Big Tech CEOs Appear At Hearing

In a marathon hearing, Democrats make their case on why big tech is engaged in antitrust and anti-competitive practices. Whether this hearing and a future report change anything is an open question.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

On 29 July, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee held its sixth hearing on “Online Platforms and Market Power” titled “Examining the Dominance of Amazon, Apple, Facebook, and Google” with the heads of Amazon, Apple, Google, and Facebook that lasted more than five hours. Democrats largely focused their questions on the documents and information provided by the companies to make the case each had engaged in practices that are at the least anti-competitive if not illegal under the Sherman and Clayton Antitrust Acts. On the other hand, Republicans largely avoided discussing anti-competitive or antitrust issues except in connection with lines of questioning regarding social media moderation of content that is allegedly biased against conservatives and the People’s Republic of China (PRC).

The subcommittee is expected to issue its report in the near term with possible recommendations on how to amend US law to address the problems turned up during the investigation. However, the Republican-controlled Senate and the White House will likely not be receptive to legislation to update the US’ antitrust or anti-competitive laws. And yet, a Democratic White House and Senate may prove more receptive and able to effect changes in these laws. It remains to be seen whether the US Department of Justice (DOJ) and the Federal Trade Commission (FTC) bring broad cases against these companies for potential violations. Likewise, groups of states are collectively investigating Google and Facebook, and the attorney general of California is looking into Amazon’s business practices. Finally, the European Commission (EC) is also investigating a number of these companies as its new leadership considers the size and power of tech companies a central issue in the European Union.

Subcommittee Chair David Cicilline (D-RI) asserted “[a]lthough these four corporations differ in important and meaningful ways, we have observed common patterns and competition problems over the course of our investigation:

  • First, each platform is a bottleneck for a key channel of distribution. Whether they control access to information or to a marketplace, these platforms have the incentive and ability to exploit this power. They can charge exorbitant fees, impose oppressive contracts, and extract valuable data from the people and businesses that rely on them.
  • Second, each platform uses its control over digital infrastructure to surveil other companies—their growth, business activity, and whether they might pose a competitive threat. Each platform has used this data to protect its power, by either buying, copying, or by cutting off access for any actual or potential rival.
  • Third, these platforms abuse their control over current technologies to extend their power. Whether it’s through self-preferencing, predatory pricing, or requiring users to buy additional products, the dominant platforms have wielded their power in destructive, harmful ways in order to expand.

Cicilline stated that

  • At today’s hearing we will examine how each of these companies has used this playbook to achieve and maintain dominance—and how their power shapes and affects our daily lives. Why does this matter? Many of the practices used by these companies have harmful economic effects. They discourage entrepreneurship, destroy jobs, hike costs, and degrade quality. Simply put: They have too much power. This power staves off new forms of competition, creativity, and innovation. And while these dominant firms may still produce some new innovative products, their dominance is killing the small businesses, manufacturing, and overall dynamism that are the engines of the American economy.
  • Several of these firms also harvest and abuse people’s data to sell ads for everything from new books to dangerous “miracle” cures. When everyday Americans learn how much of their data is being mined, they can’t run away fast enough. But in many cases, there is no escape from this surveillance because there is no alternative. People are stuck with bad options. Open markets are predicated on the idea that if a company harms people, consumers, workers, and business partners will choose another option. We are here today because that choice is no longer possible.

Cicilline stated “I am confident that addressing the problems we see in these markets will lead to a stronger, more vibrant economy…[b]ecause concentrated economic power also leads to concentrated political power, this investigation also goes to the heart of whether we, as a people, govern ourselves, or whether we let ourselves be governed by private monopolies.”

Subcommittee Ranking Member James Sensenbrenner (R-WI) lauded the technological innovations the four companies have provided Americans that made coping with the COVID-19 pandemic easier. He reiterated that “being big is not inherently bad” and asserted the opposite was true because in the US success should be rewarded. Sensenbrenner said the hearing is designed to help the subcommittee better understand the roles the companies play in the digital marketplace and the effect on consumers and the public at large. He said that data drives the marketplace and those who control the data, in essence, control the marketplace. Sensenbrenner said there are broader questions around data such as who owns it; do they share data with their customers or competitors; what is the fair market value of that data; is there anything monopolistic in acquiring this data; and what are the implications of monetizing data.

Sensenbrenner claimed that since the “tech investigation” began, “we have heard rumblings from many” who say your companies have grown too large. He stated that since the hearing was announced the complaints have gotten even louder. Sensenbrenner said he found these complaints informative, but he did not plan on litigating each complaint today. He asserted antitrust law and the consumer welfare standard have served the US well for over a century and have provided a framework for some of the US’s most successful and innovative companies. Sensenbrenner allowed that as the economy evolves, antitrust law may need updating to meet the needs of the nation and its consumers. He stated his concern that market dominance in this space is ripe for abuse, “particularly when it comes to free speech,” as Facebook, YouTube, and Twitter have become the public space of today as political debate unfolds in real time. Sensenbrenner said that reports of “dissenting views, often conservative views” are targeted or censored are seriously troubling. He stressed that “conservatives are consumers, too” and “they need the protection of antitrust laws.” He argued that the power to shape debate carries tremendous responsibility.

Sensenbrenner said facts should guide the inquiry. He noted the companies are large, successful, and powerful, all of which are fine. He asserted he wanted to leave the hearing with a better picture of how these qualities affect consumers.

Amazon CEO Jeff Bezos claimed

  • The global retail market we compete in is strikingly large and extraordinarily competitive. Amazon accounts for less than 1% of the $25 trillion global retail market and less than 4% of retail in the U.S. Unlike industries that are winner-take-all, there’s room in retail for many winners. For example, more than 80 retailers in the U.S. alone earn over $1 billion in annual revenue.
  • Like any retailer, we know that the success of our store depends entirely on customers’ satisfaction with their experience in our store. Every day, Amazon competes against large, established players like Target, Costco, Kroger, and, of course, Walmart—a company more than twice Amazon’s size. And while we have always focused on producing a great customer experience for retail sales done primarily online, sales initiated online are now an even larger growth area for other stores. Walmart’s online sales grew 74% in the first quarter.
  • And customers are increasingly flocking to services invented by other stores that Amazon still can’t match at the scale of other large companies, like curbside pickup and in-store returns. The COVID-19 pandemic has put a spotlight on these trends, which have been growing for years. In recent months, curbside pickup of online orders has increased over 200%, in part due to COVID-19 concerns. We also face new competition from the likes of Shopify and Instacart—companies that enable traditionally physical stores to put up a full online store almost instantaneously and to deliver products directly to customers in new and innovative ways—and a growing list of omnichannel business models. Like almost every other segment of our economy, technology is used everywhere in retail and has only made retail more competitive, whether online, in physical stores, or in the various combinations of the two that make up most stores today. And we and all other stores are acutely aware that, regardless of how the best features of “online” and “physical” stores are combined, we are all competing for and serving the same customers. The range of retail competitors and related services is constantly changing, and the only real constant in retail is customers’ desire for lower prices, better selection, and convenience.
  • It’s also important to understand that Amazon’s success depends overwhelmingly on the success of the thousands of small and medium-sized businesses that also sell their products in Amazon’s stores. Back in 1999, we took what at the time was the unprecedented step of welcoming third-party sellers into our stores and enabling them to offer their products right alongside our own. Internally, this was extremely controversial, with many disagreeing and some predicting this would be the beginning of a long, losing battle. We didn’t have to invite third-party sellers into the store. We could have kept this valuable real estate for ourselves. But we committed to the idea that over the long term it would increase selection for customers, and that more satisfied customers would be great for both third-party sellers and for Amazon. And that’s what happened.
  • Within a year of adding those sellers, third-party sales accounted for 5% of unit sales, and it quickly became clear that customers loved the convenience of being able to shop for the best products and to see prices from different sellers all in the same store. These small and medium-sized third-party businesses now add significantly more product selection to Amazon’s stores than Amazon’s own retail operation. Third-party sales now account for approximately 60% of physical product sales on Amazon, and those sales are growing faster than Amazon’s own retail sales. We guessed that it wasn’t a zero sum game. And we were right—the whole pie did grow, third-party sellers did very well and are growing fast, and that has been great for customers and for Amazon. There are now 1.7 million small and medium-sized businesses around the world selling in Amazon’s stores. More than 200,000 entrepreneurs worldwide surpassed $100,000 in sales in our stores in 2019. On top of that, we estimate that third-party businesses selling in Amazon’s stores have created over 2.2 million new jobs around the world.

Apple CEO Tim Cook asserted

  • The smartphone market is fiercely competitive, and companies like Samsung, LG, Huawei and Google have built very successful smartphone businesses offering different approaches.
  • Apple does not have a dominant market share in any market where we do business. That is not just true for iPhone; it is true for any product category.
  • What motivates us is the continuous improvement of the user experience, and we focus relentlessly on and invest significantly in new breakthroughs, innovative features and deepening the principles that set us apart.
  • Privacy and security are key examples of this drive. This is true for the iPhone and for every device we make. We build products that, from the ground up, help users protect their fundamental right to the privacy of their personal data. This principle is foundational and touches everything else we do.
  • We created the App Store in 2008 as a feature of the iPhone. Launching with a little more than 500 apps, it was our ambitious attempt to dramatically expand the features and customizability of every user’s device. We wanted to create a safe and trusted place for users to discover apps—and a means of providing a secure and supportive way for developers to develop, test and distribute apps to iPhone users globally.
  • Apple continuously improves, and provides every developer with cutting-edge tools like compilers, programming languages, operating systems, frameworks and more than 150,000 essential software building blocks called APIs. These are not only powerful, but so simple to use that students in elementary schools can and do make apps.
  • The App Store guidelines ensure a high-quality, reliable and secure user experience. They are transparent and applied equally to developers of all sizes and in all categories. They are not set in stone. Rather, they have changed as the world has changed, and we work with developers to apply them fairly.
  • For the vast majority of apps on the App Store, developers keep 100% of the money they make. The only apps that are subject to a commission are those where the developer acquires a customer on an Apple device and where the features or services would be experienced and consumed on an Apple device.
  • Apple’s commissions are comparable to or lower than commissions charged by the majority of our competitors. And they are vastly lower than the 50 to 70 percent that software developers paid to distribute their work before we launched the App Store.
  • In the more than a decade since the App Store debuted, we have never raised the commission or added a single fee. In fact, we have reduced them for subscriptions and exempted additional categories of apps. The App Store evolves with the times, and every change we have made has been in the direction of providing a better experience for our users and a compelling business opportunity for developers.
  • I am here today because scrutiny is reasonable and appropriate. We approach this process with respect and humility. But we make no concession on the facts.

Alphabet CEO Sundar Pichai contended

  • Google operates in highly competitive and dynamic global markets, in which prices are free or falling, and products are constantly improving. Today’s competitive landscape looks nothing like it did 5 years ago, let alone 21 years ago, when Google launched its first product, Google Search.
  • For example, people have more ways to search for information than ever before — and increasingly this is happening outside the context of only a search engine. Often the answer is just a click or an app away: You can ask Alexa a question from your kitchen; read your news on Twitter; ask friends for information via WhatsApp; and get recommendations on Snapchat or Pinterest. When searching for products online, you may be visiting Amazon, eBay, Walmart, or any one of a number of e-commerce providers, where most online shopping queries happen.
  • Similarly, in areas like travel and real estate, Google faces strong competition for search queries from many businesses that are experts in these areas.
  • A competitive digital ad marketplace gives publishers and advertisers, and therefore consumers, an enormous amount of choice. For example, competition in ads — from Twitter, Instagram, Pinterest, Comcast and others — has helped lower online advertising costs by 40% over the last 10 years, with these savings passed down to consumers through lower prices.
  • We also deliberately build platforms that support the innovation of others. Using Android — a product I worked on for many years — thousands of device makers and mobile operators build and sell devices without any licensing fees to us or any requirement to integrate our products. This greatly reduces device prices, and today billions of consumers around the globe are now able to afford cutting-edge smartphones, some for less than $50. And in doing so they are able to access new opportunities — whether it’s sharing a video with friends and family around the world, gaining an education for themselves or their children, or starting a business. Competition also sets higher standards for privacy and security. I’ve always believed that privacy is a universal right and should be available to everyone, and Google is committed to keeping your information safe, treating it responsibly, and putting you in control of what you choose to share. We also never sell user information to third parties. But more must be done to protect users across industries, which is why we’ve long supported the creation of comprehensive federal privacy laws.

Facebook CEO Mark Zuckerberg asserted

  • Our story would not have been possible without U.S. laws that encourage competition and innovation. I believe that strong and consistent competition policy is vital because it ensures that the playing field is level for all. At Facebook, we compete hard, because we’re up against other smart and innovative companies that are determined to win. We know that our future success is not guaranteed, especially in a global tech industry defined by rapid innovation. The history of technology is often the history of failure, and even industry leading tech companies fail if they don’t stay competitive. This is why we’re focused on delivering better services for people and businesses, and competing as vigorously as we can within the rules.
  • Although people around the world use our products, Facebook is a proudly American company. We believe in values — democracy, competition, inclusion and free expression — that the American economy was built on. Many other tech companies share these values, but there’s no guarantee our values will win out. For example, China is building its own version of the internet focused on very different ideas, and they are exporting their vision to other countries. As Congress and other stakeholders consider how antitrust laws support competition in the U.S., I believe it’s important to maintain the core values of openness and fairness that have made America’s digital economy a force for empowerment and opportunity here and around the world.
  • Like many companies, we’ve both built our own products from the ground up, and we’ve moved others forward through mergers and acquisitions. Our acquisitions have helped drive innovation for people who use our own products and services and for the broader startup community. Acquisitions bring together different companies’ complementary strengths. When you acquire a company, you can benefit from their technology and talent, and when you are acquired you get access to resources and people you otherwise might never have been able to tap into.
  • Facebook has made Instagram and WhatsApp successful as part of our family of apps. Instagram and WhatsApp have been able to grow and operate their services using Facebook’s bespoke, lower-cost infrastructure and tackle spam and harmful content with Facebook’s integrity teams and technology.
  • Following its acquisition, Instagram was able to get help stabilizing infrastructure and controlling runaway spam. It also benefited from the ability to plug into Facebook’s self-serve ads system, sales team and existing advertiser relationships to drive monetization, and was able to build products including IG Direct and IG Video that used Facebook’s technology and infrastructure. Before it was acquired, WhatsApp was a paid app with a reputation for secure communications; together we built on that by introducing end-to-end encryption and making it free to use. Since its acquisition, WhatsApp has also been able to develop products such as voice and video calling that were built on Facebook’s technology stack.
  • These benefits came about as a result of our acquisition of those companies, and would not have happened had we not made those acquisitions. We have developed new products for Instagram and WhatsApp, and we have learned from those companies to bring new ideas to Facebook. The end result is better services that provide more value to people and advertisers, which is a core goal of Facebook’s acquisition strategy.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (24 July)

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 27 July, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold its sixth hearing on “Online Platforms and Market Power” titled “Examining the Dominance of Amazon, Apple, Facebook, and Google” that will reportedly have the heads of the four companies as witnesses.
  • On 28 July, the Senate Commerce, Science, and Transportation Committee’s Communications, Technology, Innovation, and the Internet Subcommittee will hold a hearing titled “The PACT Act and Section 230: The Impact of the Law that Helped Create the Internet and an Examination of Proposed Reforms for Today’s Online World.”
  • On 28 July the House Science, Space, and Technology Committee’s Investigations and Oversight and Research and Technology Subcommittees will hold a joint virtual hearing titled “The Role of Technology in Countering Trafficking in Persons” with these witnesses:
    • Ms. Anjana Rajan, Chief Technology Officer, Polaris
    • Mr. Matthew Daggett, Technical Staff, Humanitarian Assistance and Disaster Relief Systems Group, Lincoln Laboratory, Massachusetts Institute of Technology
    • Ms. Emily Kennedy, President and Co-Founder, Marinus Analytics
  • On 28 July, the House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, & Innovation Subcommittee will hold a hearing titled “Secure, Safe, and Auditable: Protecting the Integrity of the 2020 Elections” with these witnesses:
    • Mr. David Levine, Elections Integrity Fellow, Alliance for Securing Democracy, German Marshall Fund of the United States
    • Ms. Sylvia Albert, Director of Voting and Elections, Common Cause
    • Ms. Amber McReynolds, Chief Executive Officer, National Vote at Home Institute
    • Mr. John Gilligan, President and Chief Executive Officer, Center for Internet Security, Inc.
  • On 30 July the House Oversight and Reform Committee will hold a hearing on the tenth “Federal Information Technology Acquisition Reform Act” (FITARA) scorecard on federal information technology.
  • On 30 July, the Senate Commerce, Science, and Transportation Committee’s Security Subcommittee will hold a hearing titled “The China Challenge: Realignment of U.S. Economic Policies to Build Resiliency and Competitiveness” with these witnesses:
    • The Honorable Nazak Nikakhtar, Assistant Secretary for Industry and Analysis, International Trade Administration, U.S. Department of Commerce
    • Dr. Rush Doshi, Director of the Chinese Strategy Initiative, The Brookings Institution
    • Mr. Michael Wessel, Commissioner, U.S. – China Economic and Security Review Commission
  • On 4 August, the Senate Armed Services Committee will hold a hearing titled “Findings and Recommendations of the Cyberspace Solarium Commission” with these witnesses:
    • Senator Angus S. King, Jr. (I-ME), Co-Chair, Cyberspace Solarium Commission
    • Representative Michael J. Gallagher (R-WI), Co-Chair, Cyberspace Solarium Commission
    • Brigadier General John C. Inglis, ANG (Ret.), Commissioner, Cyberspace Solarium Commission
  • On 6 August, the Federal Communications Commission (FCC) will hold an open meeting to likely consider the following items:
    • C-band Auction Procedures. The Commission will consider a Public Notice that would adopt procedures for the auction of new flexible-use overlay licenses in the 3.7–3.98 GHz band (Auction 107) for 5G, the Internet of Things, and other advanced wireless services. (AU Docket No. 20-25)
    • Radio Duplication Rules. The Commission will consider a Report and Order that would eliminate the radio duplication rule with regard to AM stations and retain the rule for FM stations. (MB Docket Nos. 19-310, 17-105)
    • Common Antenna Siting Rules. The Commission will consider a Report and Order that would eliminate the common antenna siting rules for FM and TV broadcaster applicants and licensees. (MB Docket Nos. 19-282, 17-105)
    • Telecommunications Relay Service. The Commission will consider a Report and Order to repeal certain TRS rules that are no longer needed in light of changes in technology and voice communications services. (CG Docket No. 03-123)

