Other Developments, Further Reading, and Coming Events (16 August 2021)

Subscribe to my newsletter, The Wavelength, if you want the content on my blog delivered to your inbox four times a week before it’s posted here.

Other Developments

  • The European Commission (EC) opened “an in-depth investigation to assess the proposed acquisition of Kustomer by Facebook under the EU Merger Regulation” according to their press release. The EC continued:
    • The Commission is concerned that the proposed transaction would reduce competition in the market for the supply of Customer Relationship Management (CRM) software.
    • The Commission is also concerned that the proposed transaction would further strengthen Facebook’s market position in the online display advertising market by increasing the already significant amount of data available to Facebook for personalisation of the ads it displays.
    • Following its preliminary investigation, the Commission has concerns about the impact of the transaction:
    • a) On a broader market for the supply of CRM software and a narrower market for the supply of customer service and support CRM software.
    • In particular, the Commission is concerned that, as a result of its combination with Kustomer, Facebook may foreclose access to its business-to-consumer (“B2C”) over-the-top (“OTT”) messaging channels, namely WhatsApp, Messenger or Instagram. These channels account for a large portion of the B2C OTT messaging market, which is an important input for the supply of CRM software services. The preliminary investigation suggests that Facebook may have the ability, as well as a potential economic incentive, to engage in foreclosure strategies vis-à-vis Kustomer’s rivals, such as preventing these companies from using Facebook’s messaging channels or degrading access to these channels. Such foreclosure strategies could reduce competition in the market for the supply of CRM software and the market for the supply of customer service and support CRM software, leading to higher prices, lower quality and less innovation for business customers, which may in turn be passed on to consumers.
    • b) On the markets for the supply of online display advertising services, or segments thereof, where the Commission, at this stage of the investigation, considers that Facebook may hold a dominant market position in several Member States.
    • By acquiring Kustomer, Facebook could more easily obtain data from businesses making use of Kustomer’s CRM software, including (i) “customer transaction data” which includes customer data such as on gender, order and purchase history, and (ii) “other event data”, such as customer’s website views, adds to wishlist and store visits. The data that businesses store in Kustomer’s CRM software and which they may share with Facebook appears to provide an important advantage in the online display advertising market. By increasing the data advantage of Facebook in its ability to better personalise and target the ads it provides, it would be more difficult for rivals to match Facebook’s online advertising services. Thus, the transaction would raise barriers to entry and expansion for Facebook’s competitors for these services, to the ultimate detriment of advertisers and publishers that would face higher prices and have less choice. The Commission will now carry out an in-depth investigation into the effects of the transaction to determine whether its initial competition concerns are confirmed.
    • The Commission closely cooperated with competition authorities around the world during the initial investigation, and will continue such cooperation during the in-depth investigation. The Commission is also in close contact with the competition authorities of the Member States.
    • The proposed transaction was notified to the Commission on 25 June 2021. The Commission now has 90 working days, until 8 December* 2021, to take a decision. The opening of an in-depth inquiry does not prejudge the final result of the investigation.
  • The House Oversight and Reform Committee issued the 12th Federal Information Technology Acquisition Reform Act (FITARA) (P.L. 113-291) scorecard that grades each federal agency on how well it is meeting the FITARA metrics. The Government Operations Subcommittee held a hearing and “heard testimony from Clare Martorana, Federal Chief Information Officer at the Office of Management and Budget, Keith A. Bluestein, Chief Information Officer at the Small Business Administration, Sean Brune, Chief Information Officer at the Social Security Administration, and Carol C. Harris, Director of Information Technology and Cybersecurity at the Government Accountability Office.” In a memorandum, the Government Operations Subcommittee staff explained:
    • The FITARA Scorecard is a tool for Congress, CIOs, agency heads, and outside stakeholders to understand how federal agencies across the enterprise of government are performing in various IT-related categories. The Scorecard can be viewed as a way for Congress to hold federal agencies accountable for implementing basic and fundamental IT practices that improve the operation of the federal government.
