York Times. Whom should the government help get superfast internet access? The question is not addressed directly in President Biden’s multibillion-dollar infrastructure plan, which devotes tens of billions of dollars to expanding access to broadband but does not provide much detail about how the money will be spent. But veterans of the nation’s decade-long efforts to extend the nation’s broadband footprint worry that the new plan carries the same bias of its predecessors: Billions will be spent to extend the internet infrastructure to the farthest reaches of rural America, where few people live, and little will be devoted to connecting millions of urban families who live in areas with high-speed service that they cannot afford.
  • Amazon’s Sidewalk feature will share your internet connection. Here’s how to opt out.” By Brett Molina — USA Today. Amazon is planning to automatically enroll owners of its devices in a program that would share a slice of their internet connection with neighbors. Amazon confirmed in an email to USA TODAY that the program will launch on eligible Echo devices starting June 8. Amazon Sidewalk is a low-bandwidth shared network the tech giant says will not only allow your devices to work better, but help locate lost items.
  • Italy gives Vodafone 5G deal with Huawei conditional approval – sources” By Elvira Pollina and Giuseppe Fonte — Reuters. Vodafone’s (VOD.L) Italian unit has secured conditional approval from Rome to use equipment made by China’s Huawei in its 5G radio access network, two sources close to the matter said. Italy can block or impose tough conditions on deals involving non EU vendors under “golden powers”, which have been used three times since 2012 to block foreign interest in industries deemed to be of strategic importance.
  • Australia’s Nine signs Facebook, Google deals under new licensing regime” By Byron Kaye — Reuters. Australian broadcaster and publisher Nine Entertainment Co Holdings Ltd said it signed multi-year content-supply deals with Google and Facebook Inc (FB.O), harnessing tough new licencing laws to bolster profit. The step means that all of Australia’s three largest media firms now have deals with U.S. tech giants that had until this year fiercely opposed laws making them negotiate over the fees they pay for the links driving clicks to their platforms.
  • Instagram making changes to its algorithm after it was accused of censoring pro-Palestinian content” By Kim Lyons — The Verge. Facebook-owned Instagram has made changes to its algorithm after a group of its employees reportedly complained that pro-Palestinian content was not viewable for users during the conflict in Gaza. Instagram typically surfaces original content in its stories before reposted content, but will now begin to give equal weighting to both, the company confirmed to The Verge on Sunday. As reported by BuzzFeed News and the Financial Times, the Instagram employee group had made numerous appeals about content that had been censored by Instagram’s automated moderation, such as posts about the al-Asqa mosque being mistakenly removed. The employees didn’t believe the censorship was deliberate, according to FT, but one said that “moderating at scale is biased against any marginalized groups.”
  • Twitter May Start Labeling Your Tweets Based on How Wrong You Are” By Alyse Stanley — Gizmodo. Twitter is one of many social media companies that’s struggled to keep misinformation from running rampant on its platform over the years. Its latest attempt to move the needle looks to be a tiered warning label system that changes based on how wrong you are, according to app researcher Jane Manchun Wong. So far, there are three levels of misinformation warning labels: “Get the latest,” “Stay Informed,” and “Misleading,” Wong tweeted on Monday. How accurate a tweet is determines if Twitter’s systems tack on one of these three labels, each of which includes a prompt directing users to additional information. Ostensibly, these would link to a Twitter-curated page or external vetted source, as is the case for Twitter’s covid-19 and U.S. presidential election misinformation labels.
  • Facebook Takes on Superspreaders” By Shira Ovide — The New York Times. Big internet companies are finally taking misinformation “superspreaders” seriously. (All it took was a global health crisis and the great lie of a rigged election.) I’ve written about influential people, including former President Donald J. Trump, who have been instrumental in spreading false information online about important topics like election integrity and vaccine safety. Some of those same people have repeatedly twisted our beliefs — and internet companies have largely given them a pass.
  • Google hit with $123M antitrust fine in Italy over Android Auto” By Natasha Lomas — Tech Crunch. Google has been fined just over €100 million (~$123M) by Italy’s antitrust watchdog for abuse of a dominant market position. The case relates to Android Auto, a modified version of Google’s mobile OS intended for in-car use, and specifically to how Google restricted access to the platform to an electric car charging app, called JuicePass, made by energy company Enel X Italia.