Other Developments

  • Slack filed an antitrust complaint with the European Commission (EC) against Microsoft alleging that the latter’s tying Microsoft Teams to Microsoft Office is a move designed to push the former out of the market. A Slack vice president said in a statement “Slack threatens Microsoft’s hold on business email, the cornerstone of Office, which means Slack threatens Microsoft’s lock on enterprise software.” While the filing of a complaint does not mean the EC will necessarily investigate, under its new leadership the EC has signaled in a number of ways its intent to address the size of some technology companies and the effect on competition.
  • The National Institute of Standards and Technology (NIST) has issued for comment the 2nd Draft of NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM). NIST claimed this guidance document “promotes greater understanding of the relationship between cybersecurity risk management and ERM, and the benefits of integrating those approaches…[and] contains the same main concepts as the initial public draft, but their presentation has been revised to clarify the concepts and address other comments from the public.” Comments are due by 21 August 2020.
  • The United States National Security Commission on Artificial Intelligence (NSCAI) published its Second Quarter Recommendations, a compilation of policy proposals made this quarter. NSCAI said it is still on track to release its final recommendations in March 2021. The NSCAI asserted
    • The recommendations are not a comprehensive follow-up to the interim report or first quarter memorandum. They do not cover all areas that will be included in the final report. This memo spells out recommendations that can inform ongoing deliberations tied to policy, budget, and legislative calendars. But it also introduces recommendations designed to build a new framework for pivoting national security for the artificial intelligence (AI) era.
    • The NSCAI stated it “has focused its analysis and recommendations on six areas:
    • Advancing the Department of Defense’s internal AI research and development capabilities. The Department of Defense (DOD) must make reforms to the management of its research and development (R&D) ecosystem to enable the speed and agility needed to harness the potential of AI and other emerging technologies. To equip the R&D enterprise, the NSCAI recommends creating an AI software repository; improving agency-wide authorized use and sharing of software, components, and infrastructure; creating an AI data catalog; and expanding funding authorities to support DOD laboratories. DOD must also strengthen AI Test and Evaluation, Verification and Validation capabilities by developing an AI testing framework, creating tools to stand up new AI testbeds, and using partnered laboratories to test market and market-ready AI solutions. To optimize the transition from technological breakthroughs to application in the field, Congress and DOD need to reimagine how science and technology programs are budgeted to allow for agile development, and adopt the model of multi-stakeholder and multi-disciplinary development teams. Furthermore, DoD should encourage labs to collaborate by building open innovation models and a R&D database.
    • Accelerating AI applications for national security and defense. DOD must have enduring means to identify, prioritize, and resource the AI-enabled applications necessary to fight and win. To meet this challenge, the NSCAI recommends that DOD produce a classified Technology Annex to the National Defense Strategy that outlines a clear plan for pursuing disruptive technologies that address specific operational challenges. We also recommend establishing mechanisms for tactical experimentation, including by integrating AI-enabled technologies into exercises and wargames, to ensure technical capabilities meet mission and operator needs. On the business side, DOD should develop a list of core administrative functions most amenable to AI solutions and incentivize the adoption of commercially available AI tools.
    • Bridging the technology talent gap in government. The United States government must fundamentally re-imagine the way it recruits and builds a digital workforce. The Commission envisions a government-wide effort to build its digital talent base through a multi-prong approach, including: 1) the establishment of a National Reserve Digital Corps that will bring private sector talent into public service part-time; 2) the expansion of technology scholarship for service programs; and, 3) the creation of a national digital service academy for growing federal technology talent from the ground up.
    • Protecting AI advantages for national security through the discriminate use of export controls and investment screening. The United States must protect the national security sensitive elements of AI and other critical emerging technologies from foreign competitors, while ensuring that such efforts do not undercut U.S. investment and innovation. The Commission proposes that the President issue an Executive Order that outlines four principles to inform U.S. technology protection policies for export controls and investment screening, enhance the capacity of U.S. regulatory agencies in analyzing emerging technologies, and expedite the implementation of recent export control and investment screening reform legislation. Additionally, the Commission recommends prioritizing the application of export controls to hardware over other areas of AI-related technology. In practice, this requires working with key allies to control the supply of specific semiconductor manufacturing equipment critical to AI while simultaneously revitalizing the U.S. semiconductor industry and building the technology protection regulatory capacity of like-minded partners. Finally, the Commission recommends focusing the Committee on Foreign Investment in the United States (CFIUS) on preventing the transfer of technologies that create national security risks. This includes a legislative proposal granting the Department of the Treasury the authority to propose regulations for notice and public comment to mandate CFIUS filings for investments into AI and other sensitive technologies from China, Russia and other countries of special concern. The Commission’s recommendations would also exempt trusted allies and create fast tracks for vetted investors.
    • Reorienting the Department of State for great power competition in the digital age. Competitive diplomacy in AI and emerging technology arenas is a strategic imperative in an era of great power competition. Department of State personnel must have the organization, knowledge, and resources to advocate for American interests at the intersection of technology, security, economic interests, and democratic values. To strengthen the link between great power competition strategy, organization, foreign policy planning, and AI, the Department of State should create a Strategic Innovation and Technology Council as a dedicated forum for senior leaders to coordinate strategy and a Bureau of Cyberspace Security and Emerging Technology, which the Department has already proposed, to serve as a focal point and champion for security challenges associated with emerging technologies. To strengthen the integration of emerging technology and diplomacy, the Department of State should also enhance its presence and expertise in major tech hubs and expand training on AI and emerging technology for personnel at all levels across professional areas. Congress should conduct hearings to assess the Department’s posture and progress in reorienting to address emerging technology competition.
    • Creating a framework for the ethical and responsible development and fielding of AI. Agencies need practical guidance for implementing commonly agreed upon AI principles, and a more comprehensive strategy to develop and field AI ethically and responsibly. The NSCAI proposes a “Key Considerations” paradigm for agencies to implement that will help translate broad principles into concrete actions.
  • The Danish Defence Intelligence Service’s Centre for Cyber Security (CFCS) released its fifth annual assessment of the cyber threat against Denmark and concluded:
    • The cyber threat poses a serious threat to Denmark. Cyber attacks mainly carry economic and political consequences.
    • Hackers have tried to take advantage of the COVID-19 pandemic. This constitutes a new element in the general threat landscape.
    • The threat from cyber crime is VERY HIGH. No one is exempt from the threat. There is a growing threat from targeted ransomware attacks against Danish public authorities and private companies. The threat from cyber espionage is VERY HIGH.
    • The threat is especially directed against public authorities dealing with foreign and security policy issues as well as private companies whose knowledge is of interest to foreign states. 
    • The threat from destructive cyber attacks is LOW. It is less likely that foreign states will launch destructive cyber attacks against Denmark. Private companies and public authorities operating in conflict-ridden regions are at a greater risk from this threat. 
    • The threat from cyber activism is LOW. Globally, the number of cyber activism attacks has dropped in recent years, and cyber activists rarely focus on Danish public authorities and private companies. The threat from cyber terrorism is NONE. Serious cyber attacks aimed at creating effects similar to those of conventional terrorism presuppose a level of technical expertise and organizational resources that militant extremists, at present, do not possess. Also, the intention remains limited.
    • The technological development, including the development of artificial intelligence and quantum computing, creates new cyber security possibilities and challenges.

Further Reading

  • “Accuse, Evict, Repeat: Why Punishing China and Russia for Cyberattacks Fails” – The New York Times. This piece points out that the United States (US) government is largely using 19th Century responses to address 21st Century conduct by expelling diplomats, imposing sanctions, and indicting hackers. Even a greater use of offensive cyber operations does not seem to be deterring the US’s adversaries. It may turn out that the US and other nations will need to focus more on defensive measures and securing their valuable data and information.
  • “New police powers to be broad enough to target Facebook” – Sydney Morning Herald. On the heels of a 2018 law that some argue will allow the government in Canberra to order companies to decrypt users’ communications, Australia is considering the enactment of new legislation because of concern among the nation’s security services about end-to-end encryption and dark browsing. In particular, Facebook’s proposed changes to secure its networks are seen as fertile ground for criminals, especially those seeking to prey on children sexually.
  • “The U.S. has a stronger hand in its tech battle with China than many suspect” – The Washington Post. A national security writer makes the case that the cries that the Chinese are coming may prove as overblown as similar claims made about the Japanese during the 1980s and the Russians during the Cold War. The Trump Administration has used some levers that may appear to impede the People’s Republic of China’s attempt to displace the United States. In all, this writer is calling for more balance in viewing the PRC and some of the challenges it poses.
  • “Facebook is taking a hard look at racial bias in its algorithms” – Recode. After a civil rights audit that was critical of Facebook, the company is assembling and deploying teams to try to deal with the biases in its algorithms on Facebook and Instagram. Critics doubt the efforts will turn out well because economic incentives are aligned against rooting out such biases and because of the lack of diversity at the company.
  • “Does TikTok Really Pose a Risk to US National Security?” – WIRED. This article asserts TikTok is probably no riskier than other social media apps even with the possibility that the People’s Republic of China (PRC) may have access to user data.
  • “France won’t ban Huawei, but encouraging 5G telcos to avoid it: report” – Reuters. Unlike the United States, the United Kingdom, and others, France will not outright ban Huawei from its 5G networks but will instead encourage its telecommunications companies to use European manufacturers. Some companies already have Huawei equipment on their networks and may receive authorization to use the company’s equipment for up to five more years. However, France is not planning on extending authorizations past that deadline, which will function as a de facto sunset. In contrast, authorizations for Ericsson or Nokia equipment were provided for eight years. The head of France’s cybersecurity agency stressed that France was not seeking to move against the People’s Republic of China (PRC) but is responding to security concerns.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (22 July)

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 22 July, the Senate Homeland Security & Governmental Affairs Committee will mark up a number of bills and nominations, including:
    • The nomination of Derek Kan to be the Office of Management and Budget’s Deputy Director
    • The “Federal Emergency Pandemic Response Act” (S.4204)
    • The “Securing Healthcare and Response Equipment Act of 2020” (S.4210)
    • The “National Response Framework Improvement Act of 2020” (S.4153)
    • The “National Infrastructure Simulation and Analysis Center Pandemic Modeling Act of 2020” (S.4157)
    • The “PPE Supply Chain Transparency Act of 2020” (S.4158)
    • The “REAL ID Act Modernization Act” (S.4133)
    • The “Safeguarding American Innovation Act” (S.3997)
    • The “Information Technology Modernization Centers of Excellence Program Act” (S.4200)
    • The “Telework for U.S. Innovation Act” (S.4318)
    • The “GAO Database Modernization Act” (S.____)
    • The “CFO Vision Act of 2020” (S.3287)
    • The “No Tik Tok on Government Devices Act” (S. 3455)
    • The “Cybersecurity Advisory Committee Authorization Act of 2020” (S. 4024)
  • On 23 July, the Senate Commerce, Science, and Transportation Committee’s Communications, Technology, Innovation, and the Internet Subcommittee will hold a hearing on “The State of U.S. Spectrum Policy” with the following witnesses:
    • Mr. Tom Power, Senior Vice President and General Counsel, CTIA
    • Mr. Mark Gibson, Director of Business Development, CommScope
    • Dr. Roslyn Layton, Visiting Researcher, Aalborg University
    • Mr. Michael Calabrese, Director, Wireless Future Project, Open Technology Institute at New America
  • On 27 July, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold its sixth hearing on “Online Platforms and Market Power” titled “Examining the Dominance of Amazon, Apple, Facebook, and Google” that will reportedly have the heads of the four companies as witnesses.
  • On 6 August, the Federal Communications Commission (FCC) will hold an open meeting to likely consider the following items:
    • C-band Auction Procedures – The Commission will consider a Public Notice that would adopt procedures for the auction of new flexible-use overlay licenses in the 3.7–3.98 GHz band (Auction 107) for 5G, the Internet of Things, and other advanced wireless services. (AU Docket No. 20-25)
    • Radio Duplication Rules – The Commission will consider a Report and Order that would eliminate the radio duplication rule with regard to AM stations and retain the rule for FM stations. (MB Docket Nos. 19-310, 17-105)
    • Common Antenna Siting Rules – The Commission will consider a Report and Order that would eliminate the common antenna siting rules for FM and TV broadcaster applicants and licensees. (MB Docket Nos. 19-282, 17-105)
    • Telecommunications Relay Service – The Commission will consider a Report and Order to repeal certain TRS rules that are no longer needed in light of changes in technology and voice communications services. (CG Docket No. 03-123)
    • Inmate Calling Services – The Commission will consider a Report and Order on Remand and a Fourth Further Notice of Proposed Rulemaking that would respond to remands by the U.S. Court of Appeals for the District of Columbia Circuit and propose to comprehensively reform rates and charges for the inmate calling services within the Commission’s jurisdiction. (WC Docket No. 12-375)

Other Developments

  • Acting Office of Management and Budget (OMB) Director Russell Vought was confirmed by the Senate by a 51-45 vote. OMB has been without a Senate-confirmed Director since Mick Mulvaney resigned at the end of March, but he was named acting White House Chief of Staff in January 2019, resulting in Vought serving as the acting OMB head since that time.
  • Former Vice President and Democratic candidate for President Joe Biden issued a statement on Russian interference with the 2020 election that laid out his plan to respond and retaliate against these ongoing activities. His very high-level plan is a list of currently used methods of combatting cyber-attacks, much of which he would be able to undertake without Congressional assent. Biden contended “[d]espite the exposure of Russia’s malign activities by the U.S. Intelligence Community, law enforcement agencies, and bipartisan Congressional committees, the Kremlin has not halted its efforts to interfere in our democracy.” Biden said “[i]n spite of President [Donald] Trump’s failure to act, America’s adversaries must not misjudge the resolve of the American people to counter every effort by a foreign power to interfere in our democracy, whether by hacking voting systems and databases, laundering money into our political system, systematically spreading disinformation, or trying to sow doubt about the integrity of our elections.” He vowed:
    • If elected president, I will treat foreign interference in our election as an adversarial act that significantly affects the relationship between the United States and the interfering nation’s government.
    • I will direct the U.S. Intelligence Community to report publicly and in a timely manner on any efforts by foreign governments that have interfered, or attempted to interfere, with U.S. elections.
    • I will direct my administration to leverage all appropriate instruments of national power and make full use of my executive authority to impose substantial and lasting costs on state perpetrators.
    • These costs could include financial-sector sanctions, asset freezes, cyber responses, and the exposure of corruption.
    • A range of other actions could also be taken, depending on the nature of the attack.
    • I will direct our response at a time and in a manner of our choosing.
    • In addition, I will take action where needed to stop attempts to interfere with U.S. elections before they can impact our democratic processes.
    • In particular, I will direct and resource the Department of Defense, Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Department of State, and the Federal Bureau of Investigation’s Foreign Interference Task Force to develop plans for disrupting foreign threats to our elections process.
    • This will be done, wherever possible, in coordination with our allies and partners, so that we are isolating the regimes that seek to undermine democracies and civil liberties.
  • Top Democrats in Congress have written the Director of the Federal Bureau of Investigation (FBI) requesting “a defensive counterintelligence briefing to all Members of the House of Representatives and the Senate regarding foreign efforts to interfere in the 2020 U.S. presidential election.” Speaker of the House Nancy Pelosi (D-CA), Senate Minority Leader Chuck Schumer (D-NY), House Intelligence Committee Chair Adam Schiff (D-CA), and Senate Intelligence Committee Ranking Member Mark Warner (D-VA) sent a letter to FBI Director Christopher Wray in which they claimed “that Congress appears to be the target of a concerted foreign interference campaign, which seeks to launder and amplify disinformation in order to influence congressional activity, public debate, and the presidential election in November.”
  • District of Columbia Attorney General Karl Racine (D) has inserted himself into the struggle raging over the Trump Administration’s remaking of the United States (US) Agency for Global Media (USAGM), in part, by installing Michael Pack as the head of USAGM. He filed suit “to resolve a dispute between two dueling Boards of Directors that has paralyzed the Open Technology Fund (OTF), a District nonprofit…which supports encryption and anti-censorship tools for people living in repressive societies…an independent nonprofit corporation organized and created under District law that receives grant funding from the USAGM” per his press release. Racine claimed:
    • The USAGM CEO does not have authority over OTF’s Board or officers: OTF is an independent D.C. nonprofit corporation, which governs itself under local law and under its own bylaws. While USAGM provides grant funding for OTF’s work, it does not have authority over OTF’s governance. OAG asserts that OTF’s bylaws are clear and that only the organization’s Board of Directors—not USAGM, its leadership, or any other body—has the authority to appoint or remove OTF directors.
    • Dueling Boards have paralyzed OTF: Two Boards are currently claiming authority over OTF, and without clarity as to which Board is properly in place, the organization is effectively leaderless. It is also unable to authorize decisions necessary for carrying out its functions, including decisions to authorize funding partner organizations have already been promised, and decisions related to potential new partnership. The leadership crisis has also left employees of the organization at risk of losing their jobs.
    • The original Board of Directors is the valid Board: OAG asserts that because Pack did not have authority under either District law or OTF’s bylaws to dismiss OTF’s Board of Directors, the Court should recognize OTF’s original Board as valid.
    • Any actions taken on behalf of OTF by Michael Pack or his replacement Board should be voided: Michael Pack did not have authority as USAGM CEO to dismiss or appoint Directors on behalf of OTF. As a result, any actions Pack or the replacement Board have taken on behalf of OTF should be invalidated.
  • The Department of Commerce’s (DOC) Bureau of Industry and Security (BIS) has announced further action against entities from the People’s Republic of China (PRC) by adding “to the Entity List 11 Chinese companies implicated in human rights violations and abuses in the implementation of the PRC’s campaign of repression, mass arbitrary detention, forced labor, involuntary collection of biometric data, and genetic analyses targeted at Muslim minority groups from the Xinjiang Uyghur Autonomous Region (XUAR)” according to the agency’s press release. DOC claimed “[t]oday’s action will result in these companies facing new restrictions on access to U.S.-origin items, including commodities and technology…[and] will supplement BIS’s two tranches of Entity List designations in October 2019 and June 2020, actions that together added 37 parties engaged in or enabling PRC’s repression in Xinjiang.”

