Other Developments, Further Reading, and Coming Events (21 July 2021)

Other Developments

  • France’s Autorité de la concurrence fined Google “up to 500 million euros for having disregarded several injunctions issued in the context of its interim measures’ decision of April 2020 (decision 20-MC-01 of 9 April 2020 regarding requests for interim measures presented by Syndicat des éditeurs de la presse magazine, Alliance de la presse d’information générale e.a. and Agence France-Presse).” The Autorité “also orders Google to present a remuneration offer for the current use of their protected content to press publishers and agencies that have referred the case to the Autorité and to provide them with the necessary information for evaluating such offer, under periodic penalty payment of up to 900,000 euros per day of delay, if Google has not done so within two months.” This fine represents the latest development in a long-running saga between the search engine giant and nations over what, if anything, it should pay for linking and using the articles and content of the news media. The Autorité explained:
    • As a reminder, in its interim measures decision 20-MC-01, the Autorité noted that following the adoption of Law No. 2019-775 of 24 July 2019 aiming to create a related right for the benefit of press agencies and publishers, transposing Directive No. 2019/790 of 17 April 2019 on copyright and related rights in the digital single market, Google had unilaterally decided that it would no longer display extracts from articles, photographs and videos within its various services, unless the editors give it permission free of charge. The Autorité considered that this behaviour could constitute an abuse of a dominant position and that it caused serious and immediate harm to the press sector. It had issued, pending a decision on the merits, seven injunctions against Google. This decision was confirmed by the Paris Court of Appeal in a ruling of 8 October 2020, and has become final (Google has not lodged an appeal before the French Supreme Court).
    • In particular, Google had been ordered to:
      • enter into negotiations in good faith with press publishers and agencies who so desire (Injunction No. 1) for a period of three months from the request of the publisher or the press agency (Injunction No. 4);
      • communicate the information necessary for the transparent assessment of the remuneration provided for in Article L. 218-4 of the Intellectual Property Code (the “CPI”) (Injunction No. 2);
      • ensure that a principle of strict neutrality is respected during negotiations, so as not to affect the indexing, classification and presentation of protected content taken up by Google on these services (injunction No. 5); the decision stated in this regard that: “This is to prevent publishers from suffering unfavourable consequences on the usual conditions of display, indexing and ranking of their content on Google, because or related to ongoing negotiations”. The Paris Court of Appeal in its ruling of 8 October 2020 clarified the scope of injunction No. 5, indicating that: “This injunction does not prevent improvements and innovations in the services offered by Google LLC companies, Google Ireland Ltd and Google France, provided that they do not lead, directly or indirectly, to any prejudicial consequence to the interests of the holders of related rights concerned by the negotiations provided for in Articles 1 and 2 of this decision”;
      • ensure respect for a principle of strict neutrality of negotiations on any other economic relationship that may exist between Google and press publishers and agencies (injunction No. 6); the decision specified in this regard that: “This is to prevent Google from voiding negotiations on related rights by offsetting the remuneration paid to publishers for related rights on other activities. It is also to prevent Google from using its dominant position in the market for general search services to force, during negotiations with press publishers and agencies, the use of some of its services”;
      • send the Autorité regular reports on the modalities of implementation of the decision (Injunction No. 7).
  • The National Institute of Standards and Technology (NIST) found “[t]he most accurate face recognition algorithms have demonstrated the capability to confirm airline passenger identities while making very few errors” and released “Face Recognition Vendor Test (FRVT) Part 7: Identification for Paperless Travel and Immigration (NISTIR 8381), [that] focus on face recognition (FR) algorithms’ performance under a particular set of simulated circumstances: matching images of travelers to previously obtained photos of those travelers stored in a database.” NIST added that “[a]mong the report’s findings are:
    • The seven top-performing algorithms can successfully identify at least 99.5% of passengers the first time around if the database contains one image of a passenger. If the database contains a single image of each individual, the study shows that for as many as 428 of 567 simulated flight boarding processes, with each flight carrying 420 passengers, the most accurate FR algorithm can identify passengers for boarding without any false negatives (meaning the software fails to match two images of the same person). Stated in terms of error rates, this corresponds to at least 99.87% of travelers being able to board successfully after presenting themselves one time to the camera. Six additional algorithms give better than 99.5% accuracy.
    • Performance improves dramatically if the database contains multiple images of a passenger. The database gallery can contain more than one image of a single passenger. When an average of six prior images of a passenger are in the gallery, then all algorithms realize large gains: The most accurate algorithm will check the identities of passengers on 545 of 567 flights without any errors, and at least 18 developers’ algorithms are effective at identifying more than 99.5% of travelers accurately with a single presentation to the camera.
    • Demographic differences in the dataset have little effect. The team explored differences in performance on male versus female subjects and also across national origin, which were the two identifiers the photos included. National origin can, but does not always, reflect racial background. Algorithms performed with high accuracy across all these variations. False negatives, though slightly more common for women, were rare in all cases.