    • Government Accountability Office (GAO) Information Technology and Cybersecurity Director Carol Harris stated:
      • In our March 2021 high-risk update, we emphasized that federal
        agencies’ ability to respond to cyber threats or attacks are limited without urgent actions to address four major cybersecurity challenges. These actions include (1) developing and executing a more comprehensive federal strategy for national cybersecurity and global cyberspace, (2) mitigate global supply chain risks, and (3) addressing weaknesses in information security programs. Overall, since 2010 we have made about 3,700 recommendations related to our high-risk area focused on enhancing our nation’s cybersecurity efforts.
      • For more than a decade, we have been reporting on the importance of a comprehensive strategy and clearly defined leadership to address national cybersecurity issues. For example, in July 2010 we reported that the government faced a number of challenges that impeded its ability to formulate and implement a coherent approach to addressing the global aspects of cybersecurity
      • In December 2020, we reported on 23 civilian agencies’15 implementation of foundational practices for managing information and communication technology (ICT) supply chain risks. In that report, we identified the seven practices from the National Institute of Standards and Technology’s guidance that are foundational for an organization-wide approach to ICT supply chain risk management. These practices include, among other things, establishing executive oversight of ICT activities, developing an agency-wide ICT strategy, and ensuring suppliers are adequately addressing risks associated with ICT products and services.
      • We have also reported that agencies need to address information security program weaknesses by, for example, fully establishing risk management programs. Specifically, in July 2019, we reported on key practices for establishing an agency-wide cybersecurity risk management program that include designating a cybersecurity risk executive, developing a risk management strategy and policies to facilitate risk-based decisions, assessing cyber risks to the agency, and establishing coordination with the agency’s enterprise risk management program.
      • In our March 2021 high-risk update, we stressed the importance of the
        Office of Management and Budget (OMB) and other federal agencies fully implementing critical actions we recommended to better manage tens of billions of dollars in IT investments. We also emphasized that sustained leadership, among other things, can improve IT management.
  • The Department of Defense’s National Security Agency (NSA) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Technical Report, “Kubernetes Hardening Guidance” that “details threats to Kubernetes environments and provides configuration guidance to minimize risk” per their joint statement. The NSA and CISA stated:
    • Kubernetes is an open source system that automates the deployment, scaling, and management of applications run in containers. Kubernetes clusters are often hosted in a cloud environment, and provide increased flexibility from traditional software platforms.
    • Kubernetes is commonly targeted for three reasons: data theft, computational power theft, or denial of service. Data theft is traditionally the primary motivation; however, cyber actors may attempt to use Kubernetes to harness a network’s underlying infrastructure for computational power for purposes such as cryptocurrency mining.
    • The report details recommendations to harden Kubernetes systems. Primary actions include the scanning of containers and Pods for vulnerabilities or misconfigurations, running containers and Pods with the least privileges possible, and using network separation, firewalls, strong authentication, and log auditing.
    • To ensure the security of applications, system administrators should follow the guidance in the Cybersecurity Technical Report and keep up to date with patches, updates, and upgrades to minimize risk. NSA and CISA also recommend periodic reviews of Kubernetes settings and vulnerability scans to ensure appropriate risks are accounted for and security patches are applied.
  • The National Security Agency’s (NSA) Office of the Inspector General (OIG) announced that “it is conducting a  review  related  to  recent  allegations  that  the  NSA  improperly  targeted  the  communications  of  a member  of  the  U.S.  news  media.” The OIG made this announcement because Fox News’ Tucker Carlson claimed on air that the NSA “has been monitoring our electronic communications and is planning to leak them in an effort to take this show off the air.” Carlson further asserted:
    • The NSA. captured that information without our knowledge and did it for political reasons, The Biden administration is spying on us. We have confirmed that.
  • Germany’s competition regulator, the Bundeskartellamt, “presented the results of its sector inquiry into mobile apps to examine consumer rights.” The agency explained:
    • The Bundeskartellamt thoroughly analysed and evaluated the following problem areas for mobile end devices run on the Android or iOS operating system:
      • Lack of information about data being accessed when using apps: In the case of a large number of apps, users are not adequately informed of the extent to which third companies such as Facebook or Google obtain personal data and specifically what data are obtained from the use of apps. Neither the app descriptions in the app stores nor the privacy policies of the app publishers provide sufficient information on this aspect. Preferably, users should be able to search more selectively for consumer-friendly apps (e.g. without trackers or advertisements) via an improved app store search function.