Further Reading

  • “Google Promises Privacy With Virus App but Can Still Collect Location Data” – The New York Times. Google’s version of the contact tracing app developed with Apple has a feature the other company’s does not: it prompts users to turn on the Android device’s location setting. This feature would seem to be contrary to the claims made by Google and Apple that their Bluetooth tracing system does not collect sensitive location data. In fact, the companies refused the requests of the governments of the United Kingdom and France, among others, to change settings on their smartphones to allow for centralized information collection on possible COVID-19 transmission. A number of European nations have pressed Google to remove this feature, and a Google spokesperson claimed the Android Bluetooth tracing capability did not use location services, raising the question of why the prompt appears.
  • “Inside the Federal Trade Commission’s Facebook probe” – Axios. The anonymous sources inside the Federal Trade Commission (FTC) cautioning that the agency will not likely pursue an anti-trust action against Facebook before next year may be part of an inner-agency quarrel slowing down the inquiry. Allegedly, the FTC’s Bureau of Competition and its Office of Policy Planning are at odds over the drafting of guidance that will govern the Facebook and other anti-trust investigations. The latter wants to keep the current standards of harm to consumers in terms of price changes, which the former thinks are inapplicable in the provision of free services. How this struggle plays out may well inform the agency’s approach to Facebook and other tech companies.
  • “Beware the ‘But China’ Excuses” – The New York Times. This article cautions people against putting too much stock in the claims by the Trump Administration and technology companies that the People’s Republic of China (PRC) is the seeming threat they say it is. If the PRC is such a threat, the United States might consider investing more in basic research and development (R&D) and in some critical tech sectors to develop and build their products in the US. The article also scrutinizes the notion advanced by some tech sector CEOs that breaking up the tech giants will ultimately benefit PRC competitors.
  • “DHS Authorizes Domestic Surveillance to Protect Statues and Monuments” – Lawfare. One of my law school professors and a colleague examine a Department of Homeland Security’s (DHS) Office of Intelligence & Analysis (I&A) that authorizes intelligence and information collection on those who present threats to monuments, memorials, and statues that seems like a Trojan Horse by which DHS could surveil and mobilize protestors in the streets of American cities. The surveillance cannot be electronic surveillance, but then DHS could ask a sister agency to conduct such activity if needed.
  • “Two more cyber-attacks hit Israel’s water system” – ZDNet. It appears Iran has responded to Israel’s cyber attacks that led to a number of problems at facilities in Tehran. This is the latest in an ongoing battle between the two Middle Eastern enemies that may escalate further.

Further Reading and Other Developments (17 July)

The Technology Policy Update is being published daily during the week, and here are the Other Developments and Further Reading from this week.