  • Senator Elizabeth Warren (D-MA) wrote Federal Trade Commission (FTC) Chair Lina Khan “calling for a ‘broad’ and ‘meticulous’ review of Amazon’s acquisition of Metro-Goldwyn-Mayer Studios (MGM) consistent with Section 7 of the Clayton Act, legislation that prohibits any acquisition whose effect ‘may be substantially to lessen competition, or to tend to create a monopoly’ in ‘any line of commerce or in any activity affecting commerce.’” Warren asserted:
    • This $8.45 billion deal would ostensibly help Amazon attract consumers to its subscription streaming services. But because this service is tied to a wide range of additional Amazon products and services that affect broad sectors of our economy, this transaction requires meticulous antitrust scrutiny. I support the Federal Trade Commission’s (FTC) review of this deal, which is consistent with your ongoing investigation into Amazon’s anticompetitive business practices.
    • On May 26, 2021, Amazon—which is worth $1.64 trillion—announced its intent to purchase the MGM movie studio for $8.45 billion. MGM holds the rights to around 4,000 films and 17,000 hours of television that would provide content for Amazon’s streaming video service, Amazon Prime Video. The problem is that this streaming service is only available to paid subscribers of Amazon Prime—a bundled service that includes streaming content in addition to exclusive deals and fast delivery on various products sold through Amazon’s online market platform and Whole Foods Market. Amazon’s streaming competitors are already at a disadvantage because of Amazon’s broad range of services that are tied to its streaming service through an annual $119 Prime membership “whose value proposition is to help you buy more products.”
    • As of April 2021, there were nearly 150 million Prime subscribers in the U.S. and 200 million Prime members worldwide, up from around 10 million members in 2012. A decade ago, analysts estimated that Amazon was operating at a loss in part because of Prime, but over the course of the COVID-19 pandemic, the company’s profits increased 220 percent—partially due to the addition of around 50 million Prime subscribers (nearly 30 million in the U.S.) who could easily make purchases on Amazon’s platform. The Prime membership is so sticky that “less than 1% of Prime members are likely to consider other mass-market retail sites,” and reports have estimated that households with a Prime membership spend about $3,000 a year on Amazon—more than double the amount spent by those that do not, which suggests a sizable competitive advantage for the bundled services that has only increased over time.
    • Amazon’s tactic to operate at a financial loss and use low prices to lure in customers and capture the market has worked before, and the FTC must determine whether this vertical acquisition is truly an entertainment strategy or merely another step towards unfettered monopolization. MGM is reportedly valued at $6.5 billion in equity, yet its acquisition by Amazon is valued at $8.45 billion—the second largest acquisition in Amazon’s history. This acquisition presents an important opportunity to ensure that the FTC approaches vertical transactions involving tech platforms with the proper dosage of antitrust scrutiny.
  • Staff at the United States (U.S.) Consumer Product Safety Commission (CPSC) submitted a Congressionally required report on the agency’s work to ensure that consumer products flowing into the United States are adequately inspected. The “Consolidated Appropriations Act, 2021” (P.L. 116-260) directed CPSC to “identify the steps the Commission has taken and plans to take to mitigate [the risks associated with the reduction in Commission port inspection activity], such as recalls, inspections of product inventory, consumer warnings, and other appropriate measures.” Staff detailed the agency’s experience during the pandemic after it stopped sending inspectors to ports to physically examine imports. Staff asserted:
    • Although remote work reduced the number of shipments CPSC staff examined, CPSC staff developed a number of alternative means to protect the public during this period, including continual risk assessment of imported shipments, remote enforcement procedures, internet surveillance, recalls, and outreach to industry and government partners.
    • Furthermore, data from the first 6 months of the pandemic indicate that there was a significant drop in trade (see Section 2 of this report), and a corresponding reduction in the number of products flowing through traditional ports, a likely factor in the reduction of the number of inspections conducted during this period. At the same time, data indicate that there was a significant increase in eCommerce activity involving de minimis shipments arriving at express courier and other similar facilities, where CPSC has never had a presence (although as noted in Section 6, the agency seeks to do so as expeditiously as possible). Thus, potentially violative products that might have entered the country in this manner resulted from a lack of an established CPSC presence at these facilities rather than from the remote status of CPSC personnel who were unavailable at traditional ports.
    • It should also be noted that a similar gap in resources exists at traditional ports. Of the roughly 327 ports nationwide, CPSC maintains a physical presence at 18 of those ports, staffed by 32 fulltime equivalents (FTEs). Thus, although CPSC’s port inspection activity declined during the first 6 months of the pandemic, our overall lack of adequate resources for nationwide port coverage accounts for the small fraction of inspection activities we can undertake, even when fully staffed.
