
Subscribe to my newsletter, The Wavelength, if you want the content on my blog delivered to your inbox four times a week before it’s posted here. The Wavelength will transition to a subscription product early in 2022. Details to come.
Other Developments
- The People’s Republic of China’s (PRC) National People’s Congress (NPC) Standing Committee passed the “Personal Information Protection Law” (PIPL), legislation experts are calling the PRC’s first comprehensive data protection law. Stanford University’s DigiChina Cyber Policy Center translated PIPL and asserted:
- In digesting the new law, two overriding points are important to keep in mind. First, the PIPL is a framework law that is not intended to provide granular detail on the majority of the policy matters it covers, but rather sets out broad principles, objectives, mandates, and responsibilities. To make these generalities concrete and specific, regulators such as the Cyberspace Administration of China will draft and issue implementing regulations, and standards-setting organizations will issue technical standards and specifications. This is why the PIPL is much shorter and less detailed than its main international counterpart, the European General Data Protection Regulation (GDPR), and detailed answers to regulatory questions—let alone the question of how the law may be enforced—may be months or years away. Indeed, regulations issued this month on “critical information infrastructure” added missing detail to provisions of the Cybersecurity Law more than four years after it entered force.
- Second, while the PIPL addresses many issues frequently discussed in the context of personal privacy worldwide, it does not directly address “privacy” (隐私), which is a separate concept in Chinese law. The law’s focus is on protecting individuals, society, and national security from harms stemming from abuse and mishandling of personal information—targeting both the private sector and government functions.
- The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a cybersecurity advisory “to highlight precautions and mitigation steps that public and private sector organizations can take to reduce their risk to ransomware and other cyber attacks, specifically leading up to holidays and weekends.” The agencies claimed “[t]his advisory is based on observations on the timing of high impact ransomware attacks that have occurred previously rather than a reaction to specific threat reporting.” CISA and the FBI argued:
- Cyber actors have conducted increasingly impactful attacks against U.S. entities on or around holiday weekends over the last several months. The FBI and CISA do not currently have specific information regarding cyber threats coinciding with upcoming holidays and weekends. Cyber criminals, however, may view holidays and weekends—especially holiday weekends—as attractive timeframes in which to target potential victims, including small and large businesses. In some cases, this tactic provides a head start for malicious actors conducting network exploitation and follow-on propagation of ransomware, as network defenders and IT support of victim organizations are at limited capacity for an extended time.
- In May 2021, leading into Mother’s Day weekend, malicious cyber actors deployed DarkSide ransomware against the IT network of a U.S.-based critical infrastructure entity in the Energy Sector, resulting in a week-long suspension of operations. After DarkSide actors gained access to the victim’s network, they deployed ransomware to encrypt victim data and—as a secondary form of extortion—exfiltrated the data before threatening to publish it to further pressure victims into paying the ransom demand.
- In May 2021, over the Memorial Day weekend, a critical infrastructure entity in the Food and Agricultural Sector suffered a Sodinokibi/REvil ransomware attack affecting U.S. and Australian meat production facilities, resulting in a complete production stoppage.
- In July 2021, during the Fourth of July holiday weekend, Sodinokibi/REvil ransomware actors attacked a U.S.-based critical infrastructure entity in the IT Sector and implementations of their remote monitoring and management tool, affecting hundreds of organizations—including multiple managed service providers and their customers.
- Apple and the plaintiffs have proposed a settlement in a suit brought over Apple’s App Store practices. This lawsuit proceeded in parallel with the actions Epic Games brought over many of the same claims in the United States, United Kingdom, European Union, and Australia. The judge still needs to rule on the settlement, however.
- In its press release, Apple claimed the settlement does the following:
- The agreement clarifies that developers can share purchase options with users outside of their iOS app; expands the price points developers can offer for subscriptions, in-app purchases, and paid apps; and establishes a new fund to assist qualifying US developers. The updates constitute the latest chapter of Apple’s longstanding efforts to evolve the App Store into an even better marketplace for users and developers alike.