Other Developments

  • Acting Senate Intelligence Committee Chair Marco Rubio (R-FL), Senate Foreign Relations Committee Chair Jim Risch (R-ID), and Senators Chris Coons (D-DE) and John Cornyn (R-TX) wrote Secretary of Commerce Wilbur Ross and Secretary of Defense Mike Esper “to ask that the Administration take immediate measures to bring the most advanced digital semiconductor manufacturing capabilities to the United States…[which] are critical to our American economic and national security and while our nation leads in the design of semiconductors, we rely on international manufacturing for advanced semiconductor fabrication.” This letter follows the Trump Administration’s May announcement that the Taiwan Semiconductor Manufacturing Corporation (TSMC) agreed to build a $12 billion plant in Arizona. It also bears note that one of the amendments pending to the “National Defense Authorization Act for Fiscal Year 2021” (S.4049) would establish a grants program to stimulate semiconductor manufacturing in the US.
  • Senators Mark R. Warner (D-VA), Mazie K. Hirono (D-HI) and Bob Menendez (D-NJ) sent a letter to Facebook “regarding its failure to prevent the propagation of white supremacist groups online and its role in providing such groups with the organizational infrastructure and reach needed to expand.” They also “criticized Facebook for being unable or unwilling to enforce its own Community Standards and purge white supremacist and other violent extremist content from the site” and posed “a series of questions regarding Facebook’s policies and procedures against hate speech, violence, white supremacy and the amplification of extremist content.”
  • The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) published the Pipeline Cyber Risk Mitigation Infographic that was “[d]eveloped in coordination with the Transportation Security Administration (TSA)…[that] outlines activities that pipeline owners/operators can undertake to improve their ability to prepare for, respond to, and mitigate against malicious cyber threats.”
  • Representative Kendra Horn (D-OK) and 10 other Democrats introduced legislation “requiring the U.S. government to identify, analyze, and combat efforts by the Chinese government to exploit the COVID-19 pandemic” that was endorsed by “[t]he broader Blue Dog Coalition” according to their press release. The “Preventing China from Exploiting COVID-19 Act” (H.R.7484) “requires the Director of National Intelligence—in coordination with the Secretaries of Defense, State, and Homeland Security—to prepare an assessment of the different ways in which the Chinese government has exploited or could exploit the pandemic, which originated in China, in order to advance China’s interests and to undermine the interests of the United States, its allies, and the rules-based international order.” Horn and her cosponsors stated “[t]he assessment must be provided to Congress within 90 days and posted in unclassified form on the DNI’s website.”
  • The Supreme Court of Canada upheld the “Genetic Non-Discrimination Act” and denied a challenge to the legality of the statute brought by the government of Quebec, the Attorney General of Canada, and others. The court found:
    • The pith and substance of the challenged provisions is to protect individuals’ control over their detailed personal information disclosed by genetic tests, in the broad areas of contracting and the provision of goods and services, in order to address Canadians’ fears that their genetic test results will be used against them and to prevent discrimination based on that information. This matter is properly classified within Parliament’s power over criminal law. The provisions are supported by a criminal law purpose because they respond to a threat of harm to several overlapping public interests traditionally protected by the criminal law — autonomy, privacy, equality and public health.
  • The U.S.-China Economic and Security Review Commission published a report “analyzing the evolution of U.S. multinational enterprises (MNE) operations in China from 2000 to 2017.” The Commission found MNE’s operations in the People’s Republic of China “may indirectly erode the United States’ domestic industrial competitiveness and technological leadership relative to China” and “as U.S. MNE activity in China increasingly focuses on the production of high-end technologies, the risk that U.S. firms are unwittingly enabling China to achieve its industrial policy and military development objectives rises.”
  • The Federal Communications Commission (FCC) and Huawei filed their final briefs in their lawsuit before the United States Court of Appeals for the Fifth Circuit arising from the FCC’s designation of Huawei as a “covered company” for purposes of a rule that denies Universal Service Funds (USF) “to purchase or obtain any equipment or services produced or provided by a covered company posing a national security threat to the integrity of communications networks or the communications supply chain.” Huawei claimed in its brief that “[t]he rulemaking and ‘initial designation’ rest on the FCC’s national security judgments…[b]ut such judgments fall far afield of the FCC’s statutory authority and competence.” Huawei also argued “[t]he USF rule, moreover, contravenes the Administrative Procedure Act (APA) and the Due Process Clause.” The FCC responded in its filing that “Huawei challenges the FCC’s decision to exclude carriers whose networks are vulnerable to foreign interference, contending that the FCC has neither statutory nor constitutional authority to make policy judgments involving ‘national security’…[but] [t]hese arguments are premature, as Huawei has not yet been injured by the Order.” The FCC added “Huawei’s claim that the Communications Act textually commits all policy determinations with national security implications to the President is demonstrably false.”
  • European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski released his Strategy for 2020-2024, “which will focus on Digital Solidarity.” Wiewiórowski explained that “three core pillars of the EDPS strategy outline the guiding actions and objectives for the organisation to the end of 2024:”
    • Foresight: The EDPS will continue to monitor legal, social and technological advances around the world and engage with experts, specialists and data protection authorities to inform its work.
    • Action: To strengthen the EDPS’ supervision, enforcement and advisory roles the EDPS will promote coherence in the activities of enforcement bodies in the EU and develop tools to assist the EU institutions, bodies and agencies to maintain the highest standards in data protection.
    • Solidarity: While promoting digital justice and privacy for all, the EDPS will also enforce responsible and sustainable data processing, to positively impact individuals and maximise societal benefits in a just and fair way.
  • Facebook released a Civil Rights Audit, an “investigation into Facebook’s policies and practices began in 2018 at the behest and encouragement of the civil rights community and some members of Congress.” Those charged with conducting the audit explained that they “vigorously advocated for more and would have liked to see the company go further to address civil rights concerns in a host of areas that are described in detail in the report” including but not limited to
    • A stronger interpretation of its voter suppression policies — an interpretation that makes those policies effective against voter suppression and prohibits content like the Trump voting posts — and more robust and more consistent enforcement of those policies leading up to the US 2020 election.
    • More visible and consistent prioritization of civil rights in company decision-making overall.
    • More resources invested to study and address organized hate against Muslims, Jews and other targeted groups on the platform.
    • A commitment to go beyond banning explicit references to white separatism and white nationalism to also prohibit express praise, support and representation of white separatism and white nationalism even where the terms themselves are not used.
    • More concrete action and specific commitments to take steps to address concerns about algorithmic bias or discrimination.
    • They added that “[t]his report outlines a number of positive and consequential steps that the company has taken, but at this point in history, the Auditors are concerned that those gains could be obscured by the vexing and heartbreaking decisions Facebook has made that represent significant setbacks for civil rights.”
  • The National Security Commission on Artificial Intelligence (NSCAI) released a white paper titled “The Role of AI Technology in Pandemic Response and Preparedness” that “outlines a series of investments and initiatives that the United States must undertake to realize the full potential of AI to secure our nation against pandemics.” NSCAI noted its previous two white papers:
  • Secretary of Defense Mark Esper announced that Chief Technology Officer Michael J.K. Kratsios has “been designated to serve as Acting Under Secretary of Defense for Research and Engineering” even though he does not have a degree in science. The last Under Secretary held a PhD. However, Kratsios worked for venture capitalist Peter Thiel who backed President Donald Trump when he ran for office in 2016.
  • The United States’ Department of Transportation’s Federal Railroad Administration (FRA) issued research “to develop a cyber security risk analysis methodology for communications-based connected railroad technologies…[and] [t]he use-case-specific implementation of the methodology can identify potential cyber attack threats, system vulnerabilities, and consequences of the attack– with risk assessment and identification of promising risk mitigation strategies.”
  • In a blog post, a National Institute of Standards and Technology (NIST) economist asserted cybercrime may be having a much larger impact on the United States’ economy than previously thought:
    • In a recent NIST report, I looked at losses in the U.S. manufacturing industry due to cybercrime by examining an underutilized dataset from the Bureau of Justice Statistics, which is the most statistically reliable data that I can find. I also extended this work to look at the losses in all U.S. industries. The data is from a 2005 survey of 36,000 businesses with 8,079 responses, which is also by far the largest sample that I could identify for examining aggregated U.S. cybercrime losses. Using this data, combined with methods for examining uncertainty in data, I extrapolated upper and lower bounds, putting 2016 U.S. manufacturing losses to be between 0.4% and 1.7% of manufacturing value-added or between $8.3 billion and $36.3 billion. The losses for all industries are between 0.9% and 4.1% of total U.S. gross domestic product (GDP), or between $167.9 billion and $770.0 billion. The lower bound is 40% higher than the widely cited, but largely unconfirmed, estimates from McAfee.
  • The Government Accountability Office (GAO) advised the Federal Communications Commission (FCC) that it needs a comprehensive strategy for implementing 5G across the United States. The GAO concluded:
    • FCC has taken a number of actions regarding 5G deployment, but it has not clearly developed specific and measurable performance goals and related measures–with the involvement of relevant stakeholders, including National Telecommunications and Information Administration (NTIA)–to manage the spectrum demands associated with 5G deployment. This makes FCC unable to demonstrate whether the progress being made in freeing up spectrum is achieving any specific goals, particularly as it relates to congested mid-band spectrum. Additionally, without having established specific and measurable performance goals with related strategies and measures for mitigating 5G’s potential effects on the digital divide, FCC will not be able to assess the extent to which its actions are addressing the digital divide or what actions would best help all Americans obtain access to wireless networks.
  • The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued “Time Guidance for Network Operators, Chief Information Officers, and Chief Information Security Officers” “to inform public and private sector organizations, educational institutions, and government agencies on time resilience and security practices in enterprise networks and systems…[and] to address gaps in available time testing practices, increasing awareness of time-related system issues and the linkage between time and cybersecurity.”
  • Fifteen Democratic Senators sent a letter to the Department of Defense, Office of the Director of National Intelligence (ODNI), Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), and U.S. Cyber Command, urging them “to take additional measures to fight influence campaigns aimed at disenfranchising voters, especially voters of color, ahead of the 2020 election.” They called on these agencies to take “additional measures:”
    • The American people and political candidates are promptly informed about the targeting of our political processes by foreign malign actors, and that the public is provided regular periodic updates about such efforts leading up to the general election.
    • Members of Congress and congressional staff are appropriately and adequately briefed on continued findings and analysis involving election related foreign disinformation campaigns and the work of each agency and department to combat these campaigns.
    • Findings and analysis involving election related foreign disinformation campaigns are shared with civil society organizations and independent researchers to the maximum extent which is appropriate and permissible.
    • Secretary Esper and Director Ratcliffe implement a social media information sharing and analysis center (ISAC) to detect and counter information warfare campaigns across social media platforms as authorized by section 5323 of the Fiscal Year 2020 National Defense Authorization Act.
    • Director Ratcliffe implement the Foreign Malign Influence Response Center to coordinate a whole of government approach to combatting foreign malign influence campaigns as authorized by section 5322 of the Fiscal Year 2020 National Defense Authorization Act.
  • The Information Technology and Innovation Foundation (ITIF) unveiled an issue brief “Why New Calls to Subvert Commercial Encryption Are Unjustified” arguing “that government efforts to subvert encryption would negatively impact individuals and businesses.” ITIF offered these “key takeaways:”
    • Encryption gives individuals and organizations the means to protect the confidentiality of their data, but it has interfered with law enforcement’s ability to prevent and investigate crimes and foreign threats.
    • Technological advances have long frustrated some in the law enforcement community, giving rise to multiple efforts to subvert commercial use of encryption, from the Clipper Chip in the 1990s to the San Bernardino case two decades later.
    • Having failed in these prior attempts to circumvent encryption, some law enforcement officials are now calling on Congress to invoke a “nuclear option”: legislation banning “warrant-proof” encryption.
    • This represents an extreme and unjustified measure that would do little to take encryption out of the hands of bad actors, but it would make commercial products less secure for ordinary consumers and businesses and damage U.S. competitiveness.
  • The White House released an executive order in which President Donald Trump determined “that the Special Administrative Region of Hong Kong (Hong Kong) is no longer sufficiently autonomous to justify differential treatment in relation to the People’s Republic of China (PRC or China) under the particular United States laws and provisions thereof set out in this order.” Trump further determined “the situation with respect to Hong Kong, including recent actions taken by the PRC to fundamentally undermine Hong Kong’s autonomy, constitutes an unusual and extraordinary threat, which has its source in substantial part outside the United States, to the national security, foreign policy, and economy of the United States…[and] I hereby declare a national emergency with respect to that threat.” The executive order would continue the Administration’s process of changing policy to ensure Hong Kong is treated the same as the PRC.
  • President Donald Trump also signed a bill passed in response to the People’s Republic of China (PRC) passing legislation the United States and others claim will strip Hong Kong of the protections the PRC agreed to maintain for 50 years after the United Kingdom (UK) handed over the city. The “Hong Kong Autonomy Act” “requires the imposition of sanctions on Chinese individuals and banks who are included in an annual State Department list found to be subverting Hong Kong’s autonomy” according to the bill’s sponsor Representative Brad Sherman (D-CA).
  • Representative Stephen Lynch, who chairs the House Oversight and Reform Committee’s National Security Subcommittee, sent letters to Apple and Google “after the Office of the Director of National Intelligence (ODNI) and the Federal Bureau of Investigation (FBI) confirmed that mobile applications developed, operated, or owned by foreign entities, including China and Russia, could potentially pose a national security risk to American citizens and the United States” according to his press release. He noted in letters sent by the technology companies to the Subcommittee that:
    • Apple confirmed that it does not require developers to submit “information on where user data (if any such data is collected by the developer’s app) will be housed” and that it “does not decide what user data a third-party app can access, the user does.”
    • Google stated that it does “not require developers to provide the countries in which their mobile applications will house user data” and acknowledged that “some developers, especially those with a global user base, may store data in multiple countries.”
    • Lynch is seeking “commitments from Apple and Google to require information from application developers about where user data is stored, and to make users aware of that information prior to downloading the application on their mobile devices.”
  • Minnesota Attorney General Keith Ellison announced a settlement with Frontier Communications that “concludes the three major investigations and lawsuits that the Attorney General’s office launched into Minnesota’s major telecoms providers for deceptive, misleading, and fraudulent practices.” The Office of the Attorney General (OAG) stated:
    • Based on its investigation, the Attorney General’s Office alleged that Frontier used a variety of deceptive and misleading practices to overcharge its customers, such as: billing customers more than they were quoted by Frontier’s agents; failing to disclose fees and surcharges in its sales presentations and advertising materials; and billing customers for services that were not delivered.
    • The OAG “also alleged that Frontier sold Minnesotans expensive internet services with so-called “maximum speed” ratings that were not attainable, and that Frontier improperly advertised its service as “reliable,” when in fact it did not provide enough bandwidth for customers to consistently receive their expected service.”
  • The European Data Protection Board (EDPB) issued guidelines “on the criteria of the Right to be Forgotten in the search engines cases under the GDPR” that “focuses solely on processing by search engine providers and delisting requests submitted by data subjects” even though Article 17 of the General Data Protection Regulation applies to all data controllers. The EDPB explained “This paper is divided into two topics:”
    • The first topic concerns the grounds a data subject can rely on for a delisting request sent to a search engine provider pursuant to Article 17.1 GDPR.
    • The second topic concerns the exceptions to the Right to request delisting according to Article 17.3 GDPR.
  • The Australian Competition & Consumer Commission (ACCC) “is seeking views on draft Rules and accompanying draft Privacy Impact Assessment that authorise third parties who are accredited at the ‘unrestricted’ level to collect Consumer Data Right (CDR) data on behalf of another accredited person.” The ACCC explained “[t]his will allow accredited persons to utilise other accredited parties to collect CDR data and provide other services that facilitate the provision of goods and services to consumers.” In a March explanatory statement, the ACCC stated “[t]he CDR is an economy-wide reform that will apply sector-by-sector, starting with the banking sector…[and] [t]he objective of the CDR is to provide individual and business consumers (consumers) with the ability to efficiently and conveniently access specified data held about them by businesses (data holders), and to authorise the secure disclosure of that data to third parties (accredited data recipients) or to themselves.” The ACCC noted “[t]he CDR is regulated by both the ACCC and the Office of the Australian Information Commissioner (OAIC) as it concerns both competition and consumer matters as well as the privacy and confidentiality of consumer data.” Input is due by 20 July.
  • The Office of the Inspector General (OIG) for the Department of the Interior (Interior) found that even though the agency spends $1.4 billion annually on cybersecurity, “[g]uarding against increasing cybersecurity threats” remains one of Interior’s top challenges. The OIG asserted Interior “continues to struggle to implement an enterprise information technology (IT) security program that balances compliance, cost, and risk while enabling bureaus to meet their diverse missions.”
  • In a summary of its larger investigation into “Security over Information Technology Peripheral Devices at Select Office of Science Locations,” the Department of Energy’s Office of the Inspector General (OIG) said it “identified weaknesses related to access controls and configuration settings” for peripheral devices (e.g. thumb drives, printers, scanners and other connected devices) “similar in type to those identified in prior evaluations of the Department’s unclassified cybersecurity program.”
  • The House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, and Innovation Subcommittee Ranking Member John Katko (R-NY) announced “a comprehensive national cybersecurity improvement package” according to his press release, consisting of these bills:
    • The “Cybersecurity and Infrastructure Security Agency Director and Assistant Directors Act:”  This bipartisan measure takes steps to improve guidance and long-term strategic planning by stabilizing the CISA Director and Assistant Directors positions. Specifically, the bill:
      • Creates a 5-year term for the CISA Director, with a limit of 2 terms. The term of office for the current Director begins on date the Director began to serve.
      • Elevates the Director to the equivalent of a Deputy Secretary and Military Service Secretaries.
      • Depoliticizes the Assistant Director positions, appointed by the Secretary of the Department of Homeland Security (DHS), categorizing them as career public servants. 
    • The “Strengthening the Cybersecurity and Infrastructure Security Agency Act of 2020:” This measure mandates a comprehensive review of CISA in an effort to strengthen its operations, improve coordination, and increase oversight of the agency. Specifically, the bill:
      • Requires CISA to review how additional appropriations could be used to support programs for national risk management, federal information systems management, and public-private cybersecurity and integration. It also requires a review of workforce structure and current facilities and projected needs. 
      • Mandates that CISA provides a report to the House and Senate Homeland Committees within 1-year of enactment. CISA must also provide a report and recommendations to GSA on facility needs. 
      • Requires GSA to provide a review to the Administration and House and Senate Committees on CISA facilities needs within 30-days of Congressional report. 
    • The “CISA Public-Private Talent Exchange Act:” This bill requires CISA to create a public-private workforce program to facilitate the exchange of ideas, strategies, and concepts between federal and private sector cybersecurity professionals. Specifically, the bill:
      • Establishes a public-private cyber exchange program allowing government and industry professionals to work in one another’s field.
      • Expands existing private outreach and partnership efforts. 
  • The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is ordering United States federal civilian agencies “to apply the July 2020 Security Update for Windows Servers running DNS (CVE-2020-1350), or the temporary registry-based workaround if patching is not possible within 24 hours.” CISA stated “[t]he software update addresses a significant vulnerability where a remote attacker could exploit it to take control of an affected system and run arbitrary code in the context of the Local System Account.” CISA Director Christopher Krebs explained “due to the wide prevalence of Windows Server in civilian Executive Branch agencies, I’ve determined that immediate action is necessary, and federal departments and agencies need to take this remote code execution vulnerability in Windows Server’s Domain Name System (DNS) particularly seriously.”
  • The United States (US) Department of State has imposed “visa restrictions on certain employees of Chinese technology companies that provide material support to regimes engaging in human rights abuses globally” that is aimed at Huawei. In its statement, the Department stated “Companies impacted by today’s action include Huawei, an arm of the Chinese Communist Party’s (CCP) surveillance state that censors political dissidents and enables mass internment camps in Xinjiang and the indentured servitude of its population shipped all over China.” The Department claimed “[c]ertain Huawei employees provide material support to the CCP regime that commits human rights abuses.”
  • Earlier in the month, the US Departments of State, Treasury, Commerce, and of Homeland Security issued an “advisory to highlight the harsh repression in Xinjiang.” The agencies explained:
    • Businesses, individuals, and other persons, including but not limited to academic institutions, research service providers, and investors (hereafter “businesses and individuals”), that choose to operate in Xinjiang or engage with entities that use labor from Xinjiang elsewhere in China should be aware of reputational, economic, and, in certain instances, legal, risks associated with certain types of involvement with entities that engage in human rights abuses, which could include Withhold Release Orders (WROs), civil or criminal investigations, and export controls.
  • The United Kingdom’s National Cyber Security Centre (NCSC), Canada’s Communications Security Establishment (CSE), United States’ National Security Agency (NSA) and the United States’ Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on a Russian hacking organization whose efforts have “targeted various organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines.” The agencies named APT29 (also known as ‘the Dukes’ or ‘Cozy Bear’), “a cyber espionage group, almost certainly part of the Russian intelligence services,” as the culprit behind “custom malware known as ‘WellMess’ and ‘WellMail.’”
    • This alert follows May advisories issued by Australia, the US, and the UK on hacking threats related to the pandemic. Australia’s Department of Foreign Affairs and Trade (DFAT) and the Australian Cyber Security Centre (ACSC) issued “Advisory 2020-009: Advanced Persistent Threat (APT) actors targeting Australian health sector organisations and COVID-19 essential services” that asserted “APT groups may be seeking information and intellectual property relating to vaccine development, treatments, research and responses to the outbreak as this information is now of higher value and priority globally.” CISA and NCSC issued a joint advisory for the healthcare sector, especially companies and entities engaged in fighting COVID-19. The agencies stated that they have evidence that Advanced Persistent Threat (APT) groups “are exploiting the COVID-19 pandemic as part of their cyber operations.” In an unclassified public service announcement, the Federal Bureau of Investigation (FBI) and CISA named the People’s Republic of China as a nation waging a cyber campaign against U.S. COVID-19 researchers. The agencies stated they “are issuing this announcement to raise awareness of the threat to COVID-19-related research.”
  • The National Initiative for Cybersecurity Education (NICE) has released a draft National Institute of Standards and Technology (NIST) Special Publication (SP) for comment due by 28 August. Draft NIST Special Publication (SP) 800-181 Revision 1, Workforce Framework for Cybersecurity (NICE Framework), features several updates, including:
    • an updated title to be more inclusive of the variety of workers who perform cybersecurity work,
    • definition and normalization of key terms,
    • principles that facilitate agility, flexibility, interoperability, and modularity,
    • introduction of competencies,
  • Representatives Glenn Thompson (R-PA), Collin Peterson (D-MN), and James Comer (R-KY) sent a letter to the Federal Communications Commission (FCC) “questioning the Commission’s April 20, 2020 Order granting Ligado’s application to deploy a terrestrial nationwide network to provide 5G services.”
  • The European Commission (EC) is asking for feedback on part of its recently released data strategy by 31 July. The EC stated it is aiming “to create a single market for data, where data from public bodies, business and citizens can be used safely and fairly for the common good…[and] [t]his initiative will draw up rules for common European data spaces (covering areas like the environment, energy and agriculture) to:
    • make better use of publicly held data for research for the common good
    • support voluntary data sharing by individuals
    • set up structures to enable key organisations to share data.
  • The United Kingdom’s Parliament is asking for feedback on its legislative proposal to regulate Internet of Things (IoT) devices. The Department for Digital, Culture, Media & Sport explained “the obligations within the government’s proposed legislative framework would fall mainly on the manufacturer if they are based in the UK, or if not based in the UK, on their UK representative.” The Department is also “developing an enforcement approach with relevant stakeholders to identify an appropriate enforcement body to be granted day to day responsibility and operational control of monitoring compliance with the legislation.” The Department also touted the publishing of the European Telecommunications Standards Institute’s (ETSI) “security baseline for Internet-connected consumer devices and provides a basis for future Internet of Things product certification schemes.”
  • Facebook issued a white paper, titled “CHARTING A WAY FORWARD: Communicating Towards People-Centered and Accountable Design About Privacy,” in which the company states its desire to be involved in shaping a United States privacy law (See below for an article on this). Facebook concluded:
    • Facebook recognizes the responsibility we have to make sure that people are informed about the data that we collect, use, and share.
    • That’s why we support globally consistent comprehensive privacy laws and regulations that, among other things, establish people’s basic rights to be informed about how their information is collected, used, and shared, and impose obligations for organizations to do the same, including the obligation to build internal processes that maintain accountability.
    • As improvements to technology challenge historic approaches to effective communications with people about privacy, companies and regulators need to keep up with changing times.
    • To serve the needs of a global community, on both the platforms that exist now and those that are yet to be developed, we want to work with regulators, companies, and other interested third parties to develop new ways of informing people about their data, empowering them to make meaningful choices, and holding ourselves accountable.
    • While we don’t have all the answers, there are many opportunities for businesses and regulators to embrace modern design methods, new opportunities for better collaboration, and innovative ways to hold organizations accountable.
  • Four Democratic Senators sent Facebook a letter “about reports that Facebook has created fact-checking exemptions for people and organizations who spread disinformation about the climate crisis on its social media platform” following a New York Times article this week on the social media company’s practices regarding climate disinformation. Even though the social media giant has moved aggressively to take down false and inaccurate COVID-19 posts, climate disinformation lives on the social media platform largely unmolested for a couple of reasons. First, Facebook marks these sorts of posts as opinion and takes the approach that opinions should be judged under an absolutist free speech regime. Moreover, Facebook asserts posts of this sort do not pose any imminent harm and therefore do not need to be taken down. Despite having teams of fact checkers to vet posts of demonstrably untrue information, Facebook chooses not to, most likely because material that elicits strong reactions from users drives engagement that, in turn, drives advertising dollars. Senators Elizabeth Warren (D-WA), Tom Carper (D-DE), Sheldon Whitehouse (D-RI) and Brian Schatz (D-HI) argued “[i]f Facebook is truly “committed to fighting the spread of false news on Facebook and Instagram,” the company must immediately acknowledge in its fact-checking process that the climate crisis is not a matter of opinion and act to close loopholes that allow climate disinformation to spread on its platform.” They posed a series of questions to Facebook CEO Mark Zuckerberg on these practices, requesting answers by 31 July.
  • A Canadian court has found that the Canadian Security Intelligence Service (CSIS) “admittedly collected information in a manner that is contrary to this foundational commitment and then relied on that information in applying for warrants under the Canadian Security Intelligence Service Act, RSC 1985, c C-23 [CSIS Act]” according to a court summary of its redacted decision. The court further stated “[t]he Service and the Attorney General also admittedly failed to disclose to the Court the Service’s reliance on information that was likely collected unlawfully when seeking warrants, thereby breaching the duty of candour owed to the Court.” The court added “[t]his is not the first time this Court has been faced with a breach of candour involving the Service…[and] [t]he events underpinning this most recent breach were unfolding as recommendations were being implemented by the Service and the Attorney General to address previously identified candour concerns.” CSIS was found to have illegally collected and used metadata in a 2016 case on its conduct between 2006-2016. In response to the most recent ruling, CSIS is vowing to implement a range of reforms. The National Security and Intelligence Review Agency (NSIRA) is pledging the same.
  • The United Kingdom’s National Police Chiefs’ Council (NPCC) announced the withdrawal of “[t]he ‘Digital device extraction – information for complainants and witnesses’ form and ‘Digital Processing Notice’ (‘the relevant forms’) circulated to forces in February 2019 [that] are not sufficient for their intended purpose.” In mid-June, the UK’s data protection authority, the Information Commissioner’s Office (ICO) unveiled its “finding that police data extraction practices vary across the country, with excessive amounts of personal data often being extracted, stored, and made available to others, without an appropriate basis in existing data protection law.” This withdrawal was also due, in part, to a late June Court of Appeal decision.  
  • A range of public interest and advocacy organizations sent a letter to Speaker of the House Nancy Pelosi (D-CA) and House Minority Leader Kevin McCarthy (R-CA) noting “there are intense efforts underway to do exactly that, via current language in the House and Senate versions of the FY2021 National Defense Authorization Act (NDAA) that ultimately seek to reverse the FCC’s recent bipartisan and unanimous approval of Ligado Networks’ regulatory plans.” They urged them to “not endorse efforts by the Department of Defense and its allies to veto commercial spectrum authorizations…[and][t]he FCC has proven itself to be the expert agency on resolving spectrum disputes based on science and engineering and should be allowed to do the job Congress authorized it to do.” In late April, the FCC’s “decision authorize[d] Ligado to deploy a low-power terrestrial nationwide network in the 1526-1536 MHz, 1627.5-1637.5 MHz, and 1646.5-1656.5 MHz bands that will primarily support Internet of Things (IoT) services.” The agency argued the order “provides regulatory certainty to Ligado, ensures adjacent band operations, including Global Positioning System (GPS), are sufficiently protected from harmful interference, and promotes more efficient and effective use of [the U.S.’s] spectrum resources by making available additional spectrum for advanced wireless services, including 5G.”
  • The European Data Protection Supervisor (EDPS) rendered his opinion on the European Commission’s White Paper on Artificial Intelligence: a European approach to excellence and trust and recommended the following for the European Union’s (EU) regulation of artificial intelligence (AI):
    • applies both to EU Member States and to EU institutions, offices, bodies and agencies;
    • is designed to protect from any negative impact, not only on individuals, but also on communities and society as a whole;
    • proposes a more robust and nuanced risk classification scheme, ensuring any significant potential harm posed by AI applications is matched by appropriate mitigating measures;
    • includes an impact assessment clearly defining the regulatory gaps that it intends to fill.
    • avoids overlap of different supervisory authorities and includes a cooperation mechanism.
    • Regarding remote biometric identification, the EDPS supports the idea of a moratorium on the deployment, in the EU, of automated recognition in public spaces of human features, not only of faces but also of gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioural signals, so that an informed and democratic debate can take place and until the moment when the EU and Member States have all the appropriate safeguards, including a comprehensive legal framework in place to guarantee the proportionality of the respective technologies and systems for the specific use case.
  • The Bundesamt für Verfassungsschutz (BfV), Germany’s domestic security agency, released a summary of its annual report in which it claimed:
    • The Russian Federation, the People’s Republic of China, the Islamic Republic of Iran and the Republic of Turkey remain the main countries engaged in espionage activities and trying to exert influence on Germany.
    • The ongoing digital transformation and the increasingly networked nature of our society increases the potential for cyber attacks, worsening the threat of cyber espionage and cyber sabotage.
    • The intelligence services of the Russian Federation and the People’s Republic of China in particular carry out cyber espionage activities against German agencies. One of their tasks is to boost their own economies with the help of information gathered by the intelligence services. This type of information-gathering campaign severely threatens the success and development opportunities of German companies.
    • To counteract this threat, Germany has a comprehensive cyber security architecture in place, which is operated by a number of different authorities. The BfV plays a major role in investigating and defending against cyber threats by detecting attacks, attributing them to specific attackers, and using the knowledge gained from this to draw up prevention strategies. The National Cyber Response Centre, in which the BfV plays a key role, was set up to consolidate the co-operation between the competent agencies. The National Cyber Response Centre aims to optimise the exchange of information between state agencies and to improve the co-ordination of protective and defensive measures against potential IT incidents.