    • In addition to the need to increase staffing in the traditional and eCommerce port environments, CPSC must secure improved information technology (IT) and targeting capabilities to better risk assess shipments and to address the overlap between intellectual property (IP) infringements and safety violations. The funding recently appropriated to CPSC under the American Rescue Plan Act (ARPA) of 2021 has allowed the agency to begin meeting those needs. Specifically, the Commission has allocated ARPA funds to increase the number of traditional ports of entry where CPSC has a physical presence, as well as ports where large volumes of de minimis shipments arrive. It is an important first step toward addressing the risk posed by the influx of consumer products, especially those arriving by eCommerce.
  • In a blog post, Google responded to the most recent antitrust suit filed by state attorneys general over its allegedly anti-competitive app store practices and drew distinctions between its practices and rules and those of Apple. Google asserted:
    • We built Android to create more choices in mobile technology. Today, anyone, including our competitors, can customize and build devices with the Android operating system — for free. 
    • We also built an app store, Google Play, that helps people download apps on their devices. If you don’t find the app you’re looking for in Google Play, you can choose to download the app from a rival app store or directly from a developer’s website. We don’t impose the same restrictions as other mobile operating systems do.
    • So it’s strange that a group of state attorneys general chose to file a lawsuit attacking a system that provides more openness and choice than others. This complaint mimics a similarly meritless lawsuit filed by the large app developer Epic Games, which has benefitted from Android’s openness by distributing its Fortnite app outside of Google Play.
    • Here’s more detail on how this lawsuit gets it wrong:
    • Google Play competes vigorously and fairly
    • The complaint limits its definition of the app marketplace to Android devices only. This completely ignores the competition we face from other platforms such as Apple’s incredibly successful app store, which accounts for the majority of mobile app store revenues according to third-party estimates. We compete for both developers and consumers, and if we’re not providing them with the best experience on Google Play, they have other alternatives to choose from.
    • Android increases competition and choice
    • This complaint alleges that consumers and developers have no option other than to use Google Play. But that’s not correct. Choice has always been a core tenet of Android. Device makers and carriers can preload competing app stores alongside Google Play on their devices. In fact, most Android devices ship with two or more app stores preloaded. And popular Android devices such as the Amazon Fire tablet come preloaded with a competitive app store and no Google Play Store.
    • Consumers can also “sideload” apps, meaning they can download them from a developer’s website directly without going through Google Play at all. People sideload successful apps like Fortnite, as well as entire app stores like the Amazon Appstore, neither of which are distributed through Google Play.
    • Contributing to this openness and choice, we also give developers more ways to interact with their customers compared to other operating systems. For example, Google Play allows developers to communicate with their customers outside the app about subscription offers or a lower-cost offering on a rival app store or the developer’s website.
  • The Federal Communications Commission’s (FCC) Wireline Competition Bureau (WCB) submitted a report to the Commission on the Lifeline marketplace that “provides a summary of the state of the Lifeline marketplace as directed by FCC in the 2016 Lifeline Order.” The WCB explained:
    • This Report informs the Commission about the current state of the Lifeline marketplace, identifies areas for future Commission consideration regarding the continued transition of the Lifeline program from a program that primarily supports Lifeline voice services to one with a greater focus on supporting Lifeline broadband Internet access service, and offers potential considerations relevant to the Lifeline Program’s continued ability to ensure that low-income Americans have access to affordable communications services. In developing the Report, the Bureau relied on information about the Lifeline marketplace from the Lifeline administrator, the Universal Service Administrative Company (USAC), publicly available information about general market trends, and comments submitted by various Lifeline stakeholders.
    • [T]his Report details: the data collection efforts undertaken by the Bureau; the current state of the Lifeline subscriber base; the pace of change in adoption of voice and broadband services; an assessment of the Lifeline minimum service standards; an examination of the phase-down in support for Lifeline voice-only services, including an assessment of the affordability of voice and broadband services; and an initial look at the interconnections between the Lifeline program and the recently launched EBB Program. Throughout this Report, the Bureau identifies issues for Commission consideration regarding these areas of discussion.
    • The Lifeline program remains a key component of the Commission’s efforts to address broadband availability and affordability across the country. Over the past several years, the Commission has taken important steps to transition the Lifeline program to a program that supports access to broadband Internet access services, allowing Lifeline eligible consumers to benefit from these services in a modern world. This Report details the current state of the Lifeline program, how the transition to a more broadband-focused program was executed, the impacts to key stakeholder populations, and the potential intersection between the Lifeline program and the Emergency Broadband Benefit Program. While progress has been made to advance affordability, this Report offers several areas of consideration for the Commission.