      • Lack of transparency about contractual partners: Consumers are not adequately informed about who they actually conclude a contract with when downloading an app. There is no clear guidance on whether the respective app store operator or app publisher is to be contacted for warranty claims. To some extent conditions of use, online help pages and presentations in app stores contradict one another in this respect.
      • Lack of possibilities to control data processing: Consumers’ wishes for more control over the processing of their personal data are only rudimentarily addressed in iOS and Android operating system settings. In spite of some innovations in the area of data protection, there is still much room for improvement. Clear and comprehensive information must go hand in hand with simple setting options. This way consumers should be able to effectively deny access to their data via apps and delete all non-system relevant apps.
  • The Australian Competition and Consumer Commission (ACCC) revealed that it “instituted separate proceedings in the Federal Court against each of Telstra Corporation Ltd (Telstra), Optus Internet Pty Limited (Optus), and TPG Internet Pty Ltd (TPG) for making alleged false or misleading representations in their promotions of some 50Mbps and 100Mbps NBN plans, in breach of the Australian Consumer Law.” The ACCC published its concise statements against Telstra, Optus, and TPG. The ACCC explained:
    • The ACCC alleges that the companies made representations to some consumers on Fibre to the Node (FTTN) connections that they would test the maximum speed of their connections, notify the impacted consumer of their maximum speed if their line was underperforming, and offer them remedies if the maximum speed was below their plan’s stated speed, but failed to do so for many customers.
    • It is also alleged Telstra, Optus and TPG wrongly accepted payments from certain customers for NBN plans when they were not provided with the promised speeds.
  • Facebook stated it was shutting down a New York University researchers Laura Edelson and Damon McCoy who run “Cybersecurity for Democracy, a research-based, nonpartisan, and independent effort to expose online threats to our social fabric and to recommend how to counter them” according to their statement.
    • Facebook contended:
      • For months, we’ve attempted to work with New York University to provide three of their researchers the precise access they’ve asked for in a privacy protected way. Today, we disabled the accounts, apps, Pages and platform access associated with NYU’s Ad Observatory Project and its operators after our repeated attempts to bring their research into compliance with our Terms. NYU’s Ad Observatory project studied political ads using unauthorized means to access and collect data from Facebook, in violation of our Terms of Service. We took these actions to stop unauthorized scraping and protect people’s privacy in line with our privacy program under the FTC Order. 
    • Edelson, McCoy, and Columbia University’s Knight First Amendment Center countered:
      • After months of negotiations, late yesterday evening, Facebook abruptly shut down the accounts of New York University researchers Laura Edelson and Damon McCoy, blocking their research into political ads and the spread of misinformation on the platform. Two weeks before the 2020 presidential election, Facebook sent Edelson and McCoy a cease-and-desist letter, demanding that they discontinue use of the research tool they developed, called Ad Observer, and that they take down the results of their prior research. Facebook threatened to shut down their public interest research–a move that prompted public outcry in support of the project by researchers, journalism organizations, and civil society groups. The Knight First Amendment Institute at Columbia University and First Amendment specialists at Ballard Spahr are representing Edelson and McCoy in their personal capacities in this matter. 
  • The Federal Trade Commission’s (FTC) Acting Director of the Bureau of Consumer Protection Samuel Levine wrote Facebook CEO Mark Zuckerberg after the company shut down New York University researchers who collected data on ads on the platform, in part, because the company claimed it violated the 2020 consent decree. Levine argued:
    • I write concerning Facebook’s recent insinuation that its actions against an academic research project conducted by NYU’s Ad Observatory were required by the company’s consent decree with the Federal Trade Commission. As the company has since acknowledged, this is inaccurate. The FTC is committed to protecting the privacy of people, and efforts to shield targeted advertising practices from scrutiny run counter to that mission.