- However, the Coalition for App Fairness, a group that includes Epic Games and was formed in response to Google’s and Apple’s app store practices, contended in a statement:
- Apple’s sham settlement offer is nothing more than a desperate attempt to avoid the judgment of courts, regulators, and legislators worldwide. This offer does nothing to address the structural, foundational problems facing all developers, large and small, undermining innovation and competition in the app ecosystem. Allowing developers to communicate with their customers about lower prices outside of their apps is not a concession and further highlights Apple’s total control over the app marketplace. If this settlement is approved, app makers will still be barred from communicating about lower prices or offering competing payment options within their apps. We will not be appeased by empty gestures and will continue our fight for fair and open digital platforms.
- The plaintiffs filed a motion in support of the proposed settlement and asserted:
- Plaintiffs Donald Cameron and Pure Sweat Basketball, Inc. (“Developer Plaintiffs”), on behalf of themselves and other members of the proposed Settlement Class, are pleased to report their proposed Settlement with Apple Inc. The Settlement, if approved, would resolve the claims of a Settlement Class consisting of approximately 67,000 iOS developers earning more than $0 but less than $1 million from transactions annually in the App Store during the Class Period. Nearly all domestic iOS developers with paid app transactions—more than 99 percent—fall within the Settlement Class and would recover under the Settlement. These small developers are the backbone of the iOS app economy, developing apps of all types that improve the functionality and performance of iOS devices. And they all stand to recover substantial benefits under the Settlement, both from direct monetary payments and structural relief that, going forward, will make iOS app development a more productive enterprise.
- The proposed Settlement establishes a $100 million non-reversionary monetary fund from which Settlement Class members will receive direct distributions. Individual Settlement Class Members will receive a minimum payment of $250; higher payments will be tiered based on historic proceeds, with the highest minimum payment tier providing $30,000. The Settlement also contains valuable structural relief. It acknowledges (properly) that this lawsuit was one driver behind Apple’s 2021 launch of its Small Business Program, under which small developers qualify for a lower 15 percent commission rate. Under the Settlement, Apple has committed to maintain the Small Business Program’s 15 percent rate for at least another three years. Apple has also committed to revise its “anti-steering” Guidelines to permit app developers to communicate directly with their customers regarding alternative payment options. Apple has further agreed to institute and maintain a range of structural reforms that will enable developers to better create, distribute, and monetize their apps. These structural reforms are valuable. Developer Plaintiffs conservatively estimate that the Small Business Program element of the Settlement alone adds at least $35.44 million in value.
- In its motion in support of the settlement, Apple claimed:
- Apple is confident that if this litigation were to continue, Apple would defeat class certification and/or Apple would prevail at trial. The Court is aware from the Epic trial, including the testimony of Apple’s most senior executives, of Apple’s commitment to building and maintaining the App Store as a great place for both developers and consumers to transact in apps and in-app purchases. The evidence of record establishes that the practices challenged in this and other cases are both lawful and well-justified by business necessity—including the protection of Apple’s intellectual property, and protecting the security and privacy of Apple’s customers.
- Nevertheless, Apple would rather work with developers than litigate against them. Accordingly, after extensive arms-length negotiations, Apple and the Developer Plaintiffs reached a solution that, if approved by the Court, will avoid the expense and distraction of further litigation while providing real assistance to the small developers who are so important to the burgeoning app economy.
- A bill to tighten California’s laws regarding the collection and use of health information by non-healthcare providers has apparently stalled. AB-1436, “Information privacy: digital health feedback systems,” may have been paused by a key Senate committee in late August. A summary of the legislation explained:
- Certain information and transactions, however, are expressly exempt from the California Consumer Privacy Act of 2018 (CCPA). As related to health care, the CCPA does not apply to the following:
- Medical information governed by the Confidentiality of Medical Information Act (CMIA) or protected health information (PHI) that is collected by a “covered entity” or “business associate,” as defined and governed by the privacy, security, and breach notification rules under HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH).
- A provider of health governed by the CMIA or a covered entity governed by HIPAA.
- Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects (Common Rule), pursuant to good clinical practice guidelines issued by the International Council for Harmonisation, or human subject protection requirements of the U.S. Food and Drug Administration.
- The bill’s sponsor, Assemblyman Ed Chau (D), explained the problem the bill is designed to solve:
- These tech companies are after all sorts of personal medical information — your heart rate, your blood pressure, your sleep habit. As it stands, they’re circumventing medical privacy laws.