  • The Senate Judiciary Committee’s Competition Policy, Antitrust, and Consumer Rights Subcommittee Ranking Member Mike Lee (R-UT) and the full committee Ranking Member Chuck Grassley (R-IA) introduced the “Tougher Enforcement Against Monopolies” (TEAM Act) (S.2039) that would:
    • The TEAM Act, in addition to consolidating our antitrust enforcement agencies into one, streamlined agency, strengthens our ability to prevent and correct antitrust harm in three main ways:
    • The TEAM Act strengthens antitrust laws. It includes a market share-based merger presumption, improves the HSR Act, codifies the consumer welfare standard, and makes it harder for monopolists to justify or excuse anticompetitive conduct.
    • The TEAM Act strengthens antitrust enforcers. In addition to consolidating federal antitrust enforcement at the Department of Justice, the bill also includes a version of the Merger Filing Fee Modernization Act, introduced by Senators Klobuchar and Grassley. And most significantly, the bill roughly doubles the amount of money appropriated to federal antitrust enforcement, ensuring that our antitrust enforcers have all of the resources they need to protect American consumers.
    • The TEAM Act strengthens antitrust remedies. The bill repeals Illinois Brick and Hanover Shoe, to ensure that consumers are able to recover damages from anticompetitive conduct. Even more significantly, the bill allows the Justice Department to recover trebled damages on behalf of consumers, and imposes civil fines for knowingly violating the antitrust laws.
  • Senate Armed Services Committee Ranking Member James Inhofe (R-OK) and Senators Tammy Duckworth (D-IL) and Mike Rounds (R-SD) introduced the “Recognizing and Ensuring Taxpayer Access to Infrastructure Necessary for GPS and Satellite Communications Act” (RETAIN GPS and Satellite Communications Act) (S.2166) and released a section-by-section summary. Inhofe, Duckworth, and Rounds claimed:
    • The April 2020 Ligado Order from the FCC recognized the likelihood of interference to GPS signals and requires Ligado to pay the federal government the costs for repairs. However, 99 percent of the more than 900 million GPS devices found in the United States are used by the private sector, consumers, as well as state and local governments; under the current Order, they—or their consumers—would have to bear the costs.
    • The bipartisan legislation will require Ligado to cover the cost for correcting any interference their operations create for the public or private sector. While the Ligado Order says that they must upgrade or replace government devices that are impacted by the order, it isn’t specific about what those costs are and is silent on the private sector. This bill specifically outlines that all the areas of potential costs that must be borne by Ligado, including but not limited to engineering, construction, site acquisition, research, personnel or contracting staff, labor costs, etc, and specifically notes that these apply to those impacted in the private sector as well.
    • In April 2020, Inhofe and the three other top Members of the Armed Services Committees penned an op-ed, in which they claimed “the [FCC] has used the [COVID-19] crisis, under the cover of darkness, to approve a long-stalled application by Ligado Networks — a proposal that threatens to undermine our GPS capabilities, and with it, our national security.” They claimed:
      • So, we wanted to clarify things: domestic 5G development is critical to our economic competitiveness against China and for our national security. The Pentagon is committed to working with government and industry to share mid-band spectrum where and when it makes sense to ensure rapid roll-out of 5G.
      • The problem here is that Ligado’s planned usage is not in the prime mid-band spectrum being considered for 5G — and it will have a significant risk of interference with GPS reception, according to the National Telecommunications and Information Administration (NTIA). The signals interference Ligado’s plan would create could cost taxpayers and consumers billions of dollars and require the replacement of current GPS equipment just as we are trying to get our economy back on its feet quickly — and the FCC has just allowed this to happen.
  • Representatives Elaine Luria (D-VA) and John Katko (R-NY) introduced the “Ensuring Phone and Internet Access for SNAP Recipients Act of 2021” (H.R.4275) that “would lower the cost of phone and internet access for households that benefit from the Supplemental Nutrition Assistance Program (SNAP).” Luria explained in her press release:
    • SNAP recipients automatically qualify for the Federal Communications Commission’s (FCC) Lifeline Program, which offers discounted phone and internet service. Yet, only 15 percent of eligible Virginian households participated in the Lifeline Program, according to the Universal Service Administrative Company (USAC). Congresswoman Luria’s bill would require the FCC and U.S. Department of Agriculture (USDA) to survey SNAP recipients to learn if they are enrolled in the Lifeline Program. If SNAP recipients are not enrolled, the survey would encourage their participation. This survey would present a five-year projection on enrollment and would show how the FCC can improve its Lifeline Program’s outreach efforts.  
  • The Electronic Privacy Information Center (EPIC) issued a report titled “What the FTC Could Be Doing (But Isn’t) To Protect Privacy: The FTC’s Unused Authorities.” EPIC contended:
    • Defenders of the FTC’s lack of effective privacy enforcement have argued that the agency does not have sufficient regulatory or penalty authorities to address the privacy threats posed by modern internet services. And it is true that there are significant limitations in the patchwork of data protection authorities at the FTC’s disposal. For example, the procedures by which the FTC can define unfair and deceptive practices are unnecessarily onerous, and the Commission is limited in its ability to penalize first-time data protection offenders. For these (and many other) reasons, Congress must move quickly to establish a strong, independent, and adequately funded data protection agency.