Coming Events

  • On 14 June, the California Privacy Protection Agency Board will hold its inaugural meeting.
  • The House Financial Services Committee’s Financial Technology Task Force will hold a 15 June hearing titled “Digitizing the Dollar: Investigating the Technological Infrastructure, Privacy, and Financial Inclusion Implications of Central Bank Digital Currencies.”
  • On 15 June, the House Homeland Security Committee’s Transportation & Maritime Security  and Cybersecurity, Infrastructure Protection, & Innovation Subcommittees will hold a joint hearing titled “Cyber Threats in the Pipeline: Lessons from the Federal Response to the Colonial Pipeline Ransomware Attack” with these witnesses:
    • Eric Goldstein, Executive Assistant Director for Cybersecurity, Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of Homeland Security
    • Sonya Proctor, Assistant Administrator for Surface Operations, Transportation Security Administration (TSA), U.S. Department of Homeland Security
  • On 16 June, the Senate Homeland Security and Governmental Affairs Committee will consider the nominations of Robin Carnahan to be Administrator of General Services, Jen Easterly to be Director of the Cybersecurity and Infrastructure Security Agency, Department of Homeland Security, and Chris Inglis to be National Cyber Director.
  • On 17 June, the Senate Homeland Security and Governmental Affairs Committee’s Emerging Threats and Spending Oversight Subcommittee will hold a hearing titled “Addressing Emerging Cybersecurity Threats to State and Local Government.”
  • On 17 June the Senate Appropriations Committee will hold a hearing on the Department of Defense’s FY 2022 budget request.
  • The Federal Communications Commission (FCC) will hold its June meeting on 17 June with this tentative agenda:
    • Protecting Against National Security Threats to the Communications Supply Chain through the Equipment Authorization and Competitive Bidding Programs.
      The Commission will consider a Notice of Proposed Rulemaking and Notice of Inquiry seeking comments on steps it could take to secure the nation’s critical communications networks through its equipment authorization and competitive bidding programs. (ET Docket No. 21-232; EA Docket No. 21-233)
    • Allowing Earlier Equipment Marketing and Importation Opportunities. The Commission will consider a Report and Order that would adopt changes to the equipment authorization rules to allow expanded marketing and importation of radiofrequency devices prior to certification, with conditions. (ET Docket No. 20-382)
    • Improving the Emergency Alert System and Wireless Emergency Alerts. The Commission will consider a Report and Order and Further Notice of Proposed Rulemaking to implement section 9201 of the National Defense Authorization Act for Fiscal Year 2021, which is intended to improve the way the public receives emergency alerts on their mobile phones, televisions, and radios. (PS Docket Nos. 15-94, 15-91)
    • Improving Robocall and Spoofing Input from Private Entities. The Commission will consider a Report and Order to implement Section 10(a) of the TRACED Act by adopting a streamlined process that will allow private entities to alert the FCC’s Enforcement Bureau about suspected unlawful robocalls and spoofed caller ID. (EB Docket No. 20-374)
    • Promoting Telehealth for Low-Income Consumers. The Commission will consider a Second Report and Order that would provide guidance on the administration of the Connected Care Pilot Program and further instructions to program participants. (WC Docket No. 18-213)
    • Exploring Spectrum Options for Devices Used to Mark Fishing Equipment. The Commission will consider a Notice of Proposed Rulemaking that would satisfy the Commission’s statutory obligation in Section 8416 of the National Defense Authorization Act for Fiscal Year 2021 to initiate a rulemaking proceeding to explore whether to authorize devices that can be used to mark fishing equipment for use on Automatic Identification System (AIS) channels consistent with the core purpose of the AIS to prevent maritime accidents. (WT Docket No. 21-230)
    • Improving Low Power FM Radio. The Commission will consider an Order on Reconsideration of a proceeding to modernize the LPFM technical rules. (MB Docket No. 19-193)
    • Enforcement Bureau Action. The Commission will consider an enforcement action.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Ilnur Kalimullin on Unsplash

Photo by Soroush Karimi on Unsplash

Photo by Alexander Shatov on Unsplash

Photo by Pablo Heimplatz on Unsplash

Published by Michael Kans

An attorney who specializes in technology policy, law, and politics with other areas of expertise.

Published

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s