- Per the most recent summary, AB 1436 “would prohibit a business that offers a ‘personal health record system’ from knowingly using or disclosing the ‘personal health record information’ of a person without first obtaining a signed authorization.” More specifically,
- This bill would:
- Prohibit a business that offers a personal health record system from knowingly using, disclosing, or permitting the use or disclosure of personal health record information without the individual having first signed an authorization.
- Require the authorization to be in the same form as that required by an employer to disclose medical information, with “personal health record system” substituting “employer.” Specifically, the authorization must be all of the following:
- Handwritten by the person who signs it or is in a typeface no smaller than 14-point type.
- Clearly separate from any other language present on the same page and is executed by a signature that serves no purpose other than to execute the authorization.
- Signed and dated by the patient, the patient’s legal representative, or the beneficiary or personal representative of a deceased patient.
- State the limitations, if any, on the types of medical information to be disclosed.
- State the name or functions of the personal health record system or person authorized to disclose the medical information.
- State the names or functions of the persons or entities authorized to receive the medical information.
- State the limitations, if any, on the use of the medical information by the persons or entities authorized to receive the medical information.
- State a specific date after which the personal health record system is no longer authorized to disclose the medical information.
- Advise the person who signed the authorization of the right to receive a copy of the authorization.
- Require a business that possesses an authorization to furnish a true copy of the authorization upon demand by the patient or the person who signed the authorization.
- Require a business that offers a personal health record system to communicate to the person or entity to which it discloses the medical information or personal health record information any limitations in the authorization regarding the use of the medical information or personal health record information. A good faith attempt by a business to comply with this requirement would protect the business from liability for any unauthorized use of the medical information or personal health record information by the person or entity to which the business disclosed the medical information or personal health record information.
- Provide that this bill is not to be construed to prevent a person who could sign the authorization from canceling or modifying an authorization and that any cancellation or modification is effective only after received in writing by the business.
- Prohibit a recipient of medical information or personal health record information pursuant to an authorization from further disclosing that medical information or personal health record information unless in accordance with a new authorization or as specifically required or permitted by law.
- Subject a business that offers a personal health record system or a recipient of medical information or personal health record information to specified administrative fines and civil penalties for any violation of the provisions of this bill.
- Define “personal health record system” to mean a product or device, commercial website, online service, or mobile application that is used by an individual and that is specifically designed to collect and transmit, directly or indirectly, the individual’s personal health record information.
- Define “personal health record information” to mean individually identifiable information, in electronic or physical form, about an individual’s mental or physical condition that is collected by a personal health record system through a direct measurement of an individual’s mental or physical condition or through user input regarding an individual’s mental or physical condition into a personal health record system for the purposes of allowing the individual to manage their information or for the diagnosis, treatment, or management of a medical condition of the individual.
- The Department of Homeland Security (DHS) will be conducting a “pathfinder assessment” to determine the degree to which DHS contractors are meeting the Cyber Hygiene clauses in contracts. DHS explained:
- In 2015, DHS incorporated Cyber Hygiene clauses into its contracts and agreements to require contractor compliance with certain cyber standards and protections. In light of recent events, DHS seeks to advance our process in assessing industry compliance with Cyber Hygiene clause requirements. DHS has been closely monitoring the Department of Defense’s implementation of the Cybersecurity Maturity Model Certification (CMMC) program to identify lessons learned and best practices for consideration by DHS as we advance our process. Our end goal is to have a means of ensuring a contractor has key cybersecurity and cyber hygiene practices in place as a condition for contract award. This process is a critical step in our progress towards protecting the Homeland.
- As an immediate first step, DHS is conducting a pathfinder assessment to establish a path forward. Upon conclusion of the pathfinder effort, the Department will have further information and next steps to share. We look forward to continuing to collaborate with you on this matter.
- The Defense Department (DOD), the General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA) published a final rule “to implement the U.S. Access Board’s revisions by strengthening [the Federal Acquisition Regulation (FAR)] requirements for accessibility to electronic and information technology (now generally referred to as ‘information and communication technology’ or ‘ICT’) provided by the Federal Government.” The agencies explained:
- This rule does not create new solicitation provisions or contract clauses or impact any existing provisions or clauses. This rule amends FAR part 39, Acquisition of Information Technology, and other references to Government requirements for information and communication technology. The objective of the rule is to update the FAR text to align with the accessibility standards revisions made by the Access Board at 36 CFR 1194.1. The accessibility standards are currently applicable to all information and communication technology acquisitions. As such, determinations and findings under 41 U.S.C. 1905 to 1907 regarding the applicability of this rule to acquisitions at or below the Simplified Acquisition Threshold (SAT) or to acquisitions for commercial and Commercially Available Off-the-Shelf (COTS) items are not required.