Further Reading

  • “Trump confirms cyberattack on Russian trolls to deter them during 2018 midterms” – The Washington Post. In an interview with former George W. Bush speechwriter Marc Thiessen, President Donald Trump confirmed he ordered a widely reported retaliatory attack on the Russian Federation’s Internet Research Agency as a means of preventing interference during the 2018 mid-term election. Trump claimed this attack he ordered was the first action the United States took against Russian hacking even though his predecessor warned Russian President Vladimir Putin to stop such activities and imposed sanctions at the end of 2016. The timing of Trump’s revelation is interesting given the ongoing furor over reports of Russian bounties paid to Taliban fighters for killing Americans the Trump Administration may have known of but did little or nothing to stop.
  • “Germany proposes first-ever use of EU cyber sanctions over Russia hacking” – Deutsche Welle. Germany is looking to use the European Union’s (EU) cyber sanctions powers against Russia for its alleged 2015 16 GB exfiltration of data from the Bundestag’s systems, including from Chancellor Angela Merkel’s office. Germany has been alleging that Fancy Bear (aka APT28) and Russia’s military secret service GRU carried out the attack. Germany has circulated its case for sanctions to other EU nations and EU leadership. In 2017, the European Council declared “[t]he EU diplomatic response to malicious cyber activities will make full use of measures within the Common Foreign and Security Policy, including, if necessary, restrictive measures…[and] [a] joint EU response to malicious cyber activities would be proportionate to the scope, scale, duration, intensity, complexity, sophistication and impact of the cyber activity.”
  • Wyden Plans Law to Stop Cops From Buying Data That Would Need a Warrant” – VICE. Following on a number of reports that federal, state, and local law enforcement agencies are essentially sidestepping the Fourth Amendment through buying location and other data from people’s smartphones, Senator Ron Wyden (D-OR) is going to draft legislation that would seemingly close what he, and other civil libertarians, are calling a loophole to the warrant requirement.
  • “Amazon Backtracks From Demand That Employees Delete TikTok” – The New York Times. Amazon first instructed its employees to remove ByteDance’s app, TikTok, on 11 July from company devices and then reversed course the same day, claiming the email had been erroneously sent out. The strange episode capped another tumultuous week for ByteDance as the Trump Administration is intensifying pressure in a number of ways on the company, which officials claim is subject to the laws of the People’s Republic of China and hence must share information with the government in Beijing. ByteDance counters that the app is marketed in the United States through a subsidiary not subject to PRC law. ByteDance also said it would no longer offer the app in Hong Kong after a change in PRC law extended the PRC’s reach into the former British colony. TikTok was also recently banned in India as part of a larger struggle between India and the PRC. Additionally, the Democratic National Committee warned staff about using the app this week, too.
  • “Is it time to delete TikTok? A guide to the rumors and the real privacy risks.” – The Washington Post. A columnist and security specialist found ByteDance’s app vacuums up information from users, but so do Facebook and other similar apps. They scrutinized TikTok’s privacy policy and where the data went, and they could not say with certainty that it goes to and stays on servers in the US and Singapore.
  • California investigating Google for potential antitrust violations” – Politico. California Attorney General Xavier Becerra is going to conduct his own investigation of Google aside and apart from the investigation of the company’s advertising practices being conducted by virtually every other state in the United States. It was unclear why Becerra opted against joining the larger probe launched in September 2019. Of course, the Trump Administration’s Department of Justice is also investigating Google and could file suit as early as this month.
  • “How May Google Fight an Antitrust Case? Look at This Little-Noticed Paper” – The New York Times. In a filing with the Australian Competition and Consumer Commission (ACCC), Google claimed it does not control the online advertising market and that this is borne out by a number of indicia that argue against a monopolistic situation. The company is likely to make the same case to the United States’ government in its antitrust inquiry. However, similar arguments did not gain traction before the European Commission, which levied a €1.49 billion fine for “breaching EU antitrust rules” in March 2019.
  •  “Who Gets the Banhammer Now?” – The New York Times. This article examines possible motives for the recent wave of action by social media platforms to police a fraction of the extreme and hateful speech activists and others have been asking them to take down for years. This piece makes the argument that social media platforms are businesses and operate as such and expecting them to behave as de facto public squares dedicated to civil political and societal discourse is more or less how we ended up where we are.
  • TikTok goes tit-for-tat in appeal to MPs: ‘stop political football’ – The Australian. ByteDance is lobbying hard in Canberra to talk Ministers of Parliament out of possibly banning TikTok like the United States has said it is considering. While ByteDance claims the data collected on users in Australia is sent to the US or Singapore, some experts are arguing just to maintain and improve the app would necessarily result in some non-People’s Republic of China (PRC) user data making its way back to the PRC. As Australia’s relationship with the PRC has grown more fraught with allegations PRC hackers infiltrated Parliament and the Prime Minister all but saying PRC hackers were targeting hospitals and medical facilities, the government in Canberra could follow India’s lead and ban the app.
  • Calls for inquiry over claims Catalan lawmaker’s phone was targeted” – The Guardian. British and Spanish newspapers are reporting that an official in Catalonia who favors separating the region from Spain may have had his smartphone compromised with industrial grade spyware typically used only by law enforcement and counterterrorism agencies. The President of the Parliament of Catalonia Roger Torrent claims his phone was hacked for domestic political purposes, which other Catalan leaders argued, too. A spokesperson for the Spanish government said “[t]he government has no evidence that the speaker of the Catalan parliament has been the victim of a hack or theft involving his mobile.” However, the University of Toronto’s CitizenLab, the entity that researched and claimed that Israeli firm NSO Group’s spyware was deployed via WhatsApp to spy on a range of journalists, officials, and dissidents, often by their own governments, confirmed that Torrent’s phone was compromised.
  • While America Looks Away, Autocrats Crack Down on Digital News Sites” – The New York Times. The Trump Administration’s combative relationship with the media in the United States may be encouraging other nations to crack down on digital media outlets trying to hold those governments to account.
  • “How Facebook Handles Climate Disinformation” – The New York Times. Even though the social media giant has moved aggressively to take down false and inaccurate COVID-19 posts, climate disinformation lives on the social media platform largely unmolested for a couple of reasons. First, Facebook marks these sorts of posts as opinion and takes the approach that opinions should be judged under an absolutist free speech regime. Moreover, Facebook asserts posts of this sort do not pose any imminent harm and therefore do not need to be taken down. Despite having teams of fact checkers to vet posts of demonstrably untrue information, Facebook chooses not to, most likely because material that elicits strong reactions from users drives engagement that, in turn, drives advertising dollars.
  • “Here’s how President Trump could go after TikTok” – The Washington Post. This piece lays out two means the Trump Administration could employ to press ByteDance in the immediate future: use of the May 2019 Executive Order “Securing the Information and Communications Technology and Services Supply Chain” or the Committee on Foreign Investment in the United States process examining ByteDance’s acquisition of the app Musical.ly that became TikTok. Left unmentioned in this article is the possibility of the Federal Trade Commission (FTC) examining its 2019 settlement with ByteDance to settle violations of the “Children’s Online Privacy Protection Act” (COPPA).
  • You’re Doomscrolling Again. Here’s How to Snap Out of It.” – The New York Times. If you find yourself endlessly looking through social media feeds, this piece explains why and how you might stop doing so.
  • “UK selling spyware and wiretaps to 17 repressive regimes including Saudi Arabia and China” – The Independent. There are allegations that the British government has ignored its own regulations on selling equipment and systems that can be used for surveillance and spying to other governments with spotty human rights records. Specifically, the United Kingdom (UK) has sold £75m of such equipment to countries that non-governmental organizations (NGO) have rated as “not free.” The claims include nations such as the People’s Republic of China (PRC), the Kingdom of Saudi Arabia, Bahrain, and others. Not surprisingly, NGOs and the minority Labour party are calling for an investigation and changes.
  • “Google sued for allegedly tracking users in apps even after opting out” – CNET. Boies Schiller Flexner filed what will undoubtedly seek to become a class action suit over Google allegedly continuing to track users even when they turned off tracking features. This follows a suit filed by the same firm against Google in June, claiming its browser Chrome still tracks people when they switch to incognito mode.
  • “Secret Trump order gives CIA more powers to launch cyberattacks” – Yahoo! News. It turns out that in addition to signing National Security Presidential Memorandum (NSPM) 13 that revamped and eased offensive cyber operations for the Department of Defense, President Donald Trump signed a presidential finding that has allowed the Central Intelligence Agency (CIA) to launch its own offensive cyber attacks, mainly at Russia and Iran, according to unnamed former United States (US) officials cited in this blockbuster story. Now, the decision to commence with an attack is not vetted by the National Security Council; rather, the CIA makes the decision. Consequently, there have been a number of attacks on US adversaries that until now have not been associated with the US. And, the CIA is apparently not informing the National Security Agency or Cyber Command of its operations, raising the risk of US cyber forces working at cross purposes or against one another in cyberspace. Moreover, a recently released report blamed the lax security environment at the CIA for a massive exfiltration of hacking tools released by WikiLeaks.
  • Facebook’s plan for privacy laws? ‘Co-creating’ them with Congress” – Protocol. In concert with the release of a new white paper, Facebook Deputy Chief Privacy Officer Rob Sherman sat for an interview in which he pledged the company’s willingness to work with Congress to co-develop a national privacy law. However, he would not comment on any of the many privacy bills released thus far or the policy contours of a bill Facebook would favor except for advocating for an enhanced notice and consent regime under which people would be better informed about how their data is being used. Sherman also shrugged off suggestions Facebook may not be welcome given its record of privacy violations. Finally, it bears mention that similar efforts by other companies at the state level have not succeeded as of yet. For example, Microsoft’s efforts in Washington state have not borne fruit in the passage of a privacy law.
  • Deepfake used to attack activist couple shows new disinformation frontier” – Reuters. We are at the beginning of a new age of disinformation in which fake photographs and video will be used to wage campaigns against nations, causes, and people. An activist and his wife were accused of being terrorist sympathizers by a university student who apparently was an elaborate ruse for someone or some group looking to defame the couple. Small errors gave away the ruse this time, but advances in technology are likely to make detection all the harder.
  • “Biden, billionaires and corporate accounts targeted in Twitter hack” – The Washington Post. Policymakers and security experts were alarmed when the accounts of major figures like Bill Gates and Barack Obama were hacked yesterday by some group seeking to sell bitcoin. They argue Twitter was lucky this time and a more ideologically motivated enemy may seek to cause havoc, say on the United States’ coming election. A number of experts are claiming the attackers must have penetrated the platform’s internal controls for so many high profile accounts to be taken over at the same time.
  • “TikTok Enlists Army of Lobbyists as Suspicions Over China Ties Grow” – The New York Times. ByteDance’s payments for lobbying services in Washington doubled between the last quarter of 2019 and first quarter of 2020, as the company has retained more than 35 lobbyists to push back against the Trump Administration’s rhetoric and policy changes. The company is fighting against a floated proposal to ban the TikTok app on national security grounds, which would cut the company off from another of its top markets after India banned it and scores of other apps from the People’s Republic of China. Even if the Administration does not bar use of the app in the United States, the company is facing legislation that would ban its use on federal networks and devices that will be acted upon next week by a Senate committee. Moreover, ByteDance’s acquisition of the app that became TikTok is facing a retrospective review by an inter-agency committee for national security considerations that could result in an unwinding of the deal. Moreover, the Federal Trade Commission (FTC) has been urged to review ByteDance’s compliance with a 2019 settlement over claims that the company violated regulations protecting the privacy of children, a review that could result in multi-billion dollar liability if wrongdoing is found.
  • “Why Google and Facebook Are Racing to Invest in India” – Foreign Policy. With New Delhi banning 59 apps and platforms from the People’s Republic of China (PRC), two American firms have invested in an Indian giant with an eye toward the nearly 500 million Indians not yet online. Reliance Industries’ Jio Platforms has sold stakes to Google and Facebook worth $4.5 billion and $5.7 billion that give them prized positions as the company looks to expand into 5G and other online ventures. This will undoubtedly give a leg up to the United States’ online giants in vying with competitors for the world’s second most populous nation.
  • ““Outright Lies”: Voting Misinformation Flourishes on Facebook” – ProPublica. In this piece published with First Draft, “a global nonprofit that researches misinformation,” an analysis of the most popular claims made about mail voting shows that many of them are inaccurate or false, thus violating the platform’s terms of service, yet Facebook did nothing to remove them or mark them as inaccurate until this article was being written.
  • “Inside America’s Secretive $2 Billion Research Hub” – Forbes. Using contract information obtained through Freedom of Information requests and interviews, light is shined on the little known non-profit MITRE Corporation that has been helping the United States government address numerous technological problems since the late 1950’s. The article uncovers some of its latest, federally funded projects that are raising eyebrows among privacy advocates: technology to lift people’s fingerprints from social media pictures, technology to scan and copy Internet of Things (IoT) devices from a distance, a scanner to read a person’s DNA, and others.
  • “The FBI Is Secretly Using A $2 Billion Travel Company As A Global Surveillance Tool” – Forbes. In his second blockbuster article in a week, Forbes reporter Thomas Brewster exposes how the United States (US) government is using questionable court orders to gather travel information from the three companies that essentially provide airlines, hotels, and other travel entities with back-end functions with respect to reservations and bookings. The three companies, one of which, Sabre, is a US multinational, have masses of information on you if you have ever traveled, and US law enforcement agencies, namely the Federal Bureau of Investigation, are using a 1789 statute to obtain orders all three companies have to obey for information in tracking suspects. Allegedly, this capability has only been used to track terror suspects but will now reportedly be used for COVID-19 tracking.
  • With Trump CIA directive, the cyber offense pendulum swings too far” – Yahoo! News. Former United States (US) National Coordinator for Security, Infrastructure Protection, and Counter-terrorism Richard Clarke argues against the Central Intelligence Agency (CIA) having carte blanche in conducting cyber operations without the review or input of other federal agencies. He suggests that the CIA in particular, and agencies in general, tend to push their authority to the extreme, which in this case could lead to incidents and lasting precedents in cyberspace that may haunt the US. Clarke also intimated that it may have been the CIA and not Israel that launched cyber attacks on infrastructure facilities in Tehran this month and last.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading and Other Developments (29 June)