    • But the FTC’s failure to rein in the widespread misuse of personal data is not just a function of its limited statutory powers. Too often, the FTC has neglected to use the authority Congress has already given it. The Commission’s repeated failure to take meaningful enforcement action and to block harmful mergers has allowed abusive data practices by Facebook, Google, and other industry giants to flourish. Some statutory authorities, including the FTC’s power to promulgate trade rules, have simply never been used to advance the Commission’s data protection mission.
    • The purpose of this report is to highlight some of the unused and underused authorities in the FTC’s toolkit. Until Congress acts to create a modern data protection agency in the United States, it is critical that the Commission deploy every available tool to safeguard privacy rights and stem the tide of exploitative data practices. This report is meant as a starting point for the FTC to make the most of the data protection authority it already has.
  • Amnesty International’s Security Lab issued the Forensic Methodology Report that “accompanies the release of the Pegasus Project, a collaborative investigation that involves more than 80 journalists from 17 media organizations in 10 countries coordinated by Forbidden Stories” of the NSO Group’s Pegasus spyware. The Security Lab alleged:
    • Amnesty International’s Security Lab has performed in-depth forensic analysis of numerous mobile devices from human rights defenders (HRDs) and journalists around the world. This research has uncovered widespread, persistent and ongoing unlawful surveillance and human rights abuses perpetrated using NSO Group’s Pegasus spyware.
    • As laid out in the UN Guiding Principles on Business and Human Rights, NSO Group should urgently take pro-active steps to ensure that it does not cause or contribute to human rights abuses within its global operations, and to respond to any human rights abuses when they do occur. In order to meet that responsibility, NSO Group must carry out adequate human rights due diligence and take steps to ensure that HRDs and journalists do not continue to become targets of unlawful surveillance.
    • In this Forensic Methodology Report, Amnesty International is sharing its methodology and publishing an open-source mobile forensics tool and detailed technical indicators, in order to assist information security researchers and civil society with detecting and responding to these serious threats.
    • This report documents the forensic traces left on iOS and Android devices following targeting with the Pegasus spyware. This includes forensic records linking recent Pegasus infections back to the 2016 Pegasus payload used to target the HRD Ahmed Mansoor.
    • The Pegasus attacks detailed in this report and accompanying appendices are from 2014 up to as recently as July 2021. These also include so-called “zero-click” attacks which do not require any interaction from the target. Zero-click attacks have been observed since May 2018 and continue until now. Most recently, a successful “zero-click” attack has been observed exploiting multiple zero-days to attack a fully patched iPhone 12 running iOS 14.6 in July 2021.
  • Wyoming enacted a bill, HB0085, establishing “the crime of unlawful dissemination of an intimate image.” The Wyoming legislature provided this summary of the bill:
    • The bill draft creates a crime for the nonconsensual dissemination of an intimate image.
    • The bill provides definitions for relevant terms including: “displaying sexual acts”; “disseminate”; “image”; “intimate image”; “intimate parts”; “sexual acts” and “social media”.
    • The bill criminalizes the acts of a person eighteen (18) years of age or older who:
      • Disseminates an intimate image of another person;
      • Knew or should have known that the depicted person had a reasonable expectation that the image would remain private and did not expressly give consent to the dissemination; and
      • Intended to humiliate, harm, harass, threaten or coerce another, or disseminated the image for sexual gratification or arousal of others.
    • The bill provides that unlawful dissemination of an intimate image is a misdemeanor, punishable by not more than one (1) year imprisonment, a fine of not more than five thousand dollars ($5,000.00) or both.
    • The bill provides that the newly created crime shall not be construed to impose criminal liability on the provider of an interactive computer service, an information service or a telecommunications service for content provided by another person.
  • In Maine, a law was enacted restricting how state agencies may use facial recognition technology (FRT), one of the first state-wide limitations on FRT. LD 1585/HP 1174 stipulates that except for limited circumstances, “a department, public employee or public official may not:
    • (1) Obtain, retain, possess, access, request or use a facial surveillance system or information derived from a search of a facial surveillance system;
    • (2) Enter into an agreement with a 3rd party for the purpose of obtaining, retaining, possessing, accessing or using, by or on behalf of a department, public employee or public official, a facial surveillance system or information derived from a search of a facial surveillance system; or
    • (3) Issue a permit or enter into any other agreement that authorizes a 3rd party to obtain, retain, possess, access or use a facial surveillance system or information derived from a search of a facial surveillance system.”
    • Agencies may use FRT if investigating a serious crime or to identify missing or deceased people.
    • Moreover, FRT cannot establish probable cause “justifying arrest, search or seizure” without other evidence.

Further Reading

  • Here is Forbidden Stories’ website with all the partner publications’ articles on the NSO Group’s Pegasus spyware. Below are the articles in English that have been published thus far.