- Section 508 requirements will continue to apply when acquiring ICT through contracts at or below the SAT, or contracts for the acquisition of commercial items, including COTS items.
- The Access Board completed a multiyear effort to “refresh” its initial, existing set of accessibility standards under section 508 to address advances in ICT, harmonize with accessibility standards developed by standards organizations worldwide, and ensure consistency with the Access Board’s regulations that had been promulgated since the late 1990s. The revised section 508 Accessibility Standards support the access needs of individuals with disabilities, while also considering the costs of procuring ICT that complies with section 508.
- The Access Board’s final rule was published in the Federal Register at 82 FR 5790 on January 18, 2017. This final rule updates the FAR to ensure that the updated standards are appropriately considered in Federal ICT acquisitions. The final rule includes a “safe harbor” provision for existing (i.e., legacy) ICT, which considers legacy ICT in existence on or before January 18, 2018, to be compliant if it meets the earlier standard issued pursuant to section 508 of the Rehabilitation Act of 1973 (see E202.2 of Revised Standards) and the legacy ICT is not altered after January 18, 2018. In other words, such “untouched” ICT need not be modified or upgraded to conform to the revised 508 standards as long as it already conforms to the original 508 standards. However, ICT acquired on or before January 18, 2018, will need to be upgraded or modified to conform to the new standard if such ICT is altered after January 18, 2018, or does not comply with the original 508 standards. In addition, ICT acquired after January 18, 2018, must be upgraded or modified to conform to the new standard. The upgrades and modifications would be included in requirements documents issued by the agency.
- The United States (U.S.) Department of Homeland Security (DHS) is encouraging U.S. state and local governments to sign up for the .gov top-level domain (TLD), which the Cybersecurity and Infrastructure Security Agency (CISA) now administers. CISA asserted:
- Using a .gov domain for your online services helps the public quickly identify your website as a trusted government source. This is different from other well-known TLDs, where anyone in the world can register for a fee.
- Malicious actors know this, and have sought to impersonate election organizations using non .gov domains.
- Additionally, using .gov increases your security:
- Multi-factor authentication is enforced on all accounts in the .gov registrar, which may not be the case for other commercial registrars.
- .gov domains are ‘preloaded’, which requires browsers to use only a secure HTTPS connection with your website. This helps protect your visitors’ privacy and helps ensure the content you publish is exactly what’s received.
- You can add a security contact for your domain, making it easier for the public to tell you about a potential security issue with your online services.
- The Center for Countering Digital Hate (CCDH) published a report titled “Failure to Protect: How social media firms fail to act on user reports of antisemitism,” in which the CCDH claimed “that social media platforms took no action on 84% of posts containing antisemitic conspiracies, extremism and abuse reported to them using their own tools for reporting malignant content, despite promises to crack down on anti-Jewish hatred.” As explained, the CCDH made these findings:
- CCDH researchers collected and reported 714 posts containing anti-Jewish hatred. Collectively, they had been viewed at least 7.3 million times. Posts were collected from Facebook, Instagram, TikTok, Twitter & YouTube between May-June.
- 84% of posts containing anti-Jewish hatred were not acted upon by social media companies. Facebook performed worst, failing to act on 89%, despite announcing new rules to tackle the problem.
- Platforms fail to act on 89% of antisemitic conspiracy theories about 9/11, the Covid pandemic and Jewish control of world affairs.
- Extremist anti-Jewish hate is not acted on: platforms failed to act on 80% of posts containing Holocaust denial, 74% of posts alleging the blood libel, 70% of racist caricatures of Jewish people and 70% of neo-Nazi posts.
- Instagram, TikTok and Twitter allow hashtags used for antisemitic content such as #rothschild, #fakejews and #killthejews that were used in posts identified by our report that gained over 3.3 million impressions.
- TikTok removes just 5% of accounts that directly racially abuse Jewish users for example by sending them messages denying the Holocaust.
- Earlier reports by CCDH show platforms have similarly failed to act on dangerous Covid and vaccine misinformation reported by users.