Other Developments

  • The Senate Commerce, Science, and Transportation Committee held an oversight hearing on the Federal Communications Commission (FCC) with the FCC Chair and four Commissioners.
  • New Zealand’s Parliament passed the “Privacy Act 2020,” a major update of its 1993 statute that would, according to New Zealand’s Privacy Commissioner, do the following:
    • Mandatory notification of harmful privacy breaches. If organisations or businesses have a privacy breach that poses a risk of serious harm, they are required to notify the Privacy Commissioner and affected parties. This change brings New Zealand in line with international best practice.
    • Introduction of compliance orders. The Commissioner may issue compliance notices to require compliance with the Privacy Act. Failure to follow a compliance notice could result in a fine of up to $10,000.
    • Binding access determinations. If an organisation or business refuses to make personal information available upon request, the Commissioner will have the power to demand release.
    • Controls on the disclosure of information overseas. Before disclosing New Zealanders’ personal information overseas, New Zealand organisations or businesses will need to ensure those overseas entities have similar levels of privacy protection to those in New Zealand.
    • New criminal offences. It will be an offence to mislead an organisation or business in a way that affects someone’s personal information or to destroy personal information if a request has been made for it.  The maximum fine for these offences is $10,000.
    • Explicit application to businesses whether or not they have a legal or physical presence in New Zealand. If an international digital platform is carrying on business in New Zealand, with the New Zealanders’ personal information, there will be no question that they will be obliged to comply with New Zealand law regardless of where they, or their servers are based.
  • The United States’ National Archives’ Information Security Oversight Office (ISOO) submitted its annual report to the White House and found:
    • Our Government’s ability to protect and share Classified National Security Information and Controlled Unclassified Information (CUI) continues to present serious challenges to our national security. While dozens of agencies now use various advanced technologies to accomplish their missions, a majority of them still rely on antiquated information security management practices. These practices have not kept pace with the volume of digital data that agencies create and these problems will worsen if we do not revamp our data collection methods for overseeing information security programs across the Government. We must collect and analyze data that more accurately reflects the true health of these programs in the digital age.
    • However, ISOO noted progress on efforts to better secure and protect CUI but added “[f]ull implementation will require additional resources, including dedicated funds and more full-time staff.”
    • Regarding classified information, ISOO found “Classified National Security Information policies and practices remain outdated and are unable to keep pace with the volume of digital data that agencies create.”
  • The Australian Strategic Policy Institute’s International Cyber Policy Centre released its most recent “Covid-19 Disinformation & Social Media Manipulation” report titled “ID2020, Bill Gates and the Mark of the Beast: how Covid-19 catalyses existing online conspiracy movements:”
    • Against the backdrop of the global Covid-19 pandemic, billionaire philanthropist Bill Gates has become the subject of a diverse and rapidly expanding universe of conspiracy theories. As an example, a recent poll found that 44% of Republicans and 19% of Democrats in the US now believe that Gates is linked to a plot to use vaccinations as a pretext to implant microchips into people. And it’s not just America: 13% of Australians believe that Bill Gates played a role in the creation and spread of the coronavirus, and among young Australians it’s 20%. Protests around the world, from Germany to Melbourne, have included anti-Gates chants and slogans.
    • This report takes a close look at a particular variant of the Gates conspiracy theories, which is referred to here as the ID2020 conspiracy (named after the non-profit ID2020 Alliance, which the conspiracy theorists claim has a role in the narrative), as a case study for examining the dynamics of online conspiracy theories on Covid-19. Like many conspiracy theories, that narrative builds on legitimate concerns, in this case about privacy and surveillance in the context of digital identity systems, and distorts them in extreme and unfounded ways.
  • The Pandemic Response Accountability Committee (PRAC) released “TOP CHALLENGES FACING FEDERAL AGENCIES: COVID-19 Emergency Relief and Response Efforts” for those agencies that received the bulk of funds under the “Coronavirus Aid, Relief, and Economic Security (CARES) Act” (P.L. 116-136). PRAC, which is housed within the Council of the Inspectors General on Integrity and Efficiency (CIGIE), is comprised of “21 Offices of Inspector General (OIG) overseeing agencies who received the bulk of the emergency funding.” PRAC stated:
    • CIGIE previously has identified information technology (IT) security and management as a long-standing, serious, and ubiquitous challenge that impacts agencies across the government, highlighting agencies’ dependence on reliable and secure IT systems to perform their mission-critical functions.  Key areas of concern have included safeguarding federal systems against cyberattacks and insider threats, modernizing and managing federal IT systems, ensuring continuity of operations, and recruiting and retaining a highly skilled cybersecurity workforce.  
    • These concerns remain a significant challenge, but are impacted by (1) widespread reliance on maximum telework to continue agency operations during the pandemic, which has strained agency networks and shifted IT resources, and (2) additional opportunities and targets for cyberattacks created by remote access to networks and increases in online financial activity.
  • Following the completion of a European Union-People’s Republic of China summit, European Commission President Ursula von der Leyen pointed to a number of ongoing technology-related issues between the EU and the PRC, including:
    • [W]e continue to have an unbalanced trade and investment relationship. We have not made the progress we aimed for in last year’s Summit statement in addressing market access barriers. We need to follow up on these commitments urgently. And we also need to have more ambition on the Chinese side in order to conclude negotiations on an investment agreement. These two actions would address the asymmetry in our respective market access and would improve the level playing field between us. In order to conclude the investment agreement, we would need in particular substantial commitments from China on the behaviour of state-owned enterprises, transparency in subsidies, and transparency on the topic of forced technology transfers.
    • We have raised these issues at the same time with President Xi and Premier Li that we expect that China will show the necessary level of ambition to conclude these negotiations by the end of this year. I think it is important that we have now a political, high-level approach on these topics.
    • I have also made it clear that China needs to engage seriously on a reform of the World Trade Organization, in particular on the future negotiations on industrial subsidies. This is the relevant framework where we have to work together on the topic – and it is a difficult topic – but this is the framework, which we have to establish to have common binding rules we agree on.
    • And we must continue to work on tackling Chinese overcapacity, for example in the steel and metal sectors, and in high technology. Here for us it is important that China comes back to the international negotiation table, that we sit down there and find solutions.
    • We also pointed out the importance of the digital transformation and its highly assertive approach to the security, the resilience and the stability of digital networks, systems and value chains. We have seen cyberattacks on hospitals and dedicated computing centres. Likewise, we have seen a rise of online disinformation. We pointed out clearly that this cannot be tolerated.
  • United States Secretary of State Mike Pompeo issued a statement titled “The Tide Is Turning Toward Trusted 5G Vendors,” in which he claimed:
    • The tide is turning against Huawei as citizens around the world are waking up to the danger of the Chinese Communist Party’s surveillance state. Huawei’s deals with telecommunications operators around the world are evaporating, because countries are only allowing trusted vendors in their 5G networks. Examples include the Czech Republic, Poland, Sweden, Estonia, Romania, Denmark, and Latvia. Recently, Greece agreed to use Ericsson rather than Huawei to develop its 5G infrastructure.
  • Germany’s highest court, the Bundesgerichtshof (BGH), ruled against Facebook’s claim that the country’s antitrust regulator was wrong in its finding that it was abusing its dominant position in combining data on German nationals and residents across its platforms. Now the matter will go down to a lower German court that is expected to heed the higher court’s ruling and allow the Bundeskartellamt’s restrictions to limit Facebook’s activity.
  • France’s Conseil d’État upheld the Commission nationale de l’informatique et des libertés’ (CNIL) 2019 fine of €50 million of Google under the General Data Protection Regulation (GDPR) “for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.”
  • A Virginia court ruled against House Intelligence Committee Ranking Member Devin Nunes (R-CA) in his suit against Twitter and Liz Mair, a Republican consultant, and Twitter accounts @devincow and @DevinNunesMom regarding alleged defamation.
  • The California Secretary of State has listed the ballot initiative to add the “California Privacy Rights Act” to the state’s law, in large part, to amend the “California Consumer Privacy Act” (CCPA) (AB 375) as having qualified for November’s ballot.

Further Reading

  • “Wrongfully Accused by an Algorithm” – The New York Times. In what should have been predictable and foreseeable given the error rate of many facial recognition algorithms at correctly identifying people of color, an African American was wrongly identified by this technology, causing him to be arrested. Those in the field and experts stress positive identifications are supposed to only be one piece of evidence, but in this case, it was the only evidence police had. After a store loss specialist agreed a person in a low grade photo was the likely shoplifter, police arrested the man. Eventually, the charges were dismissed, initially with prejudice leaving open the possibility of future prosecution but later the district attorney cleared all charges and expunged the arrest.
  • “Pentagon Says it Needs ‘More Time’ Fixing JEDI Contract” – Nextgov. The saga of the Department of Defense’s Joint Enterprise Defense Infrastructure cloud contract continues. Amazon and Microsoft will need to submit revised bids for the possibly $10 billion procurement as the Department of Defense (DOD) is trying to cure the problems turned up by a federal court in the suit brought by Amazon. These bids would be evaluated later this summer, according to a recent DOD court filing. The next award of this contract could trigger another bid protest just as the first award caused Amazon to challenge Microsoft’s victory.
  • EU pushing ahead with digital tax despite U.S. resistance, top official says” – Politico. In an Atlantic Council event, European Commission Executive Vice President Margrethe Vestager stated the European Union will move ahead with an EU-wide digital services tax despite the recent pullout of the United States from talks on such a tax. The Organization for Economic Co-operation and Development had convened multi-lateral talks to resolve differences on how a global digital services tax will ideally function with most of the nations involved arguing for a 2% tax to be assessed in the nation where the transaction occurs as opposed to where the company is headquartered. EU officials claim agreement was within reach when the US removed itself from the talks. An EU-wide tax is of a piece with a more aggressive stance taken by the EU towards US technology companies, a number of which are currently under investigation for antitrust and anti-competitive behaviors.
  • “Verizon joins ad boycott of Facebook over hateful content” – Associated Press. The telecommunications company joined a number of other companies in pulling their advertising from Facebook in a boycott organized by the ADL (the Anti-Defamation League), the NAACP, Sleeping Giants, Color Of Change, Free Press and Common Sense. The #StopHateforProfit campaign “asks large Facebook advertisers to show they will not support a company that puts profit over safety,” and thus far, a number of companies are doing just that, including Eddie Bauer, Patagonia, North Face, Ben & Jerry’s, and others. In a statement, a Facebook spokesperson stated “[o]ur conversations with marketers and civil rights organizations are about how, together, we can be a force for good.” While Facebook has changed course due to this and other pressure regarding content posted or ads placed on its platform, most recently by removing a Trump campaign ad with Nazi imagery, the company has not changed its position on allowing political ads with lies.
  • The UK’s contact tracing app fiasco is a master class in mismanagement” – MIT Technology Review. This after-action report on the United Kingdom’s National Health Service’s efforts to build its own COVID-19 contact tracing app is grim. The NHS is basically scrapping its work and opting for the Google/Apple API. However, the government in London is claiming “we will now be taking forward a solution that brings together the work on our app and the Google/Apple solution.” A far too ambitious plan married to organizational chaos led to the crash of the NHS effort.
  • Trump administration sees no loophole in new Huawei curb” – Reuters. Despite repeated arguments by trade experts the most recent United States Department of Commerce regulations on Huawei will not cut off access to high technology components, Secretary of Commerce Wilbur Ross claimed “[t]he Department of Commerce does not see any loopholes in this rule…[and] [w]e reaffirm that we will implement the rule aggressively and pursue any attempt to evade its intent.”
  • Defense Department produces list of Chinese military-linked companies” – Axios. Likely in response to a letter sent last year by Senate Minority Leader Chuck Schumer (D-NY) and Senator Tom Cotton (R-AR), the Department of Defense has finally fulfilled a requirement in the FY 1999 National Defense Authorization Act to update a list of “those persons operating directly or indirectly in the United States or any of its territories and possessions that are Communist Chinese military companies.” The DOD has complied and compiled a list of People’s Republic of China (PRC) entities linked to the PRC military. This provision in the FY 1999 NDAA also grants the President authority to “exercise International Emergency Economic Powers Act (IEEPA) authorities” against listed entities, which could include serious sanctions.
  • Andrew Yang is pushing Big Tech to pay users for data” – The Verge. Former candidate for the nomination of the Democratic Party for President Andrew Yang has stated the Data Dividend Project, “a movement dedicated to taking back control of our personal data: our data is our property, and if we allow companies to use it, we should get paid for it.” Additionally, “[i]ts primary objective is to establish and enforce data property rights under laws such as the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020.” California Governor Gavin Newsom proposed a similar program in very vague terms in a State of California speech but never followed up on it, and Senator John Kennedy (R-LA) has introduced the “Own Your Own Data Act” (S. 806) to provide people with rights to sell their personal data.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading and Other Developments (20 June)

Other Developments

  • The House Financial Services Committee’s National Security, International Development, and Monetary Policy Subcommittee held a virtual hearing titled “Cybercriminals and Fraudsters: How Bad Actors Are Exploiting the Financial System During the COVID-19 Pandemic.”
  • The Senate Appropriations Committee’s Financial Services and General Government Subcommittee held a hearing titled “Oversight of FCC Spectrum Auctions Program.”
  • The Commerce, Science, and Transportation Committee held a hearing on a number of nominations, including a re-nomination of Federal Communications Commission Commissioner Michael O’Rielly for another full term.
  • The Department of Commerce’s Industry and Security Bureau released an interim final rule to amend “the Export Administration Regulations (EAR) to authorize the release of certain technology to Huawei and its affiliates on the Entity List without a license if such release is made for the purpose of contributing to the revision or development of a ‘standard’ in a ‘standards organization.’” The Department added in its press release “The rule returns U.S. industry to the status quo ante, from an Entity List perspective, with respect to disclosures of such technology to Huawei and its affiliates in legitimate standards development contexts only, and not for commercial purposes. Disclosures for commercial purposes remain ‘subject to the EAR’ and are still subject to recordkeeping and all other applicable EAR requirements.” Comments are due on 17 August 2020.
  • The National Transportation Safety Board (NTSB) released its “Safety Recommendation Report” that “called for a change in air cargo shipping requirements for some types of lithium-ion batteries” following its investigation “into the shipment of lithium-ion batteries that ignited while in transport on a delivery truck in Canada.” The NTSB recommended that the Pipeline and Hazardous Materials Safety Administration:
    • Propose to the International Civil Aviation Organization to remove its special provision A88 from its Technical Instructions for the Safe Transport of Dangerous Goods by Air allowing special permits for low-production or prototype lithium-ion cells or batteries shipped by airplane and eliminate any exceptions to the testing of United Nations Manual of Tests and Criteria, Part III, Sub-section 38.3 requirements for all lithium-ion batteries before transport by air. (A-20-31)
    • Once the International Civil Aviation Organization removes special provision A88 from the Technical Instructions for the Safe Transport of Dangerous Goods by Air, remove the exemption from United Nations Manual of Tests and Criteria, Part III, Sub-section 38.3 testing from Title 49 Code of Federal Regulations 173.185(e) for low-production or prototype lithium-ion batteries, when transported by air. (A-20-32)
  • The Carnegie Endowment for International Peace’s Partnership for Countering Influence Operations (PCIO) released “The Challenges of Countering Influence Operations” with these “Key Takeaways:”
    • Influence operations defy easy categorization. Influence operations often fail to fit neatly into boxes outlined by individual policies or legislation. They are run in a complex environment where actors overlap, borders are easily crossed and blurred, and motives are mixed—making enforcement challenging. In this case study, actors share highly politicized online content but also appear to benefit financially from their actions, making it difficult to ascertain whether their motives are primarily political, commercial, or both.
    • Relevant policies by social media platforms tend to be a patchwork of community standards that apply to individual activities of an influence campaign, not the operation as a whole. Policies published by social media companies often focus on individual components of influence operations. This approach attempts to neatly categorize and distinguish actors (foreign versus domestic), motives (political influence and profit), activities (including misrepresentation, fraud, and spamming behavior), and content (such as misinformation, hate speech, and abuse). This piecemeal approach to enforcement raises questions about whether officials within social media platforms fully understand how influence operations work and how such campaigns are more than the individual behaviors that compose them.
    • Social media networks have more opportunities to counter influence operations through their platform policies than governments do with existing legislation. Social media companies have implemented various policies to govern how their platforms are used, providing opportunities for combating influence operations. They also have greater access to information about how their platforms are used and have domain-specific expertise that allows them to create more tailored solutions. Fewer avenues exist for countering such influence operations using government-led legal mechanisms. This is not only because of the relative paucity of laws that govern online activity but also because law enforcement requires attribution before they can act, and such attribution can be difficult to ascertain in these cases. This means that governments have generally done little to help private industry actors determine what kinds of influence operations are unacceptable and should be combated. In the absence of such guidance, industry actors are de facto drawing those lines for society. Governments could do more to help guide industry players as they determine the boundaries of acceptable behavior by participating in multi-stakeholder efforts—some of which have been set up by think tanks and nonprofits—and by considering legal approaches that emphasize transparency rather than criminalization.
    • The influence operations uncovered by media scrutiny are not always as easy to counter as those writing about them might hope. Savvy influence operators understand how to evade existing rules, so that their activities and content do not breach known policies or legislation. Media coverage that showcases examples of influence operations seldom explains whether and how these operators violate existing platform policies or legislation. This is a problem because distasteful influence operations do not always overtly violate existing policies or laws—raising questions about where the lines are (and should be) between what is tolerable and what is not, and, moreover, who should be determining those lines. Even when existing policies clearly do apply, these questions persist. Stakeholders should more clearly assess what constitutes problematic behavior before rushing to demand enforcement.
  • A number of privacy and civil liberties groups released “principles to protect the civil rights and privacy of all persons, especially those populations who are at high risk for the virus and communities of color, when considering the deployment of technological measures in response to the COVID-19 crisis.” These groups also sent these principles in letters to both the House and the Senate.
  • The Technology Coalition, formed 15 years ago “when industry leaders came together to fight online child sexual exploitation and abuse (CSEA),” announced “Project Protect: A plan to combat online child sexual abuse – a renewed investment and ongoing commitment to our work seeking to prevent and eradicate online CSEA” with these elements:
    • Execute a Strategic “Five Pillar” Plan to reinforce the cross-industry approach to combating CSEA, putting in place the structure, membership models, and staffing needed to support the Technology Coalition’s long term objectives.
    • Establish a multi-million dollar Research and Innovation Fund to build crucial technological tools needed to more effectively prevent and work to eradicate CSEA.
    • Commit to publishing an Annual Progress Report on industry efforts to combat CSEA.
    • Create an annual Forum for CSEA experts bringing together industry, governments, and civil society to share best practices and drive collective action.
  • Amnesty International’s Security Lab named Bahrain, Kuwait and Norway as having “some of the most invasive COVID-19 contact tracing apps around the world, putting the privacy and security of hundreds of thousands of people at risk.”
  • The Knight Foundation and Gallup released “Free Expression, Harmful Speech, and Censorship in a Digital World,” “a study to gauge Americans’ opinions on [social media companies, the internet, and the role of government], delving specifically into two potential paths forward — amending Section 230 of the Communications Decency Act, which largely shields internet companies from legal liability for content shared on their sites, and the relatively new notion of content oversight boards” with these topline findings:
    • Americans prefer social media apps and sites to be places of open expression.
    • Even as Americans voice a preference for open expression, there are several forms of online content that many say should be restricted or never allowed.
    • Many Americans have personally been targeted by harmful online behavior.
    • Americans are somewhat divided on Section 230 of the Communications Decency Act, which largely shields major internet companies from liability for content posted on their websites and apps by third parties.
    • A majority of Americans do not trust social media companies to make the right decisions about what content appears on their sites or apps.
    • Despite misgivings about major internet companies making the right decisions related to harmful online content, Americans are more likely to favor the companies, rather than government, setting policies to regulate such content.
    • Americans’ opinions of content oversight boards are largely favorable, tending to prefer them to social media companies or the government to make decisions about what can and cannot appear on social media websites and apps. 
    • Americans’ favorability toward content oversight boards increases when they know more about them.
    • The most important content oversight board attributes for Americans are transparency and diversity, followed closely by independence — i.e., who appoints board members. Less valuable is the board’s ability to compel social media companies to enact its decisions or guidelines.
    • Americans’ trust in a social media company will not automatically increase solely because the company adopts a content oversight board. Rather, trust can be gained based on the board’s features relating to its independence, transparency, diversity and ability to enforce decisions.
  • Graphika released a report titled “Exposing Secondary Infektion: Forgeries, interference, and attacks on Kremlin critics across six years and 300 sites and platforms,” “a long-running Russian information operation, encompassing multiple campaigns on social media run by a central entity, which was already active in 2014 and that was still running in early 2020.”
  • The University of Toronto’s Citizen Lab and Amnesty International released a report on “nine Indian lawyers, activists, and journalists….targeted in 2019 in a coordinated malware campaign” with “NetWire, a commercially available spyware.”