  • “Private Israeli spyware used to hack cellphones of journalists, activists worldwide.” By Dana Priest, Craig Timberg, and Souad Mekhennet — The Washington Post. Military-grade spyware licensed by an Israeli firm to governments for tracking terrorists and criminals was used in attempted and successful hacks of 37 smartphones belonging to journalists, human rights activists, business executives and two women close to murdered Saudi journalist Jamal Khashoggi, according to an investigation by The Washington Post and 16 media partners. The phones appeared on a list of more than 50,000 numbers that are concentrated in countries known to engage in surveillance of their citizens and also known to have been clients of the Israeli firm, NSO Group, a worldwide leader in the growing and largely unregulated private spyware industry, the investigation found.
  • “Jamal Khashoggi’s wife targeted with spyware before his death” By Dana Priest, Souad Mekhennet, and Arthur Bouvart — The Washington Post. NSO Group’s Pegasus spyware was used to secretly target the smartphones of the two women closest to murdered Saudi columnist Jamal Khashoggi, according to digital forensic analysis. The Android phone of his wife, Hanan Elatr, was targeted by a Pegasus user six months before his killing, but the analysis could not determine whether the hack was successful. The iPhone of his fiancee, Hatice Cengiz, was penetrated by spyware days after the murder, the forensics showed.
  • “Despite the hype, iPhone security no match for NSO spyware” By Craig Timberg, Reed Albergotti, and Elodie Guéguen — The Washington Post. The text delivered last month to the iPhone 11 of Claude Mangin, the French wife of a political activist jailed in Morocco, made no sound. It produced no image. It offered no warning of any kind as an iMessage from somebody she didn’t know delivered malware directly onto her phone — and past Apple’s security systems. Once inside, the spyware, produced by Israel’s NSO Group and licensed to one of its government clients, went to work, according to a forensic examination of her device by Amnesty International’s Security Lab. It found that between October and June, her phone was hacked multiple times with Pegasus, NSO’s signature surveillance tool, during a time when she was in France.
  • “‘Somebody has to do the dirty work’: NSO founders defend the spyware they built” By Elizabeth Dwoskin and Shira Rubin — The Washington Post. It was a proposition that would change everything. Two 20-something Israeli entrepreneurs who had been running a small customer service start-up for mobile phones were at a client meeting in Europe in 2009 when they received a visit from law enforcement officials. The entrepreneurs’ first instinct was fear. Maybe they had done something wrong that they weren’t aware of, Shalev Hulio and Omri Lavie recalled in interviews this week with The Washington Post.
  • “Key question for Americans overseas: Can their phones be hacked?” By Craig Timberg, John Hudson, and Kristof Clerix — The Washington Post. Israeli spyware company NSO Group has said repeatedly that its surveillance tools do not work against smartphones based in the United States, but Americans traveling overseas and using foreign cellphones may not enjoy that protection. A list of more than 50,000 phone numbers that included some for documented surveillance targets also included the overseas phone numbers for about a dozen Americans, including journalists, aid workers, diplomats and others, according to an investigation by The Washington Post and 16 other news organizations.
  • “NSO Group vows to investigate potential spyware abuse following Pegasus Project investigation” By Drew Harwell and Craig Timberg — The Washington Post. The head of the Israeli surveillance giant NSO Group pledged Sunday to investigate potential cases of human rights abuses following a sweeping report by The Washington Post and other media organizations that uncovered how NSO’s government clients had deployed its spyware tool Pegasus against activists, journalists and private citizens around the world. The company has raced to address growing outrage from human rights activists, technology executives, political dissidents and the general public over the widespread hacking and surveillance revealed in the Pegasus Project, an investigation by The Post and 16 international media partners. By Monday, government and political opposition leaders from the European Union and France, India, Hungary and other countries had expressed fury and demanded answers as to whether the surveillance system had been abused.
  • “Revealed: leak uncovers global abuse of cyber-surveillance weapon” By Stephanie Kirchgaessner, Paul Lewis, David Pegg, Sam Cutler, Nina Lakhani and Michael Safi — The Guardian. Human rights activists, journalists and lawyers across the world have been targeted by authoritarian governments using hacking software sold by the Israeli surveillance company NSO Group, according to an investigation into a massive data leak. The investigation by the Guardian and 16 other media organisations suggests widespread and continuing abuse of NSO’s hacking spyware, Pegasus, which the company insists is only intended for use against criminals and terrorists.
  • “French minister’s phone shows traces linked to NSO spyware” By Angelique Chrisafis and Stephanie Kirchgaessner — The Guardian. The mobile phone of a serving French minister showed digital traces of activity associated with NSO Group’s spyware, according to forensic analysis undertaken by the Pegasus project investigation. François de Rugy, who was environment minister at the time of the activity, said he was “astonished” by the disclosure, which raises fresh questions over the use of spyware by customers of NSO, an Israeli surveillance company. His details appeared on a leaked database, which also included mobile numbers for the French president, Emmanuel Macron, and the majority of his 20-strong cabinet, along with the then prime minister Édouard Philippe.