- CCDH made these recommendations:
- 1. Introduce financial penalties to incentivize proper moderation. Platforms have profited from the proliferation of hate and misinformation on their platforms. Financial incentives will ensure they no longer invest the bare minimum in content moderation.
- 2. Hire, train and support moderators to remove hate. Current efforts by tech companies to moderate their platforms are clearly inadequate.
- 3. Remove groups dedicated to antisemitism. CCDH identified groups dedicated to sharing antisemitism with a total of 38,000 members.
- 4. Instagram, Tiktok and Twitter must act on antisemitic hashtags that their own analytics show have been used for content viewed millions of times.
- 5. Ban accounts that send racist abuse directly to Jewish users.
- House Foreign Affairs Committee Ranking Member Michael McCaul (R-TX) wrote “to Commerce Secretary Gina Raimondo asking that the End-User Review Committee (ERC) designate Honor Device Co. Ltd. to the Department of Commerce Entity List.” He and 13 other Republicans asserted “Honor Device Co. was formerly a part of Huawei, and was spun off in an effort to evade U.S. export control policies meant to keep U.S. technology and software out of the hands of the Chinese Communist Party (CCP) and their military, the People’s Liberation Army (PLA).” McCaul and his colleagues argued:
- With its access to U.S. technology and software cut off, Honor was sold to a PRC state-led consortium, including majority ownership by the Shenzhen government. Analysts have noted that selling Honor gave it access to the semiconductor chips and software it relied on and would have presumably been blocked had the divestiture not gone through. The Center for Strategic and International Studies suggests that the PRC state with guidance from the Chinese Communist Party (CCP) stepped in as an “investor of first resort” to rescue a national asset in a strategic sector from U.S. sanctions. The visible hand of the Party-state intervened to shield Honor from U.S. export controls.
- This coordinated divestiture and acquisition reveal the extent to which nominally private entities, such as Honor, are deeply embedded within a PRC ecosystem that leverages interconnections among the CCP, state owned banks, local governments, and venture capital for strategic objectives. The sale of Honor was not a market-based outcome, but rather orchestrated by the Party-state. The same concerns about technology exports to Honor when it was part of Huawei should apply under its current state-backed ownership structure. If we move too slowly and focus only on discrete entities rather than networks and ecosystems, the CCP’s novel Party-state economy can outmaneuver U.S. sanctions.
- The United States (U.S.) Securities and Exchange Commission (SEC) announced “that Pearson plc, a London-based public company that provides educational publishing and other services to schools and universities, agreed to pay $1 million to settle charges that it misled investors about a 2018 cyber intrusion involving the theft of millions of student records, including dates of births and email addresses, and had inadequate disclosure controls and procedures.” The agency stated:
- The SEC’s order finds that Pearson made misleading statements and omissions about the 2018 data breach involving the theft of student data and administrator log-in credentials of 13,000 school, district and university customer accounts. In its semi-annual report, filed in July 2019, Pearson referred to a data privacy incident as a hypothetical risk, when, in fact, the 2018 cyber intrusion had already occurred. And in a July 2019 media statement, Pearson stated that the breach may include dates of births and email addresses, when, in fact, it knew that such records were stolen, and that Pearson had “strict protections” in place, when, in fact, it failed to patch the critical vulnerability for six months after it was notified. The media statement also omitted that millions of rows of student data and usernames and hashed passwords were stolen. The order also finds that Pearson’s disclosure controls and procedures were not designed to ensure that those responsible for making disclosure determinations were informed of certain information about the circumstances surrounding the breach.
- “As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections,” said Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit. “As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”
- The SEC’s order found that Pearson violated Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Exchange Act of 1934 and Rules 12b-20, 13a-15(a), and 13a-16 thereunder. Without admitting or denying the SEC’s findings, Pearson agreed to cease and desist from committing violations of these provisions and to pay a $1 million civil penalty.
- The Office of the Inspector General (OIG) for the United States Postal Service (USPS) issued a report titled “Step into Tomorrow: The U.S. Postal Service and Emerging Technology” and explained:
- Since 2011, the U.S. Postal Service Office of Inspector General (OIG) has produced over 30 white papers on emerging technologies to analyze their potential impact on and application for the Postal Service. Our research focused on four technology categories: mail innovations, data analytics, autonomous technologies, and intelligent infrastructure.