Further Reading

  • “The Economy Is Reeling. The Tech Giants Spy Opportunity.” – The New York Times. All of the large technology companies are continuing the same pace of acquisition and product roll outs as last year. Critics fear that companies’ expansion through buying new businesses, technologies, and platforms will further cement their dominance of the United States (US) and world economies. Moreover, these companies have also been rolling out new services to compete with upstarts (e.g. Google’s meeting service to try to grab market share from Zoom.) It remains to be seen whether antitrust and anti-competitive actions in the US, European Union and elsewhere will stop or even reverse the continued growth of Google, Apple, Amazon, and others.
  • “Amazon’s Ring has 29 new police agreements since the killing of George Floyd” – Protocol. In spite of its pledge to hold off on selling its facial recognition technology to police departments for a year, Amazon has continued to sign up local law enforcement for participation in partnerships using its Ring and Neighbors technology platforms. These systems make available to police footage from the camera/doorbell system Amazon is marketing as a security must have. Critics of the system and how Amazon operates it argue it has already disproportionately affected African Americans and other minorities in gentrifying areas and offers a workaround to warrant requirements, since officers would not need to go to court to obtain this footage because private parties are not bound by the Fourth Amendment like government agencies.
  • “Big Tech’s Pandemic Power Grab” – The Atlantic. This article foresees government regulation of large technology companies in the United States (US) that solidifies their preeminence, in large part, because these companies have been partnering with and working for the US government. And, in making this bargain, these companies are using every lever and all the leverage at their disposal to strike the type of bargain they want. There may be pushback against this impulse to grow, but it is worth keeping in mind that the trustbusting era in the US may have divided up corporate giants like Standard Oil but their progeny are still very powerful (e.g. Exxon Mobil.)
  • “New York lawmakers want to outlaw geofence warrants as protests grow” – Protocol. A bill introduced in April to address the law enforcement practice of requesting geofencing data from technology companies receives renewed scrutiny in the New York State legislature in the midst of protests against racism and police violence in the United States. The article cites a Google filing in a Virginia lawsuit alleging “Between 2017 and 2018, Google saw a 1,500% increase in geofence requests…[and] [b]etween 2018 and 2019, that figure shot up another 500%.” Technology companies with troves of data on where people are at virtually every hour of the day are treading carefully as critics of geofence requests and warrants are pushing to ban law enforcement agencies from using these data.
  • “Australian leader says unnamed state increasing cyberattacks” – Associated Press. Australia’s Prime Minister Scott Morrison told reporters “Australian organizations are currently being targeted by a sophisticated state-based cyber actor.” He contended “[t]his activity is targeting Australian organizations across a range of sectors, including all levels of government, industry, political organizations, education, health, essential service providers and operators of other critical infrastructure.” In concert with Morrison’s statement, the Australian Cyber Security Centre (ACSC) and the Department of Home Affairs issued an advisory describing “the tactics, techniques and procedures (TTPs) identified during the ACSC’s investigation of a cyber campaign targeting Australian networks.” Some experts are saying it must be the People’s Republic of China (PRC), especially after Canberra named the PRC as the entity that hacked into Parliament.
  • “Eric Schmidt: Huawei has engaged in unacceptable practices” – BBC News. The former Google head claims the People’s Republic of China (PRC) has accessed Huawei’s routers to exfiltrate information. Schmidt conceded that Huawei’s products are superior to other offerings on the market, which poses a challenge for networks and nations. He also flagged the research and development budgets Huawei and other PRC companies have that eclipse other multinationals.
  • “French Court Strikes Down Most of Online Hate Speech Law” – The New York Times. A French court struck down the core of President Emmanuel Macron’s new statute to police offensive online speech, finding two provisions would impinge freedom of expression. Macron’s party has vowed to take another run at such legislation.
  • “Europe threatens digital taxes without global deal, after U.S. quits talks” – Reuters. The United States withdrew from Organisation for Economic Cooperation and Development (OECD) talks on digital taxes, prompting promises from the European Union to proceed with such taxes.

Further Reading (11 April)

  • “Taiwan joins Canada in banning Zoom for government video conferencing” – CBC and “Video service Zoom taking security seriously: U.S. government memo” – Reuters. The island nation joined Canada in banning the use of popular web conferencing app, Zoom, even though the company is allegedly addressing security concerns turned up over the last few weeks. Taiwan’s Cabinet cited “security concerns” without identifying those concerns in its statement recommending the use of other apps. However, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the Federal Risk and Authorization Management Program reportedly issued a memorandum finding the government version of Zoom safe to use, which is different from its free or business versions. Citizen Lab has issued a report calling into question Zoom’s security, among other things, however.
  • “We Saw NSO’s Covid-19 Software in Action, and Privacy Experts Are Worried” – Vice’s Motherboard. Israel’s NSO Group and Italy’s Cy4Gate have pitched systems to their respective governments and possibly others that would use people’s phones to track them in the name of preventing and tracing COVID-19. NSO Group’s system allegedly uses the contacts in one’s phone to suss out who a person has contacted or is liable to contact. Cy4Gate would rely more on location data to much the same aims. Questions have been raised from the perspective of civil liberties and privacy and effectiveness. Thus far, as far as is known, it has just been government agencies using location data although there is possibly help from private sector companies.
  • “The Far-Right Helped Create The World’s Most Powerful Facial Recognition Technology” – HuffPost. A long read on Clearview AI and its ties to white supremacists, Neo-Nazis, and Peter Thiel, who has invested in Clearview and owns a large stake in Palantir which contracts with numerous federal agencies to provide data analytics. This epic examination of all the interconnections is worth the time.
  • “The Humble Phone Call Has Made a Comeback” – The New York Times. In a somewhat surprising development, Verizon is saying that boring, vanilla wireless calls have risen by 50% and AT&T says the same on their networks has increased 35%. Everyone quoted in the article claims this is because sheltering-in-place Americans are looking for connection in the form of voice. The article hints that over the top call services like WhatsApp are also experiencing surges, and, of course, the now ubiquitous Zoom has experienced phenomenal growth. However, something the article touches on but does not develop is the possibility that internet capacity issues may be limiting video calls and so phone calls are a more appealing option.
  • “As School Moves Online, Many Students Stay Logged Out” – The New York Times. As should not be a surprise for anyone with even just a rudimentary grasp of the Digital Divide, more affluent children are participating in distance learning programs at a much higher rate due to a variety of reasons, including a household’s inability to afford broadband service, an area’s spotty or non-existent coverage, or new duties foisted on children by parents who still need to work outside the home. It would seem absent dramatic, even miraculous, changes in federal and state programs and funding, the gap between the digital haves and have-nots will only grow with the differences in the education of American children growing as well.
  • “Mass school closures in the wake of the coronavirus are driving a new wave of student surveillance” – The Washington Post. Another feature of digital life that has accelerated during the COVID-19 pandemic: online proctors for tests. However, allowing these proctors to access laptop cameras, microphones, and screens presents all sorts of privacy issues, in addition to the other software and apps universities and high schools are using to surveil their students. More dramatically, some companies use facial recognition technology, eye-tracking software, and even predictive software to determine whether a student is cheating. Moreover, these companies get access to all sorts of sensitive student data in the name of ensuring the person taking the test is actually who she claims to be. And, many students have to pay fees for the service they are being forced to use.
  • “WhatsApp to impose new limit on forwarding to fight fake news” – The Guardian. The popular messaging app is trying to slow the spread of COVID-19 misinformation and lies by setting new limits on the forwarding of certain messages. Now, if a message has been forwarded five or more times, a user will only be able to send it on to one person or chat at a time. In 2018, WhatsApp instituted a five person/chat forward limit in India where the mass forwarding of rumors and fake news led to the lynchings of more than 30 people who were allegedly kidnapping children. This limit was extended to the rest of the world in 2019. Presently, there are WhatsApp messages indicating that 5G is the cause of COVID-19 and all manner of pseudo-science and incorrect medical advice being sent via WhatsApp.

U.S. and Other Governments Respond To Privacy and Data Implications of COVID-19

Federal agencies have continued to respond to the changing conditions presented by the increased number of COVID-19 cases. However, while the U.S. government has not weighed in officially on the legality and appropriateness of using people’s location data from phones in order to combat the spread of the virus, European authorities have.

Last week, the Federal Trade Commission (FTC) sought to assure businesses and other regulated entities that the agency would look kindly on some activities that might otherwise be anti-competitive if the ultimate goal is to help consumers get by and survive COVID-19. Yet, the agency made clear that it would continue to police unfair and deceptive practices.

FTC Chair Joe Simons issued a statement explaining that “FTC staff in the Bureau of Consumer Protection remain hard at work protecting consumers from deceptive and unfair commercial practices” but “the FTC will remain flexible and reasonable in enforcing compliance requirements that may hinder the provision of important goods and services to consumers.” Simons added “[t]o be clear, by being flexible and reasonable, I am not suggesting that we will tolerate companies deceiving consumers, using tactics that violate well-established consumer protections, or taking unfair advantage of these uniquely challenging times…[and] [a]t all times, good faith efforts undertaken to provide needed goods and services to consumers will be taken into account in making enforcement decisions.” He stated “[t]he FTC is ready to assist businesses that may seek guidance about compliance obligations on consumer protection issues during this unprecedented time.”

On April 3, the FTC and the Federal Communications Commission (FCC) transmitted letters “to three companies providing Voice over Internet Protocol (VoIP) services, warning them that routing and transmitting illegal robocalls, including Coronavirus-related scam calls, is illegal and may lead to federal law enforcement against them” per the agencies’ press release.

The FTC and FCC noted “a separate letter to USTelecom – The Broadband Association (USTelecom), a trade association that represents U.S.-based telecommunications-related businesses…thanks USTelecom for identifying and mitigating fraudulent robocalls that are taking advantage of the Coronavirus national health crisis, and notes that the USTelecom Industry Traceback Group has helped identify various entities that appear to be responsible for originating or transmitting Coronavirus-related scam robocalls.” The agencies stated:

The letter further notifies USTelecom that if, after 48 hours of the release of the letter, any of the specified gateway or originating providers continue to route or transmit the specified originators’ robocalls on its network, the FCC will: 1) authorize other U.S. providers to block all calls coming from that gateway or originating provider; and 2) authorize other U.S. providers to take any other steps as needed to prevent further transmission of unlawful calls originating from the originator.

Last week, FTC staff sent “letters to nine Voice over Internet Protocol (VoIP) service providers and other companies warning them that “assisting and facilitating” illegal telemarketing or robocalls related to the coronavirus or COVID-19 pandemic is against the law” according to the agency’s press release. The FTC argued that “[m]any of these calls prey upon consumers’ fear of the virus to perpetrate scams or sow disinformation.”

Earlier in March, according to the agencies’ press release, the FTC and Food and Drug Administration (FDA) “sent warning letters to seven companies allegedly selling unapproved products that may violate federal law by making deceptive or scientifically unsupported claims about their ability to treat coronavirus (COVID-19) [that]…are the first issued by the agencies alleging unapproved and/or unsupported claims that products can treat or prevent coronavirus: 1) Vital Silver, 2) Quinessence Aromatherapy Ltd., 3) N-ergetics, 4) GuruNanda, LLC, 5) Vivify Holistic Clinic, 6) Herbal Amy LLC, and 7) The Jim Bakker Show.” The agencies alleged “[t]he recipients are companies that advertise products—including teas, essential oils, and colloidal silver—as able to treat or prevent coronavirus…[but] [a]ccording to the FDA, however, there are no approved vaccines, drugs, or investigational products currently available to treat or prevent the virus.”

The FTC also joined the Department of Justice (DOJ) in a statement “to make clear to the public that there are many ways firms, including competitors, can engage in procompetitive collaboration that does not violate the antitrust laws.”

Internationally, agencies with data protection and privacy responsibilities have also moved to remind public and private sector entities of how much latitude they have under national law to use personal data to fight COVID-19. The European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski responded to a request from the European Union’s Directorate‑General for Communications Networks, Content and Technology “on the monitoring of the spread of the COVID-19 outbreak,” presumably through the use of location data and metadata to track EU citizens to monitor health and compliance. One of the EDPS’ primary duties is to enforce data protection laws on EU agencies.

Wiewiórowski explained:

  • Firstly, let me underline that data protection rules currently in force in Europe are flexible enough to allow for various measures taken in the fight against pandemics. I am aware of the discussions taking place in some Member States with telecommunications providers with the objective of using such data to track the spread of the COVID-19 outbreak.
  • I share and support your call for an urgent establishment of a coordinated European approach to handle the emergency in the most efficient, effective and compliant way possible.
  • There is a clear need to act at the European level now.

Wiewiórowski stated that “[o]n the basis of the information provided in your letter and in absence of a more specific data model, please find below some elements for your consideration:

  • Data anonymization
    • It is clear from your letter that you intend to use only anonymous data to map movements of people with the objective of ensuring the stability of the internal market and coordinating crisis response. Effectively anonymised data fall outside of the scope of data protection rules.
    • At the same time, effective anonymisation requires more than simply removing obvious identifiers such as phone numbers and IMEI numbers. In your letter, you also mention that data would be aggregated, which can provide an additional safeguard.
    • I understand that the Health Security Committee established by Decision (EU) 1082/2013 you make explicit reference to would be the relevant forum for exchanges with the Member States in this case. The Commission should ensure that the data model would enable it to respond to the needs of the users of these analyses. Moreover, the Commission should clearly define the dataset it wants to obtain and ensure transparency towards the public, to avoid any possible misunderstandings. I would appreciate if you could share with me a copy of the data model, once defined, for information.
  • Data security and data access
    • As mentioned above, to the extent the data obtained by the Commission would be anonymous, it falls outside the scope of data protection rules. Nonetheless, information security obligations under Commission Decision 2017/464 still apply, as do confidentiality obligations under the Staff Regulations for any Commission staff processing the information. Should the Commission rely on third parties to process the information, these third parties have to apply equivalent security measures and be bound by strict confidentiality obligations and prohibitions on further use as well. I would also like to stress the importance of applying adequate measures to ensure the secure transmission of data from the telecom providers. It would also be preferable to limit access to the data to authorised experts in spatial epidemiology, data protection and data science.
  • Data retention
    • I also welcome that the data obtained from mobile operators would be deleted as soon as the current emergency comes to an end. It should be also clear that these special services are deployed because of this specific crisis and are of temporary character. The EDPS often stresses that such developments usually do not contain the possibility to step back when the emergency is gone. I would like to stress that such solution should be still recognised as extraordinary.

Wiewiórowski added that he wanted “to recall the importance of full transparency to the public on the purpose and procedure of the measures to be enacted…[and] I would also encourage you to keep your Data Protection Officer involved throughout the entire process to provide assurance that the data processed had indeed been effectively anonymised.” Wiewiórowski stressed that “should the Commission feel compelled at any point in the future to change the envisaged modalities for processing, a new consultation of the EDPS would be necessary…[and] [t]he EDPS is ready not only to consult the plans but also to actively involve its resources in the process of development of products and services that may have significant value to the public.”

The Office of the Privacy Commissioner of Canada (OPC) issued guidance “to help organizations subject to federal privacy laws understand their privacy-related obligations during the COVID-19 outbreak” according to the agency’s press release. OPC explained that “[d]uring a public health crisis, privacy laws still apply, but they are not a barrier to appropriate information sharing.” OPC stated that “[t]he new document provides general guidance on applying the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private-sector privacy law, in the context of the current outbreak.” OPC added that “[a]ll organizations must continue to operate with lawful authority and exercise good judgment…[and] [g]overnment institutions will need to apply the principles of necessity and proportionality, whether in applying existing measures or in deciding on new actions to address the current crisis.” OPC declared it “will continue to protect the privacy of Canadians, while adopting a flexible and contextual approach in its application of the law.”

On April 1, the Office of the Australian Information Commissioner (OAIC) issued a press release announcing “privacy guidance for agencies and private sector employers to help keep workplaces safe and handle personal information appropriately as part of the COVID-19 response. This includes:

  • Using and disclosing individuals’ personal information, including sensitive health information, on a ‘need-to-know’ basis
  • Only collecting, using or disclosing the minimum amount of personal information reasonably necessary to prevent or manage COVID-19
  • Advising staff about how their personal information will be handled in responding to any potential or confirmed COVID-19 cases in the workplace
  • Taking reasonable steps to keep personal information secure, including where employees are working remotely.

OAIC asserted it and “state and territory privacy regulators have convened a National COVID-19 Privacy Team to respond to proposals with national implications.”

FTC Demands Ten Years of Information From Big Tech On Mergers and Acquisitions

The Federal Trade Commission (FTC) has issued an order to a number of large technology companies with an eye towards determining if the current threshold for federal examination of mergers and acquisitions is too high for a number of technology-related acquisitions. However, larger acquisitions above the threshold of about $90 million, such as Facebook’s $22 billion purchase of WhatsApp, are not part of this examination. Agency officials were also quoted as saying that the inquiry is bigger than anti-competitive issues as there may be ulterior motives for the rash of acquisitions in this sector. Moreover, this order was issued at a time when the agency, the Department of Justice (DOJ), state attorneys general, and the House Judiciary Committee are examining antitrust and anti-competitive practices in the technology world.

Nonetheless, the agency is asking that major technology firms turn over information on mergers and acquisitions that were too small for the FTC or the DOJ to investigate potential anti-competitive effects. And, while the information gleaned from such an inquiry may not be used for an investigation that could result in legal action, the FTC may do so under the FTC Act if it so chooses. In a conference call with reporters, FTC Chair Joe Simons remarked “[i]f during this study we see that there are transactions that turn out were problematic, all of our options are on the table.”