  • “Macron orders multiple inquiries into leaked Pegasus project data” By Angelique Chrisafis — The Guardian. The French president, Emmanuel Macron, has ordered multiple investigations to be carried out after his phone number, as well as those of his former prime minister and the majority of his 20-strong cabinet, appeared in the leaked database at the heart of the Pegasus project. The French prime minister, Jean Castex, said on Wednesday the Elysée had “ordered a series of investigations”, after vowing to “shed all light on the revelations”. But Castex said it was too early to comment or announce any new security measures or other action without knowing “exactly what happened”. He said: “We are going to look at this very closely, given the potential seriousness.”
  • “UAE linked to listing of hundreds of UK phones in Pegasus project leak” By Dan Sabbagh, David Pegg, Paul Lewis and Stephanie Kirchgaessner — The Guardian. A member of the House of Lords is among more than 400 people whose UK mobile phone numbers appear in a leaked list of numbers identified by NSO Group’s client governments between 2017 and 2019, the Guardian can reveal. The principal government responsible for selecting the UK numbers appears to be the United Arab Emirates, according to analysis of the data. The UAE is one of 40 countries that had access to the NSO spyware that is able to hack into and secretly take control of a mobile phone. Dubai, the emirate city ruled by Sheikh Mohammed bin Rashid al-Maktoum, is also believed to have been an NSO client.
  • “Dubai suspected after Princess Haya listed in leaked Pegasus project data” By David Pegg and Paul Lewis — The Guardian. As her plane touched down in April 2019, Princess Haya bint al-Hussein, who was accompanied by her two children, might have hoped she was beyond the reach of her ex-husband, the emir of Dubai, Sheikh Mohammed bin Rashid al-Maktoum. Similarly, when he commenced custody proceedings in the high court of justice the following month, she might have imagined that the dispute would be settled in a courtroom, purely on the basis of its legal merits. She did not know, however, it was likely mobile phone numbers belonging to her, her closest aides, advisers and friends, were being entered into a computer system operated by agents of the emirate of Dubai, one of the clients of spyware manufacturer NSO Group.
  • “Data leak raises new questions over capture of Princess Latifa” By Dan Sabbagh — The Guardian. For a few days Princess Latifa had dared to think she could relax. An extraordinary plan to escape from a father she said had once ordered her “constant torture” was looking as if it might work, as she sat on a 30-metre yacht on the Indian Ocean, her home city of Dubai further and further away. Yet the daughter of Sheikh Mohammed bin Rashid al-Maktoum, the ruler of the glittering Emirati city, still wanted to connect with home, to tell family and friends something of her new-found freedom, sending emails, WhatsApp messages and posting on Instagram from what she thought were two secure, brand new “burner” pay-as-you-go mobile phones.
  • “Ban Amnesty over Pegasus leaks role, Indian politician urges” By Hannah Ellis-Petersen — The Guardian. The chief minister of the Indian state of Assam has called for Amnesty International to be banned in the country and accused it of a conspiracy to “defame” the prime minister, Narendra Modi, over its role in the explosive Pegasus leaks, which have put heavy pressure on Modi’s government. Himanta Biswa Sarma, the chief minister of the state of Assam and a member of Modi’s Bharatiya Janata party (BJP), claimed that Amnesty’s role in the investigation into numbers of citizens and political leaders in countries across the world, including India, appearing on a leaked data list was part of a “long history of hatching conspiracies against India’s democratic fabric and its leadership”. He alleged that Amnesty International worked “to encourage leftwing terrorism in India and defame India and PM Modi” as well as “create dissatisfaction among the sections of Indian society”.
  • “Modi accused of treason by opposition over India spyware disclosures” By Hannah Ellis-Petersen and Michael Safi — The Guardian. Narendra Modi’s government has been accused of treason and “unforgivable sacrilege” by the political opposition in India following a series of reports by the Pegasus project revealing several journalists, activists and an opposition election strategist had their phone numbers included in a data leak of more than 50,000 numbers that, since 2016, are believed to have been selected as those of persons of interests by government clients of NSO Group. The stories, published in the Guardian and in partner media outlets around the world on Sunday and Monday, revealed details of hundreds of verified Indian phone numbers that appear in leaked records of numbers. They include two phone numbers belonging to India’s most prominent political opposition figure, Rahul Gandhi, who led the Congress party to defeat in the 2019 elections. The leaked records show his number was selected as a possible target the year before and in the months after the vote.