- In this paper, we revisit some of the technological developments discussed in our previous work to assess which remain relevant today, where the Postal Service has implemented or piloted new technology, and which are important for the Postal Service to consider for implementation in the future.
- We found that, over the past decade, the Postal Service has focused its technology development efforts on two areas: mail innovations and data analytics. Postal experts agreed that advancements in these areas will continue to lead transformation in the postal industry going forward.
- The Postal Service’s recently released “Delivering for America: Our Vision and Ten-Year Plan to Achieve Financial Sustainability and Service Excellence” indicates that these technologies are and will continue to be a priority going into the future.
- Other emerging technologies that have not yet had a major impact on the Postal Service, either in terms of revenue or cost efficiencies, are blockchain, Internet of Things, and autonomous vehicles. The Postal Service’s engagement with these technologies has been limited to research and testing so far. Experts, however, believe these innovations will become increasingly impactful in the coming years.
- Despite facing constraints that other competitors in the postal marketplace do not, the Postal Service has managed to integrate many of the latest technological innovations into its business practices to improve the efficiency and quality of the service it provides to its customers. Its size prevents it from being as nimble as smaller players in the postal industry. In addition, the Postal Service faces legal, technical, financial, and regulatory hurdles. However, these challenges can be mitigated within the boundaries of the Postal Service’s current regulatory, operational, and financial framework.
- Making effective use of new and emerging technologies, as well as successfully addressing the challenges to innovation will enable the Postal Service to become a more efficient organization that exceeds its customers’ expectations.
- The Offices of Inspector General (OIG) for the Department of Defense (DOD) and the National Security Agency (NSA) announced “a joint evaluation…to assess the National Security Agency’s integration of artificial intelligence into signals intelligence operations in accordance with DOD and Intelligence Community guidance for artificial intelligence.”
- The National Institute of Standards and Technology (NIST) issued a number of crosswalks between its Privacy Framework and some of the most influential privacy laws:
- VCDPA Crosswalk
- CCPA & CPRA Crosswalk
- LGPD Crosswalk
- Consumer Reports asserted the Uniform Law Commission’s (ULC) “finalized Uniform Personal Data Protection Act (UPDPA), approved last month, misses the mark” even though the ULC “has been working on a model privacy law for several years.” Consumer Reports issued an analysis of the UPDPA and contended:
- The model law would do little to reform companies’ inappropriate data collection and sharing behaviors — including by explicitly exempting behavioral advertising from the protections in the bill. If such a bill were to be implemented, it could be worse than doing nothing at all, as it could forestall future privacy legislation that is more beneficial to consumers and holds companies accountable.
- American consumers have few protections with respect to the data collection, use, and sharing of their personal information, especially as there is no federal privacy law providing baseline protections over data privacy and security. Consumers need strong legislation that limits collection, use, and sharing of data to what is reasonably necessary to provide the service requested by the consumer, with strong enforcement to back it up. In the absence of federal action, states like California and Colorado have stepped in and adopted baseline privacy legislation that gives consumers the right to access, delete, and stop the sale of personal information, spurring interest in legislation across the country. But industry has pushed back. Companies have used bad faith interpretations to ignore the CCPA’s opt out with respect to targeted advertising, further highlighting the need for clear guidelines and strong enforcement. While Virginia also signed into law a privacy bill, the legislation is weaker than the CCPA thanks to pressure from industry, making it more difficult for consumers to control their data.
- The University of Toronto’s Citizen Lab issued a new report on government surveillance, this one focused on Bahrain. Citizen Lab listed its key findings and summarized the report, titled “From Pearl to Pegasus: Bahraini Government Hacks Activists with NSO Group Zero-Click iPhone Exploits”:
- We identified nine Bahraini activists whose iPhones were successfully hacked with NSO Group’s Pegasus spyware between June 2020 and February 2021. Some of the activists were hacked using two zero-click iMessage exploits: the 2020 KISMET exploit and a 2021 exploit that we call FORCEDENTRY.
- The hacked activists included three members of Waad (a secular Bahraini political society), three members of the Bahrain Center for Human Rights, two exiled Bahraini dissidents, and one member of Al Wefaq (a Shiite Bahraini political society).