The FTC sent letters to Alphabet, Amazon, Apple, Facebook, and Microsoft “to provide information and documents on the terms, scope, structure, and purpose of transactions that each company consummated between Jan. 1, 2010 and Dec. 31, 2019” according to the agency’s press release.

In an FAQ, the FTC stated:

We plan to use the responses to our Special Orders to better understand acquisitions by certain technology companies. In particular, the study will help the FTC assess whether U.S. antitrust authorities are receiving adequate notice of transactions that might limit or eliminate competition. The Hart-Scott-Rodino (HSR) Antitrust Improvements Act requires premerger filings when the parties and the transaction meet certain size thresholds. The FTC will study whether large tech companies are making potentially anticompetitive acquisitions—including acquisitions of nascent or potential competitors—that fall below HSR filing thresholds.

The FTC explained that these orders are issued “under Section 6(b) of the FTC Act, which authorizes the Commission to conduct wide-ranging studies that do not have a specific law enforcement purpose.” The agency claimed that “[t]he orders will help the FTC deepen its understanding of large technology firms’ acquisition activity, including how these firms report their transactions to the federal antitrust agencies, and whether large tech companies are making potentially anticompetitive acquisitions of nascent or potential competitors that fall below HSR filing thresholds and therefore do not need to be reported to the antitrust agencies.”

The FTC added:

  • The Special Orders require each recipient to identify acquisitions that were not reported to the FTC and the U.S. Department of Justice under the HSR Act, and to provide information similar to that requested on the HSR notification and report form. The orders also require companies to provide information and documents on their corporate acquisition strategies, voting and board appointment agreements, agreements to hire key personnel from other companies, and post-employment covenants not to compete. Last, the orders ask for information related to post-acquisition product development and pricing, including whether and how acquired assets were integrated and how acquired data has been treated.
  • The Commission plans to use the information obtained in this study to examine trends in acquisitions and the structure of deals, including whether acquisitions not subject to HSR notification might have raised competitive concerns, and the nature and extent of other agreements that may restrict competition. The Commission also seeks to learn more about how small firms perform after they are acquired by large technology firms. These and related issues were discussed during several sessions of the FTC’s 2018 Hearings on Competition and Consumer Protection in the 21st Century, and this study is part of the follow-up from those Hearings.

Simons stated that “[t]his initiative will enable the Commission to take a closer look at acquisitions in this important sector, and also to evaluate whether the federal agencies are getting adequate notice of transactions that might harm competition…[and] will help us continue to keep tech markets open and competitive, for the benefit of consumers.”

In a tweet, Commissioner Rohit Chopra suggested the FTC may be interested in more than just anti-competitive mergers:

Companies across the economy are in an arms race to soak up every source of data and monetize it. Many of these mergers fly below the radar. The FTC orders will provide clarity on why boardrooms are shelling out billions for our personal data.

As noted, the FTC and DOJ are in the midst of investigations into big technology companies. The agencies had supposedly divided the investigation, with the FTC looking at Facebook and Amazon and the DOJ investigating Google and Apple. However, there have been reports that the DOJ and the FTC have been fighting over who is investigating whom, with the FTC and DOJ confirming a dispute in testimony before the Senate Judiciary Committee last fall.

The House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee held its fifth hearing on competition in digital markets in January and is expected to at least issue a report and possibly even legislative language to reform the antitrust and anti-competitive statutory and regulatory landscape.

Additionally, New York Attorney General Letitia James is leading an antitrust investigation of Facebook that almost all state attorneys general are part of while Texas Attorney General Ken Paxton is leading almost all state attorneys general’s investigation of Google for possible antitrust violations.

Finally, Senators Bernie Sanders (I-VT) and Elizabeth Warren (D-MA) have called for the breakup of large technology companies as part of their campaigns to secure the Democratic nomination for president.

House Judiciary Committee Continues Its Antitrust Examination

The House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee continued its series of hearings titled “Online Platforms and Market Power” with an examination of the agencies charged with enforcing federal antitrust laws: the Department of Justice (DOJ) and the Federal Trade Commission (FTC).

Subcommittee Chair David Cicilline (D-RI) said the U.S. is experiencing a moment of extreme concentration across the economy as in industry after industry a few companies dominate critical markets that affect the day-to-day lives of hard-working Americans. He said that, unchecked by competition, corporations can abuse their market power to raise prices for consumers, lower wages, and stifle entrepreneurship, enriching themselves and their executives at the expense of everyone else. Cicilline said that one area where the concentration is most troubling is in the digital economy where a small number of dominant platforms have become critical intermediaries for the flow of commerce and information. He stated that while the platforms have delivered consumers some benefit, there is growing evidence that these platforms are now using their power to set the terms of the market in ways that enrich them but make it impossible to compete on an even playing field. Cicilline asserted that the news each day brings stories of how the decisions by this handful of companies increasingly determine whether a merchant, publisher, or app developer sinks or swims. He contended that because several of these monopolies operate business models premised on the surveillance of Americans, the power wielded over Americans is unprecedented.

Cicilline noted that six months ago the committee initiated a bipartisan investigation into competition in digital markets that follows in a long tradition of Congressional investigations into industry-wide assessments of whether dominant corporations were abusing their market power and whether U.S. laws are working to reverse the rising tide of economic concentration. Cicilline said the investigation is pursuing a similar path, and he said a key task for the subcommittee is understanding the enforcement record of each agency. Cicilline claimed that over the last decade alone, the largest technology firms have acquired over 436 companies, many of which were actual or potential competitors, but not a single transaction was challenged by antitrust enforcers. He added that only a handful were closely scrutinized. Cicilline said that the last major case brought by enforcers was Microsoft 20 years ago. He remarked that while these problems have plagued markets across the economy and not just in digital markets, the enforcement gap in these markets has created a de facto antitrust exemption for online platforms. Cicilline asked whether the federal agencies have failed to bring cases because of unfavorable caselaw requiring Congressional action to amend the law. He asked whether the inaction is due to a lack of agency resources or to a lack of will at the agencies to enforce the laws on the books. Cicilline said that these are the questions the subcommittee is looking to answer through its investigation and areas he hoped would be fully addressed during the hearing.

Subcommittee Ranking Member James Sensenbrenner (R-WI) said in the course of ordinary oversight of antitrust enforcement agencies the committee conducts annual or biannual hearings to examine the waterfront before these important agencies, but the DOJ and FTC will discuss only one set of issues: antitrust issues in the tech sector. He asserted that the agencies understand the importance of getting right the applicability of the nation’s antitrust laws to this critical sector of the modern economy. Sensenbrenner noted that like the subcommittee, the agencies are in the midst of a searching inquiry into whether the U.S.’s century-old antitrust laws and government enforcement of those laws are adequate to the challenges presented by the new digital economy. Sensenbrenner said the subcommittee’s examination thus far has looked at whether entities in the tech sector, particularly the largest online platforms, have or have not been accumulating and leveraging market power over competitors and other market participants. He added that affected entities include fellow technology companies, news publishers, and app developers who depend upon large online platforms to reach consumers and many others. He stated that the subcommittee has also examined aspects of online data privacy and the role online data plays in competition, particularly with very large accumulations of consumers’ online data. Sensenbrenner said the testimony at the hearing would help the subcommittee by receiving the wisdom and expertise of the antitrust agencies and by helping legislators better understand if antitrust laws are current and up to the task of the modern digital economy. He added that there are a number of issues before the agencies that Members are monitoring closely, including consent decrees. He said he intended to submit questions for the record on situations where antitrust laws could be misapplied or extended to the point where success is punished, innovation is suppressed, and consumer welfare is harmed.

Committee Chair Jerrold Nadler (D-NY) stated that “[t]here is growing evidence that a handful of dominant platforms now control key arteries of online commerce, content, and communications.” He claimed that “[a] number of important digital markets are now dominated by just one or two firms. For example, Google controls over 90% of the global search market and Facebook captures over 80% of all global social media revenue…[and] by some estimates, Amazon controls about half of all online commerce in the U.S.” Nadler stated that “[w]hile the open internet has delivered enormous benefits to Americans, waves of anti-competitive consolidation in digital markets have had devastating effects on key elements of our democracy and economy, such as the free and diverse press.” He said that “[i]t also threatens the survival of a key element of our economy—the American startup.” Nadler stated that “[e]mpirical evidence suggests that the trends of increasing consolidation and market power in digital markets pose a threat to technology startups and innovation in the U.S. economy.” He said that “[f]or example, it has been reported that seed funding for technology startups—the initial round of investment in a startup—has declined significantly from 2015 to 2018.”

Nadler stated that “I am deeply concerned about the antitrust agencies’ lax merger enforcement which has permitted these harmful levels of concentration and the rise of market power in the digital economy…[and] [i]n addition to rising consolidation, there have also been allegations of anti-competitive conduct in digital markets.” He stated that “[f]or instance, as more small- and medium-sized businesses become reliant on the dominant platforms to reach customers, they have increasing concerns that discriminatory or exclusionary conduct by the platforms could destroy their business over the course of just a few days or months.” Nadler stated that “[d]espite mounting evidence of illegal monopolization activities by the dominant platforms, and numerous cases brought by international enforcers, U.S. enforcers appear to be paralyzed.” Nadler stated that “[i]t has been decades since the DOJ or the FTC has brought a significant monopolization case in the tech sector.” He said that “Tim Wu, a professor at Columbia University testified before the Judiciary Committee in July that the DOJ’s court challenges against AT&T, IBM, and Microsoft ‘were foundational in terms of shaking up industry and creating room for new firms to grow.’”

Nadler stated that “I am encouraged by reports of the agencies’ current investigations into the dominant tech platforms, but the decline of enforcement over the past several decades is extremely troubling—a decline, I should add, that has occurred across all industries, not just in the technology sector.” He contended that “I find it hard to believe that companies have simply ceased engaging in illegal monopolization rather than the more likely explanation—which is that the agencies are underenforcing the antitrust laws.” Nadler conceded that “[t]here may be a number of reasons for underenforcement by the agencies with respect to both anti-competitive conduct and merger review, including unfavorable case law, insufficient enforcement will, and inadequate agency resources, all of which I look forward to examining at today’s hearing.”

Nadler stated that “[o]ne problem Congress can most directly address is ensuring that the agencies charged with antitrust enforcement have sufficient funding…[and] [u]nfortunately, appropriations to these agencies have declined over the last decade despite an increase in merger activity and an increase in the complexity of investigations.” He claimed that “[i]n real terms, agency funding in 2019 was nearly 20% lower than in 2010…[and] it is vital that the antitrust agencies have the resources they need to do their jobs.” Nadler stated that “[w]hile ultimately it is the responsibility of the antitrust enforcement agencies to enforce the law, Congress has an obligation to assess whether existing antitrust laws and competition policies—and the will to enforce those laws and policies—are adequate to address the competition issues facing our country, and to take action if they are found to be lacking.”

Committee Ranking Member Doug Collins (R-GA) stated that “[t]he subcommittee’s antitrust investigation has been one of the bright spots on the committee’s agenda this term.” He said “[t]he importance of digital technology to our constituents’ lives grows every day…[and] [t]he tech sector is one of the greatest forces for innovation and wealth creation in the world and our economy.” Collins claimed that “[r]arely in history have we witnessed such a transformative change in how we go about our lives.” He stated that “[m]uch of that change is very much for the good, but not all…[and] [a]mong these changes are the ways that companies compete — both fairly and unfairly — to provide goods and services to consumers.” Collins claimed that “[i]t is therefore critical that we work on a bipartisan basis to understand whether our current antitrust laws and our antitrust enforcement agencies are up to the task the tech sector presents.” He remarked that “[w]e will have accomplished something important if together we can determine whether our antitrust laws need updating for the digital economy or whether the antitrust agencies need Congress’ help to assure vigorous antitrust enforcement in the tech sector.”

Collins claimed that “[f]rom the start of our inquiry, I have made clear the overarching principles guiding me in this endeavor:

  • First, while some tech companies have become very big, big is not necessarily bad. Companies that offer new innovations, better solutions and more consumer benefits at lower prices often become big — to the benefit of society. Proposals to break up big companies because of their size alone risk throwing the baby out with the bath water and simply punishing success.
  • Second, just like the existing antitrust laws, proposals for new legislation should aim to keep the free market free. Proposals to construct broad new regulatory regimes should be viewed with caution. Experience shows that regulatory solutions often miss the mark, solve problems less efficiently than free markets can and create new opportunities for anti-competitive companies to suppress competition through rent-seeking. That is especially true when regulation attempts to take on evolving problems in fast-moving markets.

Collins stated that “[t]his principle is particularly important to me as we seek a better way to protect the privacy of consumers’ online data…[and] I announced in July of this year that I would be introducing legislation this term to achieve better protection.” He added that “I am working hard on that legislation and it is strongly animated by the principle I just laid out.” He asserted that “[o]ther proposals, like laws adopted in Europe and California, threaten to entrench the market power of large incumbent tech companies under the cloak of protecting online data privacy…[and] I want us instead to enact a new federal law that better protects privacy without making it harder for new, small, innovative companies to enter the market, jostle with the giants and strive to become the blockbuster companies of tomorrow.” Collins stated that “[t]he heads of the antitrust agencies before us today also have stated principles they believe should guide antitrust inquiries into the tech sector…[and] I look forward to hearing in depth today about their views and whether we can borrow from some of their guiding lights as we work our way through our own congressional inquiry.”

FTC Chair Joseph Simons stated that

New technologies can offer real consumer benefits, but they can also raise complex and sometimes novel competition issues. We have prioritized efforts to monitor, study, and, where necessary, bring enforcement actions to maintain competition in technology markets. We are undertaking these efforts not only in connection with the technology platforms that are the focus of this committee’s ongoing investigation, but also with respect to technologies employed by companies throughout the economy that are changing and challenging competition. The FTC’s Bureau of Competition this year announced a shift in internal resources to establish a Technology Enforcement Division, a dedicated group that will monitor competition in U.S. technology markets and recommend enforcement action when warranted.

Simons said that “[a]s outlined in [FTC] testimony from last month, current law provides the Commission with several potential avenues to counter anticompetitive conduct by large technology firms that seek to thwart nascent and potential threats by acquisition or other means.” He stated that “[f]or instance, when evaluating mergers in dynamic markets, the Commission pays particularly close attention when an industry leader seeks to acquire an up-and-coming competitor that is changing customer expectations and gaining sales.”

Simons claimed that

The FTC is in the process of concluding a prominent policy initiative: its Hearings on Competition and Consumer Protection in the 21st Century. This extensive series of public hearings was convened to consider whether broad-based changes in the economy, evolving business practices, new technologies, and international developments warrant adjustments to competition and consumer protection law, enforcement priorities, and competition policy. The FTC worked to feature a wide variety of perspectives in these hearings. We invited legal and economic academics and consultants, public interest groups, public advocacy groups, and representatives of businesses and industries to our hearing sessions. By the conclusion of our final hearing on June 12, 2019, we had convened 14 sessions over 23 days, with thousands of people attending via webcast or in person. To date, we have received close to 950 unique comments on the covered topics. All the information related to the hearings—the transcripts, comments, presentations, and questions—is available on the FTC website. This large corpus of material on the critical issues facing modern competition and consumer protection policy has already created a valuable resource for future research by the agency, interested academics, practitioners, and policymakers. At this stage, we are distilling the large volume of stakeholder input and generating further output, such as reports, statements, guidance, and speeches.

Simons stated that

As we have previously announced, we are prioritizing work involving platform competition, vertical mergers, and international initiatives. This work will be forward-looking and will both support the Commission’s enforcement mission and identify additional policy initiatives that may be important in shaping the future development of antitrust law. We expect to begin releasing some of this output soon. Through these hearings, the Commission intends to help formulate an enduring approach to current questions about antitrust and consumer protection enforcement. We recognize that, in some areas of the law, some now question the policies that have served as the basis for what had long been a bipartisan consensus. Particularly with respect to certain antitrust issues where this consensus has been questioned, we believe these hearings were a valuable investment of our resources to determine whether adjustments are necessary.

Assistant Attorney General Makan Delrahim said the Antitrust Division at the DOJ is hard at work reviewing the business practices of online platforms, which was announced in July. He said to date both Facebook and Google have publicly disclosed investigations. Delrahim stressed those companies are not the only focus of the review but they are a significant part of the review because of the role they play in the lives of so many American citizens. He added these companies occupy a unique role in the era of online, personalized advertising supported by user data. Delrahim said the work the DOJ is doing is focused in part on understanding the role data play in personalized advertising and the competitive dynamics. He stated DOJ is looking at how these dynamics create value for advertisers, content creators, and the consumers who use these advertising supported platforms. Delrahim claimed that by understanding these competitive dynamics, the DOJ can determine if the market leaders have monopoly power, how they exercise such monopoly power, and whether the source of that power is from merits-based competition or if the source of that power is exclusionary or anticompetitive conduct. Delrahim stated that other online platforms make money in other ways, and the DOJ is reviewing those other business models as well. He contended that the common thread is that online platforms bring together users who access information services on the platform with third party providers of products, services, or advertisement. Delrahim claimed the DOJ is concerned about ways the online platform operators can manipulate the conditions for competition, and in some instances, the platform operators may have the incentive to improve the platform for the benefit of all those users while in other instances the platform operator may compete against users of the platform and may have an incentive to disadvantage competitors. He noted the DOJ’s 2008 action against Google and Yahoo’s agreement that would have eliminated the latter as an online search engine, and the companies ultimately decided not to proceed. Delrahim stressed he could not comment on the ongoing investigation but recent public remarks should assure the committee that the DOJ is taking a hard look at any possible anticompetitive behavior in online markets.