    • While I appreciate that Facebook has now corrected the record, I am disappointed by how your company has conducted itself in this matter. Only last week, Facebook’s General Counsel, Jennifer Newstead, committed the company to “timely, transparent communication to BCP staff about significant developments.” Yet the FTC received no notice that Facebook would be publicly invoking our consent decree to justify terminating academic research earlier this week.
    • Had you honored your commitment to contact us in advance, we would have pointed out that the consent decree does not bar Facebook from creating exceptions for good-faith research in the public interest. Indeed, the FTC supports efforts to shed light on opaque business practices, especially around surveillance-based advertising. While it is not our role to resolve individual disputes between Facebook and third parties, we hope that the company is not invoking privacy – much less the FTC consent order – as a pretext to advance other aims.
  • The Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) announced “a series of publications, animated videos, webinars, as well as a brand-new “Children Privacy” thematic website to provide a one-stop online resource centre for teachers, parents and children” per its press statement. The Privacy Commissioner for Personal Data, Hong Kong, Ada Chung Lai-ling, said:
    • Everyone’s privacy should be protected and respected regardless of age. Children generally are less vigilant of protecting their personal data privacy and the potential privacy risks relating to online activities. We strive to step up the PCPD’s education and publicity efforts in this regard, so that children can learn to protect their personal data privacy, while teachers and parents can also make the best use of the educational resources provided by the PCPD to assist children in safeguarding their personal data privacy.
  • The National Institute of Standards and Technology (NIST) is proposing to withdraw three guidance documents. The agency explained:
    • In May 2021, NIST initiated a review of several publications, including the following NIST Special Publications (SP):
      • SP 800 15, MISPC Minimum Interoperability Specification for PKI Components, Version 1,
      • SP 800-25, Federal Agency Use of Public Key Technology for Digital Signatures and Authentication, and
      • SP 800-32, Introduction to Public Key Technology and the Federal PKI Infrastructure.
    • NIST proposes to withdraw all three publications. Public comments on this proposal may be submitted to cryptopubreviewboard@nist.gov by September 3, 2021.
    • Rationale for Proposed Decision
      • SP 800-15, Minimum Interoperability Specification for PKI Components (MISPC), Version 1, was published in January 1998 and was developed in cooperation with industry through a Cooperative Research and Development Agreement (CRADA). The document specifies information about the contents of certificates and CRLs and also specifies protocols for transactions between Public-Key Infrastructure (PKI) components. All of the information provided is now out-of-date.
      • SP 800-25, Federal Agency Use of Public Key Technology for Digital Signatures and Authentication, published in October 2000, was written at a time when the adoption of public-key technology within agencies was far more limited than it is today. The document was written before the issuance of Homeland Security Presidential Directive 12 (HSPD-12), which led to the development of the PIV Card, and before OMB issued directives for agencies to buy PKI services rather than operating their own certification authorities. The document is similarly now out-of-date.
      • SP 800-32, Introduction to Public Key Technology and the Federal PKI Infrastructure, published in February 2001, has some overlap with SP 800-25. As with SP 800-25, the information in SP 800-32 is out-of-date. The Federal PKI has changed substantially over the past 20 years, and as previously mentioned, this document predates the issuance of HSPD-12 and OMB directives for agencies to outsource PKI services. The document is similarly now out-of-date.
  • The United Kingdom’s (UK) Department for Digital, Culture, Media & Sport (DCMS) published an updated version of digital identity trust framework. Minister for Digital Infrastructure Matt Warman explained in the ministerial foreword:
    • This early prototype of the rules and standards for digital identity and attribute solutions was knowingly published unfinished to give interested parties the earliest opportunity to input, comment and shape its development. Thanks to that feedback, today I am pleased to publish this update, as well as announce the opening of expressions of interest for organisations to take part in the first live tests of the trust framework.
    • I was gladdened by the response from industry to both our approach and the first draft of the trust framework itself. Businesses are welcoming the direction of travel and investing time and expertise in helping us to get this right. It is clear that digital identity is being pushed up the agenda across a variety of sectors and services, and I will continue to ensure the government shows clear leadership in this space. The pace of progress means that the framework was recently complemented by our consultation on the legislation and governance needed to underpin the rules of the road. The consultation is open for responses until 13 September.