- At least four of the activists were hacked by LULU, a Pegasus operator that we attribute with high confidence to the government of Bahrain, a well-known abuser of spyware. One of the activists was hacked in 2020 several hours after they revealed during an interview that their phone was hacked with Pegasus in 2019.
- Two of the hacked activists now reside in London, and at least one was in London when they were hacked. In our research, we have only ever seen the Bahrain government spying in Bahrain and Qatar using Pegasus; never in Europe. Thus, the Bahraini activist in London may have been hacked by a Pegasus operator associated with a different government.
- We shared a list of the targeted phone numbers we identified with Forbidden Stories. They confirmed that numbers associated with five of the hacked devices were contained on the Pegasus Project’s list of potential targets of NSO Group’s customers, data that Forbidden Stories and Amnesty International describe as dating from 2016 up to several years ago.
Further Reading
- “China’s Microsoft Hack May Have Had A Bigger Purpose Than Just Spying” By Dina Temple-Raston — NPR. Steven Adair hunts hackers for a living. Back in January, in a corner-of-his-eye, peripheral kind of way, he thought he saw one in his customer’s networks — a shadowy presence downloading emails. Adair is the founder of a cybersecurity company called Volexity, and he runs traps to corner intruders all the time. So he took a quick look at a server his client was using to run Microsoft Exchange and was stunned to “see requests that we’re not expecting,” he said. There were requests for access to specific email accounts, requests for confidential files.
- “Apple loosens rules for developers in major concession amid antitrust pressure” By Rachel Lerman, Cat Zakrzewski, and Heather Kelly — The Washington Post. Apple announced it would make major changes to its App Store as part of a proposed lawsuit settlement with developers, following years of mounting regulatory scrutiny and legal challenges. The company will let developers tell its iPhone and iPad customers about ways to pay outside the official App Store, it said in a news release late Thursday. It also expands the types of prices that developers can offer for subscriptions, in-app purchases and paid apps, among other initiatives. The settlement still needs to be approved by the court. The change is in response to a suit brought by small app developers, in which they alleged Apple’s pricing tiers and lack of outside purchasing options were monopolistic. Apple is also expecting an imminent judgment in a suit by Epic Games over similar allegations in front of the same judge in federal court in the Northern District of California.
- “This vulnerability puts the future of U.S. warfighting at risk” By Shaun Waterman — ReadMe. The U.S. military is betting on technological revolution to win the wars of the 21st century. Pentagon futurists are working toward a digitally managed battlefield where commanders use cloud-based software tools to direct autonomous weapons systems anywhere on the globe and even launch coordinated attacks by land, sea and air with the swipe of a finger. It’s been called the Uber-ization of warfare, but officially the Department of Defense dubs this vision Joint All-Domain Command and Control, or JADC2. And it’s going to fundamentally rewire the military — not just their IT systems, but their guns and bombs, too. Later this year, the Joint Chiefs of Staff will publish new requirements that all weapons systems must be compatible with JADC2 networking requirements to receive funding.
- “Stop using Zoom, Hamburg’s DPA warns state government” By Natasha Lomas — Tech Crunch. Hamburg’s state government has been formally warned against using Zoom over data protection concerns. The German state’s data protection agency (DPA) took the step of issuing a public warning yesterday, writing in a press release that the Senate Chancellory’s use of the popular videoconferencing tool violates the European Union’s General Data Protection Regulation (GDPR) since user data is transferred to the U.S. for processing.
- “Facebook used facial recognition without consent 200,000 times, says South Korea’s data watchdog” By Laura Dobberstein — The Register. Facebook, Netflix and Google have all received reprimands or fines, and an order to make corrective action, from South Korea’s government data protection watchdog, the Personal Information Protection Commission (PIPC). The PIPC announced a privacy audit last year and has revealed that three companies – Facebook, Netflix and Google – were in violation of laws and had insufficient privacy protection.
- “New York man sentenced to 3 years for stealing students’ nude photos after hacking their accounts” By Tonya Riley — cyberscoop. A federal judge sentenced a New York man to three years in federal prison for hacking the accounts of dozens of female college students to access private nude photos, the Justice Department said Thursday. Nicholas Farber, of Rochester, pleaded guilty in February to working with a co-conspirator between 2017 and 2019 to access the school emails of dozens of female SUNY Plattsburgh students. He then leveraged access to those accounts in order to access students’ Facebook, Snapchat and cloud accounts from which he stole private nude photographs and movies. Farber then traded the images online with an unnamed number of individuals.