  • “Israel ‘creating task force’ to manage response to Pegasus project” By Bethan McKernan and Paul Lewis — The Guardian. Israel’s government is reportedly setting up a task force to manage the fallout from Pegasus project revelations about the use of spying tools sold to authoritarian governments by the Israeli surveillance firm NSO Group. A team including representatives from the defence ministry, ministry of justice, foreign ministry, military intelligence and the Mossad, the national intelligence agency, is poised to conduct an investigation into whether “policy changes” are needed regarding sensitive cyber exports, several Israeli media outlets reported on Tuesday night, quoting unnamed officials. The reports come as diplomatic pressure mounts on Israel over concerns the government has enabled abuses by repressive states around the world by granting NSO export licences for the spyware.
  • “Telegram founder listed in leaked Pegasus project data” By Shaun Walker — The Guardian. Amid the varied cast of people whose numbers appear on a list of individuals selected by NSO Group’s client governments, one name stands out as particularly ironic. Pavel Durov, the enigmatic Russian-born tech billionaire who has built his reputation on creating an unhackable messaging app, finds his own number on the list. Durov, 36, is the founder of Telegram, which claims to have more than half a billion users. Telegram offers end-to-end encrypted messaging and users can also set up “channels” to disseminate information quickly to followers. It has found popularity among those keen to evade the snooping eyes of governments, whether they be criminals, terrorists or protesters battling authoritarian regimes. In recent years, Durov has publicly rubbished the security standards of competitors, particularly WhatsApp, which he has claimed is “dangerous” to use. By contrast, he has positioned Telegram as a plucky upstart determined to safeguard the privacy of its users at all costs.
  • “FT editor among 180 journalists identified by clients of spyware firm” By David Pegg and Paul Lewis, Michael Safi, and Nina Lakhani — The Guardian. The editor of the Financial Times is one of more than 180 editors, investigative reporters and other journalists around the world who were selected as possible candidates for surveillance by government clients of the surveillance firm NSO Group, the Guardian can reveal. Roula Khalaf, who became the first female editor in the newspaper’s history last year, was selected as a potential target throughout 2018.
  • “Dalai Lama’s inner circle listed in Pegasus project data” By Michael Safi — The Guardian. China’s nearest observation posts are hundreds of miles from Dharamsala, the city in the foothills of the Indian Himalayas that hosts Tibet’s government-in-exile and its highest spiritual leader, the Dalai Lama. Still, Tibetans there have often felt closely watched. Suspected Chinese spies have regularly been detected in the hill station. A decade ago, a digital security specialist watched in disbelief as sensitive files on Tibetan government computers were extracted on the screen before his eyes – activity that led to the unearthing of a massive cyber-espionage network, known as GhostNet, which was largely traced to Chinese servers. Surveillance technology has evolved, and leaked data points to another possible interest in Tibetan communications – this time from a less obvious source.

Coming Events

  • 27 July
  • 28 July
    • The House Armed Services Committee’s Cyber, Innovative Technologies, and Information Systems Subcommittee will mark up its portion of the committee’s FY 2022 National Defense Authorization Act (H.R.4395).
  • 5 August
    • The Federal Communications Commission (FCC) will hold its monthly open meeting with this tentative agenda:
      • Establishing Two New Innovation Zones. The Commission will consider a Public Notice that would create two new Innovation Zones for Program Experimental Licenses and the expansion of an existing Innovation Zone. (ET Docket No. 19-257)
      • Numbering Policies for Modern Communications. The Commission will consider a Further Notice of Proposed Rulemaking to update the Commission’s rules regarding direct access to numbers by interconnected Voice over Internet Protocol providers to safeguard the nation’s finite numbering resources, curb illegal robocalls, protect national security, and further promote public safety. (WC Docket Nos. 13-97, 07-243, 20-67; IB Docket No. 16-155)
      • Appeals of the STIR/SHAKEN Governance Authority Token Revocation Decisions. The Commission will consider a Report and Order that would establish a process for the Commission to review decisions of the private STIR/SHAKEN Governance Authority that would have the effect of placing voice service providers out of compliance with the Commission’s STIR/SHAKEN implementation rules. (WC Docket Nos. 17-97, 21-291)
      • Modernizing Telecommunications Relay Service (TRS) Compensation. The Commission will consider a Notice of Proposed Rulemaking on TRS Fund compensation methodology for IP Relay service. (CG Docket No. 03-123; RM-11820)
      • Updating Outmoded Political Programming and Record-Keeping Rules. The Commission will consider a Notice of Proposed Rulemaking to update outmoded political programming rules. (MB Docket No. 21-293)
      • Review of the Commission’s Part 95 Personal Radio Services Rules. The Commission will consider a Memorandum Opinion and Order on Reconsideration that would grant three petitions for reconsideration of the Commission’s May 2017 Part 95 Personal Radio Services Rules Report and Order. (WT Docket No. 10-119)
  • 1 September
    • The House Armed Services Committee will mark up the FY 2022 National Defense Authorization Act (H.R.4395).

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