    • We have also taken on board the feedback from the online survey that accompanied the publication of the alpha version. This has been bolstered by extensive engagement sessions across the public and private sectors, civil society, and other experts. The result of this is the updated version today, which is expanded to detail the approach to certification; clarifies our intention for roles and relationships; and is better adapted to the needs of different services and use cases.
    • Also of note were the responses received from members of the public, which included concerns and misconceptions about the government’s intentions for the framework. Their voices have been heard and we recognise their concerns must be addressed. In order to do so, we must go further in our communications to explain how our work differs from the centralised databases and identity cards of other nations; why a rules based approach will improve security rather than increase risks; and how the framework seeks to ensure transparency and control for people over how their data is used. Testing real world services will also demonstrate how abstract rules become a reality and help us ensure our principles are protected under the framework.
    • This updated trust framework enables us to move forward with these testing plans. The next stage of alpha testing will look to the finer details of the content and processes around joining. This will involve working with eventual users of the trust framework to undergo a preliminary assessment against it, with opportunities for a range of organisations to participate and help shape the beta publication. Please see the alpha testing page for more information and submit the expression of interest form by Sunday 5 September if you want to be involved.
  • Facebook released its first quarterly update on the Facebook Oversight Board. In its press release, the company stated:
    • Facebook teams with expertise on our content policies, our enforcement processes, and cultural context from regions around the world review the candidate cases and provide feedback on their significance and difficulty. We refer the most significant and difficult content decisions to the board, and the board has sole discretion to accept or decline those cases. As with appeals, the board’s decisions are binding. From November 2020 through March 31, 2021, we referred 26 content decisions to the board, and the board selected three: a case about supposed COVID-19 cures; a case about a veiled threat based on religious beliefs; and a case about the decision to indefinitely suspend former US President Donald Trump’s account.
    • In the first quarter of 2021, the board issued 18 recommendations in six cases. We are implementing fully or in part 14 recommendations, still assessing the feasibility of implementing three, and taking no action on one. The size and scope of the board’s recommendations go beyond the policy guidance that we first anticipated when we set up the board, and several require multi-month or multi-year investments. The board’s recommendations touch on how we enforce our policies, how we inform users of actions we’ve taken and what they can do about it, and additional transparency reporting. We welcome these recommendations — the changes they have sparked make Facebook more transparent with users and the public, more consistent with our policy applications, and more proportional in our enforcement.

Further Reading

  • “‘UK should be concerned at Chinese gene data harvesting, lawmaker says” By Alistair Smout — Reuters. Britain should be concerned about the harvesting of genetic data from millions of women by a Chinese company through prenatal tests, a senior British lawmaker told Reuters. A Reuters review of scientific papers and company statements found that BGI Group developed the tests in collaboration with the Chinese military and is using them to collect genetic data around the world for research on the traits of populations.
  • Amazon to pay shoppers hurt by others’ products, does not admit liability” — Reuters. Amazon.com Inc on Tuesday said it would pay customers who suffer injuries or property damage from defective goods others sell on its U.S. platform, in a new policy that could reduce litigation. For years, consumers have sued the world’s largest online retailer, arguing it is liable when a merchant sells bad products on Amazon.com. A woman in Pennsylvania, for instance, in 2016 sought to blame Amazon for a merchant’s retractable dog leash that blinded her eye when it snapped.
  • Ministers to update NHS Covid app to ‘reduce disruption’” By Jessica Elgot — The Guardian. Ministers are to radically alter the NHS Covid-19 app in order to reduce the number of people instructed to isolate after they have been in contact with someone who tests positive, in the latest move to combat the numbers of people in quarantine. From Monday, the app will instruct contacts to isolate only if they have been close to someone in the two days leading up to a positive test, rather than the current five-day threshold.