- “Google hit with more than 20,000 geofence warrants from 2018 to 2020” By Richard Nieva — c/net. Google received more than 20,000 geofence warrants in the US in the last three calendar years, making up more than a quarter of all warrants the tech giant received in that time, the company said Thursday. With geofence warrants, a controversial law enforcement tool, police can carve out a specific area and time period and ask Google to gather information about the devices that were present during that window. The information is anonymous, but police can analyze it and narrow it down to a few devices they think might be relevant to the investigation. Then Google reveals those users’ names and other data.
- “Google Dragnets Gave Cops Data On Phones Located At Kenosha Riot Arsons” By Thomas Brewster — Forbes. A year after the Kenosha riots, following the police shooting of Black citizen Jacob Blake, Google has handed over data on any phones that were located in the vicinity of two arson attacks during the public disorder, even though some protesters were trying to stop the fires. In the latest example of police applying for a so-called digital dragnet, just-unsealed court orders reveal that Google was ordered to hand over data from users of any of its location services who were near a Kenosha library and museum that were set on fire during the August 2020 unrest. Known as geofence or reverse location warrants, they asked Google to scoop up information on any device at the sites over a period of two hours at the public library and 25 minutes at the Kenosha Dinosaur Discovery Museum.
- “Disinfection robots and thermal body cameras: welcome to the anti-Covid office” By Kate Connolly — The Guardian. Not so long ago it may have seemed more like a futuristic vision of the workplace – or a hospital. But the hands-free door handles, self-cleaning surfaces, antimicrobial paint, air-monitoring display tools, UV light disinfection robots, and 135 other measures at an office block in Bucharest are here to stay, say the creators behind what they are touting as one of the world’s most virus-resilient workplaces, which they hope will become the new normal in office design.
- “The State Department Has Reportedly Been Hacked” By Jody Serrano — Gizmodo. The U.S. State Department was purportedly the victim of a serious cyber attack in recent weeks, according to a Fox News report published on Saturday. The extent of the breach and when it was discovered are currently unknown. Citing an unnamed source, the outlet stated that the Department of Defense’s Cyber Command had issued notifications of a possibly serious breach. Although it’s unclear whether the State Department’s operations have been affected by the attack, Fox reported that the department’s work to evacuate thousands of Americans and Afghans from Kabul, Afghanistan amid the withdrawal of U.S. forces had not been affected.
- “Damning COVIDSafe report shows government ignored contact tracer frustrations, app’s major shortfalls” By Sarah Basford Canales — Canberra Times. The federal government has defended its COVIDSafe app as playing a “very important” role in the pandemic despite being handed a damning report warning it was adding up to two hours to contact tracing workloads for little-to-no benefit. A secret report on the $8 million COVIDSafe app, handed to Health Minister Greg Hunt in March this year, warned contact tracers were finding the government’s early technological solution to controlling outbreaks was not helping.
Coming Events
- 7 September
- The California Privacy Protection Agency Board will hold a public meeting.
- 8 September
- Australia’s Select Committee on Australia as a Technology and Financial Centre will hold a hearing on its inquiry.
- The California Privacy Protection Agency Board will hold a public meeting.
- 9 September
- The House Science, Space, and Technology Committee will mark up its portion of the FY 2022 budget reconciliation package.
- 10 September
- The House Agriculture Committee will mark up its portion of the FY 2022 budget reconciliation package.
- 14 September
- The European Data Protection Board (EDPB) will hold a plenary meeting.
- 28 September
- The Information Security and Privacy Advisory Board (ISPAB) will hold an open meeting, and “[t]he agenda is expected to include the following items:
- Board Discussion on Executive Order 14028, Improving the Nation’s Cybersecurity (May 12, 2021) deliverables and impacts to date,
- Presentation by NIST, the Department of Homeland Security, and the General Services Administration on upcoming work specified in Executive Order 14028,
- Presentation by the Office of Management and Budget on Executive Order 14028 directions and memoranda to U.S. Federal Agencies,
- Board Discussion on recommendations and issues related to Executive Order 14028.”
- 30 September
- The Federal Communications Commission (FCC) will hold an open meeting. No agenda has been announced as of yet.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.