  • The TikTok spiral” By Avani Dias, Jeanavive McGregor, and Lauren Day, triple j Hack and Four Corners — ABC News. Lauren Hemmings’s TikTok feed started like anyone else’s. Short videos of families dancing, a comedy skit about the pandemic, baking cakes. Like almost a billion people around the world, she downloaded the app for entertainment. “It was more of an innocent hope of just getting a good laugh really,” the 19-year-old says. As she scrolled through video after video, Lauren’s feed became darker. The app would change the direction of her life and warp her perceptions of the world and herself.
  • TikTok: Data mining, discrimination and dangerous content on the world’s most popular app” — ABC Four Corners. TikTok: Data mining, discrimination and dangerous content on the world’s most popular app. “TikTok has penetrated the cultural and social spheres in Australia, and you get a sense that TikTok is part of the zeitgeist.” Digital media researcher. TikTok is the phenomenally successful social media platform that has taken the world by storm. More than a billion users scroll through its endless feeds and it has turned everyday Australians into international stars. “I think every young kid’s dream is to be successful online.” TikTok content creator. Famous for viral dance moves and comedy skits, the app has morphed into a platform that users anchor their lives around.
  • Police Are Telling ShotSpotter to Alter Evidence From Gunshot-Detecting AI” By Todd Feathers — Vice. On May 31 last year, 25-year-old Safarain Herring was shot in the head and dropped off at St. Bernard Hospital in Chicago by a man named Michael Williams. He died two days later. Chicago police eventually arrested the 64-year-old Williams and charged him with murder (Williams maintains that Herring was hit in a drive-by shooting). A key piece of evidence in the case is video surveillance footage showing Williams’ car stopped on the 6300 block of South Stony Island Avenue at 11:46 p.m.—the time and location where police say they know Herring was shot.
  • Facebook and tech giants to target attacker manifestos, far-right militias in database” By Elizabeth Culliford — Reuters. A counterterrorism organization formed by some of the biggest U.S. tech companies including Facebook and Microsoft is significantly expanding the types of extremist content shared between firms in a key database, aiming to crack down on material from white supremacists and far-right militias, the group told Reuters.
  • The Metaverse Has Always Been a Dystopian Idea” By Brian Merchant — Vice. A big shift is apparently underway in Silicon Valley. The company that operates the world’s largest and most profitable social media network will not, according to its CEO, be a social media company much longer. In an announcement that inspired a fervid wave of speculation, analysis, and mockery, Mark Zuckerberg proclaimed that Facebook is going to become a “metaverse company” instead.
  • Sky News Australia banned from YouTube for seven days over Covid misinformation” By Amanda Meade — The Guardian. Sky News Australia has been banned from uploading content to YouTube for seven days after violating its medical misinformation policies by posting numerous videos which denied the existence of Covid-19 or encouraged people to use hydroxychloroquine or ivermectin. The ban was imposed by the digital giant on Thursday afternoon, the day after the Daily Telegraph ended Alan Jones’s regular column amid controversy about his Covid-19 commentary which included calling the New South Wales chief health officer Kerry Chant a village idiot on his Sky News program.
  • The Spyware Threat to Journalists” By Steve Coll — The New Yorker. Khadija Ismayilova, an investigative reporter from Azerbaijan, is an icon among the subtribe of journalists who work to expose cross-border financial corruption. She has broken big stories about money laundering and dodgy banking, despite being targeted by President Ilham Aliyev’s authoritarian regime. Operatives planted cameras in her home in Baku and, in 2012, released a video of her having sex with her boyfriend. In 2014, she was arrested on trumped-up charges that included tax evasion; a court sentenced her to seven and a half years in prison. The human-rights lawyer Amal Clooney, among others, took up Ismayilova’s cause, and she was released after eighteen months, but the government prohibited her from leaving the country for five years.

Coming Events 

  • 1 September
    • The House Armed Services Committee will mark up the FY 2022 National Defense Authorization Act (H.R.4395).
  • 30 September
    • The Federal Communications Commission (FCC) will hold an open meeting. No agenda has been announced as of yet.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Luan Rezende from Pexels

Photo by Alexander Shatov on Unsplash

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s