Further Reading, Other Developments, and Coming Events (22, 23, 24, and 25 February 2021)

Further Reading

  • “The Long Hack: How China Exploited a U.S. Tech Supplier” By Jordan Robertson and Michael Riley — Bloomberg. This piece argues that the United States (U.S.) government knew of vulnerabilities in Super Micro Computer Inc.’s products used by the People’s Republic of China (PRC) but chose to keep them secret. This article follows an infamous 2018 Bloomberg BusinessWeek article alleging that Apple and Amazon had discovered malicious chips in Supermicro products, a claim all three and the U.S. vociferously denied. Allegedly the Federal Bureau of Investigation (FBI) has been investigating and monitoring in its counterintelligence capacity, mostly to learn what the PRC is capable of. U.S. security agencies warned some companies not to use Supermicro products, and some agencies, like the Department of Defense (DOD), instituted an ad hoc ban on the company’s products in classified systems. Apparently, the PRC used three sophisticated means of penetrating Supermicro products. Moreover, in a May 2019 Securities and Exchange Commission (SEC) filing, Supermicro admitted:
    • We experienced unauthorized intrusions into our network between 2011 and 2018. None of these intrusions, individually or in the aggregate, has had a material adverse effect on our business, operations, or products. We have taken steps to enhance the security of our network and computer systems but, despite these efforts, we may experience future intrusions, which could adversely affect our business, operations, or products. In addition, our hardware and software or third party components and software that we utilize in our products may contain defects in design or manufacture, including “bugs” and other problems that could unexpectedly interfere with the operation or security of the products.
  • “‘A managerial Mephistopheles’: inside the mind of Jeff Bezos” By Mark O’Connell — The Guardian. This long read contemplates what Amazon giveth and what Amazon taketh away from the vantage of the now former CEO’s writings.
  • “Anatomy of a conspiracy: With COVID, China took leading role” By Erika Kinetz — Associated Press. A detailed history on the People’s Republic of China’s extensive and effective propaganda campaign, much of it waged on social media, trying to pin COVID-19 on the United States.
  • “‘Mark Changed The Rules’: How Facebook Went Easy On Alex Jones And Other Right-Wing Figures” By Ryan Mac and Craig Silverman — BuzzFeed News. Another disquieting view into Facebook from BuzzFeed News. The reporters draw a straight line from CEO Mark Zuckerberg softening a ban on Alex Jones-related content to the insurrection on 6 January 2021. Moreover, as has been reported many times, Vice President Joel Kaplan’s influence has consistently made the platform much more lenient on conservative figures and content, including many extremists.
  • “China Censors the Internet. So Why Doesn’t Russia?” By Anton Troianovski — The New York Times. Unlike the People’s Republic of China, which never let the genie of a free and open internet out of the bottle, Russia is vainly trying to get the genie back in. The efforts of President Vladimir Putin and his government to crack down on online speech they do not like have mostly failed. But they are trying methods other than simply blocking the outside world that prove effective.
  • “How Chrome, Firefox, and Safari are stopping supercookies” By Shubham Agarwal — Fast Company. As soon as browsers find ways to combat the abuse of cookies, largely through their removal, the online advertising industry hatches a new way of tracking people across the internet: so-called supercookies that often cannot be removed from one’s device. However, the Mozillas of the world are making progress in ways to defeat supercookies, which undoubtedly has already prompted the advertising industry to conjure new means of tracking people.
  • “Facebook knew ad metrics were inflated, but ignored the problem, lawsuit claims” By Megan Graham — CNBC; “Facebook’s Sheryl Sandberg Knew About Inflated Ad-Reach Figures for Years, Lawsuit Claims” By Todd Spangler — Variety. A small business alleged in its latest filing in its lawsuit against Facebook that top executives, including Chief Operating Officer Sheryl Sandberg, knew the company was overestimating the potential reach of ads but still pitched wrong figures to potential ad buyers. This suit was filed in August 2018 in federal court in California and is seeking class action status. This is not the first time Facebook has been accused of inflating the number of people who may see an advertisement. Last year, Facebook settled claims it had “misled [advertisers] about viewer engagement of video ads by using inflated video-viewing metrics” by paying out $40 million. In its filing this month, the plaintiffs in the new suit argued:
    • Facebook knew for years its Potential Reach was inflated and misleading. While Facebook brushed aside Plaintiffs’ allegations here, years ago it admitted the VAB report – relied upon in Plaintiffs’ Complaint – “has the order of magnitude in inflation correct.” Facebook knew the problem was largely due to fake and duplicate accounts — but, the company made a “deliberate decision” not to remove duplicate or fake accounts from Potential Reach. And senior executives blocked employees from fixing the problem, because it believed the “revenue impact [would be] significant.”
    • Facebook knew it was wrong. As the product manager for Potential Reach put it: “it’s revenue we should have never made given the fact it’s based on wrong data.” Another employee stated “[t]he status quo in ad Reach estimation and reporting is deeply wrong.” The only question was, “[h]ow long can we get away with the reach overestimation.” After learning these facts, Plaintiffs amended their complaint to add claims for fraud and a request for punitive damages, because Facebook’s officers engaged in or ratified conduct despicable under California law.
  • “Amazon’s Great Labor Awakening” By Erika Hayasaki — The New York Times. A comprehensive look at Amazon’s labor practices through the eyes of workers at a California facility, which they allege, with reason, are inhumane and anti-labor. For example, the company only started taking steps to combat COVID-19 at its facilities well after the beginning of the epidemic amidst negative publicity and unrest among its work force.
  • “SolarWinds hackers studied Microsoft source code for authentication and email” By Joseph Menn — Reuters. More details about the Russian Federation’s hack of United States (U.S.) government agencies and private sector companies. Microsoft has revealed that not only did intruders view source code for a number of its products like Azure and Exchange, but they are now saying “there was additional access, including in some cases, downloading component source code.” Microsoft insists that none of its source code was used by hackers to attack agencies and companies while leaving open the possibility that some of its resellers may have been used thusly. I suspect this is not the last that will be heard about Microsoft’s security practices and their role in the hack. Incidentally, I highly recommend the 26 January episode of The Verge’s Decoder podcast with the author of this piece dedicated to the SVR hack.
  • “Twenty-Six Words Created the Internet. What Will It Take to Save It?” By Stephen Engelberg — ProPublica. An interview with the lawyer and professor who wrote the history on 47 USC 230 (Section 230) that illuminates the policy backdrop and genesis of this now controversial provision. He makes the case that until stakeholders can arrive at a shared definition of the problems with Section 230, any fixes will likely be Frankenstein bills pieced together from conflicting legislation with an eye toward passage and not coherence.
  • “Deepfake porn is ruining women’s lives. Now the law may finally ban it.” By Karen Hao — MIT Technology Review. As a Motherboard writer predicted in 2017, deepfake porn is now being used on non-celebrity women with devastating effects to their health, well-being, careers, and lives. Those seeking to solve this growing problem of women having their face or image inserted into pornography are trying to convince policymakers in the United Kingdom (UK), United States (U.S.), and Europe to ban such deepfake porn. A key legal forum is close to making recommendations to the British parliament, while in the U.S. concerns about violating the free speech clause of the First Amendment have thus far precluded action. Only two U.S. states, California and Virginia, have provisions in their revenge porn laws that also ban faked and deepfake videos. This is a problem that is likely to only get worse, especially given the spotty compliance people get from platforms to remove abusive material generally.
  • “Major camera company can sort people by race, alert police when it spots Uighurs” By Johana Bhuiyan — Los Angeles Times. A company from the People’s Republic of China (PRC), Dahua, has developed and marketed facial recognition technology that can identify and filter on the basis of race. Critics claim this is because the PRC government is using this capability to locate, track, and oppress the Uighur minority. This technology is available and used in the United States despite Dahua being on the Entity List, which stops the company from buying most American products but does not stop U.S. entities from buying and using its services. There is a ban on using federal funds to buy Dahua’s services and products, but the article documents a California school district that spent hundreds of thousands of federally provided dollars on Dahua systems.
  • “Google Kicks Location Data Broker That Sold Muslim Prayer App User Data” By Joseph Cox — Motherboard. Google told application developers to remove location data broker Predicio from their offerings or face removal from the Google Play Store. Predicio is part of the data ecosystem that funnels location data to Venntel, a company that contracts with law enforcement agencies to give them location data. Motherboard has already detailed how Venntel has sold location data to Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP). In December, both Google and Apple banned a Predicio rival, X-Mode, from their app stores, threatening developers with banishment if they used its software development kit (SDK).
  • “Is This Beverly Hills Cop Playing Sublime’s ‘Santeria’ to Avoid Being Live-Streamed?” By Dexter Thomas — Motherboard. It appears some officers are trying to foil some people’s exercise of their First Amendment rights to record police interactions by playing copyrighted songs. Once the video is posted or livestreamed, the rights holders may object, causing the video to be taken down.
  • “Fears over DNA privacy as 23andMe plans to go public in deal with Richard Branson” By Kari Paul — The Guardian. The firm that started out as a resource for people looking to research their heritage has transitioned to a company that can offer health care companies a library of DNA. And now 23andMe is teaming up with Richard Branson, giving rise to all sorts of privacy concerns about the DNA people have submitted to the company.
  • “New state privacy initiatives turn up heat on Congress” By Rebecca Klar and Chris Mills Rodrigo — The Hill. Undoubtedly the central thrust of this piece is true: with Virginia on the verge of enacting privacy legislation with others thinking of doing the same, Congress feels more pressure to enact federal privacy legislation. However, there is no hint of the White House’s position on either of the two issues that have held up a bill: preemption of state privacy laws and whether people can sue for violations (aka a private right of action). I have not seen much movement on those issues, and it may be that since most of the major stakeholders have largely been silent on privacy that there are serious talks happening away from the public view. I think it is more likely that higher priority items have taken the fore like the Biden Administration’s COVID-19 bill, and even in the tech space, there is much more heat around Section 230 than privacy. And, lest anyone forget, data breach/data security was one of the hot topics about ten years ago as almost every state had a different statute, a seemingly untenable situation that never resulted in legislation. The status quo is the same today and somehow companies can do business.
  • “Twitter Says It Won’t Block Journalists, Activists, And Politicians In India To Protect Free Speech” By Pranav Dixit — BuzzFeed News. A continuing free speech standoff in the world’s most populous democracy. In response to blocking orders issued by the Ministry of Electronics and Information Technology (MeitY), Twitter has decided to unblock some accounts it originally blocked. These accounts are those of “news media entities, journalists, activists, and politicians,” according to the company’s blog posting. However, the company is continuing to block some accounts inside India (with these accounts still presumably visible to the rest of the world) and is contemplating litigation (i.e., “exploring options under Indian law — both for Twitter and for the accounts that have been impacted.”) However, Twitter and its employees may be subjecting themselves to criminal liability, for the government in New Delhi could prosecute them for violating MeitY’s orders.
  • “Instagram bans Robert F. Kennedy Jr. over false vaccine, Covid claims” By Minyvonne Burke — NBC News. The anti-vaccine activist has been removed from Instagram for “repeatedly sharing debunked claims about the coronavirus or vaccines” according to a Facebook spokesperson. A few days earlier Facebook had announced an expansion of “efforts to remove false claims on Facebook and Instagram about COVID-19, COVID-19 vaccines and vaccines in general during the pandemic.” Kennedy claimed he was not posting false information and his being banned is a blow to the First Amendment. Thus far, Facebook has left his page up, however. One wonders if the two feeds were so different as to warrant a ban on one but not the other.
  • “A Clearview AI Patent Application Describes Facial Recognition For Dating, And Identifying Drug Users And Homeless People” By Caroline Haskins, Ryan Mac, and Brianna Sacks — BuzzFeed News. Even though Clearview AI has repeatedly said its facial recognition technology is intended only for law enforcement agencies, it filed a patent application last year with the United States government to enter the private sector in a number of markets. The patent application states “In many instances, it may be desirable for an individual to know more about a person that they meet, such as through business, dating, or other relationship,” which very much sounds like applications other than law enforcement purposes. Clearview AI CEO Hoan Ton-That asserted “[w]e applied for a patent because we believe we have made significant innovations in the field of facial recognition, especially regarding accuracy and the use of our large-scale database of publicly available facial images.” He added “Clearview AI is currently only used by law enforcement for after-the-crime investigations,” which does not definitively rule out future applications beyond law enforcement.
  • “There’s a Smarter Way to Make Tech Pay for News” By Will Oremus — OneZero. This piece provides an overview and critique of the various proposals other than Australia’s to help media in the social media age. Speaking of which, almost all the experts asked panned Australia’s law, saying it will most likely solidify the position of the incumbents in social media and in news media, an outcome not to be desired.

Other Developments

  • The National Institute of Standards and Technology (NIST) issued “the final NIST Interagency or Internal Report (NISTIR) 8323, Foundational PNT Profile: Applying the Cybersecurity Framework for the Responsible Use of Positioning, Navigation, and Timing (PNT) Services.” NIST stated “[t]he national and economic security of the United States (US) is dependent upon the reliable functioning of the nation’s critical infrastructure.”
    • NIST explained:
      • The PNT Profile was created by applying the NIST Cybersecurity Framework (CSF) to help organizations:
        • Identify systems dependent on PNT 
        • Identify appropriate PNT sources
        • Detect disturbances and manipulation of PNT services
        • Manage the risk to these systems 
      • The PNT Profile provides a flexible framework for users of PNT services to manage risks when forming and using PNT signals and data, which are susceptible to disruptions and manipulations that can be natural, manufactured, intentional, and unintentional. It was created by applying the NIST Cybersecurity Framework (CSF) [NIST CSF] and can be applied to all organizations that use PNT services, irrespective of the level of familiarity or knowledge that they have with the CSF. Organizations that have fully or partially adopted, or who have not adopted the CSF can benefit.
      • The PNT Profile is voluntary and does not: issue regulations, define mandatory practices, provide a checklist for compliance, or carry statutory authority. It is intended to be a foundational set of guidelines. Sector-specific agencies (SSAs) and entities may wish to augment or further develop their own PNT cybersecurity efforts via full or partial implementation of the recommended practices in this document. Any implementation of its recommendations will not necessarily protect organizations from all PNT disruption or manipulation. Each organization is encouraged to make their risk management decisions in the context of their own cyber ecosystem, architecture, and components. The PNT Profile’s strategic focus is to supplement preexisting resilience measures and elevate the postures of less mature initiatives.
  • The European Parliament’s Panel for the Future of Science and Technology (STOA) issued a study it commissioned on the liability of online platforms. STOA explained “[g]iven the central role that online platforms (OPs) play in the digital economy, questions arise about their responsibility in relation to illegal/harmful content or products hosted in the frame of their operation.”
    • The researchers who drafted the study explained:
      • the study reviews the main legal/regulatory challenges associated with the operation of OPs and analyses the incentives for OPs, their users and third parties, to detect and remove illegal/harmful and dangerous material, content and/or products. To create a functional classification which can be used for regulatory purposes, it discusses the notion of OPs and attempts to categorise them under multiple criteria. The study then maps and critically assesses the whole range of OP liabilities, taking hard and soft law, self-regulation, as well as national legislation into consideration. To do so, the study distinguishes between liabilities connected with the activities performed or the content uploaded by OP users – from the liability exemptions established by the e-Commerce Directive, to the sectoral rules provided in media law, intellectual property (IP) law, product safety and product liability , protection of minors, hate speech, disinformation and voting manipulation, terrorist activities – and alternative sources of liability, such as OPs’ contractual liability towards users, both businesses and consumers, as well as that deriving from infringements of privacy and data protection law.
      • Finally, the study drafts policy options for an efficient EU liability regime: (i) maintaining the status quo; (ii) awareness-raising and media literacy; (iii) promoting self-regulation; (iv) establishing co-regulation mechanisms and tools; (v) adopting statutory legislation; (vi) modifying OPs’ secondary liability by employing two different models – (a) by clarifying the conditions for liability exemptions under e-Commerce Directive, or (b) by establishing a harmonised regime of liability.
  • The European Union Agency for Cybersecurity (ENISA) published “two reports on cryptography: one on the progress of post-quantum cryptography standardisation, and the other on exploring the technologies under the hood of crypto-assets.”
    • In “Post-Quantum Cryptography: Current state and quantum mitigation,” ENISA stated:
      • Given the recent developments in the Quantum Computing race among industries and nation states, it seems prudent for Europe to start considering mitigation strategies now. The EU Cybersecurity Agency is not alone in this line of thought. Other authorities and EU Institutions have also raised concerns; for instance, the European Data Protection Supervisor has highlighted the dangers against data protection, national authorities have been investigating and preparing; e.g., the German Federal Office for Information Security has been evaluating Post-Quantum alternatives since before the launch of NIST’s standardisation process.
      • This study provides an overview of the current state of play on the standardisation process of Post-Quantum Cryptography (PQC). It introduces a framework to analyse existing proposals, considering five (5) main families of PQC algorithms; viz. code-based, isogeny-based, hash-based, lattice-based and multivariate-based. It then goes on to describe the NIST Round 3 finalists for encryption and signature schemes, as well as the alternative candidate schemes. For which, key information on cryptodesign, implementation considerations, known cryptanalysis efforts, and advantages & disadvantage is provided.
      • Since the NIST standardisation process is ongoing, the report makes no claim on the superiority of one proposal against another. In most cases the safest transition strategy involves waiting for national authorities to standardise PQC algorithms and provide a transition path. There might be cases, though, where the quantum risk is not tolerated, in which case the last chapter offers 2 proposals that system owners can implement now in order to protect the confidentiality of their data against a quantum capable attacker; namely hybrid implementations that use a combination of pre-quantum and post-quantum schemes, and the mixing of preshared keys into all keys established via public-key cryptography. These solutions come at a cost and as such system designers are well advised to perform a thorough risk and cost-benefit analysis.
    • In “Crypto Assets: Introduction to Digital Currencies and Distributed Ledger Technologies,” ENISA asserted:
      • The European Commission on the 24th September 2020 adopted a comprehensive package of legislative proposals for the regulation of crypto-assets, updating relevant financial market rules, and is moving forward with a Pan-European blockchain regulatory sandbox facility to test innovative solutions and identify obstacles that arise in using Distributed Ledger Technologies (DLTs) in the trading and post trading of securities. Crypto-assets may qualify as “financial instruments”, in which case they fall under the Markets in Financial Instruments Directive (e.g.: tokenised equities or tokenised bonds). But there are also types that do not qualify as “financial instruments”, such as utility tokens or payment tokens, generally referred to as digital currencies. Further, digital currencies when based on DLTs, like the Blockchain, are usually called cryptocurrencies; as opposed to centralized digital currencies.
      • These timely policy initiatives make evident that crypto-assets are a playground of not only technical, but also financial innovation that demands scrutiny in all its aspects. With this first introductory study focusing on the rise of cryptocurrencies & DLT, the European Union Agency for CyberSecurity is launching a series of information security studies in the area of crypto-assets to support policy-makers and raise awareness on the arising security and data protection.
      • The creation of BitCoin by Nakamoto [Nak08] in 2008 created a flurry of interest in so-called ‘digital currencies’. The basic ideas of a blockchain, a consensus mechanism, and operations on a public ledger have potentially wide application outside of the narrow confines of creating a digital currency.
      • The technological ideas behind such distributed ledger technologies go back to way before 2008, often to the 1970s. What digital ledger technologies do is bring various technical components such as digital signatures, cryptographic hash functions, Merkle-Trees, consensus mechanisms, zero-knowledge proofs, secret sharing, together into an interesting combination which can address a number of application needs.
      • However, the hype behind such technologies understandably also creates unrealistic expectations as to what problems the technology can solve. This has led to a common quote of ‘If you think your problem can be solved by blockchain, then you do not understand your problem’. This report aims to increase the understanding of blockchain technologies. It aims to explain the underlying technical concepts and how they relate to each other. The goal is to explain the components, and illustrate their use by pointing to deployed instances where the ideas are utilized.
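  • The two mitigations ENISA’s PQC report lists for the cases that cannot wait, hybrid pre-/post-quantum key establishment and mixing a pre-shared key into every key derived from a public-key exchange, reduce to one construction: feed every secret into a key derivation function so that the session key stays secret as long as any one input does. The Python below is an added illustration written for this digest, not code from ENISA’s report or from any vendor; it implements HKDF (RFC 5869) on the standard library only, and the three input secrets are constructed stand-ins for what an (EC)DH exchange, a post-quantum KEM and a provisioned PSK would supply in a real protocol.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2): PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = bytes(HASH_LEN)  # RFC 5869: an empty salt is HashLen zero bytes
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3): T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_secrets(classical_secret: bytes, pq_secret: bytes,
                    psk: bytes, context: bytes) -> bytes:
    """Derive one 32-byte session key from up to three independent secrets.

    Each input is length-prefixed so the concatenation parses unambiguously
    (b"a"+b"bc" and b"ab"+b"c" must not collide). An empty input is allowed,
    which is how a deployment without a PSK, or without a PQ KEM, would call it.
    The salt is a fixed public label chosen for this example (assumption).
    """
    ikm = b"".join(len(s).to_bytes(2, "big") + s
                   for s in (classical_secret, pq_secret, psk))
    prk = hkdf_extract(b"hybrid-kdf-example-v1", ikm)
    return hkdf_expand(prk, b"session-key|" + context, 32)


def demo_hybrid() -> dict:
    """Show that both parties agree and that dropping any one secret changes the key."""
    # Constructed stand-ins, NOT outputs of a real key exchange:
    ecdh_secret = bytes.fromhex("11" * 32)  # would come from (EC)DH; breakable by a quantum adversary
    kem_secret = bytes.fromhex("22" * 32)   # would come from a post-quantum KEM
    psk = bytes.fromhex("33" * 32)          # provisioned out of band, never sent on the wire
    ctx = b"client=alice;server=bob;suite=hybrid-example"

    alice_key = combine_secrets(ecdh_secret, kem_secret, psk, ctx)
    bob_key = combine_secrets(ecdh_secret, kem_secret, psk, ctx)

    # Model an adversary that has recovered the classical secret (e.g. by running
    # Shor's algorithm over recorded traffic years later) but lacks one of the
    # other inputs: without it, the derived key does not match.
    without_pq = combine_secrets(ecdh_secret, b"", psk, ctx)
    without_psk = combine_secrets(ecdh_secret, kem_secret, b"", ctx)
    return {
        "alice_key": alice_key,
        "bob_key": bob_key,
        "attacker_without_pq": without_pq,
        "attacker_without_psk": without_psk,
    }


if __name__ == "__main__":
    r = demo_hybrid()
    print("parties agree:", r["alice_key"] == r["bob_key"])
    print("key reproducible without PQ secret:", r["attacker_without_pq"] == r["alice_key"])
    print("key reproducible without PSK:", r["attacker_without_psk"] == r["alice_key"])
```

  The same shape is what TLS 1.3 already does with its PSK and (EC)DHE inputs to the HKDF key schedule, which is why the PSK mitigation is the cheaper of the two to deploy: the PSK only has to be provisioned and bound into a key derivation that most modern protocols already perform.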
  • A United States (U.S.) appeals court reversed a lower court’s ruling that suspicionless searches could not be conducted at the U.S. border or at ports of entry. The United States Court of Appeals For the First Circuit (First Circuit) overturned a district court and hewed to rulings handed down by other circuits.
    • The First Circuit explained:
      • Plaintiffs bring a civil action seeking to enjoin current policies which govern searches of electronic devices at this country’s borders. They argue that these border search policies violate the Fourth and First Amendments both facially and as applied. The policies each allow border agents to perform “basic” searches of electronic devices without reasonable suspicion and “advanced” searches only with reasonable suspicion.
    • The First Circuit held:
      • In these cross-appeals we conclude that the challenged border search policies, both on their face and as applied to the two plaintiffs who were subject to these policies, are within permissible constitutional grounds. We find no violations of either the Fourth Amendment or the First Amendment. While this court apparently is the first circuit court to address these questions in a civil action, several of our sister circuits have addressed similar questions in criminal proceedings prosecuted by the United States. We join the Eleventh Circuit in holding that advanced searches of electronic devices at the border do not require a warrant or probable cause. United States v. Vergara, 884 F.3d 1309, 1311-12 (11th Cir. 2018). We also join the Ninth and Eleventh Circuits in holding that basic border searches of electronic devices are routine searches that may be performed without reasonable suspicion. United States v. Cano, 934 F.3d 1002, 1016 (9th Cir. 2019), petition for cert. filed (Jan. 29, 2021) (No. 20-1043); United States v. Touset, 890 F.3d 1227, 1233 (11th Cir. 2018). We also hold the district court erroneously narrowed the scope of permissible searches of such equipment at the border.
    • In November 2019, a U.S. District Court held that U.S. Customs and Border Protection (CBP) and U.S. Immigration and Customs Enforcement’s (ICE) current practices for searches of smartphones and computers at the U.S. border are unconstitutional and the agencies must have reasonable suspicion before conducting such a search. However, the Court declined the plaintiffs’ request that the information taken off of their devices be expunged by the agencies. This ruling followed a Department of Homeland Security Office of the Inspector General (OIG) report that found CBP “did not always conduct searches of electronic devices at U.S. ports of entry according to its Standard Operating Procedures” and asserted that “[t]hese deficiencies in supervision, guidance, and equipment management, combined with a lack of performance measures, limit [CBP’s] ability to detect and deter illegal activities related to terrorism; national security; human, drug, and bulk cash smuggling; and child pornography.”
    • The case was brought by the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) on behalf of 10 U.S. citizens and one legal permanent resident who had had their phones and computers searched by CBP or ICE agents upon entering the U.S., typically at airports. The ACLU argued these searches violated the Fourth Amendment because the agents did not obtain search warrants before conducting the searches of the devices for contraband. The plaintiffs further alleged the searches violated the First Amendment because “warrantless searches of travelers’ electronic devices unconstitutionally chill the exercise of speech and associational rights” according to their complaint. The agencies claimed that such searches require neither a warrant nor probable cause and that the First Amendment claim held no water, a position a number of federal appeals courts have held.
  • The Cybersecurity and Infrastructure Security Agency (CISA) announced a six-month extension of the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force. CISA stated:
    • In December of last year, the Task Force released its Year 2 Report, which built off previous work completed in year one. It showcased the collective ongoing efforts of five working groups within the Task Force to address challenges to information sharing, threat analysis, qualified bidder and qualified manufacturer lists, vendor attestation, and impacts from COVID-19 on supply chains. 
    • The extension of the Task Force will allow working groups to continue their work as outlined in the Year 2 Report, to include the release of specific reports, including the latest Working Group 2 Threat Scenarios Report, as well as other upcoming working group products. It will also ensure both government and industry members can continue to collaborate on other ongoing public-private engagement efforts around supply chain and support the Federal Acquisition Security Council (FASC).
    • Over the next six months, through July 2021, the Task Force will continue to explore means for building partnerships with international partners, new sectors, and stakeholders who can help grow the applicability and utilization of the Task Force. With the interconnectedness between the sectors and the scale of supply chain risks faced by both government and industry, private-public coordination is essential to enhance ICT supply chain resilience.
  • Representatives Suzan DelBene (D-WA) and John Katko (R-NY) reintroduced the “Internet of Things (IoT) Readiness Act” (H.R.981) “that would prepare the U.S. for the continued growth of IoT devices and devices that use 5G networks” per their press release. DelBene and Katko asserted:
    • IoT devices, ranging from fitness watches to sensors that monitor traffic, require significant spectrum capacity so that information, such as time, location, and temperature, can be transmitted to and from other devices. Spectrum is a limited resource and if the available capacity cannot accommodate all the devices in the same vicinity, the signals will interfere with each other and cause them to fail.
    • The IoT Readiness Act directs the Federal Communications Commission (FCC) to collect and provide Congress with the data needed to be prepared for the continued growth of these devices and their connectivity needs.
    • As a recent example, after the introduction of smartphones over the last decade, the number of devices that could access the internet increased dramatically. Cellular networks became overwhelmed, and the FCC had to go through the lengthy and burdensome process of reallocating spectrum. Now, IoT devices are facing the same problem.
    • In 2015, a family of four had an average of 10 IoT devices connected to the internet. The Organization for Economic Co-operation and Development estimates that that average will increase to 50 devices per family by 2022.
  • At a White House press conference, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger made remarks on the Biden Administration’s investigation of and response to the Russian Federation’s massive hack carried out through SolarWinds and likely other entities. Neuberger revealed that the administration is working on an executive order as part of its response but gave no timeline. She also said the Biden Administration aspires to “modernize” federal defenses, without discussing possible costs or ramifications for current programs and authorities. Neuberger remarked:
    • As of today, 9 federal agencies and about 100 private sector companies were compromised.  As you know, roughly 18,000 entities downloaded the malicious update.  So the scale of potential access far exceeded the number of known compromises.  Many of the private sector compromises are technology companies, including networks of companies whose products could be used to launch additional intrusions. 
    • what are we going to do about it?  Three things: First, finding and expelling the adversary.  Second, building back better to modernize federal defenses and reduce the risk of this happening again.  And finally, potential response options to the perpetrators. 
    • So, first, finding and expelling the adversary.  We’re coordinating the interagency response from the National Security Council.  I was on the Hill last week, had Hill discussions this week, and will be on the Hill next week, as well.  We’re working closely with daily conversations with our private sector partners.  They have visibility and technology that is key to understanding the scope and scale of compromise.  There are legal barriers and disincentives to the private sector sharing information with the government.  That is something we need to overcome. 
    • And then, finally, this is challenging.  This is a sophisticated actor who did their best to hide their tracks.  We believe it took them months to plan and execute this compromise.  It’ll take us some time to uncover this, layer by layer. 
    • Second, building back better to modernize federal defenses.  We’re absolutely committed to reducing the risk this happens again.  If you can’t see a network, you can’t defend a network.  And federal networks’ cybersecurity need investment and more of an integrated approach to detect and block such threats. 
    • We’re also working on close to about a dozen things — likely eight will pass — that will be part of an upcoming executive action to address the gaps we’ve identified in our review of this incident. 
    • And, finally, in terms of response to the perpetrator, discussions are underway.  I know some of you will want to know what kind of options are being contemplated.  What I will share with you is how I frame this in my own mind.  This isn’t the only case of malicious cyber activity of likely Russian origin, either for us or for our allies and partners.  So as we contemplate future response options, we’re considering holistically what those activities were. 
  • The Chamber of Commerce of the United States of America, Internet Association, NetChoice, and the Computer & Communications Industry Association sued to stop implementation of Maryland’s “Taxation – Tobacco Tax, Sales and Use Tax, and Digital Advertising Gross Revenues Tax” (HB0732), which would impose a tax on digital advertising in the state, the first such tax in the United States (U.S.). The plaintiffs argued:
    • Although the Act is styled as a tax, several features confirm its punitive character, including its severity (up to 10% of gross revenues), its focus on extraterritorial conduct, the segregation of its proceeds from the State’s general fund, and the legislative history leading to its enactment. Among other things, the legislative history shows that lawmakers believe that the charge cannot be passed to consumers, and that the targets of the law, and they alone, will bear the burden of the assessment. A pass-through prohibition recently introduced in the Maryland Senate would lock in that understanding; if adopted into law, it would expressly prohibit the targets of the charge from passing it on to advertisers as a line item.
    • The Act is unlawful in several ways. First, it is preempted by the Internet Tax Freedom Act (ITFA), which prohibits States from imposing “multiple and discriminatory taxes on electronic commerce.” 47 U.S.C. § 151 note. Second, the Act violates the Due Process Clause and Commerce Clause of the United States Constitution by burdening and penalizing purely out-of-state conduct and interfering with foreign affairs.
    • The plaintiffs are seeking a declaration that the law is illegal and an injunction barring its enforcement.
  • The “Consumer Data Protection Act” (SB 1392) passed both the Virginia House of Delegates and the Virginia Senate by large margins, sending the bill to Governor Ralph Northam (D). This bill is one of the weaker privacy bills within sight of enactment. It would permit much of the data collection and processing currently occurring in Virginia to continue largely unchanged once the law takes effect in 2023. The bill relies on an opt-out consent model, and even that applies only in limited circumstances: so long as entities disclose how they propose to process personal data, there are only limited cases in which people could opt out. There is no private right of action, and the attorney general would have to give entities a 30-day window to cure any potential violation and would be barred from proceeding if his office receives an express written statement that the violations have been cured. (See here for more analysis.)
  • The United States (U.S.) Department of Justice (DOJ) unsealed a federal indictment against “three North Korean computer programmers with participating in a wide-ranging criminal conspiracy to conduct a series of destructive cyberattacks, to steal and extort more than $1.3 billion of money and cryptocurrency from financial institutions and companies, to create and deploy multiple malicious cryptocurrency applications, and to develop and fraudulently market a blockchain platform” per the DOJ’s press release. The DOJ stated:
    • The hacking indictment filed in the U.S. District Court in Los Angeles alleges that Jon Chang Hyok (전창혁), 31; Kim Il (김일), 27; and Park Jin Hyok (박진혁), 36, were members of units of the Reconnaissance General Bureau (RGB), a military intelligence agency of the Democratic People’s Republic of Korea (DPRK), which engaged in criminal hacking. These North Korean military hacking units are known by multiple names in the cybersecurity community, including Lazarus Group and Advanced Persistent Threat 38 (APT38). Park was previously charged in a criminal complaint unsealed in September 2018. 
    • The indictment alleges a broad array of criminal cyber activities undertaken by the conspiracy, in the United States and abroad, for revenge or financial gain. The schemes alleged include:
      • Cyberattacks on the Entertainment Industry: The destructive cyberattack on Sony Pictures Entertainment in November 2014 in retaliation for “The Interview,” a movie that depicted a fictional assassination of the DPRK’s leader; the December 2014 targeting of AMC Theatres, which was scheduled to show the film; and a 2015 intrusion into Mammoth Screen, which was producing a fictional series involving a British nuclear scientist taken prisoner in DPRK.
      • Cyber-Enabled Heists from Banks: Attempts from 2015 through 2019 to steal more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and Africa by hacking the banks’ computer networks and sending fraudulent Society for Worldwide Interbank Financial Telecommunication (SWIFT) messages.
      • Cyber-Enabled ATM Cash-Out Thefts: Thefts through ATM cash-out schemes – referred to by the U.S. government as “FASTCash” – including the October 2018 theft of $6.1 million from BankIslami Pakistan Limited (BankIslami).
      • Ransomware and Cyber-Enabled Extortion: Creation of the destructive WannaCry 2.0 ransomware in May 2017, and the extortion and attempted extortion of victim companies from 2017 through 2020 involving the theft of sensitive data and deployment of other ransomware.
      • Creation and Deployment of Malicious Cryptocurrency Applications: Development of multiple malicious cryptocurrency applications from March 2018 through at least September 2020 – including Celas Trade Pro, WorldBit-Bot, iCryptoFx, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale – which would provide the North Korean hackers a backdoor into the victims’ computers.
      • Targeting of Cryptocurrency Companies and Theft of Cryptocurrency: Targeting of hundreds of cryptocurrency companies and the theft of tens of millions of dollars’ worth of cryptocurrency, including $75 million from a Slovenian cryptocurrency company in December 2017; $24.9 million from an Indonesian cryptocurrency company in September 2018; and $11.8 million from a financial services company in New York in August 2020 in which the hackers used the malicious CryptoNeuro Trader application as a backdoor.
      • Spear-Phishing Campaigns: Multiple spear-phishing campaigns from March 2016 through February 2020 that targeted employees of United States cleared defense contractors, energy companies, aerospace companies, technology companies, the U.S. Department of State, and the U.S. Department of Defense.
      • Marine Chain Token and Initial Coin Offering: Development and marketing in 2017 and 2018 of the Marine Chain Token to enable investors to purchase fractional ownership interests in marine shipping vessels, supported by a blockchain, which would allow the DPRK to secretly obtain funds from investors, control interests in marine shipping vessels, and evade U.S. sanctions.
      • According to the allegations contained in the hacking indictment, which was filed on Dec. 8, 2020, in the U.S. District Court in Los Angeles and unsealed today, the three defendants were members of units of the RGB who were at times stationed by the North Korean government in other countries, including China and Russia. While these defendants were part of RGB units that have been referred to by cybersecurity researchers as Lazarus Group and APT38, the indictment alleges that these groups engaged in a single conspiracy to cause damage, steal data and money, and otherwise further the strategic and financial interests of the DPRK government and its leader, Kim Jong Un.
  • The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of the Treasury (Treasury) issued “a joint cybersecurity advisory about North Korean government malicious activity the U.S. government refers to as ‘AppleJeus’…[that] highlights technical details on this specific threat activity, mitigations for networks compromised by it, and recommended proactive mitigations for defense against it.” The agencies added:
    • The joint advisory provides technical details on seven versions of the AppleJeus malware, which has been used by North Korea posing as cryptocurrency trading platforms since at least 2018. In most instances, the malicious application—seen on both Windows and Mac operating systems—appears to be from a legitimate cryptocurrency trading company, thus fooling individuals into downloading it as a third-party application from a website that seems legitimate. 
    • Working closely with our interagency and international partners, the FBI, CISA and Treasury share timely cyber threat information with the intent to disrupt malicious cyber activity and help our partners protect their networks. Today’s advisory along with seven malware analysis reports adds to a still growing list of malicious cyber activity by North Korean state actors. Four of the seven versions of AppleJeus malware were identified in 2020 and reveal a determination by this group to evolve and continue this scheme. A complete list of their activity and important mitigation recommendations can be found here.
    • Organizations, specifically those in the financial services sector, should give this activity the highest priority for assessing their networks and implementing appropriate mitigation. You can read the joint cybersecurity advisory here and the seven malware analysis reports here.
  • Epic Games and the plaintiffs agreed to settle a class action suit alleging the company engaged in predatory practices through the sale of random loot boxes to users. In a statement, the company and the plaintiffs’ attorneys announced over $78 million in relief for class members. Specifically, they asserted:
    • A class action settlement with Epic Games, Inc. (“Defendant” or “Epic Games”) has been reached. Under the Settlement, all U.S. players of Fortnite: Save the World and Rocket League who bought a random item loot box in either game before Epic Games discontinued random loot boxes will receive certain benefits immediately and automatically. The Settlement also provides up to $26.5 million in cash and other benefits to U.S.-based Fortnite and Rocket League players to resolve claims arising from players’ purchases of Fortnite and Rocket League in-game items. The case is Zanca, et al. v. Epic Games, Inc., Case No. 21-CVS-534, currently pending in the Superior Court of Wake County, North Carolina before the Honorable Keith Gregory, General Court of Justice, Superior Court Division (the “Action”). The proposed Settlement is not an admission of wrongdoing by Epic Games, and it denies that it violated the law. The Court has not decided who is right or wrong. Rather, to avoid the time, expense, and uncertainty of litigation, the Parties have agreed to settle the lawsuit. The Court has granted preliminary approval of the Settlement and has conditionally certified the Settlement Class for purposes of settlement only.
    • Settlement Class means all persons in the United States who, at any time between July 1, 2015, and the date of Preliminary Approval, had a Fortnite or Rocket League account that they used to play either game on any device and in any mode, and (a) exchanged in-game virtual currency for any in-game benefit, or (b) made a purchase of virtual currency or other in-game benefit for use within Fortnite or Rocket League.
    • As part of the Settlement, Epic Games will automatically add 1,000 Fortnite V-Bucks to each Fortnite: Save the World account that was used to acquire a random-item “Loot Llama” loot box, and 1,000 Rocket League Credits to each Rocket League account that was used to acquire a random item “Crate” loot box. Additionally, you may submit a Claim Form to receive your choice of a cash benefit or additional V-Bucks/Credits, as set forth in more detail in this website and in the Settlement Agreement.
  • At the 2021 Virtual Munich Security Conference, United States (U.S.) President Joe Biden renewed the U.S. commitment to the North Atlantic Treaty Organization (NATO), its longtime European allies, and multilateralism, reversing the policy of the Trump Administration. He endorsed efforts to craft norms of behavior in cyberspace and called upon the nations of NATO to join the U.S. in pushing back against the authoritarianism of the People’s Republic of China (PRC) and the Russian Federation. Biden declared:
    • America is back.  The transatlantic alliance is back.  And we are not looking backward; we are looking forward, together. 
    • It comes down to this: The transatlantic alliance is a strong foundation — the strong foundation — on which our collective security and our shared prosperity are built.  The partnership between Europe and the United States, in my view, is and must remain the cornerstone of all that we hope to accomplish in the 21st century, just as we did in the 20th century.
    • With respect to the broad foreign policy strokes his administration will pursue, Biden stated:
      • we must prepare together for a long-term strategic competition with China.  How the United States, Europe, and Asia work together to secure the peace and defend our shared values and advance our prosperity across the Pacific will be among the most consequential efforts we undertake.  Competition with China is going to be stiff.  That’s what I expect, and that’s what I welcome, because I believe in the global system Europe and the United States, together with our allies in the Indo-Pacific, worked so hard to build over the last 70 years. 
      • We can own the race for the future.  But to do so, we have to be clear-eyed about the historic investments and partnerships that this will require.  We have to protect — we have to protect for space for innovation, for intellectual property, and the creative genius that thrives with the free exchange of ideas in open, democratic societies.  We have to ensure that the benefits of growth are shared broadly and equitably, not just by a few. 
      • We have to push back against the Chinese government’s economic abuses and coercion that undercut the foundations of the international economic system.  Everyone — everyone — must play by the same rules. 
      • U.S. and European companies are required to publicly disclose corporate governance — to corporate governance structures and abide by rules to deter corruption and monopolistic practices.  Chinese companies should be held to the same standard. 
      • We must shape the rules that will govern the advance of technology and the norms of behavior in cyberspace, artificial intelligence, biotechnology so that they are used to lift people up, not used to pin them down.  We must stand up for the democratic values that make it possible for us to accomplish any of this, pushing back against those who would monopolize and normalize repression. 
      • You know, this is also — this is also how we’re going to be able to meet the threat from Russia.  The Kremlin attacks our democracies and weaponizes corruption to try to undermine our system of governance.  Russian leaders want people to think that our system is more corrupt or as corrupt as theirs.  But the world knows that isn’t true, including Russians — Russia’s own citizens. 
  • Secretary of Homeland Security Alejandro Mayorkas issued a statement titled “DHS Announces Steps to Advance President’s Commitment to Elevate Cybersecurity,” in which he announced “DHS will lead efforts to mitigate risks to the United States, further strengthen its partnerships with the private sector, and expand its investment in the infrastructure and people required to defend against malicious cyber attacks as part of a whole-of-government effort.” The statement was mostly a recitation of programs and efforts that largely pre-date the Biden Administration. That said, it did include one new commitment:
    • This week, Secretary Mayorkas will increase the required minimum spend on cybersecurity through FEMA grant awards. To accelerate critical improvements in state and local cybersecurity, CISA will urgently evaluate and implement additional capabilities including potential new grant programs that will enable critical security investments. This is important: the nation’s cybersecurity is only as strong as its weakest link.
  • The United States (U.S.) Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) named three new Biden Administration appointees to “leadership roles”: “Nitin Natarajan has joined CISA as its Deputy Director, Eric Goldstein as Executive Assistant Director for Cybersecurity, and Dr. David Mussington as Executive Assistant Director for Infrastructure Security.” However, no names have been floated to head CISA, nor, for that matter, have any been circulated as the White House’s choice to be the first National Cyber Director, a position established in the “William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021” (P.L. 116-283) on the basis of a recommendation by the Cyberspace Solarium Commission (CSC).
    • CISA provided biographical sketches:
      • Deputy Director Natarajan led a practice at an international consulting firm focused on health security and provided subject matter expertise on continuity of operations, environmental emergency management, public health, and homeland security matters. He also held a number of roles in federal government, focused on critical infrastructure resilience.  Deputy Director Natarajan started his career as a first responder in New York including service as a flight paramedic.
      • In addition to serving on the Agency Review Team, Executive Assistant Director Goldstein was previously the Head of Cybersecurity Policy, Strategy, and Regulation at Goldman Sachs, where he led a global team to improve and mature the firm’s cybersecurity risk management program.  He served at CISA’s precursor agency, the National Protection and Programs Directorate, in various roles from 2013 to 2017.
      • Executive Assistant Director Mussington is an internationally known expert in critical infrastructure protection and cybersecurity – leading projects and program analyses for US federal agencies, states, and internationally for institutions in Canada, Europe, and the United Kingdom.  In an over two-decade career, he has played a variety of roles in both the public and private sectors.  His research and teaching activities have focused on cyber physical system risk management, election cybersecurity, and critical infrastructure security risk management.
  • The United Kingdom’s (UK) Supreme Court ruled against Uber in its appeal of a lower court’s finding that people driving for the company are to be considered workers and must have the rights afforded to workers in the UK. In its judgment, the court stated:
    • New ways of working organised through digital platforms pose pressing questions about the employment status of the people who do the work involved. The central question on this appeal is whether an employment tribunal was entitled to find that drivers whose work is arranged through Uber’s smartphone application (“the Uber app”) work for Uber under workers’ contracts and so qualify for the national minimum wage, paid annual leave and other workers’ rights; or whether, as Uber contends, the drivers do not have these rights because they work for themselves as independent contractors, performing services under contracts made with passengers through Uber as their booking agent. If drivers work for Uber under workers’ contracts, a secondary question arises as to whether the employment tribunal was also entitled to find that the drivers who have brought the present claims were working under such contracts whenever they were logged into the Uber app within the territory in which they were licensed to operate and ready and willing to accept trips; or whether, as Uber argues, they were working only when driving passengers to their destinations.
    • For the reasons given in this judgment, I would affirm the conclusion of the Employment Appeal Tribunal and the majority of the Court of Appeal that the employment tribunal was entitled to decide both questions in the claimants’ favour.
  • The Election Assistance Commission (EAC) adopted Voluntary Voting System Guidelines (VVSG) 2.0, which it characterized in its press release as “a major step toward improving the manufacturing and testing of voting machines.” The EAC asserted:
    • The VVSG 2.0 represents a significant advancement in defining standards that will serve as the cornerstone of the next generation of voting systems. It lays the groundwork for 21st century voting systems that are desperately needed with improved cybersecurity, accessibility, and usability requirements. The VVSG 2.0 also supports various audit methods supporting software independence to confirm the accuracy of the vote and increase voter confidence. With its adoption, manufacturers are empowered to begin designing and building voting machines according to these new guidelines.
    • Despite the requirements being voluntary, at least 38 states use the standards in some way making today’s vote on advancing of the next version of VVSG very important. This is the most significant update of the federal standards for voting technology since VVSG 1.0 was adopted in 2005.
    • The major updates included in the VVSG 2.0 are the following:
      • Improved cybersecurity requirements to secure voting and election management systems associated with the administration of elections.
        • Software independence
        • Requires systems to be air-gapped from other networks and disallows the use of wireless technologies
        • Physical security
        • Multi-factor authentication
        • System integrity
        • Data protection
      • Interoperability
        • Ensures devices are capable of importing and exporting data in common data formats
        • Requires manufacturers to provide complete specifications of how the format is implemented
        • Requires that encoded data uses a publicly available method
  • The Estonian Foreign Intelligence Service has released its annual security report, titled “International Security and Estonia 2021,” part of which addresses the cyber and influence operations of the Russian Federation and the People’s Republic of China. The agency asserted:
    • Russia continues to be the primary security threat to Western democracies also in cyberspace. In addition to espionage, Russian special services are actively using cyberspace in their influence operations to create divisions in Western societies, transnational relations and NATO.
    • Cyber operations originating in Russia and the abuse of cyberspace for the purpose of influencing will very likely continue in 2021. These are effective, inexpensive and well-established measures for the Russian services. Moreover, influence operations can be a way to achieve long-term effects without always requiring intervention in the target country’s domestic politics.
    • The Chinese propaganda machine uses Western information channels to spread its narrative. Since the coronavirus pandemic outbreak, the amount of biased and fake news produced in China has increased, and its content has become more aggressive.
    • Tactically, China follows Russia’s example in spreading propaganda and disinformation. However, this points more to conformity resulting from shared objectives rather than any coordinated cooperation, as do the good relations between Chinese and Russian representatives on social media and the sharing of each other’s posts. At present, China does not use disinformation as actively and as professionally as Russia, but it is likely that it will expand and intensify its activities in this area in the near future. China’s influence operations aim to weaken Europe’s open society by promoting its own propaganda messages.
    • China’s ambition to become the world leader in technology poses major security threats.
    • Following Xi Jinping’s strategic guidelines, China is devoting all its resources to technological development to become a world leader in the field and make other countries dependent on Chinese technology. China faces sanctions and obstacles, which is giving rise to the sinicisation of its technology – increasing reliance on domestic producers. If Chinese technology becomes entirely domestic, the technology and software’s working principles will be even more opaque than before.
    • Cyber espionage has also been one of China’s traditional means of getting hold of foreign high technology. To justify its actions, China is ostensibly working to break the Western monopoly and considers it acceptable to use any means necessary to achieve this.
  • The Government Accountability Office (GAO) issued a response to a request “to review [the Department of] State’s efforts to advance U.S. interests in cyberspace.” The GAO stated that “[t]his report examines the extent to which State used data and evidence to develop and justify its proposal to establish [the] Bureau of Cyberspace Security and Emerging Technologies (CSET).” House Foreign Affairs Committee Chair Gregory Meeks (D-NY) and Ranking Member Michael McCaul (R-TX) had requested that the GAO investigate the Trump Administration State Department’s decision to stand up the CSET in the face of criticism from Members on both sides of the aisle. The Trump Administration was criticized for allegedly downgrading the United States’ (U.S.) cyber diplomacy capabilities, and legislation was introduced to essentially reverse the decision (i.e., the “Cyber Diplomacy Act of 2019” (H.R.739) in the last Congress). The GAO concluded:
    • The United States faces expanding cyber threats and the challenge of building international consensus on standards for acceptable state behavior in cyberspace. In leading federal efforts to advance U.S. interests in cyberspace, State has notified Congress of its proposal to establish a new bureau focused on cyberspace security and the security aspects of emerging technologies. State, however, has not demonstrated that it used data and evidence to support its proposal, particularly for the bureau’s focus and organizational placement. Without developing evidence to support its proposal for the new bureau, State lacks needed assurance that the proposal will effectively set priorities and allocate appropriate resources for the bureau to achieve its intended goals.
    • The GAO recommended:
      • The Secretary of State should ensure that State uses data and evidence to justify its current proposal, or any new proposal, to establish the Bureau of Cyberspace Security and Emerging Technologies to enable the bureau to effectively set priorities and allocate resources to achieve its goals.
  • Acting Federal Trade Commission (FTC) Chair Rebecca Kelly Slaughter made remarks at a recent conference that map out her enforcement priorities and how she wants FTC staff to investigate and charge cases. Notably, she said she will press to ensure that all possible violations are charged, that the agency litigates if entities will not settle in ways that make consumers whole, and that certain types of relief are pursued, such as forcing companies that violate the FTC Act to erase their ill-gotten data and the algorithms derived from it. Specifically, Slaughter stated:
    • I’ve supported many of the Commission’s privacy and security cases, like Equifax and TikTok, but for those of you who have followed the FTC’s privacy and security work closely, you’ll know that I dissented in cases like Facebook, YouTube, and Zoom. When I dissented, in most instances it was because I believed that the Commission should have obtained stronger relief for consumers, including by pursuing litigation if we were unable to negotiate sufficient relief in settlement.
    • Two types of relief I want us to seek and believe we can achieve are meaningful disgorgement and effective consumer notice. The Commission achieved an innovative disgorgement remedy in the settlement with photo app Everalbum announced last month. In that case, we alleged that the company violated its promises about the circumstances under which it would use facial recognition technology. As part of the settlement, the Commission required the company to delete facial recognition models or algorithms developed with users’ photos or videos.
    • We routinely obtain disgorgement of ill-gotten monetary gains when consumers pay for a product that is marketed deceptively. Everalbum shows how we can apply this principle to privacy cases where companies collect and use consumers’ data in unlawful ways: we should require violators to disgorge not only the ill-gotten data, but also the benefits—here, the algorithms—generated from that data.
    • A good example of effective notice is the Commission’s recent fem-tech case involving the Flo menstruation and fertility app. We alleged that Flo violated its promises not to share consumers’ sensitive information to third parties by sharing the information with Facebook, Google, and others. An important remedy the Commission achieved in this case was to require the company to notify consumers of its false promises.
    • Notice lets consumers “vote with their feet” and helps them better decide whether to recommend the service to others. Finally, and crucially, notice accords consumers the dignity of knowing what happened. There’s a fundamental equity issue here: many people—including those who most need to know—won’t hear about the FTC’s action against a company they deal with unless the company tells them. So, I’ll be pushing staff to include provisions requiring notice in privacy and data security orders as a matter of course.
    • The other lesson we can take from Flo is the need to fully plead all law violations. As I mentioned in my joint statement with Commissioner Chopra on that case, I believe we also should have applied the Health Breach Notification Rule to those facts and I’m glad we are conducting a review of this Rule, which requires that vendors of personal health records notify consumers of breaches. In other cases, I have argued that we should have included unfairness counts. In all of our cases, I want to make sure that we are analyzing all of the relevant laws and pleading all the violations that are applicable.
    • Finally, I think we need to think carefully about the overlap between our work in data privacy and in competition. Many of the largest players in digital markets are as powerful as they are because of the breadth of their access to and control over consumer data. The FTC has a structural advantage over our counterparts in other jurisdictions that focus exclusively on antitrust or on data protection. Our dual missions can and should be complementary, and we need to make sure we are looking with both privacy and competition lenses at problems that arise in digital markets.
  • In remarks before a business organization, Cybersecurity and Infrastructure Security Agency (CISA) Acting Director Brandon Wales unveiled “the agency’s first-ever international strategy, CISA Global.” In the document’s cover letter, Wales explained:
    • CISA Global outlines our approach to how CISA will work with international partners to fulfill our responsibilities, execute our work, and create unity of effort within our mission areas. This strategy presents the global vision and international operational priorities of the CISA Director, consistent with CISA’s international authorities as outlined in the Homeland Security Act of 2002; Department of Homeland Security’s Strategic Plan for FY 2020-2024; EO 13800 Report, DHS International Cybersecurity Priorities; and the CISA Strategic Intent. This overarching strategy provides an approach for how CISA will execute its responsibilities and serves as a reference point to guide our work and create unity of effort.
    • In CISA’s press release, the agency stated “[t]he strategy describes CISA’s international vision and identifies four goals:
      • Advancing operational cooperation;
      • Building partner capacity;
      • Strengthening collaboration through stakeholder engagement and outreach; and
      • Shaping the global policy ecosystem.
    • In CISA Global, CISA expanded upon each of the four goals:
      • Given the increasing interconnectedness of our networks, the interdependencies among critical infrastructure sectors, and cross-border data flows, operational cooperation with foreign counterparts is a key tool in collaborating to prevent, detect, deter, and mitigate threats and hazards effectively. Operational cooperation, for the purposes of this document, can be defined as engagement with international partners that is characterized by mutually beneficial information sharing that informs and enhances our relationships. Through such international operational cooperation, CISA can improve its collective situational awareness, and is able to foster innovative approaches for responding to and mitigating threats and hazards to critical infrastructure and cybersecurity. Developing CISA’s partnerships into trusted relationships will enable critical operational information sharing that can improve communications capabilities, foster an environment for joint operations, and support resilience efforts – whether that be by sharing operational best practices, working on joint exercises, addressing threat information and related mitigation advice, or collaborating in a fashion so as to align security and defense efforts with like-minded partners. Ultimately, CISA seeks to mature our partnerships to establish an attaché program and to deploy personnel overseas to effectively execute CISA’s mission.
      • Liaise with and support international partners in developing their own capacity to effectively detect threats, assess impact potential, and take appropriate response actions to mitigate risk that enable cooperation with and increase benefits for CISA divisions. The global implications of all threats and hazards — especially those stemming from the cyber-physical nexus — actuates CISA to assist countries in building their own competency in managing risk, strengthen security and resilience, and address current and emerging risks. Enhancing other countries’ organic capabilities simultaneously enables CISA to comprehensively protect the Homeland, to bolster international security, and to promote global societal resilience. Sharing lessons learned, best practices, and information sharing while leveraging the technology, research, and capacities of other nations will be the cornerstone of this effort while working with Department of State.
      • The CISA international mission depends upon strategic stakeholder engagement to establish a vast, diverse, and robust network of public and private stakeholders and experts in order to promote a collective effort towards protecting critical infrastructure and strengthening the global cyber posture. CISA aims to build and to mature partnerships internationally to create channels of communication that facilitate the exchange of information, best practices, ideas, and lessons-learned as well as to remain timely and relevant on ongoing global efforts to address common issues. Through stakeholder engagement and outreach, CISA is not only able to raise awareness to a broader audience but is also able to maintain a platform amenable to U.S. initiatives and priorities.
      • CISA will ensure that its overall mission and objectives are supported and reflected in a manner consistent with CISA’s authorities and U.S. policy goals while shaping the legal environment and effectively driving research and development. By advancing domestic initiatives and promoting national models at the international level, CISA will lead global efforts to support common approaches to shared challenges in securing critical infrastructure and cyberspace. Through cooperation with the Department and the interagency, CISA will guide overall U.S. government efforts to work bilaterally, regionally and multilaterally with foreign counterparts to promote the adoption of standards, regulations and policies that support a homeland and global community that is safe, secure and resilient to threats and hazards.
  • Senate Finance Committee Chair Ron Wyden (D-OR), Senator Kirsten Gillibrand (D-NY), Senate Banking Committee Chair Sherrod Brown (D-OH), Senator Mazie Hirono (D-HI), and Representative Anna Eshoo (D-CA) reintroduced the “Invest in Child Safety Act” (S.223/H.R.807), legislation that, they claimed in their press release, would “confront online child exploitation and reverse a decade of underfunding key enforcement and prevention efforts.” There is a messaging angle to this bill in that it implicitly proposes a different route to combating online child sexual abuse material apart from modifying 47 U.S.C. 230 (aka Section 230). The sponsors released bill text and a one-page summary. They stated:
    • The Invest in Child Safety Act would direct $5 billion in mandatory funding to investigate and target the predators and abusers who create and share child sexual abuse material online. It also directs substantial new funding for community-based efforts to prevent children from becoming victims in the first place. And it would create a new White House office to coordinate efforts across federal agencies, after [the Department of Justice] refused to comply with a 2008 law requiring coordination and reporting of those efforts.
    • The bill would require a historic, mandatory investment in personnel and funding to take on child exploitation, including:
      • Quadruple the number of prosecutors and agents in DOJ’s Child Exploitation and Obscenity Section from 30 FTEs to 120 FTEs;
      • Add 100 new agents and investigators for the Federal Bureau of Investigation’s Innocent Images National Initiative, Crimes Against Children Unit, Child Abduction Rapid Deployment Teams, and Child Exploitation and Human Trafficking Task Forces;
      • Fund 65 new National Center for Missing and Exploited Children (NCMEC) analysts, engineers, and mental health counselors, as well as a major upgrade to NCMEC’s technology platform to enable the organization to more effectively evaluate and process CSAM reports from tech companies;
      • Double funding for the state Internet Crimes Against Children (ICAC) Task Forces; 
      • Double funding for the National Criminal Justice Training Center, to administer crucial Internet Crimes Against Children and Missing and Exploited Children training programs; 
      • Increase funding for evidence-based programs, local governments and non-federal entities to detect, prevent and support victims of child sexual abuse, including school-based mental health services and prevention programs like the Children’s Advocacy Centers and the HHS’ Street Outreach Program;  
      • Require tech companies to increase the time that they hold evidence of CSAM, in a secure database, to enable law enforcement agencies to prosecute older cases; 
      • Establish an Office to Enforce and Protect Against Child Sexual Exploitation, within the Executive Office of the President, to direct and streamline the federal government’s efforts to prevent, investigate and prosecute the scourge of child exploitation; 
      • Require the Office to develop an enforcement and protection strategy, in coordination with HHS and GAO; and 
      • Require the Office to submit annual monitoring reports, subject to mandatory Congressional testimony to ensure timely execution. 
  • The National Institute of Standards and Technology (NIST) released for comment NIST Special Publication (SP) 800-47 Revision 1, Managing the Security of Information Exchanges, which “provides guidance on identifying information exchanges; risk-based considerations for protecting exchanged information before, during, and after the exchange; and example agreements for managing the protection of the exchanged information” per the agency’s press release. NIST explained:
    • Rather than focus on any particular type of technology-based connection or information access, this draft publication has been updated to define the scope of information exchange, describe the benefits of securely managing the information exchange, identify types of information exchanges, discuss potential security risks associated with information exchange, and detail a four-phase methodology to securely manage information exchange between systems and organizations. Organizations are expected to further tailor the guidance to meet specific organizational needs and requirements.
    • NIST is specifically interested in feedback on:
      • Whether the agreements addressed in the draft publication represent a comprehensive set of agreements needed to manage the security of information exchange.
      • Whether the matrix provided to determine what types of agreements are needed is helpful in determining appropriate agreement types.
      • Whether additional agreement types are needed, as well as examples of additional agreements.
      • Additional resources to help manage the security of information exchange.
    • A public comment period for this document is open through March 12, 2021.
  • The European Commission’s (EC) Health and Food Safety Directorate General issued an “Assessment of the EU Member States’ rules on health data in the light of GDPR,” which found “that while the General Data Protection Regulation (GDPR) lays down horizontal directly applicable rules in all Member States, there remains variation in the range of national-level legislation linked to its implementation in the area of health.” The authors of the report added that “[t]his, the study suggests, has led to a fragmented approach in the way that health data processing for health and research is conducted in the Member States…[and] [t]his can negatively impact cross-border cooperation for care provision, healthcare system administration, public health or research.” The authors of the report asserted:
    • The work conducted in the context of the study makes clear that a number of legal and operational issues need to be addressed to ensure that European healthcare systems can make best possible use of data for the three interlinked purposes of primary use for direct patient care, secondary use to support the safe and efficient functioning of healthcare systems, and secondary use to drive health research and innovation. It is clear from the evidence of workshop participants, country correspondents and stakeholder consultation that while the GDPR is a much appreciated piece of legislation, variation in application of the law and national level legislation linked to its implementation have led to a fragmentation of the law which makes cross-border cooperation for care provision, healthcare system administration or research difficult. Furthermore, the interpretation of the law is complex for researchers at national level and patients do not always find it easy to exercise the rights granted by the GDPR.
    • It is clear that addressing these challenges requires a multifaceted approach. The identified future EU level actions to address these challenges, that should be complementary and cumulative, include stakeholders driven codes of conduct, new targeted and sector specific EU level legislation, guidance and support to the cooperation among Member States and relevant stakeholders, but also support for digitalisation, interoperability and digital infrastructures, allowing for the use of data for healthcare, policy making and research and innovation. It is important that these future actions are developed in full respect of principles of proportionality and subsidiarity.
  • The New York State Department of Financial Services (NYDFS) issued a report “detailing the findings of an investigation into the transmission of sensitive user data by application and website designers to Facebook.” NYDFS stated “[f]ollowing a report by the Wall Street Journal, the Governor directed DFS to perform an investigation which found that app developers regularly sent Facebook sensitive data, including medical and personal data, derived from consumers’ usage of third-party websites and applications.” NYDFS stated “[t]he data was then shared with Facebook by app developers as part of Facebook’s free online data analytics services…[and] [t]hough such data-sharing violated Facebook policy, Facebook took few steps to enforce the policy or to block the flow of sensitive data prior to the state’s investigation.” NYDFS asserted:
    • The Department found that consumer data was regularly shared with Facebook by app developers who downloaded Facebook’s Software Development Kit as part of Facebook’s free online data analytics services. Personal data that was wrongfully shared included sensitive and/or medical data such as health diagnoses, blood pressure readings, and even fertility data.
    • The report focuses on the facts surrounding the conduct described by the WSJ, the inadequate controls at Facebook that allowed it to happen, the remedial measures Facebook has undertaken as a result of the DFS investigation, and the Department’s recommendations on how to better protect consumer privacy:
      • Inadequate Controls: Despite the fact that sensitive data has been transmitted to Facebook every day in violation of Facebook policy, prior to the DFS investigation, Facebook did little to track whether app developers were violating its policies and to this day takes no real action against developers that do.
      • Remediation Efforts as a Result of the Department’s Investigation: As a result of the DFS investigation, Facebook built and implemented a screening system that is designed to identify and block sensitive information before it enters the Facebook system. Facebook also enhanced app developer education to better inform developers of their obligations to avoid transmitting sensitive data and took steps to give users more control over data that is collected about them, including from off-Facebook activity.
      • Recommended Further Action: Although Facebook’s remediation efforts are important first steps, Facebook must meaningfully ensure that developers are fully aware of its prohibition on transmitting sensitive data, and the report recommends Facebook do more to prevent developers from transmitting sensitive data in the first place rather than simply relying on a back-end screening system. The report further urges Facebook to take additional steps to police its own rules by putting in place appropriate consequences for doing so.
      • Federal Regulatory Oversight: Current laws and regulations have not kept pace with the technological advancements of the “big data” industry. Although the U.S. Federal Trade Commission has taken some action, consumers would benefit from a comprehensive federal regulatory approach, as noted in the DFS’s Twitter report.
    • The report also supports the adoption of Governor Cuomo’s proposal to enact NYDATA, a comprehensive data privacy law that would significantly enhance privacy protections for New Yorkers. The law would mandate that any entity that collects data on large numbers of New Yorkers disclose the purposes of such collection, and limit the data collected to that purpose.
  • Over 40 privacy, civil liberties, and civil rights groups “called on the Biden administration to 1) place a moratorium on federal use of facial recognition and other biometric technologies, 2) stop state and local governments from purchasing facial recognition services with federal funds, and 3) support the Facial Recognition and Biometric Technology Act” (S.4084).
  • “[A] bipartisan coalition of technology policy organizations” wrote the chairs and ranking members of the subcommittees that control the appropriations for the Federal Trade Commission (FTC) urging them “to provide increased resources for the FTC so that the agency can respond to growing demands and fulfill its mission of protecting consumers and promoting competition in the digital age.” They added:
    • Over the past decade, the agency reported an increase of over 100 percent for consumer complaints, and an increase in premerger filings of over 75 percent. It has recently increased its enforcement activity too, bringing a much higher number of cases in 2020 as compared to prior years. A recent financial report by the Commission noted, “constraints from stagnant financial resources are further magnified by increasing costs and rising expectations from the American public.”
    • To address this institutional gap, we urge you to provide a significant increase to the Commission’s gross budget authority for FY 2021. We expect that even a substantial increase would have a minimal impact on the national debt, considering the revenue generating activities of the Commission. Additionally, to minimize the burden on taxpayers, Congress should consider increasing the authorized limit for offsetting collections, and adjust HSR fees with indexing to inflation.
  • The International Standards Organization (ISO) published “[t]wo new ISO guidance documents…to help organizations ensure the best possible frameworks and keep them cybersecure:
    • Developed in collaboration with the International Electrotechnical Commission (IEC), ISO/IEC TS 27110, Information technology, cybersecurity and privacy protection – Cybersecurity framework development guidelines, specifies how to create or refine a robust system to protect against cyber-attacks.
    • ISO/IEC TS 27100, Information technology – Cybersecurity – Overview and concepts, which defines cybersecurity, establishes its context in terms of managing information security risks when information is in digital form, and describes relevant relationships including how cybersecurity is related to information security.

Coming Events

  • On 23 February, the Senate Intelligence Committee will hold a “Hearing on the Hack of U.S. Networks by a Foreign Adversary” with these witnesses:
    • Kevin Mandia, CEO, FireEye
    • Sudhakar Ramakrishna, CEO, SolarWinds
    • Brad Smith, President, Microsoft
    • George Kurtz, President and CEO, CrowdStrike
  • On 24 February, the House Energy and Commerce Committee’s Communications and Technology Subcommittee will hold a hearing titled “Fanning the Flames: Disinformation and Extremism in the Media” with these witnesses:
    • Soledad O’Brien, Anchor, Matter of Fact and CEO, Soledad O’Brien Productions
    • Emily Bell, Director, The Tow Center for Digital Media, Columbia University
    • Kristin Danielle Urquiza, Co-Founder, Marked by COVID
    • Jonathan Turley, Professor, The George Washington University Law School
  • The House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold a hearing titled “Reviving Competition, Part 1: Proposals to Address Gatekeeper Power and Lower Barriers to Entry Online” on 25 February.
  • On 17 March, the Federal Communications Commission (FCC) will hold an open meeting but an agenda has not yet been released.
  • The House Energy and Commerce Committee’s Communications and Technology and Consumer Protection and Commerce Subcommittees will hold a joint hearing on 25 March “on misinformation and disinformation plaguing online platforms” with these witnesses: Facebook CEO Mark Zuckerberg, Google CEO Sundar Pichai, and Twitter CEO Jack Dorsey.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Maxim Hopman on Unsplash

An Online Misinformation Hearing Splits Along Predictable Lines

A key House committee begins its inquiry into misinformation, which implicates Section 230 legal protections.

One House committee picked up its inquiry into lies, misinformation, disinformation, extremism, terrorism, and online media. The House Energy and Commerce Committee’s Communications and Technology Subcommittee held a hearing titled “Fanning the Flames: Disinformation and Extremism in the Media” with witnesses from the policy realm. On 25 March, the committee will hear from the major social media platforms, which will testify on misinformation and disinformation. Moreover, given the interest among Democrats and Republicans, this will undoubtedly not be the last hearing the committee holds on this issue. The bigger question is whether the Democratic majority will be able to fashion legislation to reform 47 USC 230 (Section 230) or establish other means to combat misinformation, disinformation, and lies. Republicans tend to focus on the problems arising from a supposed bias online against conservatives (never proven and frequently disproven[1]). In short, the likelihood of agreeing on legislation to address the ills of the online world and how they affect the real world is very low.

Chair Frank Pallone Jr (D-NJ) pushed back on the narrative that the hearing and Democrats were part of a plan to impinge on First Amendment rights, a claim Republicans frequently make. He asserted that while Congress cannot pass laws that “inappropriately limit speech,” Congress need not sit idly by while misinformation causes public harm, pointing to Supreme Court rulings that allow some regulation of free speech rights. Pallone asserted this inquiry will pose questions that may be uncomfortable to some stakeholders. For example, he suggested social media platforms may be profiting off of extreme and conspiratorial content. Pallone also pointed the finger at “traditional media outlets,” which he accused of spreading misinformation and disinformation. Pallone said the 6 January insurrection and the death toll of COVID-19 in the United States (U.S.) can both be traced in large part to online disinformation, which has often been amplified by traditional media.

Ranking Member Cathy McMorris Rodgers (R-WA) argued the hearing is a “direct attack on the First Amendment.” She contended that condemning the “January 6th attack” and upholding truth and facts are shared bipartisan goals. McMorris Rodgers characterized the motives of the Democratic majority as being contrary to these shared values in scheduling “a hyper-partisan hearing to shame and blame.” She claimed if Democrats did not want this, they would not have sent “letters pressuring companies to block conservative media outlets.” McMorris Rodgers asserted all media and defenders of the First Amendment should be concerned about the hearing. She then made the rather interesting argument that public officials using their platform to pressure media outlets is reminiscent of the People’s Republic of China, a claim that seemingly omits the pressure social media companies have faced in public hearings over the last few years from Republicans[2] to say nothing of the reporting showing companies like Facebook have bent over backwards not to punish conservative figures and content when they have violated terms of service[3]. Nonetheless, she alluded to Justice Oliver Wendell Holmes’ argument that the best way to manage bad speech was to best it with better speech.

McMorris Rodgers decried an alleged Democratic “censorship campaign[4] over the news they disagree with” and called on Pallone and others to denounce it. She argued that if this campaign were to succeed, the “liberal media” would cease to exist. She then went on to make the novel case that under this standard CNN could be punished for televising New York Governor Andrew Cuomo’s press conferences during the pandemic now that an alleged coverup of neglect and disregard of nursing homes has come to light. McMorris Rodgers said the same of MSNBC, accusing it “of pushing the false ‘Russia collusion’ narrative,” which she said other journalists proved was “false.” McMorris Rodgers then went on to touch the other talking points of the right regarding “woke culture,” “cancel culture,” and a liberal social hegemony over the United States that is oppressing those not in agreement.

Subcommittee Chair Mike Doyle (D-PA) largely echoed Pallone’s opening statement and asserted:

  • Partisanship and polarization in the media has been building for years, but these more recent events reflect a frightening escalation.
  • These changes have given rise to national media entities that are more focused on the kind of tactics we see from social media companies – they engage their viewers by enraging them and further dividing us – and our nation.
  • We’ve also seen the rise of news as entertainment – where the claims of anchors and commentators are likened to performance art. When they are challenged in court, the lawyers from their own networks even claim that no reasonable person could believe these people are speaking the truth or reporting facts.
  • When truth becomes a commodity – to be traded upon for profit – and facts and consequences don’t matter to those who report them, our democracy is undermined. It is the responsibility of this Subcommittee to hold these institutions to a higher standard.

Subcommittee Ranking Member Bob Latta (R-OH) echoed McMorris Rodgers in asserting the hearing was not bipartisan and referenced the letter Representatives Anna Eshoo (D-CA) and Jerry McNerney sent to 12 cable companies and platforms[5]. Latta claimed “the Majority’s intent behind today’s hearing is to fan the flames of silencing certain viewpoints in America by trying to suppress and censor speech, a concept that has the potential to destroy our Democracy.” He went on to argue Democrats are somehow claiming the 6 January “attacks” are the fault of the media and not the people who stormed the Capitol seeking to stop the certification of the Electoral College results. Latta argued Democrats have thrown away bipartisan progress in the last Congress on the issues raised by the hearing because “they disdain President Trump.” He stated “I cannot imagine any legislative remedy that would not implicate the First Amendment,” hinting any legislation would be found in violation of the U.S. Constitution.

Matter of Fact Anchor Soledad O’Brien called out her former employer, CNN, for enabling Lou Dobbs by legitimizing his 2005 lie about leprosy numbers to smear illegal immigrants, “which emboldened Dobbs and so many other racist provocateurs while sidelining critical reporting.” She further asserted “[m]edia disguised as journalism has been spreading lies for years, elevating liars, and using the ensuing slugfest to chase ratings, hits, subscriptions and advertisers.” O’Brien lamented the demise of facts and local media in the U.S. and said television media, especially cable channels, have become “a place where facts go to die.” Nonetheless, she argued:

Congress can’t, and shouldn’t, regulate journalism in defiance of the First Amendment. It’s enough that Congress underfunds and politicizes public media even as it strives to bring basic news to scores of communities big and small. What Congress can do is shed light on how irresponsible media contributes to disinformation in ways that have consequences for democracy.

Consequently, she called on the media to amend its ways and identified a number of steps the media could take:

  • Don’t book liars or advance lies. Sure, cover the fact that lies and propaganda are being disseminated but don’t book people to lie on your show because it elevates them and presents them as another “side.”
  • Get out of the office and interview people all over the country of all different backgrounds. Cable TV, in particular, infuriates Americans with elitist and tone-deaf coverage that often ignores the plight of regular people.
  • Stop posing every story as having two sides when some stories have many sides and are more complicated. Take the time to unravel and report and give history and context.
  • Every perspective doesn’t deserve a platform. Media thrives on the open exchange of ideas but that doesn’t mean you have to book a Neo-Nazi every time you book someone who is Jewish. Balance does not mean giving voice to liars, bigots and kooks.
  • Stop saying you want a diverse staff and go hire one — fast. A diversity of staff is not just fair, but it helps you reach into different communities and tell an accurate story of America. The public will trust you again if you tell the truth of who lives in this country and report accurately on communities.
  • Make sure that reporting and anchoring staff adheres to professional standards by consistently speaking in a fair, accurate and balanced reportorial voice that is absent opinion. People who traffic in opinion should do only that and be labeled as that.
  • Recognize that objectivity means having an open mind, not a lack of judgment. If you don’t call a lie a lie or racism, racism, you empower the liar or the racist.
  • Reject the majority rule mentality in journalism. Just because a lot of people believe something doesn’t make it real, true or reasonable.
  • Support efforts to challenge media who disseminate misinformation, particularly in vulnerable communities. Answering hard questions just makes us stronger.

Columbia University’s Tow Center for Digital Media Director Emily Bell stated:

  • For the past 25 years, the broadcast and print industries have been disrupted by the rise of new platforms which democratized the distribution, circulation and monetization of media. The gatekeeping function of broadcast and print media has gone, and shifted to the aggregation and search platforms of companies such as Facebook, Twitter and Google. Two players, Google and Facebook, now dominate a digital advertising market which was once the key support mechanism for funding free news media. Whilst news media companies have benefited from digital in terms of audience growth, the disruption to the advertising model particularly for non broadcast media has had an enormous impact.
  • A forty year path of deregulation has transformed the US media landscape in both economic and political terms. The abandonment of the Fairness Doctrine in 1987 paved the way for the late Rush Limbaugh and other opinionated broadcasters to address audiences on matters of political sensitivity and public interest without an obligation to provide contrasting views or context, and the establishment of Fox News in 1996 brought similar sensibilities to cable news. The Telecommunications Act of 1996, including the Communications Decency Act, and more recently the 2017 roll back of rules restricting cross-media ownership and physical presence in local media markets by the Federal Communications Commission are all significant liberalizing measures. However, these changes also mean that the content produced and carried by powerful media entities – old and new – is unfettered of obligations towards fairness or even truth.
  • It is impossible to know precisely what actions might have mitigated or avoided the shocking events of 2020 and 2021. A president who regularly denigrated the press has undermined trust in all but the most loyal outlets. The commercial success of Fox News, Sinclair Broadcasting, OANN and NewsMax serves to remind us there are few penalties for deploying misinformation. The markets and technologies that enabled the seamless manufacture of vast amounts of misinformation are the outcome of editorial, product and policy decisions. We are at the end of a forty-year arc of deregulation during which the environment has optimized for growth and innovation rather than for civic cohesion and inclusion.
  • There is an opportunity for America to identify and act on the priorities that are already known to work against extremism and disengagement. Finding the means to fund and sustain more independent local reporting is a burning priority. The gap between abundant polarizing national coverage and scarce local accountability journalism is widening. Civic journalism representative of the communities it serves, could be established and strengthened through a reform agenda which takes the information needs of communities seriously. This should not be a luxury but a right.

Marked by COVID Co-Founder Kristin Danielle Urquiza discussed how her father’s consumption of and belief in Fox News’ misinformation about COVID-19 was a direct cause of his death at 65.

George Washington University Law School Professor Jonathan Turley stated:

As will come as no surprise to those familiar with my prior writings, I maintain what was once a mainstream view of free speech. I believe that free speech is the greatest protection against bad speech. That view is admittedly under fire and indeed may be a minority view today, but history has shown that public or private censorship does not produce better speech. It is a self-replicating and self-perpetuating path that only produces more censorship and more controlled speech. I encourage you (indeed I implore you) not to proceed down that slippery slope toward censorship.

Turley added:

  • The election coverage is a good example of how free speech offers its own protections. Many of us countered claims of systemic electoral fraud in covering the election challenges. While some individuals remain unconvinced, many more would still harbor doubts if Big Tech or Congress had succeeded in silencing those raising such questions. Instead, viewers could hear opposing views on channels like Fox with experts who overwhelmingly noted that no compelling evidence had been presented in court. Those conclusions were more compelling because they came from analysts and reporters who were open to reviewing such evidence while stressing that it had not been produced. It is the difference between a process geared toward reaching conclusions and a process of dictating conclusions. However, this process requires trust. A free and open forum for communication was the original and perfect design for the Internet. And here, once again, the Constitution could offer the clarity of that original meaning to limit the detail to the perfect. To paraphrase the First Amendment, Twitter and carriers can hold to a simple static, “originalist” position: It should “make no policy abridging the freedom of speech or the press.”
  • Rather than seek to silence others (or whole networks), there is an alternative way to combat bad speech. Congress should focus on publishing data and information that supports citizens in reaching their own conclusions. I am not speaking of processed or conclusory reports, but objective material for citizens to consider. There is a palpable mistrust of Congress and the media in framing information. That can be addressed through greater transparency and access to information.
  • I admit that I may be a relic in my views, but I continue to believe that the greatest protection against bad speech is better speech. I sometimes tell my students that free speech often metaphorically divides those who prefer oceans to swimming pools. Those seeking limits often speak of free speech like it is a swimming pool that must be monitored and carefully controlled for purity and safety. I view it as more of a rolling ocean. It is indeed dangerous, but it is also majestic and inspiring. Its immense size also allows for a natural balance. Free speech allows false ideas to be challenged in the open rather than driving dissenting viewpoints beneath the surface. However, free speech, like other constitutional values, requires a leap of faith. Faith, not only in free speech, but in ourselves. Citizens are capable of educating and informing themselves. They do not need politicians or corporate filters to protect them from speech deemed misleading, false or inciting. History has shown that the far greater danger is found, not in these individual speakers, but the empowered censors in a system of speech control.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Markus Spiske on Unsplash


[1] For example, these data from CrowdTangle show the top links on Facebook on 1 March being from conservatives. Of course, Facebook is not the end all, be all of social media (sorry, Mark Zuckerberg), but this would evidence contrary to this by now article of faith on the right.

[2] For example, this 2017 letter entered into the hearing record from Representative Anna Eshoo (D-CA) to the Federal Communications Commission (FCC) urging it not to heed then President Donald Trump’s tweet to challenge and revoke NBC’s broadcasting license. Of course, this is not a Republican Member, and some may quibble by saying this was a tweet and not an official platform. Well, judging by many conservatives’ reaction to Twitter permanently banning Trump in January, one got the impression they very much think Twitter is a vital part of any politician’s means of communicating and shaping policy. Moreover, then FCC Chair Ajit Pai went out of his way at a public event to reaffirm the FCC’s commitment to the First Amendment, a not very subtle means of pushing back on Trump’s tweet. Finally, a search of McMorris Rodgers’ press releases turned up no statement on this incident or the many others in which Trump seemed to do the very thing she is claiming Democrats are doing.

[3] “Mark Changed The Rules”: How Facebook Went Easy On Alex Jones And Other Right-Wing Figures” By Ryan Mac and Craig Silverman — BuzzFeed News. Another disquieting view into Facebook from BuzzFeed News. The reporters draw a straight line from CEO Mark Zuckerberg softening a ban on Alex Jones-related content to the insurrection on 6 January 2021. Moreover, as has been reported many times, Vice President Joel Kaplan’s influence has consistently made the platform much more lenient on conservative figures and content, including many extremists. And this is not the first article based on sources inside Facebook accusing Kaplan (a former George W. Bush White House staffer) of bending the rules for conservative figures and outlets.

[4] Apparently, she is referring to this 22 February 2021 letter sent by Representatives Anna Eshoo (D-CA) and Jerry McNerney (D-CA) to AT&T, Verizon, Roku, Amazon, Apple, Comcast, Charter, Dish, Cox, Altice, Alphabet, and Hulu. Eshoo and McNerney are “urging them to combat the spread of misinformation and requesting more information about their actions to address misinformation, disinformation, conspiracy theories, and lies spread through channels they host.”

[5] See previous footnote.

Further Reading, Other Developments, and Coming Events (17 February 2021)

Further Reading

Other Developments

  • The new leadership at the United States (U.S.) Department of Justice (DOJ) has withdrawn from the litigation brought by its predecessors against California over its net neutrality law. This case was brought after California and other states enacted such laws after the Trump era Federal Communications Commission (FCC) repealed the Obama era FCC’s net neutrality rules. In its motion, the DOJ stated it “hereby gives notice of its voluntary dismissal of this case,” which the court soon thereafter granted. However, there is another lawsuit being waged against the California law by a number of cable trade associations, including the American Cable Association, CTIA – The Wireless Association, NCTA – The Internet & Television Association, and USTelecom – The Broadband Association.
    • Acting FCC Chair Jessica Rosenworcel asserted in her press release:
      • I am pleased that the Department of Justice has withdrawn this lawsuit.  When the FCC, over my objection, rolled back its net neutrality policies, states like California sought to fill the void with their own laws.  By taking this step, Washington is listening to the American people, who overwhelmingly support an open internet, and is charting a course to once again make net neutrality the law of the land.
    • In 2014, the United States Court of Appeals for the District Of Columbia Circuit (D.C. Circuit) struck down a 2010 FCC net neutrality order in Verizon v. FCC, but the court did suggest a path forward. The court held the FCC “reasonably interpreted section 706 to empower it to promulgate rules governing broadband providers’ treatment of Internet traffic, and its justification for the specific rules at issue here—that they will preserve and facilitate the “virtuous circle” of innovation that has driven the explosive growth of the Internet—is reasonable and supported by substantial evidence.” The court added that “even though the Commission has general authority to regulate in this arena, it may not impose requirements that contravene express statutory mandates…[and] [g]iven that the Commission has chosen to classify broadband providers in a manner that exempts them from treatment as common carriers, the Communications Act expressly prohibits the Commission from nonetheless regulating them as such.” However, in 2016, the same court upheld the 2015 net neutrality regulations in U.S. Telecom Association v. FCC, and this court is hearing a challenge to the FCC’s 2017 order in Mozilla v. FCC.
    • In the fall of 2019, in a highly anticipated decision, the D.C. Circuit upheld most of the FCC’s repeal of its earlier net neutrality rule (i.e., In re Restoring Internet Freedom, 33 FCC Rcd. 311 (2018)). However, the D.C. Circuit declined to accept the FCC’s attempt to preempt all contrary state laws and struck down this part of the FCC’s rulemaking. Consequently, states and local jurisdictions may now be free to enact regulations of internet services along the lines of the FCC’s now repealed Open Internet Order.
    • In September 2018, then-Governor Jerry Brown signed into law SB 822, summarized thusly:
      • This bill would enact the California Internet Consumer Protection and Net Neutrality Act of 2018. This act would prohibit fixed and mobile Internet service providers, as defined, that provide broadband Internet access service, as defined, from engaging in specified actions concerning the treatment of Internet traffic. The act would prohibit, among other things, blocking lawful content, applications, services, or nonharmful devices, impairing or degrading lawful Internet traffic on the basis of Internet content, application, or service, or use of a nonharmful device, and specified practices relating to zero-rating, as defined. It would also prohibit fixed and mobile Internet service providers from offering or providing services other than broadband Internet access service that are delivered over the same last-mile connection as the broadband Internet access service, if those services have the purpose or effect of evading the above-described prohibitions or negatively affect the performance of broadband Internet access service.
  • President Joe Biden announced the formation of a Department of Defense (DOD) China Task Force in remarks at the Pentagon. Biden said:
    • The task force will work quickly, drawing on civilian and military experts across the Department, to provide, within the next few months, recommendations to [Secretary of Defense Lloyd] Austin on key priorities and decision points so that we can chart a strong path forward on China-related matters. It will require a whole-of-government effort, bipartisan cooperation in Congress, and strong alliances and partnerships.
    • That’s how we’ll meet the China challenge and ensure the American people win the competition of the future.
    • In a press release, the DOD explained further:
      • Ely Ratner, a special assistant to Secretary of Defense Lloyd J. Austin III, will lead the effort. The task force has four months to develop recommendations for senior defense leaders.
      • Defense officials called the task force a “sprint effort” that will examine high-priority topics including strategy, operational concepts, technology and force structure, force posture and force management and intelligence. The task force will also examine U.S. alliances and partnerships and their impact on Sino-American relations and DOD relations with China.
      • The 15-member task force will come from a wide swath of the department and include the Office of the Secretary of Defense staff, the Joint Staff, the services, the combatant commands and representatives from the intelligence community.
      • The task force will also speak with interagency partners to ensure the defense response is aligned with the whole-of-government approach toward China that the president wants.
  • The United States (U.S.) Department of Labor (DOL) and Google settled claims the tech giant was discriminating against female and Asian American engineering applicants. In its statement, the DOL said it had reached agreement with Google “to resolve allegations of systemic compensation and hiring discrimination at the company’s California and Washington State facilities and will pay over $3.8 million to more than 5,500 current employees and job applicants.” The DOL added:
    • During a routine compliance evaluation, the department’s Office of Federal Contract Compliance Programs identified pay disparities affecting female employees in software engineering positions at its facilities in Mountain View, and in Seattle and Kirkland, Washington. The agency also identified hiring rate differences that disadvantaged female and Asian applicants for software engineering positions at Google’s locations in San Francisco and Sunnyvale, and in Kirkland.   
    • Under the terms of the early resolution conciliation agreement, Google agreed to the following:
      • To pay $3,835,052 to resolve OFCCP’s allegations, namely $1,353,052 in back pay and interest to 2,565 female employees in engineering positions subject to pay discrimination; and $1,232,000 in back pay and interest to 1,757 female and 1,219 Asian applicants for software engineering positions not hired.
      • Allocate a cash reserve of at least $1,250,000 in pay-equity adjustments for the next 5 years for U.S. employees in engineering positions at Google’s Mountain View, Kirkland, Seattle and New York establishments, locations that house approximately 50 percent of Google’s engineering employees nationwide. Google has provided job opportunities to 51 female and 17 Asian applicants for software engineering positions.
    • Google agreed to enhance future compliance proactively and review its current policies, procedures and practices related to hiring, compensation; conduct analyses; and take corrective action to ensure non-discrimination. 
  • The National Institute of Standards and Technology (NIST) has issued supplemental materials designed to help federal agencies, their private sector partners, and other interested parties on one of the agency’s foundational security guides. NIST explained:
    • New and updated supplemental materials for NIST Special Publication (SP) 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, and NIST SP 800-53B, Control Baselines for Information Systems and Organizations, are available for download to support the December 10, 2020, errata release of SP 800-53 and SP 800-53B
      • Both spreadsheets have been preformatted for improved data visualization and allow for alternative views of the catalog and baselines. Users can also convert the contents to different data formats, including text only, comma-separated values (CSV), and other formats that can provide greater flexibility (e.g., by ingesting it into an existing product or platform and/or to facilitate automation). The spreadsheets were created from the Open Security Controls Assessment Language (OSCAL) version of the SP 800-53 Rev. 5 controls, which is offered as a supplemental material to the publications.
  • Senators John Thune (R-SD), Jon Tester (D-MT), Roger Wicker (R-MS), Gary Peters (D-MI), and Jerry Moran (R-KS) “reintroduced the “Telecommunications Skilled Workforce Act,” (S.163) legislation to address the shortage of trained workers necessary to fill next-generation jobs in the telecommunications industry in communities throughout the country” per their press release. They claimed “The Telecommunications Skilled Workforce Act would address the shortage of trained workers necessary to fill next-generation jobs by:
    • Establishing a Federal Communications Commission (FCC)-led interagency working group that, in consultation with the Department of Labor (DOL) and other federal and non-federal stakeholders, would be tasked with developing recommendations to address the workforce needs of the telecommunications industry.
    • Requiring the FCC, in consultation with DOL, to issue guidance on how states can address the workforce shortage in the telecommunications industry by identifying all of the federal resources currently available to them that can be used for workforce development efforts.
    • Directing the Government Accountability Office to conduct a study to determine the specific number of skilled telecommunications workers that will be required to build and maintain broadband infrastructure in rural areas and the 5G wireless infrastructure needed to support 5G wireless technology.
  • Senate Banking, Housing and Urban Development Committee Chair Sherrod Brown (D-OH) and Senator Cory Booker (D-NJ) along with other Democratic colleagues wrote current Amazon CEO Jeff Bezos, and his successor, Amazon Web Services CEO Andy Jassy expressing “support for Amazon workers seeking to organize a union with the Retail, Wholesale and Department Store Union (RWDSU), and pushed the company to take this opportunity to recognize the true value of its workers to the company’s success and treat them as the critical assets they are.” Brown, Booker, and their colleagues stated “[t]he letter comes ahead of an upcoming election in Bessemer, Alabama, where Amazon warehouse workers will vote to form a union that will represent full and part-time workers.” They argued:
    • Amazon should view this as an opportunity to demonstrate its commitment to its stated values. Though Amazon has referred to their workers as “heroes fighting for their communities and helping people get critical items they need,” Amazon’s treatment of its workforce has not always reflected that. From using so-called “flex” workers to avoid paying full benefits to your employees, to failing to provide complete data on COVID-19 spread in the workplace, to spying on employees seeking to organize a union, Amazon has not always treated its workers with the dignity they deserve. During this campaign in Alabama, employees seeking to unionize have received misleading text messages, been overwhelmed by anti-union propaganda, and faced attempts to force in person voting during a pandemic that has resulted in the deaths of [nearly 500,000] Americans. All of these efforts represent disgraceful attempts to coerce Amazon employees out of exercising their voices and their rights under the National Labor Relations Act.
    • The upcoming election in Bessemer, Alabama is an opportunity for a reset. We ask that Amazon follow the law and allow their employees to freely exercise their right to organize this union. We will be paying close attention to the way Amazon conducts itself during this vote and call on Amazon to ensure an election for its workers in Alabama that honors the dignity of work.
  • Senate Armed Services Committee Chair Jack Reed (D-RI), Senate Budget Committee Chair Bernie Sanders (I-VT), Senator Sheldon Whitehouse (D-RI), and Senate Finance Committee Chair Ron Wyden (D-OR) introduced the “Build America’s Libraries Act” (S. 127), which would set up a new source of funding for United States public libraries to upgrade, including new technology and broadband. They explained:
    • This legislation would provide $5 billion over three years to build and modernize public libraries, including addressing needs that have arisen due to COVID–19, to enable libraries to better serve and engage their communities, particularly in underserved areas.  These federal funds could be utilized to help construct new libraries, build additions, improve accessibility, update technology and broadband infrastructure, enhance energy efficiency standards, and renovate and modernize facilities to better meet the evolving learning and information needs of the American public.
  • Ireland’s Data Protection Commission (DPC) is being pressured by another stakeholder over its handling of its responsibilities as perhaps the most prominent supervisory authority under the General Data Protection Regulation (GDPR). A key committee in the European Union’s parliament looks to be starting the process under which the European Commission could seek to penalize Ireland for not properly enforcing the bloc’s data protection rules. This effort arises from the criticism over the DPC’s management of the complaint and subsequent court cases over Facebook’s compliance with the GDPR in light of United States (U.S.) mass electronic surveillance. The European Parliament’s Civil Liberties, Justice and Home Affairs Committee introduced a draft resolution expressing the Parliament’s position vis-à-vis the DPC, notably the initiation of an infringement procedure:
    • shows deep concern that several complaints against breaches of the GDPR filed on 25th May 2018, have not yet been decided by the Irish Data Protection Commissioner, which is the lead authority for these cases; strongly condemns the attempt of the Irish Data Protection Authority to shift the costs of the judicial procedure to Maximilian Schrems, which would have created a massive chilling effect; calls on the Commission to start infringement procedures against Ireland for not properly enforcing the GDPR;
    • In a 2020 assessment of the GDPR after two years of being operative, the European Commission (EC) singled out Ireland and Luxembourg for not providing adequate resources to their data protection authorities:
      • Given that the largest big tech multinationals are established in Ireland and Luxembourg, the data protection authorities of these countries act as lead authorities in many important cross-border cases and may need larger resources than their population would otherwise suggest. However, the situation is still uneven between Member States and is not yet satisfactory overall.

Coming Events

  • On 17 February, the House Energy and Commerce Committee’s Communications and Technology Subcommittee will hold a hearing titled “Connecting America: Broadband Solutions to Pandemic Problems” with these witnesses:
    • Free Press Action Vice President of Policy and General Counsel Matthew F. Wood
    • Topeka Public Schools Superintendent Dr. Tiffany Anderson
    • Communications Workers of America President Christopher M. Shelton
    • Wireless Infrastructure Association President and CEO Jonathan Adelstein
  • On 17 February, the Federal Communications Commission (FCC) will hold an open meeting, its first under acting Chair Jessica Rosenworcel, with this tentative agenda:
    • Presentation on the Emergency Broadband Benefit Program. The Commission will hear a presentation on the creation of an Emergency Broadband Benefit Program. Congress charged the FCC with developing a new $3.2 billion program to help Americans who are struggling to pay for internet service during the pandemic.
    • Presentation on COVID-19 Telehealth Program. The Commission will hear a presentation about the next steps for the agency’s COVID-19 Telehealth program. Congress recently provided an additional $249.95 million to support the FCC’s efforts to expand connected care throughout the country and help more patients receive health care safely.
    • Presentation on Improving Broadband Mapping Data. The Commission will hear a presentation on the work the agency is doing to improve its broadband maps. Congress directly appropriated $65 million to help the agency develop better data for improved maps.
    • Addressing 911 Fee Diversion. The Commission will consider a Notice of Proposed Rulemaking that would implement section 902 of the Don’t Break Up the T-Band Act of 2020, which requires the Commission to take action to help address the diversion of 911 fees by states and other jurisdictions for purposes unrelated to 911. (PS Docket Nos. 20-291, 09-14)
    • Implementing the Secure and Trusted Communications Networks Act. The Commission will consider a Third Further Notice of Proposed Rulemaking that proposes to modify FCC rules consistent with changes that were made to the Secure and Trusted Communications Networks Act in the Consolidated Appropriations Act, 2021. (WC Docket No. 18-89)
  • On 18 February, the House Financial Services Committee will hold a hearing titled “Game Stopped? Who Wins and Loses When Short Sellers, Social Media, and Retail Investors Collide” with Reddit Co-Founder and Chief Executive Officer Steve Huffman testifying along with other witnesses.
  • The U.S.-China Economic and Security Review Commission will hold a hearing titled “Deterring PRC Aggression Toward Taiwan” on 18 February.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

Photo by CDC on Unsplash

Further Reading, Other Developments, and Coming Events (16 February 2021)

Further Reading

  • “India cuts internet around New Delhi as protesting farmers clash with police” By Esha Mitra and Julia Hollingsworth — CNN; “Twitter Temporarily Blocked Accounts Critical Of The Indian Government” By Pranav Dixit — BuzzFeed News. Prime Minister Narendra Modi’s government again shut down the internet as a way of managing unrest or discontent with government policies. The parties out of power have registered their opposition, but the majority seems intent on using this tactic time and again. One advocacy organization named India as the nation with the most shutdowns in 2019, by far. The government in New Delhi also pressed Twitter to take down tweets and accounts critical of the proposed changes in agricultural law. Twitter complied per its own policies and Indian law and then later restored the accounts and tweets.
  • “Lacking a Lifeline: How a federal effort to help low-income Americans pay their phone bills failed amid the pandemic” By Tony Romm — The Washington Post. An excellent overview of this Federal Communications Commission (FCC) program and its shortcomings. The Trump-era FCC blunted and undid Obama-era FCC reforms designed to make the eligibility of potential users easier to discern, among other changes. At the end of the day, many enrollees are left with a fixed number of minutes for phone calls and 4GB of data a month, or roughly what my daughter often uses in a day.
  • “She exposed tech’s impact on people of color. Now, she’s on Biden’s team.” By Emily Birnbaum — Protocol. The new Deputy Director for Science and Society in the Office of Science and Technology Policy (OSTP) is a former academic and researcher who often focused her studies on the intersection of race and technology, usually how the latter failed minorities. This is part of the Biden Administration’s fulfillment of its campaign pledges to establish a more inclusive White House. It remains to be seen how the administration will balance the views of those critical of big technology with those hailing from big technology, as a number of former high-ranking employees have already joined or are rumored to be joining the Biden team.
  • “Vaccine scheduling sites are terrible. Can a new plan help Chicago fix them?” By Issie Lapowsky — Protocol. As should not be shocking, many jurisdictions across the country have problematic interfaces for signing up for vaccination against COVID-19. It sounds reminiscent of the problems that plagued the Obamacare exchanges rollout, in that potentially well thought out policy was marred by a barely thought out public face.
  • “Google launches News Showcase in Australia in sign of compromise over media code” By Josh Taylor — The Guardian; “Cracks in media code opposition as Microsoft outflanks Google and Facebook” By Lisa Visentin — The Sydney Morning Herald. Both Google and Canberra seem to be softening their positions as the company signed up a number of major media outlets for its News Showcase, a feature to be made available in Australia that will compensate the news organizations at an undisclosed level. However, a few major players, Nine, News Corp., and the Australian Broadcasting Corporation, have not joined, with Nine saying it will not. Google’s de-escalation of rhetoric and tactics will likely allow Prime Minister Scott Morrison’s government to relax the proposed legislation that would mandate Google and Facebook compensate Australian news media (i.e., the News Media and Digital Platforms Mandatory Bargaining Code.) Microsoft’s theoretical entrance into the Australian market through Bing, if Google and Facebook actually leave or limit their presence, seems to undercut the latter two companies’ position that the new code is unworkable. It is not clear if Microsoft is acting earnestly or floating a possible scenario so that the other companies are cast in a bad light. In any event, critics of the platforms say the fight is not about the technical feasibility of compensating news media but rather about establishing a precedent of paying for content the platforms now get essentially for free. Other content creators and entities could start demanding payment, too. An interesting tidbit from the second article: Canada may soon join Australia and the European Union in enacting legislation requiring Big Tech to pay its media companies for using their content (i.e., “a more equitable digital regulatory framework across platforms and news media” according to a minister.)

Other Developments

  • The Maryland legislature overrode Governor Larry Hogan’s (R) veto, and the first tax on digital advertising has been enacted in the United States. The “Taxation – Tobacco Tax, Sales and Use Tax, and Digital Advertising Gross Revenues Tax” (HB0732) imposes a tax on digital advertising in the state and may be outside a federal bar on certain taxes on internet services. However, with the veto overridden, there will inevitably be challenges, and quite likely a push in Congress to enact a federal law preempting such digital taxes. Additionally, the primary sponsor of the legislation has introduced another bill barring companies from passing along the costs of the tax to Maryland businesses and consumers.
    • In a bill analysis, the legislature asserted about HB0732:
      • The bill imposes a tax on the annual gross revenues of a person derived from digital advertising services in the State. The bill provides for the filing of the tax returns and making tax payments. The part of the annual gross revenues of a person derived from digital advertising services in the State are to be determined using an apportionment fraction based on the annual gross revenues of a person derived from digital advertising services in the State and the annual gross revenues of a person derived from digital advertising services in the United States. The Comptroller must adopt regulations that determine the state from which revenues from digital advertising services are derived.
      • The digital advertising gross revenues tax is imposed at the following rates:
        • 2.5% of the assessable base for a person with global annual gross revenues of $100.0 million through $1.0 billion;
        • 5% of the assessable base for a person with global annual gross revenues of $1.0 billion through $5.0 billion;
        • 7.5% of the assessable base for a person with global annual gross revenues of $5.0 billion through $15.0 billion; and
        • 10% of the assessable base for a person with global annual gross revenues exceeding $15.0 billion.
    • In his analysis, Maryland’s Attorney General explained:
      • House Bill 732 would enact a new “digital advertising gross revenues tax.” The tax would be “imposed on annual gross revenues of a person derived from digital advertising services in the State.” Digital advertising services are defined in the bill to include “advertisement services on a digital interface, including advertisements in the form of banner advertising, search engine advertising, interstitial advertising, and other comparable advertising services.” The annual gross revenues derived from digital advertising services is set out in a formula in the bill.
      • Attorney General Brian Frosh conceded there will be legal challenges to the new Maryland tax: there are “three grounds on which there is some risk that a reviewing court would find that the tax is unconstitutional: (1) preemption under the federal Internet Tax Freedom Act; (2) the Commerce Clause; and, (3) the First Amendment.”
  • Democratic Members introduced the “Secure Data and Privacy for Contact Tracing Act” (H.R.778/S.199) in both the House and Senate, legislation that “would provide grants to states that choose to use technology as part of contact tracing efforts for COVID-19 if they agree to adopt strong privacy protections for users” per their press release. Representatives Jackie Speier (D-CA) and Debbie Dingell (D-MI) introduced the House bill and Senators Brian Schatz (D-HI) and Tammy Baldwin (D-WI) the Senate version. Speier, Dingell, Schatz, and Baldwin contended “[t]he Secure Data and Privacy for Contact Tracing Act provides grant funding for states to responsibly develop digital contact tracing technologies consistent with the following key privacy protections:
    • Digital contact tracing tech must be strictly voluntary and provide clear information on intended use.
    • Data requested must be minimized and proportionate to what is required to achieve contact tracing objectives.
    • Data must be deleted after contact tracing processing is complete, or at the end of the declaration of emergency.
    • States must develop a plan for how their digital contact tracing technology complements more traditional contact tracing efforts and describe efforts to ensure their technology will be interoperable with other states.
    • States must establish procedures for independent security assessments of digital contact tracing infrastructure and remediate vulnerabilities.
    • Information gathered must be used strictly for public health functions authorized by the state and cannot be used for punitive measures, such as criminal prosecution or immigration enforcement.
    • Digital contact tracing tech must have robust detection capabilities consistent with CDC guidance on exposure.
    • Digital contact tracing technology must ensure anonymity, allowing only authorized public health authorities or other authorized parties to have access to personally identifiable information.
  • The chair and ranking member of the Senate Intelligence Committee wrote the heads of the agencies leading the response to the Russian hack of the United States (U.S.) government and private sector entities through SolarWinds, taking them to task for their thus far cloistered, siloed approach. In an unusually blunt letter, Chair Mark Warner (D-VA) and Ranking Member Marco Rubio (R-FL) asked the agencies to name a leader for the response initiated when former President Donald Trump invoked the system established in Presidential Policy Directive-41, because “[t]he federal government’s response so far has lacked the leadership and coordination warranted by a significant cyber event, and we have little confidence that we are on the shortest path to recovery.” Warner and Rubio directed this request to Director of National Intelligence Avril Haines, National Security Agency and Cyber Command head General Paul Nakasone, Federal Bureau of Investigation (FBI) Director Christopher Wray, and Cybersecurity and Infrastructure Security Agency (CISA) Acting Director Brandon Wales. Warner and Rubio further asserted:
    • The briefings we have received convey a disjointed and disorganized response to confronting the breach. Taking a federated rather than a unified approach means that critical tasks that are outside the central roles of your respective agencies are likely to fall through the cracks. The threat our country still faces from this incident needs clear leadership to develop and guide a unified strategy for recovery, in particular a leader who has the authority to coordinate the response, set priorities, and direct resources to where they are needed. The handling of this incident is too critical for us to continue operating the way we have been.
  • Huawei filed suit against the Federal Communications Commission’s (FCC) decision to “designate Huawei, as well as its parents, affiliates, and subsidiaries, as companies posing a national security threat to the integrity of our nation’s communications networks and the communications supply chain” through “In the Matter of Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs – Huawei Designation.” In the petition filed with the United States Court of Appeals for the Fifth Circuit, Huawei said it is “seek[ing] review of the Final Designation Order on the grounds that it exceeds the FCC’s statutory authority; violates federal law and the Constitution; is arbitrary, capricious, and an abuse of discretion, and not supported by substantial evidence, within the meaning of the Administrative Procedure Act, 5 U.S.C. § 701 et seq.; was adopted through a process that failed to provide Petitioners with the procedural protections afforded by the Constitution and the Administrative Procedure Act; and is otherwise contrary to law.”
  • According to unnamed sources, the Biden Administration has decided to postpone indefinitely the Trump Administration’s efforts to force ByteDance to sell TikTok as required by a Trump Administration executive order. Last September, it appeared that Oracle and Walmart had reached a deal in principle with ByteDance that quickly raised more questions than it settled (see here for more details and analysis.) There are reports of ByteDance working with the Committee on Foreign Investment in the United States (CFIUS), the inter-agency review group that ordered ByteDance to spin off TikTok. TikTok and CFIUS are reportedly talking about what an acceptable divestment would look like, but of course, under recently implemented measures, the People’s Republic of China (PRC) would also have to sign off. Nonetheless, White House Press Secretary Jen Psaki remarked at a press conference “[t]here is a rigorous CFIUS process that is ongoing.”
  • The Biden Administration has asked two federal appeals courts to pause lawsuits brought to stop the United States (U.S.) government from enforcing the Trump Administration executive order banning TikTok from the United States (see here for more analysis.)
    • In the status report filed with the United States Court of Appeals for the District of Columbia Circuit, TikTok and the Department of Justice (DOJ) explained:
      • Defendants’ counsel informed Plaintiffs’ counsel regarding the following developments: As the Biden Administration has taken office, the Department of Commerce has begun a review of certain recently issued agency actions, including the Secretary’s prohibitions regarding the TikTok mobile application at issue in this case. In relation to those prohibitions, the Department plans to conduct an evaluation of the underlying record justifying those prohibitions. The government will then be better positioned to determine whether the national security threat described in the President’s August 6, 2020 Executive Order, and the regulatory purpose of protecting the security of Americans and their data, continue to warrant the identified prohibitions. The Department of Commerce remains committed to a robust defense of national security as well as ensuring the viability of our economy and preserving individual rights and data privacy.
    • In its unopposed motion, the DOJ asked the United States Court of Appeals for the Third Circuit to “hold this case in abeyance, with status reports due at 60-day intervals.” The DOJ used exactly the same language as in the filing in the D.C. Circuit.
  • The Trump Administration’s President’s Council of Advisors on Science and Technology (PCAST) issued a report at the tail end of the administration, “Industries of the Future Institutes: A New Model for American Science and Technology Leadership,” that “follows up on a recommendation from PCAST’s report, released June 30, 2020, involving the formation of a new type of multi-sector research and development organization: Industries of the Future Institutes (IotFIs)…[and] provides a framework to inform the design of IotFIs and thus should be used as preliminary guidance by funders and as a starting point for discussion among those considering participation.”
    • PCAST “propose[d] a revolutionary new paradigm for multi-sector collaboration—Industries of the Future Institutes (IotFIs)—to address some of the greatest societal challenges of our time and to ensure American science and technology (S&T) leadership for decades to come.” PCAST stated “[b]y driving research and development (R&D) at the intersection of two or more IotF areas, these Institutes not only will advance knowledge in the individual IotF topics, but they also will spur new research questions and domains of inquiry at their confluence.” PCAST added:
      • By engaging multiple disciplines and each sector of the U.S. R&D ecosystem—all within the same agile organizational framework—IotFIs will span the spectrum from discovery research to the development of new products and services at scale. Flexible intellectual property terms will incentivize participation of all sectors, and reduced administrative and regulatory burdens will optimize researcher time for creativity and productivity while maintaining appropriate safety, transparency, integrity, and accountability. IotFIs also will serve as a proving ground for new, creative approaches to organizational structure and function; broadening participation; workforce development; science, technology, engineering, and math education; and methods for engaging all sectors of the American research ecosystem. Ultimately, the fruits of IotFIs will sustain American global leadership in S&T, improve quality of life, and help ensure national and economic security for the future.
  • Per the European Commission’s (EC) request, the European Data Protection Board (EDPB) issued clarifications on the consistent application of the General Data Protection Regulation (GDPR) with a focus on health research. The EDPB explained:
    • The following response of the EDPB to the questions of the European Commission should be considered as a first attempt to take away some of the misunderstandings and misinterpretations as to the application of the GDPR to the domain of scientific health research. Generally speaking, most of these questions call for more time for in-depth analysis and/or a search for examples and best practices and can as yet not be completely answered.
    • In its guidelines (currently in preparation and due in 2021) on the processing of personal data for scientific research purposes, the EDPB will elaborate further on these issues while also aiming to provide a more comprehensive interpretation of the various provisions in the GDPR that are relevant for the processing of personal data for scientific research purposes.
    • This will also entail a clarification of the extent and scope of the ‘special derogatory regime’ for the processing of personal data for scientific research purposes in the GDPR. It is important that this regime is not perceived as to imply a general exemption to all requirements in the GDPR in case of processing data for scientific research purposes. It should be taken into account that this regime only aims to provide for exceptions to specific requirements in specific situations and that the use of such exceptions is made dependent on ‘additional safeguards’ (Article 89(1) GDPR) to be in place.
  • The Government Accountability Office (GAO) has assessed how well the Federal Communications Commission (FCC) has rolled out and implemented its Lifeline National Verifier (referred to as Verifier by the GAO) to aid low income people in accessing telecommunications benefits. The Verifier was established in 2016 to address claims that allowing telecommunications carriers to make eligibility determinations for participation in the program to help people obtain lower cost communications had led to waste, fraud, and abuse. House Energy and Commerce Committee Chair Frank Pallone Jr. (D-NJ), Communications and Technology Subcommittee Chair Mike Doyle (D-PA), and six Democratic colleagues on the committee asked the GAO “to review FCC’s implementation of the Verifier.” The GAO explained “[t]his report examines (1) the status of the Verifier; (2) the extent to which FCC coordinated with state and federal stakeholders, educated consumers, and facilitated involvement of tribal stakeholders; and (3) the extent to which the Verifier is meeting its goals.” The GAO concluded:
    • The Lifeline program is an important tool that helps low-income Americans afford vital voice and broadband services. In creating the Lifeline National Verifier, FCC sought to facilitate eligible Americans’ access to Lifeline support while protecting the program from waste, fraud, and abuse. Although USAC, under FCC’s oversight, has made progress to implement the Verifier, many eligible consumers are unaware of it and may be unable to use it. Additionally, tribal governments and organizations do not have the information they need from FCC to effectively assist residents of tribal lands in using the Verifier to enroll in Lifeline, even though Lifeline support is critical to increasing access to affordable telecommunications services on tribal lands. Without FCC developing a plan to educate consumers about the Verifier and empowering tribal governments to assist residents of tribal lands with the Verifier, eligible consumers, especially those on tribal lands, will continue to lack awareness of the Verifier and the ability to use it.
    • Further, without measures and information to assess progress toward some of its goals, FCC lacks information it needs to refine and improve the Verifier. While it is too soon to determine if the Verifier is protecting against fraud, FCC has measures in place to monitor fraud moving forward. However, FCC lacks measures to track the Verifier’s progress toward the intent of its second goal of delivering value to Lifeline consumers. FCC also lacks information to help it assess and improve its efforts to meet the third goal of improving the consumer experience. Additionally, consumers may experience challenges with the Verifier’s online application, such as difficulty identifying the Verifier as a government service, and may be uncomfortable providing sensitive information to a website that does not use a “.gov” domain. Unless FCC identifies and addresses challenges with the Verifier’s manual review process and its online application, it will be limited in its ability to improve the consumer experience. As a result, some eligible consumers may abandon their applications and go without the support they need to access crucial telecommunications services. Given that a majority of Lifeline subscribers live in states without state database connections and therefore must undergo manual review more frequently, ensuring that challenges with the manual review process are resolved is particularly important.
    • The GAO recommended:
      • The Chairman of FCC should develop and implement a plan to educate eligible consumers about the Lifeline program and Verifier requirements that aligns with key practices for consumer education planning. (Recommendation 1)
      • The Chairman of FCC should provide tribal organizations with targeted information and tools, such as access to the Verifier, that equip them to assist residents of tribal lands with their Verifier applications. (Recommendation 2)
      • The Chairman of FCC should identify and use performance measures to track the Verifier’s progress in delivering value to consumers. (Recommendation 3)
      • The Chairman of FCC should ensure that it has quality information on consumers’ experience with the Verifier’s manual review process, and should use that information to improve the consumer experience to meet the Verifier’s goals. (Recommendation 4)
      • The Chairman of FCC should ensure that the Verifier’s online application and support website align with characteristics for leading federal website design, including that they are accurate, clear, understandable, easy to use, and contain a mechanism for users to provide feedback. (Recommendation 5)
      • The Chairman of FCC should convert the Verifier’s online application, checklifeline.org, to a “.gov” domain. (Recommendation 6)

Coming Events

  • The House Appropriations Committee’s Financial Services and General Government Subcommittee will hold an oversight hearing on the Election Assistance Commission (EAC) on 16 February with EAC Chair Benjamin Hovland.
  • On 17 February, the House Energy and Commerce Committee’s Communications and Technology Subcommittee will hold a hearing titled “Connecting America: Broadband Solutions to Pandemic Problems” with these witnesses:
    • Free Press Action Vice President of Policy and General Counsel Matthew F. Wood
    • Topeka Public Schools Superintendent Dr. Tiffany Anderson
    • Communications Workers of America President Christopher M. Shelton
    • Wireless Infrastructure Association President and CEO Jonathan Adelstein
  • On 17 February, the Federal Communications Commission (FCC) will hold an open meeting, its first under acting Chair Jessica Rosenworcel, with this tentative agenda:
    • Presentation on the Emergency Broadband Benefit Program. The Commission will hear a presentation on the creation of an Emergency Broadband Benefit Program. Congress charged the FCC with developing a new $3.2 billion program to help Americans who are struggling to pay for internet service during the pandemic.
    • Presentation on COVID-19 Telehealth Program. The Commission will hear a presentation about the next steps for the agency’s COVID-19 Telehealth program. Congress recently provided an additional $249.95 million to support the FCC’s efforts to expand connected care throughout the country and help more patients receive health care safely.
    • Presentation on Improving Broadband Mapping Data. The Commission will hear a presentation on the work the agency is doing to improve its broadband maps. Congress directly appropriated $65 million to help the agency develop better data for improved maps.
    • Addressing 911 Fee Diversion. The Commission will consider a Notice of Proposed Rulemaking that would implement section 902 of the Don’t Break Up the T-Band Act of 2020, which requires the Commission to take action to help address the diversion of 911 fees by states and other jurisdictions for purposes unrelated to 911. (PS Docket Nos. 20-291, 09-14)
    • Implementing the Secure and Trusted Communications Networks Act. The Commission will consider a Third Further Notice of Proposed Rulemaking that proposes to modify FCC rules consistent with changes that were made to the Secure and Trusted Communications Networks Act in the Consolidated Appropriations Act, 2021. (WC Docket No. 18-89)
  • On 18 February, the House Financial Services Committee will hold a hearing titled “Game Stopped? Who Wins and Loses When Short Sellers, Social Media, and Retail Investors Collide” with Reddit Co-Founder and Chief Executive Officer Steve Huffman testifying along with other witnesses.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


Further Reading, Other Developments, and Coming Events (10 February 2021)

Further Reading

  • “A Hacker Tried to Poison a Florida City’s Water Supply, Officials Say” By Andy Greenberg — WIRED. Given the fact that most water and sewage systems are linked to the internet, even their operational systems, it is surprising these sorts of incidents do not occur more frequently.
  • “UK regulator to write to WhatsApp over Facebook data sharing” By Alex Hern — The Guardian. The United Kingdom’s (UK) Information Commissioner Elizabeth Denham said her agency, the Information Commissioner’s Office (ICO), will be pressing Facebook to keep the data of its subsidiary, WhatsApp, separate. Now that the UK has exited the European Union, it is no longer bound by the EU’s system, which made Ireland’s Data Protection Commission the lead regulator on Facebook and WhatsApp. And so, WhatsApp’s 2017 commitment not to hand over user data to Facebook until it was compliant with the General Data Protection Regulation (GDPR) falls to the ICO to oversee in the UK.
  • “Telegram, Pro-Democracy Tool, Struggles Over New Fans From Far Right” By Michael Schwirtz — The New York Times. The same features that make the messaging app Telegram ideal for warding off attempts by authoritarian regimes to shut down communication make the platform ideal for right-wing extremists in the United States (U.S.). Federal and state authorities may see their attempts to track and monitor domestic terrorism hit the same roadblocks that foiled Moscow’s and Tehran’s attempts to crack down on Telegram. The platform uses end-to-end encrypted communications and has servers all over the world.
  • “Exclusive: The end of the Maher era at Wikipedia” By Felix Salmon — Axios. The CEO who revitalized Wikimedia is leaving the organization stronger than she found it.
  • “After Defending Its Low-Cost Internet Offering, Comcast Agrees To Increase Speeds” By Caroline O’Donovan — BuzzFeed News. The bad publicity seems to have worked on Comcast, as the company is now meeting most of the demands of activists, students, and officials by increasing the speed of its low-cost broadband option. Comcast said the changes will take effect on 1 March.

Other Developments

  • The Federal Communications Commission (FCC) announced that it is “seeking comment on several petitions requesting permission to use E-Rate program funds to support remote learning during the pandemic.” Comments are due by 16 February and reply comments are due by 23 February. The FCC explained:
    • Today’s Public Notice from the FCC’s Wireline Competition Bureau highlights three petitions that cover the bulk of issues presented in other petitions filed with the Commission. These include petitions filed by a coalition of E-Rate stakeholders led by the Schools, Health & Libraries Broadband (SHLB) Coalition; a petition filed on behalf of the State of Colorado; and a petition filed by the State of Nevada, Nevada Board of Education and Nevada Department of Education.
    • The FCC noted:
      • The E-Rate program was authorized by Congress as part of the Telecommunications Act of 1996 (the Telecommunications Act), and created by the Commission in 1997 to, among other things, enhance, to the extent technically feasible and economically reasonable, access to advanced telecommunications and information services for all public and nonprofit elementary and secondary schools and libraries. Under the E-Rate program, eligible schools, libraries, and consortia (comprised of eligible schools and libraries) may request universal service discounts for eligible services and/or equipment (collectively, eligible services), including connections necessary to support broadband connectivity to eligible schools and libraries. Eligible services must be used “primarily for educational purposes.” In the case of schools, “educational purposes” is defined as “activities that are integral, immediate, and proximate to the education of students.” In the case of libraries, “educational purposes” is defined as activities that are “integral, immediate, and proximate to the provision of library services to library patrons.”
      • As the pandemic continues to force schools and libraries across the country to remain closed and rely on remote learning and virtual services, either in whole or in part, the need for broadband connections—particularly for those students, teachers, staff, and patrons that lack an adequate connection at home—is more critical than ever. Eligible schools and libraries explain that they are hampered in their ability to address the connectivity needs brought on, and in many cases exacerbated, by COVID-19 because of the restrictions on off-campus use of E-Rate-funded services and facilities. Last spring, as the COVID-19 pandemic forced schools and libraries to grapple with the challenges of transitioning to remote learning, the FCC began to receive requests for emergency relief aimed at ensuring that all students have sufficient connectivity at home.
  • The European Commission’s President appealed to the United States (U.S.) to join the European Union in jointly regulating technology. At the Davos Agenda, EC President Ursula von der Leyen made remarks, a significant portion of which focused on technological issues and the European Union’s (EU) proposals, the Digital Services Act and Digital Markets Act. It is unclear to what extent the new administration in Washington will be willing to work with the EU. Undoubtedly, the Biden Administration will interpret a number of EU policies and decisions as being implicitly aimed at the U.S. technology sector, but there may be common ground. Von der Leyen stated:
    • A year ago at Davos, we talked also intensively about digitalisation. The pandemic has massively accelerated the process. The European Union will dedicate 20% of NextGenerationEU to digital projects. To nurture innovative ecosystems, for example where universities, companies, innovators can access data and cooperate. To boost the vibrant start-up scene we have in cities like Sofia and Lisbon and to become a global hub for Artificial Intelligence. So that the 2020s can finally be Europe’s Digital Decade.
    • But for this to be a success, we must also address the darker sides of the digital world. Like for so many of us, the storming of the Capitol came as a shock to me. We are always quick to say: Democracy and values, they are part of our DNA. And that is true. But we must nurture our democracy every day, and defend our institutions against the corrosive power of hate speech, of disinformation, fake news and incitement to violence. In a world where polarising opinions are the loudest, it is a short step from crude conspiracy theories to the death of a police officer. Unfortunately, the storming of the Capitol Hill showed us how just true that is.
    • The business model of online platforms has an impact – and not only on free and fair competition, but also on our democracies, our security and on the quality of our information. That is why we need to contain this immense power of the big digital companies. Because we want the values we cherish in the offline world also to be respected online. At its most basic, this means that what is illegal offline should be illegal online too. And we want the platforms to be transparent about how their algorithms work. Because we cannot accept that decisions, that have a far-reaching impact on our democracy, are taken by computer programmes alone.
    • Right after von der Leyen addressed the unease she and others felt about the U.S. President’s freedom of expression being abridged because of a company’s rules outside of any controlling legal framework, she stated:
      • I want to invite our friends in the United States to join our initiatives. Together, we could create a digital economy rulebook that is valid worldwide: It goes from data protection and privacy to the security of critical infrastructure. A body of rules based on our values: Human rights and pluralism, inclusion and the protection of privacy. So Europe stands ready.
      • The challenges to our democracy, the pandemic, climate change – in his inauguration speech President Joe Biden so aptly spoke of a Cascade of Crises. And indeed, we face an outstanding set of challenges. But we can meet them – if we work together. That is what we all have to learn again after four long years. That it is not a sign of weakness, to reach out and help each other, but a signal of strength.
  • Consumer Reports tried to become an authorized agent under the “California Consumer Privacy Act” (CCPA) (AB 375) to submit “do not sell my personal information” requests (opt-out requests) on behalf of consumers. The CCPA was designed to allow California residents to use services that would handle these preferences on a global scale. In its report on the pilot program, Consumer Reports concluded:
    • Unfortunately, too many companies have made it difficult, if not impossible, for agents and consumers to submit opt-out requests. The AG should enforce companies’ compliance with the law so that the authorized agent provisions work as intended. Moreover, the AG should promulgate additional common-sense rules to make sure that opt outs are simple and effective, even when submitted by an authorized agent.
    • Consumer Reports made these recommendations:
      • The AG should hold companies accountable when they violate the law. The AG needs to hold companies accountable for failure to comply with the CCPA’s authorized agent provisions. Without a viable authorized agent option, consumers could be left to navigate complicated processes or interfaces in order to exercise their California privacy rights themselves. Enforcement will help ensure that companies work harder to make sure that they have appropriate agent flows. The AG should also step in when customer service isn’t effective, and should consider directing enforcement resources to encourage better training in this area.
      • The AG should clarify that data shared for cross-context targeted advertising is a sale, and tighten the restrictions on service providers. Many companies have exploited ambiguities in the definition of sale and the rules surrounding service providers to ignore consumers’ requests to opt out of behavioral advertising. While the newly-passed California Privacy Rights Act will largely address these loopholes, these provisions will not go into effect until January 1, 2023. Thus, the AG should exercise its broad authority to issue rules to clarify that the transfer of data between unrelated companies for any commercial purpose falls under the definition of sale. Another common way for companies to avoid honoring consumers’ right to opt out of behavioral advertising is by claiming a service provider exemption. For example, the Interactive Advertising Bureau (IAB), a trade group that represents the ad tech industry, developed a framework for companies to evade the opt out by abusing a provision in the CCPA meant to permit a company to perform certain limited services on its behalf. To address this problem, the AG should clarify that companies cannot transfer data to service providers for behavioral advertising if the consumer has opted out of sale.
      • The AG should prohibit dark patterns as outlined in the Third Set of Proposed Modifications. We appreciate that the AG has proposed to “require minimal steps to allow the consumer to opt-out” and to prohibit dark patterns, “a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s choice to opt-out[,]” in the Third Set of Proposed Modifications to the CCPA Regulations. This proposal should be finalized as quickly as possible. This is essential, given the difficulties that authorized agents and consumers have experienced in attempting to stop the sale of their information, as demonstrated in the study.
      • The AG should require companies to notify agents when the opt-out request has been received and when it has been honored. Too often, the company provided no information on whether or not the opt-out request had been honored. While the CCPA rules require companies to notify consumers if an opt-out request has been rejected, there is no requirement to provide notice of receipt, or notice of confirmation—nor is there guidance on how to respond to opt-out requests when the company does not possess the consumer’s data. The authorized agent was, in some cases, unable to explain to the consumer whether or not the opt-out process had been completed. To ensure that the authorized agent service is effective, companies must be required to provide notification upon receipt and completion of the opt-out request. Required notification is also important for compliance purposes. For example, the regulations require companies to comply with opt outs within 15 business days. Without providing adequate notification, there’s no way to judge whether or not the company has honored the law and to hold them accountable if not. Further, if the company does sell consumers’ personal information, but does not have personal information about the consumer who is the subject of the request, the company should be required to notify the agent that the request has been received, and that the company will honor the opt out if and when they do collect the consumer’s data. In the case of an agent opt out, the notification should go to the agent. Otherwise, the consumer could end up getting emails from hundreds, if not thousands, of different companies.
      • The AG should clarify that if an agent inadvertently submits a request incorrectly, the company should either accept it or inform the agent how to submit it appropriately. The regulations provide helpful guidance with respect to consumer access and deletion requests, which ensures that even if a consumer inadvertently submits a request incorrectly, there is a process in place to help them submit it properly. If a consumer submits a request in a manner that is not one of the designated methods of submission, or is deficient in some manner unrelated to the verification process, the business shall either: (1) Treat the request as if it had been submitted in accordance with the business’s designated manner, or (2) Provide the consumer with information on how to submit the request or remedy any deficiencies with the request, if applicable. The AG should clarify that this guidance applies to all authorized agent-submitted requests as well.
  • The Government Accountability Office (GAO) assessed the Department of Defense’s (DOD) efforts to transition to a more secure version of the Global Positioning System (GPS), an initiative that dates back to the administration of former President George W. Bush. The GAO stated “due to the complexity of the technology, M-code remains years away from being widely fielded across DOD. M-code-capable receiver equipment includes different components, and the development and manufacture of each is key to the modernization effort. These include:
    • special M-code application-specific integrated circuit chips,
    • special M-code receiver cards, being developed under the Air Force Military GPS User Equipment (MGUE) programs, and
    • the next generation of GPS receivers capable of using M-code signals from GPS satellites.
    • The GAO added:
      • DOD will need to integrate all of these components into different types of weapon systems… Integration across DOD will be a considerable effort involving hundreds of different weapon systems, including some with complex and unique integration needs or configurations.
    • The GAO further asserted:
      • The Air Force is almost finished—approximately one year behind schedule—developing and testing one M-code card for testing on the Marine Corps Joint Light Tactical Vehicle and the Army Stryker vehicle. However, one card intended for use in aircraft and ships is significantly delayed and missed key program deadlines. The Air Force is revising its schedule for testing this card.
      • The M-code card development delays have had ripple effects on GPS receiver modernization efforts and the weapon systems that intend to use them.
  • The advocate who brought the cases that brought down both the Safe Harbor and Privacy Shield agreements between the United States (U.S.) and European Union (EU) announced that Ireland’s Data Protection Commission (DPC) has agreed to finally decide on the legality of Facebook’s data transfers to the U.S. that gave rise to both lawsuits. None of your business (noyb) announced the development in a press release. Last fall, noyb announced “[t]he Irish High Court has granted leave for a “Judicial Review” against the Irish DPC today…[and] [t]he legal action by noyb aims to swiftly implement the [Court of Justice of the European Union (CJEU)] Decision prohibiting Facebook’s” transfer of personal data from the European Union to the United States (U.S.). In September 2020, after the DPC directed Facebook to stop transferring the personal data of European Union citizens to the U.S., the company filed suit in Ireland’s courts to stop enforcement of the order and succeeded in staying the matter until the court rules on the merits of the challenge.
    • In explaining the most recent development, noyb further asserted:
      • The DPC has agreed with Max Schrems’ demand to swiftly end a 7.5 year battle over EU-US data transfers by Facebook and come to a decision on Facebook’s EU-US data flows. This only came after a Judicial Review against the DPC was filed by Mr Schrems. The case would have been heard by the Irish High Court today.
      • New “own volition” procedure blocked pending complaint from 2013. The Irish DPC oversees the European operations of Facebook. In Summer 2020 the European Court of Justice (CJEU) ruled on a complaint by Mr Schrems that had been pending since 2013 and came before the CJEU for the second time (“Schrems II”): Under the CJEU judgment the DPC must stop Facebook’s EU-US data flows over extreme US Surveillance Laws (like FISA 702). Instead of implementing this ruling, the DPC started a new “own volition” case and paused the original procedure for an indefinite time. Mr Schrems and Facebook brought two Judicial Review procedures against the DPC: While Facebook argued in December that the “own volition” procedure should not go ahead, Mr Schrems argued that his complaints procedure should be heard independently of the “own volition” case.
      • Walls are closing in on Facebook’s EU-US data transfers. The DPC has now settled the second Judicial Review with Mr Schrems just a day before the hearing was to take place, and pledged to finalize his complaints procedure swiftly.
      • As part of the settlement, Mr Schrems will also be heard in the “own volition” procedure and get access to all submissions made by Facebook, should the Court allow the “own volition” investigation to go ahead. Mr Schrems and the DPC further agreed that the case will be dealt with under the GDPR, not the Irish Data Protection Act that was applicable before 2018. The DPC may await the High Court judgement in Facebook’s Judicial Review before investigating the original complaint.
      • This agreement could in essence make the original complaints procedure from 2013 the case that ultimately determines the destiny of Facebook’s EU-US transfers in the wake of the Snowden disclosures. Under the GDPR the DPC has every liberty to issue fines of up to 4% of Facebook’s global turnover and transfer prohibitions, even on the basis of this individual case.
  • The Information Technology Industry Council (ITI), BSA | The Software Alliance, Internet Association, Computer and Communications Industry Association, and the National Foreign Trade Council made recommendations to the Biden Administration on technology policy and asserted in their press release:
    • Prioritize strategic engagement with U.S. trading partners by ensuring continued protected transatlantic data flows, establishing a U.S.-EU Trade & Technology Council, engaging China through prioritization of digital and technology issues, broadening U.S. engagement and leadership in the Asia-Pacific region, addressing key barriers to digital trade with India, and providing capacity building assistance to the African Union;
    • Promote U.S. competitiveness through leadership on digital trade by countering unilateral, targeted digital taxes, building acceptance of state-of-the-art digital trade commitments, promoting workforce development initiatives globally, and more; and
    • Reassert U.S. multilateral leadership by strengthening and leveraging engagement in global fora such as the WTO, OECD, United Nations, G20, G7, APEC, and others, and by expanding existing plurilateral trade agreements.
  • A group of civil rights organizations and public interest organizations issued “Civil Rights, Privacy, and Technology: Recommended 2021 Oversight Priorities for the 117th Congress” that builds upon the October 2020 Civil Rights Principles for the Era of Big Data. These groups stated:
    • The 117th Congress must take action to ensure that technology serves all people in the United States, rather than facilitating discrimination or reinforcing existing inequities.
    • They cited the following areas of policy that need to be addressed:
      • Broadband Internet
      • Democracy: Voting, the Census, and Hateful Content Online
      • Policing and Justice
      • Immigration Surveillance Technology
      • Commercial Data Practices and Privacy
      • Workers, Labor, and Hiring
  • The United Kingdom’s (UK) Information Commissioner Elizabeth Denham sketched out how she is approaching her final year in office in a blog post. Denham stated:
    • The ICO’s immediate focus remains supporting organisations through the impacts of COVID 19. We have prioritised providing advice and support on data protection related aspects of the pandemic since the start, and will continue to do so, adjusting and responding to the new challenges the country will face until, well, ‘all this is finished’. That work includes protecting people’s rights, and making sure data protection is considered at the earliest stage of any innovations.
    • The Age Appropriate Design Code will start to have a real impact, as the transition period around its introduction comes to an end, and we will be working hard to support organisations to make the necessary changes to comply with the law.
    • We’ll also be focused on supporting organisations around data sharing, following the publication of our guidance last month. The guidance is accompanied by practical resources to help organisations share data in line with the law. As I discussed with the House of Lords Public Services Committee this month, data sharing is an important area of focus, and we will also be supporting broader work to encourage the necessary culture change to remove obstacles to data sharing.
    • Other support for organisations planned for this year includes guidance on political campaigning, facial recognition, and codes of conduct and certification schemes, as well as a digital version of our Data Protection Practitioners’ Conference in April. We’ll also have the latest phases of our grants scheme and sandbox programme. Both are an effective way of the ICO supporting original thinking around privacy, illustrated by the innovative data sharing projects we’ve recently worked with.
    • Our operational work will also continue, including the latest phases of our work looking at data broking, the use of sexual crime victims’ personal information, and adtech, including audits focused on digital marketing platforms.

Coming Events

  • On 10 February, the House Homeland Committee will hold a hearing titled “Homeland Cybersecurity: Assessing Cyber Threats and Building Resilience” with these witnesses:
    • Mr. Chris Krebs, Former Director, Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security
    • Ms. Sue Gordon, Former Principal Deputy Director of National Intelligence, Office of the Director of National Intelligence
    • Mr. Michael Daniel, President & CEO, Cyber Threat Alliance
    • Mr. Dmitri Alperovitch, Executive Chairman, Silverado Policy Accelerator
  • The House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold a hearing titled “Justice Restored: Ending Forced Arbitration and Protecting Fundamental Rights” on 11 February.
  • The Federal Communications Commission’s (FCC) acting Chair Jessica Rosenworcel will hold a virtual Roundtable on the Emergency Broadband Benefit Program on 12 February, “a new program that would enable eligible households to receive a discount on the cost of broadband service and certain connected devices during the COVID-19 pandemic.” The FCC also noted “[i]n the Consolidated Appropriations Act of 2021, Congress appropriated $3.2 billion” for the program.
  • On 17 February, the Federal Communications Commission (FCC) will hold an open meeting, its first under acting Chair Jessica Rosenworcel, with this tentative agenda:
    • Presentation on the Emergency Broadband Benefit Program. The Commission will hear a presentation on the creation of an Emergency Broadband Benefit Program. Congress charged the FCC with developing a new $3.2 billion program to help Americans who are struggling to pay for internet service during the pandemic.
    • Presentation on COVID-19 Telehealth Program. The Commission will hear a presentation about the next steps for the agency’s COVID-19 Telehealth program. Congress recently provided an additional $249.95 million to support the FCC’s efforts to expand connected care throughout the country and help more patients receive health care safely.
    • Presentation on Improving Broadband Mapping Data. The Commission will hear a presentation on the work the agency is doing to improve its broadband maps. Congress directly appropriated $65 million to help the agency develop better data for improved maps.
    • Addressing 911 Fee Diversion. The Commission will consider a Notice of Proposed Rulemaking that would implement section 902 of the Don’t Break Up the T-Band Act of 2020, which requires the Commission to take action to help address the diversion of 911 fees by states and other jurisdictions for purposes unrelated to 911. (PS Docket Nos. 20-291, 09-14)
    • Implementing the Secure and Trusted Communications Networks Act. The Commission will consider a Third Further Notice of Proposed Rulemaking that proposes to modify FCC rules consistent with changes that were made to the Secure and Trusted Communications Networks Act in the Consolidated Appropriations Act, 2021. (WC Docket No. 18-89)
  • On 27 July 2021, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Supushpitha Atapattu from Pexels

Further Reading, Other Developments, and Coming Events (9 February 2021)

Further Reading

  • “Why Intel’s troubles should concern us all” By Ina Fried — Axios. One of the last major American semiconductor manufacturers is struggling to keep up with rivals, and this could be very bad for United States (U.S.) national security. Biden Administration officials have made noise signifying they understand, but we will see what action, if any, is taken. A provision in the FY 2021 National Defense Authorization Act (NDAA) could help, but it requires the Appropriations Committees to provide the funding to maintain and stimulate semiconductor manufacturing in the U.S.
  • “Companies and foreign countries vying for your DNA” By Jon Wertheim — CBS News. This piece is a frightening view of the waterfront in the high-tech world of genealogy, which is serving as a front of sorts to collect huge DNA data sets that pharmaceutical companies and others will pay billions of dollars for. There are also concerns about investors from the People’s Republic of China (PRC) in light of the country’s ambition to lead the way into biotechnologies.
  • “Brazil’s government plans 5G network separate from private market – document” By Lisandra Paraguassu — Reuters. It appears that with former President Donald Trump having left office, plans in Brasilia to ban or sideline Huawei have left, too. Now the right-wing government is planning a government 5G network in Brazil’s capital subject to high security standards that may rule out Huawei, while leaving the rest of the nation’s 5G rollout to companies such as Huawei, a state of affairs Brazilian telcos might like considering that an estimated 50% of existing infrastructure is Huawei.
  • “An AI saw a cropped photo of AOC. It autocompleted her wearing a bikini.” By Karen Hao — MIT Technology Review. Unsupervised learning is a newer means by which algorithms are trained. Normally, algorithms are fed labeled information; with respect to images, researchers feed them an image along with a label describing it. But unsupervised learning algorithms are let loose on the internet to learn, so it should not be surprising that the toxicity of online life is absorbed. Consequently, an autocomplete function given the headshot of a man puts him in a suit, whereas the headshot of a woman will be “completed” with a low-cut top or a bikini.
  • “How the US Lost to Hackers” By Nicole Perlroth — The New York Times. This piece makes the point that the United States’ (U.S.) relentless focus on offensive cyber operations is now costing the nation as Russian, Chinese, Iranian, and other hackers are pillaging U.S. systems and assets. Defensive capabilities were always a stepchild, and this has left the U.S. vulnerable. A paradigm shift is needed across the U.S. because a number of other nations are every bit as good as the U.S. is.

Other Developments

  • Maryland may be on the verge of enacting the first tax in the United States (U.S.) on digital advertising. The Democratic majorities in the state Senate and House of Delegates seem poised to override the Maryland governor’s veto. The “Taxation – Tobacco Tax, Sales and Use Tax, and Digital Advertising Gross Revenues Tax” (HB0732) would impose a tax on digital advertising in the state and may be outside a federal bar on certain taxes on internet services. However, if the veto is overridden, there will inevitably be challenges, and quite likely a push in Congress to enact a federal law preempting such digital taxes. Additionally, the primary sponsor of the legislation has introduced another bill barring companies from passing along the costs of the tax to Maryland businesses and consumers.
    • In a bill analysis, the legislature asserted about HB0732:
      • The bill imposes a tax on the annual gross revenues of a person derived from digital advertising services in the State. The bill provides for the filing of the tax returns and making tax payments. The part of the annual gross revenues of a person derived from digital advertising services in the State are to be determined using an apportionment fraction based on the annual gross revenues of a person derived from digital advertising services in the State and the annual gross revenues of a person derived from digital advertising services in the United States. The Comptroller must adopt regulations that determine the state from which revenues from digital advertising services are derived.
      • The digital advertising gross revenues tax is imposed at the following rates:
        • 2.5% of the assessable base for a person with global annual gross revenues of $100.0 million through $1.0 billion;
        • 5% of the assessable base for a person with global annual gross revenues of $1.0 billion through $5.0 billion;
        • 7.5% of the assessable base for a person with global annual gross revenues of $5.0 billion through $15.0 billion; and
        • 10% of the assessable base for a person with global annual gross revenues exceeding $15.0 billion.
    • In his analysis, Maryland’s Attorney General explained:
      • House Bill 732 would enact a new “digital advertising gross revenues tax.” The tax would be “imposed on annual gross revenues of a person derived from digital advertising services in the State.” Digital advertising services are defined in the bill to include “advertisement services on a digital interface, including advertisements in the form of banner advertising, search engine advertising, interstitial advertising, and other comparable advertising services.” The annual gross revenues derived from digital advertising services is set out in a formula in the bill.
      • Attorney General Brian Frosh conceded there will be legal challenges to the new Maryland tax: there are “three grounds on which there is some risk that a reviewing court would find that the tax is unconstitutional: (1) preemption under the federal Internet Tax Freedom Act; (2) the Commerce Clause; and, (3) the First Amendment.”
    • Governor Larry Hogan (R) vetoed the bill in May along with others, asserting:
      • These misguided bills would raise taxes and fees on Marylanders at a time when many are already out of work and financially struggling. With our state in the midst of a global pandemic and economic crash, and just beginning on our road to recovery, it would be unconscionable to raise taxes and fees now. To do so would further add to the very heavy burden that our citizens are already facing.
    • As mentioned, a follow-on bill has been introduced to ensure the digital advertising tax will not result in higher costs for Maryland businesses and residents. The “Digital Advertising Gross Revenues Tax – Exemption and Restriction” (SB0787) provides:
      • A person who derives gross revenues from digital advertising services in the state may not directly pass on the cost of the tax imposed under this section to a customer who purchases the digital advertising services by means of a separate fee, surcharge, or line-item.
      • However, the news media would be exempted from the digital advertising tax in this bill.
  • The chair and subcommittee chairs of the House Energy and Commerce Committee wrote Facebook, Twitter, and Google “as part of their ongoing investigation into tech companies’ handling of the COVID-19 pandemic in response to reports that COVID-19 vaccine misinformation is escalating on their platforms” per the press release. Chair Frank Pallone, Jr. (D-NJ), Health Subcommittee Chair Anna G. Eshoo (D-CA), Oversight and Investigations Subcommittee Chair Diana DeGette (D-CO), Communications and Technology Subcommittee Chair Mike Doyle (D-PA), and Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky (D-IL) noted the letters “are a follow-up to letters they sent to the same companies in July, expressing deep concern regarding the rampant rise of COVID-19 disinformation more generally.” They argued:
    • These COVID-19 vaccines and others in development present hope in turning the deadly tide of the last year and can be a powerful tool in our efforts to contain the pandemic—but only if the public has confidence in them. Thus, it is imperative that [Facebook, Twitter, and Google] stop[] the spread of false or misleading information about coronavirus vaccines on its platform. False and misleading information is dangerous, and if relied on by the public to make critical health choices, it could result in the loss of human life.
    • They requested the following information from the companies:
      • Details of all actions the companies have taken to limit false or misleading COVID-19 vaccine misinformation or disinformation on their platforms;
      • Descriptions of all policy changes the companies have implemented to stop the spread of false or misleading COVID-19 vaccine misinformation, and how the companies are measuring the effectiveness of each such policy change;
      • Whether the companies have used information labels or other types of notifications to alert users about COVID-19 vaccine misinformation or disinformation, and if so, the date(s) it first began implementing labels or notifications and how the companies are measuring its effectiveness;
      • Details about the five common targeted advertisements that appear alongside COVID-19 vaccine misinformation or disinformation on the platforms;
      • Details on the companies’ COVID-19 vaccine misinformation and disinformation enforcement efforts; and
      • Whether the companies have coordinated any actions or activities with other online platforms related to COVID-19 vaccine misinformation or disinformation.
  • Graphika released a report on fake social media activity that seems to be advocating for Huawei and against the Belgian government’s proposed ban of the Chinese company in its 5G networks. Graphika asserted the following:
    • A cluster of inauthentic accounts on Twitter amplified, and sometimes created, articles that attacked the Belgian government’s recent plans to limit the access of “high-risk” suppliers to its 5G network. The plans are reportedly designed to limit the influence of Chinese firms, notably Huawei and ZTE. 
    • The operation appears to have been limited to Twitter, and it did not gain substantial traction: other than a systematic amplification by the real accounts of Huawei executives in Western Europe, its main amplification came from bots with zero followers. 
    • As so often in recent influence operations, the accounts used profile pictures created by artificial intelligence. 
    • There is insufficient forensic evidence to prove conclusively who was running the fake accounts, or who sponsored the operation.
  • One of the dueling groups convened at the United Nations (UN) to address information and communications technologies (ICTs) issues and problems has issued a draft report and related materials. The group backed by the Russian Federation, People’s Republic of China (PRC), and other nations, the Open-Ended Working Group (OEWG), has issued its Zero Draft, which details its discussions, findings, and recommendations. The OEWG is working alongside the United States led Group of Governmental Experts on Advancing responsible State behaviour in cyberspace in the context of international security, which is expected to finish its work in May 2021. The OEWG also made available the following:
    • In a 2018 U.N. press release, it was explained that two draft resolutions would create groups “aimed at shaping norm-setting guidelines for States to ensure responsible conduct in cyberspace:”
      • the draft resolution “Developments in the field of information and telecommunications in the context of international security” (document A/C.1/73/L.27.Rev.1), tabled by the Russian Federation.  By the text, the Assembly would decide to convene in 2019 an open-ended working group acting on a consensus basis to further develop the rules, norms and principles of responsible behaviour of States.
      • the draft resolution “Advancing Responsible State Behaviour in Cyberspace in the Context of International Security” (document A/C.1/73/L.37), tabled by the United States…[that] would request the Secretary-General, with the assistance of a group of governmental experts to be established in 2019, to continue to study possible cooperative measures to address existing and potential threats in the sphere of information security, including norms, rules and principles of responsible behaviour of States.
      • The U.N. noted that “[s]everal speakers pointed out that language in [the Russian proposal] departed from previous year’s versions and included excerpts from the Group of Governmental Experts reports in a manner that distorted their meaning and transformed the draft resolution.” The U.N. also acknowledged that “some delegates said [the U.S. proposal] called for the establishment of a new group of governmental experts, with the same mandate as the previous ones and the same selectivity in terms of its composition.” The U.N. added that “[m]ore broadly, while some delegates regretted to note that two separate, yet similar draft resolutions were tabled, others highlighted a need for bold, swift action to prevent cyberattacks and malicious online behaviour.”
    • In the 2018 resolution offered by Russia, an OEWG was convened “with a view to making the United Nations negotiation process on security in the use of information and communications technologies more democratic, inclusive and transparent…and to further develop the rules, norms and principles of responsible behaviour of States” from previous UN-sponsored efforts. The OEWG was further tasked with examining “the ways for their implementation; if necessary, to introduce changes to them or elaborate additional rules of behaviour; to study the possibility of establishing regular institutional dialogue with broad participation under the auspices of the United Nations; and to continue to study, with a view to promoting common understandings, existing and potential threats in the sphere of information security and possible cooperative measures to address them and how international law applies to the use of information and communications technologies by States, as well as confidence-building measures and capacity-building and the concepts.” The OEWG is charged with submitting “a report on the results of the study to the General Assembly at its seventy-fifth session, and to provide the possibility of holding, from within voluntary contributions, intersessional consultative meetings with the interested parties, namely business, non-governmental organizations and academia, to share views on the issues within the group’s mandate.”
  • The United States (U.S.) Department of Justice (DOJ) “announced a coordinated international law enforcement action to disrupt a sophisticated form of ransomware known as NetWalker.” The DOJ asserted:
    • NetWalker ransomware has impacted numerous victims, including companies, municipalities, hospitals, law enforcement, emergency services, school districts, colleges, and universities. Attacks have specifically targeted the healthcare sector during the COVID-19 pandemic, taking advantage of the global crisis to extort victims.
    • The NetWalker action includes charges against a Canadian national in relation to NetWalker ransomware attacks in which tens of millions of dollars were allegedly obtained, the seizure of approximately $454,530.19 in cryptocurrency from ransom payments, and the disablement of a dark web hidden resource used to communicate with NetWalker ransomware victims.
    • According to the affidavit, once a victim’s computer network is compromised and data is encrypted, actors that deploy NetWalker deliver a file, or ransom note, to the victim. Using Tor, a computer network designed to facilitate anonymous communication over the internet, the victim is then provided with the amount of ransom demanded and instructions for payment.
    • Actors that deploy NetWalker commonly gain unauthorized access to a victim’s computer network days or weeks prior to the delivery of the ransom note. During this time, they surreptitiously elevate their privileges within the network while spreading the ransomware from workstation to workstation. They then send the ransom note only once they are satisfied that they have sufficiently infiltrated the victim’s network to extort payment, according to the affidavit.
    • According to an indictment unsealed today, Sebastien Vachon-Desjardins of Gatineau, a Canadian national, was charged in the Middle District of Florida. Vachon-Desjardins is alleged to have obtained at least over $27.6 million as a result of the offenses charged in the indictment.
    • The Justice Department further announced that on Jan. 10, law enforcement seized approximately $454,530.19 in cryptocurrency, which was comprised of ransom payments made by victims of three separate NetWalker ransomware attacks.
    • This week, authorities in Bulgaria also seized a dark web hidden resource used by NetWalker ransomware affiliates to provide payment instructions and communicate with victims. Visitors to the resource will now find a seizure banner that notifies them that it has been seized by law enforcement authorities.
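The affidavit language above describes a dwell-time pattern (quiet privilege elevation and workstation-to-workstation spread for days or weeks, with the ransom note dropped only at the end) rather than a single indicator. The following is an added example, not DOJ code and not drawn from the affidavit, that turns that pattern into a detection heuristic a defender can run over authentication logs: one account performing network logons (Windows event 4624, logon type 3) to many distinct hosts inside a short window, correlated with “special privileges assigned” events (4672) on those same hosts. The log layout, hostnames, account names and thresholds are all assumptions chosen for the example.

```python
"""
Lateral-movement fan-out detector over constructed Windows Security event lines.

Added example, not from the DOJ announcement or the affidavit it cites. It encodes
the dwell-time pattern the affidavit describes (privilege elevation and
workstation-to-workstation spread before the ransom note appears) as a heuristic:
one account performing network logons (event 4624, logon type 3) to many distinct
hosts inside a short window, correlated with 'special privileges assigned'
(event 4672) on those hosts. Field layout, hostnames and thresholds are
assumptions chosen for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: ts|event_id|logon_type|account|source_host|target_host
SAMPLE_LOG = r"""
2021-01-10T02:00:05|4624|3|CORP\svc_backup|WS-017|WS-018
2021-01-10T02:00:41|4624|3|CORP\svc_backup|WS-017|WS-019
2021-01-10T02:01:10|4672||CORP\svc_backup||WS-019
2021-01-10T02:02:33|4624|3|CORP\svc_backup|WS-017|WS-020
2021-01-10T02:03:02|4624|3|CORP\svc_backup|WS-017|WS-021
2021-01-10T02:05:47|4624|3|CORP\svc_backup|WS-017|FS-01
2021-01-10T02:06:12|4672||CORP\svc_backup||FS-01
2021-01-10T09:15:00|4624|3|CORP\jdoe|WS-004|FS-01
2021-01-10T11:40:00|4624|3|CORP\jdoe|WS-004|PRINT-02
"""


def parse_log(text):
    """Parse the pipe-delimited sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, acct, src, dst = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(eid),
                       "logon_type": int(ltype) if ltype else None,
                       "account": acct, "src": src, "dst": dst})
    return events


def detect_fanout(events, window=timedelta(minutes=15), min_hosts=5):
    """Emit one alert per account that reaches min_hosts distinct targets inside window.

    Thresholds are assumptions; tune them against the normal fan-out of backup,
    monitoring and helpdesk accounts in the environment being monitored.
    """
    logons, privs = defaultdict(list), defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3:   # network logon
            logons[e["account"]].append(e)
        elif e["event_id"] == 4672:                           # special privileges assigned
            privs[e["account"]].append(e)

    alerts = []
    for acct, evs in logons.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide the window forward
                start += 1
            hosts = {e["dst"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                first, last = evs[start]["ts"], evs[end]["ts"]
                # Hosts in the fan-out set where the same account also gained
                # elevated privileges during (or shortly after) the window.
                elevated = {p["dst"] for p in privs[acct]
                            if first <= p["ts"] <= last + window and p["dst"] in hosts}
                alerts.append({"account": acct, "first": first, "last": last,
                               "hosts": sorted(hosts), "privileged_on": sorted(elevated)})
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample, `svc_backup` trips the rule (five hosts in under six minutes, with elevation on two of them) while `jdoe` does not. The value of this check is that it fires during the dwell period, before encryption starts; an alert that only triggers on the ransom note or on mass file renames arrives after the point at which the affidavit says the actors are already satisfied with their foothold.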
  • The European Data Protection Board (EDPB) has issued guidance to European Union (EU) member states that governs transfers of personal data under Directive (EU) 2016/680 (the Law Enforcement Directive aka the LED.) This guidance flows, in significant part, from Schrems II, the case that struck down the adequacy decision on which the United States-EU Privacy Shield relied. The EDPB noted
    • The LED “lay[s] down the specific rules with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against the prevention of threats to public security.”
    • The LED determines the grounds allowing the transfer of personal data to a third country or an international organisation in this context. One of the grounds for such transfer is the decision by the European Commission that the third country or international organisation in question ensures an adequate level of protection.
    • As specified by the CJEU, while the level of protection in the third country must be essentially equivalent to that guaranteed in the EU, ‘the means to which that third country has recourse, in this connection, for the purpose of such a level of protection may differ from those employed within the European Union ’but‘ those means must nevertheless prove, in practice, effective’. The adequacy standard therefore does not require to mirror point by point the EU legislation, but to establish the essential-core requirements of that legislation.
  • Canada’s federal and provincial privacy commissioners asserted in a statement “that [Clearview AI] violated federal and provincial privacy laws.” Clearview AI is an American firm that assembled much of its database by scraping photos from public-facing websites, a practice that has left many privacy stakeholders uncomfortable. In a sense these findings are moot, for in summer 2020, shortly after this investigation was launched, Clearview AI announced it would no longer offer its facial recognition technology in Canada. However, a separate federal investigation into whether the Royal Canadian Mounted Police’s (RCMP) use of Clearview AI’s services violated Canadian law is ongoing. The Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, the Office of the Information and Privacy Commissioner for British Columbia and the Office of the Information and Privacy Commissioner of Alberta claimed:
    • Clearview AI’s technology allowed law enforcement and commercial organizations to match photographs of unknown people against the company’s databank of more than 3 billion images, including of Canadians and children, for investigation purposes. Commissioners found that this creates the risk of significant harm to individuals, the vast majority of whom have never been and will never be implicated in a crime.
    • The investigation found that Clearview had collected highly sensitive biometric information without the knowledge or consent of individuals. Furthermore, Clearview collected, used and disclosed Canadians’ personal information for inappropriate purposes, which cannot be rendered appropriate via consent.
    • When presented with the investigative findings, Clearview argued that:
      • Canadian privacy laws do not apply to its activities because the company does not have a “real and substantial connection” to Canada;
      • Consent was not required because the information was publicly available;
      • Individuals who placed or permitted their images to be placed on websites that were scraped did not have substantial privacy concerns justifying an infringement of the company’s freedom of expression;
      • Given the significant potential benefit of Clearview’s services to law enforcement and national security and the fact that significant harm is unlikely to occur for individuals, the balancing of privacy rights and Clearview’s business needs favoured the company’s entirely appropriate purposes; and
      • Clearview cannot be held responsible for offering services to law enforcement or any other entity that subsequently makes an error in its assessment of the person being investigated.
    • Commissioners rejected these arguments. They were particularly concerned that the organization did not recognize that the mass collection of biometric information from billions of people, without express consent, violated the reasonable expectation of privacy of individuals and that the company was of the view that its business interests outweighed privacy rights.
    • On the applicability of Canadian laws, they noted that Clearview collected the images of Canadians and actively marketed its services to law enforcement agencies in Canada. The RCMP became a paying customer and a total of 48 accounts were created for law enforcement and other organizations across the country.
    • The investigation also noted the potential risks to individuals whose images were captured and included in Clearview’s biometric database. These potential harms include the risk of misidentification and exposure to potential data breaches.

Coming Events

  • On 10 February, the House Homeland Security Committee will hold a hearing titled “Homeland Cybersecurity: Assessing Cyber Threats and Building Resilience” with these witnesses:
    • Mr. Chris Krebs, Former Director, Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security
    • Ms. Sue Gordon, Former Principal Deputy Director of National Intelligence, Office of the Director of National Intelligence
    • Mr. Michael Daniel, President & CEO, Cyber Threat Alliance
    • Mr. Dmitri Alperovitch, Executive Chairman, Silverado Policy Accelerator
  • The House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold a hearing titled “Justice Restored: Ending Forced Arbitration and Protecting Fundamental Rights.”
  • On 12 February, the Federal Communications Commission’s (FCC) acting Chair Jessica Rosenworcel will hold a virtual Roundtable on the Emergency Broadband Benefit Program, “a new program that would enable eligible households to receive a discount on the cost of broadband service and certain connected devices during the COVID-19 pandemic.” The FCC also noted “[i]n the Consolidated Appropriations Act of 2021, Congress appropriated $3.2 billion” for the program.
  • On 17 February, the Federal Communications Commission (FCC) will hold an open meeting, its first under acting Chair Jessica Rosenworcel, with this tentative agenda:
    • Presentation on the Emergency Broadband Benefit Program. The Commission will hear a presentation on the creation of an Emergency Broadband Benefit Program. Congress charged the FCC with developing a new $3.2 billion program to help Americans who are struggling to pay for internet service during the pandemic.
    • Presentation on COVID-19 Telehealth Program. The Commission will hear a presentation about the next steps for the agency’s COVID-19 Telehealth program. Congress recently provided an additional $249.95 million to support the FCC’s efforts to expand connected care throughout the country and help more patients receive health care safely.
    • Presentation on Improving Broadband Mapping Data. The Commission will hear a presentation on the work the agency is doing to improve its broadband maps. Congress directly appropriated $65 million to help the agency develop better data for improved maps.
    • Addressing 911 Fee Diversion. The Commission will consider a Notice of Proposed Rulemaking that would implement section 902 of the Don’t Break Up the T-Band Act of 2020, which requires the Commission to take action to help address the diversion of 911 fees by states and other jurisdictions for purposes unrelated to 911. (PS Docket Nos. 20-291, 09-14)
    • Implementing the Secure and Trusted Communications Networks Act. The Commission will consider a Third Further Notice of Proposed Rulemaking that proposes to modify FCC rules consistent with changes that were made to the Secure and Trusted Communications Networks Act in the Consolidated Appropriations Act, 2021. (WC Docket No. 18-89)
  • On 27 July 2021, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Ranjat M from Pixabay

Further Reading, Other Developments, and Coming Events (26, 27, and 28 January 2021)

Further Reading

  • President Biden’s Tech To-Do List” By Shira Ovide — The New York Times. Another survey of the pressing tech issues President Joe Biden and his Administration will grapple with.
  • Trying to improve remote learning? A refugee camp offers some surprising lessons” By Javeria Salman — The Hechinger Report. An organization that is helping refugee children advises that digital literacy is the necessary first step in helping all children have positive online learning experiences (assuming of course they have devices and internet access). This means more than being adept with Instagram, TikTok, and Snapchat. They also suggest that children work on projects as opposed to busy work.
  • Silicon Valley Takes the Battlespace” By Jonathan Guyer — The American Prospect. A company funded, in part, by former Google CEO Eric Schmidt, Rebellion Defense, landed two members on then President-elect Joe Biden’s official transition team, causing some to wonder about the group. This start-up builds artificial intelligence (AI) software with defense industry applications, among other products. Schmidt chairs the National Security Commission on Artificial Intelligence and is widely seen as a bridge between Washington and Silicon Valley. Some see the rise of this company as the classic inside-the-Beltway tale of blurring interests and capitalizing on connections and know-how.
  • The fight to make Netflix and Hulu pay cable fees” By Adi Robertson — The Verge. Municipalities are suing platforms like Netflix, Hulu, Dish Network, DirecTV and others, claiming they are not paying the franchise fees and quarterly fees traditional cable companies have been subject to for the use of the localities’ rights of way and broadband service. The companies are, of course, arguing they are not subject to these laws because they are not cable companies. There have been a host of such suits filed throughout the United States (U.S.) and bear watching.
  • Twitter’s misinformation problem is much bigger than Trump. The crowd may help solve it.” By Elizabeth Dwoskin — The Washington Post. Sounds like Twitter is going the route of Wikipedia with a pilot in which volunteers would fact check and provide context to problematic content. Perhaps this helps address the problems posed by social media platforms.
  • Biden’s clean up of Silicon Valley poses a problem for Scott Morrison” By Harley Dennett — The Canberra Times. The concern down under is that the Biden Administration will press the Morrison government into weakening the “Treasury Laws Amendment (News Media and Digital Platforms Mandatory Bargaining Code) Bill 2020” that “establishes a mandatory code of conduct to help support the sustainability of the Australian news media sector by addressing bargaining power imbalances between digital platforms and Australian news businesses” according to the Explanatory Memorandum. Doing so would please Google, Facebook, and others, supposedly making them more amenable to the coming policy changes Democrats want to unleash on tech companies. It remains to be seen what the Biden Administration would get in return.
  • China turbocharges bid to discredit Western vaccines, spread virus conspiracy theories” By Gerry Shih — The Washington Post. In light of more effective vaccines developed by United States (U.S.) companies and a World Health Organization (WHO) team in Wuhan investigating, the People’s Republic of China (PRC) has kicked its propaganda campaign into high gear. All sorts of unsubstantiated claims are being made about the safety and effectiveness of the U.S. vaccines and the source of COVID-19 (allegedly from the U.S.)
  • A Chinese hacking group is stealing airline passenger details” By Catalin Cimpanu — ZDNet.  Hackers associated with the People’s Republic of China (PRC) apparently hacked into one of the companies that generates Passenger Name Records (PNR) that details who flies where and when. There are many uses for these data, including identifying likely foreign intelligence operatives such as Central Intelligence Agency (CIA) agents stationed abroad.
  • Biden Has a Peloton Bike. That Raises Issues at the White House.” By Sheryl Gay Stolberg — The New York Times. This is the level of coverage of the new President. His predecessor used an insecure iPhone that other nations’ intelligence agencies were likely tapping and was famously careless with classified information. And yet, President Joe Biden’s Peloton worries cybersecurity experts. Buried inside the story are the revelations that during the Digital Age, Presidents present cybersecurity challenges and tailored solutions are found.
  • Ministry of Electronics asks Whatsapp to withdraw changes to privacy policy, disclose data sharing practice” By Bismah Malik — The New Indian Express. India’s Ministry of Electronics and Information Technology (MeitY) is asking WhatsApp to scrap plans to roll out an already delayed change to its privacy policies. India is the company’s largest market and has already flexed its muscle against other foreign apps it claimed posed dangers to its people, like TikTok. WhatsApp would likely be blocked under a proposed Indian law from moving ahead with its plan to make data people share with WhatsApp business accounts available to Facebook and for advertising. The Data Protection Bill is expected to pass the Parliament this year.
  • WhatsApp Fueled A Global Misinformation Crisis. Now, It’s Stuck In One.” By Pranav Dixit — BuzzFeed News. A nice overview of how WhatsApp and Facebook’s missteps and limited credibility with people resulted in a widely believed misrepresentation about the changes to WhatsApp’s Terms of Service announced earlier this year.
  • Amazon, Facebook, other tech giants spent roughly $65 million to lobby Washington last year” By Tony Romm — The Washington Post. While Amazon and Facebook increased their federal lobbying, Google cut back. It bears note these totals are only for the lobbying these entities are doing directly to the federal government and does not include what they spend on firms and lobbyists in Washington (which is plenty) or their contributions to organizations like the Information Technology Industry Council or the Center for Democracy and Technology (which, again, is a lot.) Let’s also not forget political contributions or fundraising by the leadership and senior employees of these companies and political action committees (PAC). Finally, these totals exclude funds spent in state capitals, and I expect tech companies dropped a ton of cash in places like Sacramento and Olympia last year as major privacy legislation was under consideration. Moreover, this article does not take in whatever the companies are spending in Brussels and other capitals around the world.
  • Google won’t donate to members of Congress who voted against election results” By Ashley Gold — Axios. Speaking of using money to influence the political process, Google has joined other tech companies in pausing donations to Members who voted against certifying President Joe Biden’s victory in the Electoral College (i.e., Senators Ted Cruz (R-TX) and Josh Hawley (R-MO), to name two). We’ll see how long this lasts.
  • FCC’s acting chair says agency reviewing reports of U.S. East Coast internet outages” By Staff — Reuters; “Big Internet outages hit the East Coast, causing issues for Verizon, Zoom, Slack, Gmail” By Rachel Lerman — The Washington Post. On 26 January, there were widespread internet outages on the east coast of the United States (U.S.) that the Federal Communications Commission (FCC) is vowing to investigate. Acting FCC Chair Jessica Rosenworcel tweeted:
    • We have seen reports of internet-related outages on the East Coast, making it difficult for people to work remotely and go to school online. The @FCC Public Safety and Homeland Security Bureau is working to get to the bottom of what is going on.
    • It is not clear where and why the roughly hour long outage occurred, but early fingers are being pointed at Verizon FIOS.
  • Police Say They Can Use Facial Recognition, Despite Bans” By Alfred Ng — The Markup. No one should be surprised that many police departments are reading bans on using facial recognition technology as narrowly as possible. Nevertheless, legislators and advocates are fighting over the interpretations of these recently passed statutes, almost all of which have been put in place by municipalities. Jurisdictions in the United States may also soon choose to address the use of facial recognition technology by businesses.
  • Why Are Moscow and Beijing Happy to Host the U.S. Far-Right Online?” By Fergus Ryan — Foreign Policy. The enemy of my enemy is my friend, supposedly. Hence, extremist right-wingers, white supremacists, and others are making common cause with the companies of the People’s Republic of China and the Russian Federation by moving their websites and materials to those jurisdictions after getting banned by western companies. Given how closely Beijing and Moscow monitor their nations’ internet, this is surely done with the tacit permission of those governments and quite possibly to the same end as their disinformation campaigns: to disrupt the United States and neutralize it as a rival.
  • After Huawei, Europe’s telcos want ‘open’ 5G networks” By Laurens Cerulus — Politico EU. Europe’s major telecommunications companies, Deutsche Telekom, Telefónica, Vodafone and Orange, have banded together to support and buy Open RAN technology to roll out 5G instead of buying from Ericsson or Nokia, who are promising to do it all. Open RAN would allow smaller companies to build pieces of 5G networks that would be interchangeable, since everyone is working from the same standards. Huawei, of course, has been shut out of many European nations and sees the development as more evidence that western nations are ganging up on it.

Other Developments

  • White House Press Secretary Jen Psaki confirmed that President Joe Biden has directed the United States Intelligence Community (IC) to investigate and report to him on the SolarWinds breach perpetrated by the Russian Federation’s foreign intelligence service, Sluzhba vneshney razvedki Rossiyskoy Federatsii (SVR). Thus far, it appears that many United States (U.S.) agencies and private sector entities were quietly breached in early 2020 and then surveilled for months until FireEye, a private sector cybersecurity company, divulged it had been breached. Given former President Donald Trump’s aversion to acknowledging the malicious acts of Russia, it seemed likely the Biden Administration would start the U.S. response. Interestingly, the Biden Administration is extending two nuclear weapons control treaties at the same time it seeks to undertake this assessment of Russian hacking. And, whatever the results of the assessment, experts are in agreement that the Biden Administration would seem to have few good options to retaliate and deter future action.
    • At a 21 January press briefing, Psaki stated
      • I can confirm that the United States intends to seek a five-year extension of New START, as the treaty permits.  The President has long been clear that the New START Treaty is in the national security interests of the United States.  And this extension makes even more sense when the relationship with Russia is adversarial, as it is at this time.
      • New START is the only remaining treaty constraining Russian nuclear forces and is an anchor of strategic stability between our two countries.
      • And to the other part of your question: Even as we work with Russia to advance U.S. interests, so too we work to hold Russia to account for its reckless and adversarial actions.  And to this end, the President is also issuing a tasking to the intelligence community for its full assessment of the SolarWinds cyber breach, Russian interference in the 2020 election, its use of chemical weapons against opposition leader Alexei Navalny, and the alleged bounties on U.S. soldiers in Afghanistan.
  • A group of 40 organizations urged President Joe Biden “to avoid appointing to key antitrust enforcement positions individuals who have served as lawyers, lobbyists, or consultants for Amazon, Apple, Facebook, and Google” in a letter sent before his inauguration. Instead, they encouraged him “to appoint experienced litigators or public servants who have recognized the dangers of, rather than helped to exacerbate, these corporations’ market power.” They closed the letter with this paragraph:
    • With your historic election, and the groundbreaking mandate Americans have entrusted you with, you face the challenge of not only rebuilding the country, but also rebuilding trust in government. We believe that appointing antitrust enforcers with no ties to dominant corporations in the industries they will be tasked with overseeing – particularly in regard to the technology sector – will help re-establish public trust in government at a critically important moment in our country’s history. We look forward to working with your administration to ensure powerful technology corporations are held accountable for wrongdoing in the months and years ahead.
    • The signatories include:
      • Public Citizen
      • American Economic Liberties Project
      • Open Markets Institute
      • Revolving Door Project
  • The National Security Agency (NSA) issued an advisory “Adopting Encrypted DNS in Enterprise Environments,” “explaining the benefits and risks of adopting the encrypted domain name system (DNS) protocol, DNS over HTTPS (DoH), in enterprise environments.” This advisory is entirely voluntary and does not bind any class of entities. Moreover, it is the latest in a series of public advisories that has seen the heretofore secretive NSA seek to rival the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) in advising the owners and operators of cyber infrastructure. The NSA explained:
    • Use of the Internet relies on translating domain names (like “nsa.gov”) to Internet Protocol addresses. This is the job of the Domain Name System (DNS). In the past, DNS lookups were generally unencrypted, since they have to be handled by the network to direct traffic to the right locations. DNS over Hypertext Transfer Protocol over Transport Layer Security (HTTPS), often referred to as DNS over HTTPS (DoH), encrypts DNS requests by using HTTPS to provide privacy, integrity, and “last mile” source authentication with a client’s DNS resolver. It is useful to prevent eavesdropping and manipulation of DNS traffic. While DoH can help protect the privacy of DNS requests and the integrity of responses, enterprises that use DoH will lose some of the control needed to govern DNS usage within their networks unless they allow only their chosen DoH resolver to be used. Enterprise DNS controls can prevent numerous threat techniques used by cyber threat actors for initial access, command and control, and exfiltration.
    • Using DoH with external resolvers can be good for home or mobile users and networks that do not use DNS security controls. For enterprise networks, however, NSA recommends using only designated enterprise DNS resolvers in order to properly leverage essential enterprise cybersecurity defenses, facilitate access to local network resources, and protect internal network information. The enterprise DNS resolver may be either an enterprise-operated DNS server or an externally hosted service. Either way, the enterprise resolver should support encrypted DNS requests, such as DoH, for local privacy and integrity protections, but all other encrypted DNS resolvers should be disabled and blocked. However, if the enterprise DNS resolver does not support DoH, the enterprise DNS resolver should still be used and all encrypted DNS should be disabled and blocked until encrypted DNS capabilities can be fully integrated into the enterprise DNS infrastructure.
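The NSA recommendation quoted above reduces to a small policy: DNS goes only to the designated enterprise resolver; every other plain (port 53), DoT (port 853) or DoH (inside HTTPS on port 443) resolver is blocked; and if the enterprise resolver cannot yet speak encrypted DNS, encrypted DNS is blocked entirely until it can. The following is an added example, not NSA code and not part of the advisory, that expresses that policy as a classifier a firewall rule or SIEM search could mirror, run over constructed connection-log lines. The resolver addresses, the short list of public DoH hostnames and the log format are assumptions chosen for the example.

```python
"""
Encrypted-DNS policy check over constructed connection-log lines.

Added example, not NSA code and not part of the advisory. It turns the advisory's
recommendation (use only the designated enterprise resolver; block every other
plain, DoT or DoH resolver; if the enterprise resolver cannot do encrypted DNS,
block encrypted DNS entirely until it can) into a per-flow classifier.
Resolver addresses, the DoH host list and the log format are assumptions.
"""
from dataclasses import dataclass

ENTERPRISE_RESOLVERS = {"10.0.0.53", "10.0.1.53"}   # assumption: the designated resolvers
# Deliberately short list of well-known public DoH endpoints; a production list is far longer.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Constructed sample log, one flow per line: ts,src,dst,proto,dport,sni
SAMPLE_FLOWS = """\
2021-01-27T10:00:01,10.20.5.14,10.0.0.53,udp,53,
2021-01-27T10:00:02,10.20.5.14,8.8.8.8,udp,53,
2021-01-27T10:00:05,10.20.5.21,1.1.1.1,tcp,853,
2021-01-27T10:00:07,10.20.5.21,104.16.248.249,tcp,443,cloudflare-dns.com
2021-01-27T10:00:09,10.20.5.30,10.0.0.53,tcp,443,dns.corp.example
2021-01-27T10:00:11,10.20.5.30,93.184.216.34,tcp,443,www.example.com
"""


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    sni: str          # TLS Server Name Indication, empty when not observed


def parse_flows(text):
    """Parse the comma-separated sample format into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, sni = line.split(",")
        flows.append(Flow(ts, src, dst, proto, int(dport), sni))
    return flows


def classify(flow, resolver_supports_encrypted=True):
    """Return 'allow' or a 'block:<reason>' verdict for one flow under the policy."""
    to_enterprise = flow.dst in ENTERPRISE_RESOLVERS
    if flow.dport == 53:                                   # plain DNS
        return "allow" if to_enterprise else "block:plain-dns-bypass"
    if flow.dport == 853:                                  # DNS over TLS
        if to_enterprise:
            return "allow" if resolver_supports_encrypted else "block:encrypted-dns-unsupported"
        return "block:dot-bypass"
    if flow.dport == 443:                                  # DoH rides inside ordinary HTTPS
        if to_enterprise:
            return "allow" if resolver_supports_encrypted else "block:encrypted-dns-unsupported"
        if flow.sni in KNOWN_DOH_HOSTS:
            return "block:doh-bypass"
    return "allow"


def audit(text, resolver_supports_encrypted=True):
    """Return (src, dst, sni, verdict) for every flow the policy would block."""
    hits = []
    for f in parse_flows(text):
        verdict = classify(f, resolver_supports_encrypted)
        if verdict != "allow":
            hits.append((f.src, f.dst, f.sni, verdict))
    return hits


if __name__ == "__main__":
    for hit in audit(SAMPLE_FLOWS):
        print(hit)
```

Two caveats a practitioner will want. First, the port 443 branch depends on seeing a Server Name Indication; a DoH server on an unlisted hostname, or a client that hides the name (Encrypted Client Hello, or a bare IP address), slips past the SNI match, so the durable control is the positive rule (only the enterprise resolver may resolve), with the DoH host list as a backstop rather than the primary defence. Second, the `resolver_supports_encrypted=False` path is the advisory's interim state: encrypted DNS to anyone, including the enterprise resolver, is refused until the enterprise resolver actually offers it, which is the condition under which the NSA text says encrypted DNS "should be disabled and blocked."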
  • The United States (U.S.) Government Accountability Office (GAO) has sent a report to the chair of the House Oversight Committee on its own initiative that “examines: (1) the Department of Defense’s (DOD) efforts to revise the process for identifying and protecting its critical technologies, and (2) opportunities for DOD’s revised process to inform U.S. government protection programs.” The GAO stated:
    • DOD’s critical technologies—including those associated with an acquisition program throughout its lifecycle or those still early in development—are DOD funded efforts that provide new or improved capabilities necessary to maintain the U.S. technological advantage. For the purposes of this report, we refer to these as critical acquisition programs and technologies. Also for the purposes of this report, U.S. government protection programs are those GAO previously identified across the federal government that are designed to protect critical technologies such as the Arms Export Control System, National Industrial Security Program, and the Committee on Foreign Investment in the U.S.
    • Critical technologies are pivotal to maintaining the U.S. military advantage and, as such, are a frequent target for unauthorized access by adversaries such as through theft, espionage, illegal export, and reverse engineering. DOD has long recognized the need to effectively identify and ensure the consistent protection of these technologies from adversaries, but past efforts have not been fully successful. Recent efforts to revise its process for identifying and protecting its critical acquisition programs and technologies—led by DOD’s Protecting Critical Technology Task Force— offer some improvements.
    • However, DOD can further strengthen its revised process by determining the approach for completing key steps. These steps include ensuring its critical acquisition programs and technologies list is formally communicated to all relevant internal entities and other federal agencies, such as the Department of the Treasury as chair of the Committee on Foreign Investment in the United States, to promote a consistent understanding of what DOD deems critical to protect. They also include developing appropriate metrics that DOD program offices as well as organizations—such as the military departments and Under Secretary of Defense level offices—can use to assess the implementation and sufficiency of the assigned protection measures. Finally, DOD has not yet designated an organization to oversee critical technology protection efforts beyond 2020. As DOD works to develop a policy for its revised process, addressing these issues will not only help improve and ensure continuity in DOD’s protection efforts, but also help ensure government- wide protection efforts are better coordinated as called for in the 2020 National Strategy for Critical and Emerging Technologies.
    • The GAO made three recommendations to the DOD:
      • The Secretary of Defense should direct the Deputy Secretary of Defense in conjunction with the Protecting Critical Technology Task Force to determine a process for formally communicating future critical acquisition programs and technologies lists to all relevant DOD organizations and federal agencies. (Recommendation 1)
      • The Secretary of Defense should direct the Deputy Secretary of Defense in conjunction with the Protecting Critical Technology Task Force to identify, develop, and periodically review appropriate metrics to assess the implementation and sufficiency of the assigned protection measures. (Recommendation 2)
      • The Secretary of Defense should direct the Deputy Secretary of Defense in conjunction with the Protecting Critical Technology Task Force to finalize the decision as to which DOD organization will oversee protection efforts beyond 2020. (Recommendation 3)
  • The National Telecommunications and Information Administration (NTIA) “under sponsorship of and in collaboration with the Department of Defense (DOD) 5G Initiative” “issued a Notice of Inquiry (NOI)…to explore a “5G Challenge” aiming to accelerate the development of an open source 5G ecosystem that can support DOD missions.” The NTIA explained:
    • A key innovation in 5G that is becoming more pervasive in the larger 5G ecosystem is the trend toward “open 5G” architectures that emphasize open interfaces in the network stack. NTIA, under sponsorship of and in collaboration with the DOD 5G Initiative, is seeking comments and recommendations from all interested stakeholders to explore the creation of a 5G Challenge that would accelerate the development of the open 5G stack ecosystem in support of DOD missions.
    • For the purposes of this Notice, NTIA has organized these questions into three broad categories: (1) Challenge structure and goals; (2) incentives and scope; and (3) timeframe and infrastructure support. NTIA seeks public input on any and/or all of these three categories.
  • The Advocate General of the Court of Justice of the European Union (CJEU) has released his opinion in a case on whether a data protection authority (DPA) other than the lead supervisory authority for a matter may bring its own action in its national courts. The General Data Protection Regulation (GDPR) organizes the regulation of cross-border data processing so that one agency, the DPA of the Member State where the controller has its main establishment, becomes the lead supervisory authority (LSA) and the other DPAs concerned must cooperate with and generally defer to it. Most famously, Ireland’s Data Protection Commission (DPC) has been the lead authority for the actions Maximillian Schrems brought against Facebook that led to the demise of two adequacy arrangements between the United States (U.S.) and the European Union (EU). The CJEU is not obligated to follow the Advocate General’s opinions, but they frequently prove persuasive. In any event, the Advocate General found that DPAs may, under some circumstances, bring cases over cross-border infringements even if another DPA is the LSA. Advocate General Michal Bobek summarized the facts of the case:
    • In September 2015, the Belgian data protection authority commenced proceedings before the Belgian courts against several companies belonging to the Facebook group (Facebook), namely Facebook INC, Facebook Ireland Ltd, which is the group’s main establishment in the EU, and Facebook Belgium BVBA (Facebook Belgium). In those proceedings, the data protection authority requested that Facebook be ordered to cease, with respect to any internet user established in Belgium, to place, without their consent, certain cookies on the device those individuals use when they browse a web page in the Facebook.com domain or when they end up on a third party’s website, as well as to collect data by means of social plugins and pixels on third party websites in an excessive manner. In addition, it requested the destruction of all personal data obtained by means of cookies and social plugins, about each internet user established in Belgium.
    • The proceedings at issue are at present in progress before the Hof van beroep te Brussel (Court of Appeal, Brussels, Belgium) with however their scope being limited to Facebook Belgium, as that court previously established that it had no jurisdiction with regard to the actions against Facebook INC and Facebook Ireland Ltd. In this context, Facebook Belgium asserts that, as of the date on which the General Data Protection Regulation (GDPR) has become applicable, the Belgian data protection authority has lost competence to continue the judicial proceedings at issue against Facebook. It contends that, under the GDPR, only the data protection authority of the State of Facebook’s main establishment in the EU (the so-called ‘lead’ data protection authority in the EU for Facebook), namely the Irish Data Protection Commission, is empowered to engage in judicial proceedings against Facebook for infringements of the GDPR in relation to cross-border data processing.
    • Bobek summed up the legal questions presented to the CJEU:
      • Does the GDPR permit a supervisory authority of a Member State to bring proceedings before a court of that State for an alleged infringement of that regulation with respect to cross-border data processing, where that authority is not the lead supervisory authority with regard to that processing?
      • Or does the new ‘one-stop-shop’ mechanism, heralded as one of the major innovations brought about by the GDPR, prevent such a situation from happening? If a controller were called upon to defend itself against a legal challenge concerning cross-border data processing brought by a supervisory authority in a court outside the place of the controller’s main establishment, would that be ‘one-stop-too-many’ and therefore incompatible with the new GDPR mechanism?
    • Bobek made the following findings:
      • [F]irst, that it transpires from the wording of the GDPR that the lead data protection authority has a general competence over cross-border data processing, including the commencement of judicial proceedings for the breach of the GDPR, and, by implication, the other data protection authorities concerned enjoy a more limited power to act in that regard.
      • Second, the Advocate General recalls that the very reason for the introduction of the one-stop-shop mechanism enshrined in the GDPR, whereby a significant role has been given to the lead data protection authority and cooperation mechanisms have been set up to involve other data protection authorities, was to address certain shortcomings resulting from the former legislation. Indeed, economic operators used to be required to comply with the various sets of national rules implementing that legislation, and to liaise, at the same time, with all the national data protection authorities, which proved to be costly, burdensome and time-consuming for those operators, and an inevitable source of uncertainty and conflicts for them and their customers.
      • Third, the Advocate General stresses that the lead data protection authority cannot be deemed as the sole enforcer of the GDPR in cross-border situations and must, in compliance with the relevant rules and time limits provided for by the GDPR, closely cooperate with the other data protection authorities concerned, the input of which is crucial in this area.
  • The United States (U.S.) Department of Defense added more companies from the People’s Republic of China (PRC) to the list of those associated with or controlled by the Chinese Communist Party or the People’s Liberation Army (PLA) “in accordance with the statutory requirement of Section 1237 of the National Defense Authorization Act for Fiscal Year 1999.” The previous lists were released last year (here, here, and here). This designation will almost certainly make doing business in the U.S. and elsewhere more difficult for the listed companies.
    • The first part of Section 1237 grants the President authority to “exercise International Emergency Economic Powers Act (IEEPA) authorities (other than authorities relating to importation) without regard to section 202 of the IEEPA (50 U.S.C. 1701) in the case of any commercial activity in the United States by a person that is on the list.” IEEPA grants the President sweeping powers to prohibit transactions and block property and property interests for nations and other groups subject to an IEEPA national emergency declaration. Consequently, those companies identified by the DOD on a list per Section 1237 could be blocked and prohibited from doing business with U.S. entities and others and those that do business with such Chinese companies could be subject to enforcement actions by the U.S. government.
    • The statute defines a “Communist Chinese military company” as “any person identified in the Defense Intelligence Agency publication numbered VP-1920-271-90, dated September 1990, or PC-1921-57-95, dated October 1995, and any update of those publications for the purposes of this section; and any other person that is owned or controlled by the People’s Liberation Army; and is engaged in providing commercial services, manufacturing, producing, or exporting.” Considering that the terms “owned” and “controlled” are not spelled out in this section, the executive branch may have very wide latitude in deeming a non-Chinese company as owned or controlled and therefore subject to the President’s use of IEEPA powers. Moreover, since the President already has the authority to declare an emergency and then use IEEPA powers, this language would seem to allow the President to bypass any such declaration and immediately use such powers, except those regarding importation, against any Chinese entities identified on this list by the Pentagon.
  • A group of 13 House Democrats wrote Attorney General designate Merrick Garland asking the Biden Administration “to withdraw from the United States (U.S.) federal government’s lawsuit against the State of California over its net neutrality law as one of the first actions after inauguration.” The Trump Administration had sued California after a measure became law in 2018 mandating net neutrality in the state in the wake of the Federal Communications Commission’s (FCC) rollback of federal net neutrality rules. The Members argued:
    • In September 2018, then-Governor Jerry Brown signed into law SB 822, the strongest net neutrality law in the country. The Trump Department of Justice (DOJ) sued to overturn California’s law hours later, and associations of telecommunications providers sued within days. Parties to the case agreed to put the case on hold until Mozilla v. FCC was resolved. In that case, the Court of Appeals for the D.C. Circuit vacated the part of the Federal Communications Commission (FCC)’s 2018 Restoring Internet Freedom Order (RIF) that preempted state net neutrality laws.
    • The arguments of the Trump DOJ and telecommunications associations in U.S. v. California extend further than even the FCC’s RIF and have implications on the ability of California and other states to regulate many communications and technology policy issues.
    • The Eastern District of California has scheduled a hearing in U.S. v. California for a request for an injunction on January 26, 2021. It is for these reasons, we ask that the federal DOJ withdraw from U.S. v. California shortly after President-elect Biden is inaugurated.
  • On its first day in power, the Biden Administration issued its “National Strategy for the COVID-19 Response and Pandemic Preparedness.” In the cover letter, President Joe Biden stated:
    • For the past year, we could not turn to the federal government for a national plan to answer prayers with action — until today. In the following pages, you will find my Administration’s national strategy to beat the COVID-19 pandemic. It is a comprehensive plan that starts with restoring public trust and mounting an aggressive, safe, and effective vaccination campaign. It continues with the steps we know that stop the spread like expanded masking, testing, and social distancing. It’s a plan where the federal government works with states, cities, Tribal communities, and private industry to increase supply and administer testing and the vaccines that will help reopen schools and businesses safely. Equity will also be central to our strategy so that the communities and people being disproportionately infected and killed by the pandemic receive the care they need and deserve.
    • Given the numerous cyber-attacks and intrusions throughout the pandemic and the growing risks to the entire vaccine supply chain, the President asked Director of National Intelligence Avril Haines to “lead an assessment of ongoing cyber threats and foreign interference campaigns targeting COVID-19 vaccines and related public health efforts” in order to “counter any threat to the vaccination program.” The Administration stated “[t]he U.S. Government will take steps to address cyber threats to the fight against COVID-19, including cyber attacks on COVID-19 research, vaccination efforts, the health care systems and the public health infrastructure.”
    • Specifically, the strategy requires the following:
      • To assist in the Federal Government’s efforts to provide warning of pandemics, protect our biotechnology infrastructure from cyber attacks and intellectual property theft, identify and monitor biological threats from states and non-state actors, provide validation of foreign data and response efforts, and assess strategic challenges and opportunities from emerging biotechnologies, the Director of National Intelligence shall:
        • (i) Review the collection and reporting capabilities in the United States Intelligence Community (IC) related to pandemics and the full range of high-consequence biological threats and develop a plan for how the IC may strengthen and prioritize such capabilities, including through organizational changes or the creation of National Intelligence Manager and National Intelligence Officer positions focused on biological threats, global public health, and biotechnology;
        • (ii) Develop and submit to the President, through the Assistant to the President for National Security Affairs (APNSA) and the COVID-19 Response Coordinator, a National Intelligence Estimate on
          • (A) the impact of COVID-19 on national and economic security; and
          • (B) current, emerging, reemerging, potential, and future biological risks to national and economic security; and
        • (iii) In coordination with the Secretary of State, the Secretary of Defense, the Secretary of Health and Human Services (HHS), the Director of the Centers for Disease Control and Prevention (CDC), the Administrator of the United States Agency for International Development (USAID), the Director of the Office of Science and Technology Policy, and the heads of other relevant agencies, promptly develop and submit to the APNSA an analysis of the security implications of biological threats that can be incorporated into modeling, simulation, course of action analysis, and other analyses.
  • Before the end of the Trump Administration, the Departments of State and Treasury imposed sanctions on a group of Ukrainian individuals and entities for taking part in “a Russia-linked foreign influence network associated with Andrii Derkach, who was designated on September 10, 2020, pursuant to Executive Order (E.O.) 13848 for his attempt to influence the 2020 U.S. Presidential election” according to the Trump Administration Department of State press release. These sanctions emanate from a narrative pushed by Derkach, a likely Russian agent, that the Biden family was engaged in corrupt dealings in Ukraine. Allies of the Trump Campaign pushed this narrative, too, until it failed to gain traction in the public sphere. It is little wonder the last administration waited until the tail end of the Trump presidency to levy such sanctions. State went on to explain:
    • Former Ukraine Government officials Konstantin Kulyk, Oleksandr Onyshchenko, Andriy Telizhenko, and current member of the Ukrainian parliament Oleksandr Dubinsky, have publicly appeared with or affiliated themselves with Derkach through the coordinated dissemination and promotion of fraudulent or unsubstantiated allegations involving a U.S. political candidate. They have made repeated public statements advancing malicious narratives that U.S. Government officials have engaged in corrupt dealings in Ukraine. These efforts and narratives are consistent with or in support of Derkach’s objectives to influence the 2020 U.S. presidential election. As such, these individuals have been designated pursuant to E.O. 13848 for having directly or indirectly engaged in, sponsored, concealed, or otherwise been complicit in foreign influence in an attempt to undermine the 2020 U.S. elections.
    • NabuLeaks, Era-Media, Only News, and Skeptik TOV are media front companies in Ukraine that disseminate false narratives at the behest of Derkach and his associates. They are being designated pursuant to E.O. 13848 for being owned or controlled by Derkach or his media team. Today’s action also includes the designation of Petro Zhuravel, Dmytro Kovalchuk, and Anton Simonenko for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, Derkach.
    • Additionally, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) “took additional action against seven individuals and four entities that are part of a Russia-linked foreign influence network associated with Andrii Derkach” according to the agency’s press release. OFAC stated “[a]s a result of today’s designations, all property and interests in property of these targets that are subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them. Additionally, any entities 50 percent or more owned by one or more designated persons are also blocked.”
  • The United States (U.S.) Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) published “a draft of the Trusted Internet Connections (TIC) 3.0 Remote User Use Case and the draft National Cybersecurity Protection System (NCPS) Cloud Interface Reference Architecture (NCIRA): Volume 2.” Some background is in order.
    • The TIC initiative was launched under former President George W. Bush to reduce the number of connections between federal agency networks and the wider internet, on the logic of physical perimeter defense: fewer entry and exit points make for a more defensible compound, and all traffic can be inspected as it passes through them. Over time, this model proved problematic, especially as cloud services and mobile and remote work became widespread and backhauling all traffic through a small number of access points added cost and latency. Consequently, in an Office of Management and Budget (OMB) memorandum updating the TIC policy, the Trump Administration began a revamp from which these documents flow:
      • To continue to promote a consistent baseline of security capabilities, the Department of Homeland Security (DHS) will define TIC initiative requirements in documentation called TIC Use Cases (refer to Appendix A). TIC Use Case documentation will outline which alternative security controls, such as endpoint and user-based protections, must be in place for specific scenarios in which traffic may not be required to flow through a physical TIC access point. To promote flexibility while maintaining a focus on security outcomes, the capabilities used to meet TIC Use Case requirements may be separate from an agency’s existing network boundary solutions provided by a Trusted Internet Connection Access Provider (TICAP) or Managed Trusted Internet Protocol Services (MTIPS). Given the diversity of platforms and implementations across the Federal Government, TIC Use Cases will highlight proven, secure scenarios, where agencies have met requirements for government-wide intrusion detection and prevention efforts, such as the National Cybersecurity Protection System (including the EINSTEIN suite), without being required to route traffic through a TICAP/MTIPS solution.
    • In the Remote User Use Case, it is explained that
      • The TIC 3.0 Remote User Use Case (Remote User Use Case) defines how network and multi-boundary security should be applied when an agency permits remote users on their network. A remote user is an agency user that performs sanctioned business functions outside of a physical agency premises. The remote user scenario has two distinguishing characteristics:
        • 1. Remote user devices are not directly connected to network infrastructure that is managed and maintained by the agency.
        • 2. Remote user devices are intended for individual use (i.e., not a server).
      • In contrast, when remote user devices are directly connected to local area networks and other devices that are managed and maintained by the agency, it would be considered either an agency campus or a branch office scenario. TIC architectures for agency campus and branch office scenarios are enumerated in the TIC 3.0 Traditional TIC Use Case and the TIC 3.0 Branch Office Use Case respectively.
    • In NCIRA, it is stated:
      • The NCPS Cloud Interface Reference Architecture is being released as two individual volumes. The first volume provides an overview of changes to NCPS to accommodate the collection of relevant data from agencies’ cloud environments and provides general reporting patterns for sending cloud telemetry to CISA. This second volume builds upon the concepts presented in NCPS Cloud Interface Reference Architecture: Volume One and provides an index of common cloud telemetry reporting patterns and characteristics for how agencies can send cloud-specific data to the NCPS cloud-based architecture. Individual cloud service providers (CSPs) can refer to the reporting patterns in this volume to offer guidance on their solutions that allow agencies to send cloud telemetry to CISA in fulfillment of NCPS requirements.
  • The Congressional-Executive Commission on China (CECC) published its “2020 Annual Report” “on human rights and the rule of law in China.” The CECC found that:
    • the Chinese government and Communist Party have taken unprecedented steps to extend their repressive policies through censorship, intimidation, and the detention of people in China for exercising their fundamental human rights. Nowhere is this more evident than in the Xinjiang Uyghur Autonomous Region (XUAR) where new evidence emerged that crimes against humanity—and possibly genocide—are occurring, and in Hong Kong, where the ‘‘one country, two systems’’ framework has been effectively dismantled.
    • These policies are in direct violation of China’s Constitution, which guarantees ‘‘freedom of speech, of the press, of assembly, of association, of procession and of demonstration,’’ as well as ‘‘freedom of religious belief.’’ The actions of the Chinese government also contravene both the letter and the spirit of the Universal Declaration of Human Rights; violate its obligations under the International Covenant on Civil and Political Rights, which the Chinese government has signed but not ratified; and violate the International Covenant on Economic, Social, and Cultural Rights, ratified in 2001. Further, the Chinese government has abandoned any pretense of adhering to the legally binding commitments it made to the international community when it signed the 1984 Sino-British Joint Declaration on the future of Hong Kong.
    • President and Party General Secretary Xi Jinping has tightened his grip over China’s one-party authoritarian system, and the Party has further absorbed key government functions while also enhancing its control over universities and businesses. Authorities promoted the official ideology of ‘‘Xi Jinping Thought’’ on social media and required Party members, government officials, journalists, and students to study it, making the ideology both pervasive, and for much of the country, mandatory.
    • Regarding freedom of expression, the CECC recommended:
      • Give greater public expression, including at the highest levels of the U.S. Government, to the issue of press freedom in China, condemning: the harassment and detention of both domestic and foreign journalists; the denial, threat of denial, or delay of visas for foreign journalists; and the censorship of foreign media websites. Consistently link press freedom to U.S. interests, noting that censorship and restrictions on journalists and media websites prevent the free flow of information on issues of public concern, including public health and environmental crises, food safety problems, and corruption, and act as trade barriers for foreign companies attempting to access the Chinese market. Assess the extent to which China’s treatment of foreign journalists contravenes its World Trade Organization commitments and other obligations.
      • Sustain, and where appropriate, expand, programs that develop and widely distribute technologies that will assist Chinese human rights advocates and civil society organizations in circumventing internet restrictions, in order to access and share content protected under international human rights standards. Continue to maintain internet freedom programs for China at the U.S. Department of State and the United States Agency for Global Media to provide digital security training and capacity-building efforts for bloggers, journalists, civil society organizations, and human rights and internet freedom advocates in China.
      • Raise with Chinese officials, during all appropriate bilateral discussions, the cost to U.S.-China relations and to the Chinese public’s confidence in government institutions that is incurred when the Chinese government restricts political debate, advocacy for democracy or human rights, and other forms of peaceful political expression. Emphasize that such restrictions violate international standards for free expression, particularly those contained in Article 19 of the International Covenant on Civil and Political Rights and Article 19 of the Universal Declaration of Human Rights.
  • The Center for Democracy and Technology (CDT) issued its “Recommendations to the Biden Administration and 117th Congress to Advance Civil Rights & Civil Liberties in the Digital Age” that called for reform to content moderation, election law, privacy, big data, and other policy areas.
  • A United States (U.S.) federal court denied Parler’s request for a preliminary injunction against Amazon Web Services (AWS) after AWS stopped hosting Parler’s website, citing repeated violations of their contract, including content posted on the conservative-leaning platform around the 6 January 2021 insurrection at the United States Capitol. Parler was essentially asking the court to force AWS to host its website again while the litigation was pending. The court reviewed Parler’s claims and clarified the scope of the case:
    • In its Complaint, Parler asserts three claims: (1) for conspiracy in restraint of trade, in violation of the Sherman Act, 15 U.S.C. § 1; (2) for breach of contract; and (3) for tortious interference with business expectancy. AWS disputes all three claims, asserting that it is Parler, not AWS, that has violated the terms of the parties’ Agreement, and in particular AWS’s Acceptable Use Policy, which prohibits the “illegal, harmful, or offensive” use of AWS services.
    • It is important to note what this case is not about. Parler is not asserting a violation of any First Amendment rights, which exist only against a governmental entity, and not against a private company like AWS. And indeed, Parler has not disputed that at least some of the abusive and violent posts that gave rise to the issues in this case violate AWS’s Acceptable Use Policy. This motion also does not ask the Court to make a final ruling on the merits of Parler’s claims. As a motion for a preliminary injunction, before any discovery has been conducted, Parler seeks only to have the Court determine the likelihood that Parler will ultimately prevail on its claims, and to order AWS to restore service to Parler pending a full and fair litigation of the issues raised in the Complaint.
    • However, the court ruled against Parler:
      • Parler has failed to meet the standard set by Ninth Circuit and U.S. Supreme Court precedent for issuance of a preliminary injunction. To be clear, the Court is not dismissing Parler’s substantive underlying claims at this time. Parler has fallen far short, however, of demonstrating, as it must, that it has raised serious questions going to the merits of its claims, or that the balance of hardships tips sharply in its favor. It has also failed to demonstrate that it is likely to prevail on the merits of any of its three claims; that the balance of equities tips in its favor, let alone strongly so; or that the public interests lie in granting the injunction.
  • The United States (U.S.) Department of Commerce’s National Telecommunications and Information Administration (NTIA) issued a statutorily required “National Strategy to Secure 5G Implementation Plan” and Appendices. The NTIA explained:
    • In accordance with the Secure 5G and Beyond Act of 2020, the Executive Branch has developed a comprehensive implementation plan. This implementation will be managed under the leadership of the National Security Council and the National Economic Council, supported by the National Telecommunications and Information Administration (NTIA), and with contributions from and coordination among a wide range of departments and agencies. The implementation plan took into account the 69 substantive comments in response to NTIA’s Request for Comments received from companies, industry associations, and think tanks representing a range of interests and aspects of the telecommunications ecosystem. Consistent with the National Strategy to Secure 5G, the implementation plan encompasses four lines of effort:
      • Line of Effort One: Facilitate Domestic 5G Rollout: The first line of effort establishes a new research and development initiative to develop advanced communications and networking capabilities to achieve security, resilience, safety, privacy, and coverage of 5G and beyond at an affordable cost. Advancement of United States leadership in Secure 5G and beyond systems and applications will be accomplished by enhancing centers of research and development and manufacturing. These efforts will leverage public-private partnerships spanning government, industry, academia, national laboratories, and international allies. This line of effort also intends to identify incentives and options to leverage trusted international suppliers, both to facilitate secure and competitive 5G buildouts, and to ensure the global competitiveness of United States manufacturers and suppliers.
      • Line of Effort Two: Assess Risks to & Identify Core Security Principles of 5G Infrastructure: The second line of effort is oriented toward identifying and assessing risks and vulnerabilities to 5G infrastructure, building on existing capabilities in assessing and managing supply chain risk. This work will also involve the development of criteria for trusted suppliers and the application of a vendor supply chain risk management template to enable security-conscious acquisition decision-making. Several agencies have responsibilities for assessing threats as the United States manages risks associated with the global and regional adoption of 5G network technology as well as developing mitigation strategies to combat any identified threats. These threat assessments take into account, as appropriate, requirements from entities such as the Committee on Foreign Investment in the United States (CFIUS), the Executive Order (E.O.) on Establishing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (Team Telecom), and the Federal Acquisition Security Council (FASC). In addition, this line of effort will identify security gaps in United States and international supply chains and an assessment of the global competitiveness and economic vulnerabilities of United States manufacturers and suppliers. Finally, this set of activities will include working closely with the private sector and other stakeholders to identify, develop, and apply core security principles for 5G infrastructure. These efforts will include leveraging the Enduring Security Framework (ESF), a working group under the Critical Infrastructure Partnership Advisory Council (CIPAC). These emerging security principles will be synchronized with or complementary to other 5G security principles, such as the “Prague Proposals” from the Prague 5G Security Conference held in May 2019.
      • Line of Effort Three: Address Risks to United States Economic and National Security during Development and Deployment of 5G Infrastructure Worldwide: The third line of effort involves addressing the risks to United States economic and national security during the development and deployment of 5G infrastructure worldwide. As a part of this effort, the United States will identify the incentives and policies necessary to close identified security gaps in close coordination with the private sector and through the continuous evaluation of commercial, security, and technological developments in 5G networks. A related activity is the identification of policies that can ensure the economic viability of the United States domestic industrial base, in coordination with the private sector through listening sessions and reviews of best practices. An equally important activity relates to the identification and assessment of “high risk” vendors in United States 5G infrastructure, through efforts such as the Implementation of E.O. 13873, on “Securing the Information and Communications Technology and Services Supply Chain.” These efforts will build on the work of the CFIUS, the FASC, and Team Telecom reviews of certain Federal Communications Commission (FCC) licenses involving foreign ownership. This element of the implementation plan will also involve more intense engagement with the owners and operators of private sector communications infrastructure, systems equipment developers, and other critical infrastructure owners and operators. The engagements will involve sharing information on 5G and future generation wireless communications systems and infrastructure equipment. Such work will be conducted through the Network Security Information Exchange, the IT and Communications Sector and Government Coordinating Councils, the National Security Telecommunications Advisory Committee, and NTIA’s Communications Supply Chain Risk Information Partnership (C-SCRIP).
      • Line of Effort Four: Promote Responsible Global Development and Deployment of 5G: The fourth line of effort addresses the responsible global development and deployment of 5G technology. A key component of this line of effort is diplomatic outreach and engagement to advocate for the adoption and implementation of 5G security measures that prohibit the use of untrusted vendors in all parts of 5G networks. A related component involves the provision of technical assistance to mutual defense treaty allies and strategic partners of the United States to maximize the security of their 5G and future generations of wireless communications systems and infrastructure. The goal of providing financing support and technical assistance is to help enable countries and private companies to develop secure and trusted next generation networks that are free of untrusted vendors and that increase global connectivity. A key part of 5G deployment involves international standards development, thus the implementation plan outlines several steps in support of the goal of strengthening and expanding United States leadership in international standards bodies and voluntary consensus-based standards organizations, including strengthening coordination with and among the private sector. This line of effort will also include collaboration with allies and partners with regard to testing programs to ensure secure 5G and future wireless communications systems and infrastructure equipment, including spectrum-related testing. To successfully execute this work, continued close coordination between the United States Government, private sector, academic, and international government partners is required to ensure adoption of policies, standards, guidelines, and procurement strategies that reinforce 5G vendor diversity and foster market competition.
The overarching goals of this line of effort are to promote United States-led or linked technology solutions in the global market; remove and reduce regulatory and trade barriers that harm United States competitiveness; provide support for trusted vendors; and advocate for policies and laws that promote open, competitive markets for United States technology companies. This will also be supported through close collaboration with partners on options to advance the development and deployment of open interfaced, standards-based, and interoperable 5G networks.
  • The Federal Communications Commission (FCC) issued its annual “Broadband Deployment Report,” one of the last reports on FCC policy under the stewardship of former Chair Ajit Pai. In the agency’s press release, Pai claimed “[i]n just three years, the number of American consumers living in areas without access to fixed broadband at 25/3 Mbps has been nearly cut in half.” He added:
    • These successes resulted from forward-thinking policies that removed barriers to infrastructure investment and promoted competition and innovation.  I look forward to seeing the Commission continue its efforts to ensure that all Americans have broadband access.  Especially with the success of last year’s Rural Digital Opportunity Fund Phase I auction, I have no doubt that these figures will continue to improve as auction winners deploy networks in the areas for which they got FCC funding.
    • In relevant part, the FCC claimed:
      • Moreover, more than three-quarters of those in newly served areas, nearly 3.7 million, are located in rural areas, bringing the number of rural Americans in areas served by at least 25/3 Mbps to nearly 83%. Since 2016, the number of Americans living in rural areas lacking access to 25/3 Mbps service has fallen more than 46%.  As a result, the rural–urban divide is rapidly closing; the gap between the percentage of urban Americans and the percentage of rural Americans with access to 25/3 Mbps fixed broadband has been nearly halved, falling from 30 points at the end of 2016 to just 16 points at the end of 2019.
      • With regard to mobile broadband, since 2018, the number of Americans lacking access to 4G LTE mobile broadband with a median speed of 10/3 Mbps was reduced by more than 57%, including a nearly 54% decrease among rural Americans.  As of the end of 2019, the vast majority of Americans, 94% had access to both 25/3 Mbps fixed broadband service and mobile broadband service with a median speed of 10/3 Mbps. Also as of the end of 2019, mobile providers now provide access to 5G capability to approximately 60% of Americans. These strides in mobile broadband deployment were fueled by more than $29 billion of capital expenditures in 2019 (roughly 18% of global mobile capital spending), the largest mobile broadband investment since 2015.
      • With this Report, the Commission fulfills the Congressional directive to report each year on the progress made in deploying broadband to all Americans. Despite this finding, our work to close the digital divide is not complete. The Commission will continue its efforts to ensure that all Americans have the ability to access broadband.
  • The chair of the House Oversight and Reform Committee wrote a letter asking Federal Bureau of Investigation (FBI) Director Christopher Wray to conduct “a comprehensive investigation into the role that the social media site Parler played in the assault on the Capitol on January 6.” Chair Carolyn Maloney (D-NY) indicated her committee is also investigating the events of 6 January, suggesting there could be hearings soon on the matter. In the letter, Maloney asserted:
    • It is clear that Parler houses additional evidence critical to investigations of the attack on the Capitol. One commentator has already used geolocation data associated with Parler to track 1,200 videos that were uploaded in Washington, D.C. on January 6.
    • Questions have also been raised about Parler’s financing and its ties to Russia, which the Intelligence Community has warned is continuing to use social media and other measures to sow discord in the United States and interfere with our democracy. For example, posters on Parler have reportedly been traced back to Russian disinformation campaigns. The company was founded by John Matze shortly after he traveled in Russia with his wife, who is Russian and whose family reportedly has ties to the Russian government. Concerns about the company’s connections to Russia have grown since the company re-emerged on a Russian hosting service, DDos-Guard, after being denied services by Amazon Web Services. DDos-Guard has ties to the Russian government and hosts the websites of other far-right extremist groups, as well as the terrorist group Hamas. According to another recent report, “DDoS-Guard’s other clients include the Russian ministry of defence, as well as media organisations in Moscow.”
    • Given these concerns, we ask that the FBI undertake a robust review of the role played by Parler in the January 6 attacks, including (1) as a potential facilitator of planning and incitement related to the attacks, (2) as a repository of key evidence posted by users on its site, and (3) as potential conduit for foreign governments who may be financing civil unrest in the United States.
  • Microsoft released further detailed, technical findings from its investigation into the wide-ranging SolarWinds hack. Last month, Microsoft revealed that its source code had been accessed as part of the Russian hack and stressed that source code for its products had not been changed or tampered with. In its update on its SolarWinds investigation, Microsoft explained:
    • As we continue to gain deeper understanding of the Solorigate attack, we get a clearer picture of the skill level of the attackers and the extent of planning they put into pulling off one of the most sophisticated attacks in recent history. The combination of a complex attack chain and a protracted operation means that defensive solutions need to have comprehensive cross-domain visibility into attacker activity and provide months of historical data with powerful hunting tools to investigate as far back as necessary.
    • More than a month into the discovery of Solorigate, investigations continue to unearth new details that prove it is one of the most sophisticated and protracted intrusion attacks of the decade. Our continued analysis of threat data shows that the attackers behind Solorigate are skilled campaign operators who carefully planned and executed the attack, remaining elusive while maintaining persistence. These attackers appear to be knowledgeable about operations security and performing malicious activity with minimal footprint. In this blog, we’ll share new information to help better understand how the attack transpired. Our goal is to continue empowering the defender community by helping to increase their ability to hunt for the earliest artifacts of compromise and protect their networks from this threat.
    • As mentioned, in a 31 December 2020 blog posting, Microsoft revealed:
      • Our investigation has, however, revealed attempted activities beyond just the presence of malicious SolarWinds code in our environment. This activity has not put at risk the security of our services or any customer data, but we want to be transparent and share what we’re learning as we combat what we believe is a very sophisticated nation-state actor.
      • We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.
  • The Trump Administration’s United States Trade Representative (USTR) weighed in on Australia’s proposed law to make Google, Facebook, and other technology companies pay for using Australian media content. The USTR reiterated the United States (U.S.) position that forcing U.S. firms to pay for content, as proposed, is unacceptable. The view of a Biden Administration is not likely to change. The Australian Senate committee considering the “Treasury Laws Amendment (News Media and Digital Platforms Mandatory Bargaining Code) Bill 2020” had asked for input. In relevant part, the USTR argued:
    • the U.S. Government is concerned that an attempt, through legislation, to regulate the competitive positions of specific players in a fast-evolving digital market, to the clear detriment of two U.S. firms, may result in harmful outcomes. There may also be long-lasting negative consequences for U.S. and Australian firms, as well as Australian consumers. While the revised draft has partially addressed some U.S. concerns—including an effort to move towards a more balanced evaluation of the value news businesses and platforms offer each other in the context of mandatory arbitration—significant issues remain.
  • Plaintiff Citizen Power Initiatives for China (CPIFC) and six unnamed California residents who use WeChat have filed suit in California state court against WeChat and Tencent. They argue that the government of the People’s Republic of China (PRC) controls WeChat and forces it and its parent, Tencent, to turn over user data to the PRC in violation of California law. They make other allegations of unlawful conduct, including denying users in California the right to access funds through the app in the PRC. They are seeking class action status in order to bring a larger action against the PRC company. The plaintiffs claimed:
    • This case arises from Tencent’s practices of profiting from politically motivated, pro-Chinese Communist Party (“CCP”) censorship and surveillance of California WeChat users (“challenged practices”), which includes the practice of turning over private user data and communications to the government of the People’s Republic of China (“PRC government,” and, together with the CCP, the “Party-state”), and which inflicts an array of harms. Specifically, the challenged practices include Tencent’s practices of: (i) turning over private California WeChat user data and communications to the Party-state; (ii) profiting by using California WeChat user data and communications to improve Tencent’s censorship and surveillance algorithms; (iii) censoring and surveilling California WeChat user communications for content perceived as critical of the Party-state; (iv) suspending, blocking, or deleting California WeChat user accounts and/or data over such content; and (v) prohibiting California WeChat users from withdrawing funds stored in their WeChat accounts when those users do not possess an account with a PRC financial institution subject to monitoring by the Party-state.
    • This action also challenges provisions in Tencent’s terms of service and privacy policy which, taken together, are oppressive, obfuscatory, and incoherent (“challenged provisions”). The challenged provisions include privacy-related terms that are deliberately vague and ambiguous with respect to whether the challenged practices are permitted or prohibited (“vague and ambiguous privacy provisions”), which in turn benefits Tencent by reserving to it the right to adopt self-interested interpretations. However, California WeChat users are entitled to clear, unambiguous, and testable language with respect to the nature and scope of their privacy on WeChat—in other words, to honesty and transparency.
    • Yet, even if the challenged practices were unambiguously prohibited under the challenged provisions, the challenged provisions include terms that make it practically impossible for California WeChat users to seek meaningful redress for the harms caused by those practices (“remedy-limiting provisions”). 
    • Finally, the challenged provisions include terms that impermissibly discriminate against California WeChat users who happen to be citizens of the PRC (“long-arm provisions”).
  • Representatives Anna Eshoo (D-CA) and Tom Malinowski (D-NJ) wrote the CEOs of Facebook, Twitter, and YouTube “urging the companies to address the fundamental design features of their social networks that facilitate the spread of extreme, radicalizing content to their users” per their press release. Last fall, Eshoo and Malinowski introduced the “Protecting Americans from Dangerous Algorithms Act” (H.R.8636) that would subject platforms like Facebook, Twitter, and YouTube to civil suits on the basis of the algorithms used to amplify content that violates the civil rights of others or results in international terrorism. They asserted:
    • The lawmakers note that the rioters who attacked the Capitol earlier this month were radicalized in part in digital echo chambers that these platforms designed, built, and maintained, and that the platforms are partially responsible for undermining our shared sense of objective reality, for intensifying fringe political beliefs, for facilitating connections between extremists, leading some of them to commit real-world, physical violence.
  • The United States (U.S.) Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced “[u]sing enterprise risk management best practices will be a focus for CISA in 2021, and today the National Risk Management Center (NRMC) is launching a Systemic Cyber Risk Reduction Venture to organize our work to reduce shared risk to the Nation’s security and economic security.” CISA explained that “[w]e anticipate three overarching lines of effort:
    • Build the Underlying Architecture for Cyber Risk Analysis to Critical Infrastructure. The critical infrastructure community is underpinned by a dependent web of hardware, software, services, and other connected componentry.
    • Cyber Risk Metric Development. Supporting efforts to better understand the impact of cyber risk across the critical infrastructure community will require developing usable metrics to quantify cyber risk in terms of functional loss. There’s no need to get bogged down with Greek equations with decimal place-level specificity. Metrics that provide even directional or comparative indicators are enormously helpful.
    • Promoting Tools to Address Concentrated Sources of Cyber Risk. Central to our venture to reduce systemic cyber risk is finding concentrated sources of risk that, if mitigated, provide heightened risk management bang for the buck if addressed.
  • The President’s Council of Advisors on Science and Technology (PCAST) issued its first assessment since 2015 of the government program that funds research and development of advanced information technology. PCAST explained:
    • As required by statute, PCAST is tasked with periodically reviewing the Networking and Information Technology Research and Development (NITRD) Program, the Nation’s primary source of federally funded research and development in advanced information technologies such as computing, networking, and software. This report examines the NITRD Program’s progress since the last review was conducted in 2015, explores emerging areas of interest relevant to the NITRD Program, and presents PCAST’s findings and recommendations.
    • PCAST made the following recommendations:
      • Recommendation 1: The current NITRD Program model and its approach to coordinating foundational research in NIT fields across participating agencies should continue as constituted, with the following modifications:
        • NITRD groups should continue to review the PCAs regularly using a fast track action committee (FTAC) and adjust as needed (with a frequency of perhaps every 3 years rather than every 5–6 years, as had been recommended in the 2015 NITRD Review). It should also continue to review IWGs periodically, as recommended in the 2015 NITRD Review.
        • The NITRD Program should continue to pursue incremental modifications of existing structures (e.g., IWGs, PCAs) rather than engage in wholesale reorganizations at this time.
        • When launching wholly new IWGs and PCAs (e.g., such as the AI IWG and AI PCA), the NITRD Program should consider showing clearly in the annual NITRD Supplement to the President’s Budget which lines of effort derive from previous structures and which are wholly new programmatic areas and funding lines. This will be especially important should NITRD groups increase the frequency with which they review and modify PCAs.
      • Recommendation 2: The NITRD Program should examine current structures and operations to identify opportunities for greater multi-sector engagement in its activities. Opportunities include the following:
        • Amplify multi-sector outreach and engagement efforts. While the NITRD Program notifies the public about its convening activities, it could augment its outreach.
        • Expand the NITRD Program’s efforts to track non-U.S. coordinated NIT efforts and collaborate with international efforts where appropriate. This should be done in coordination with the NSTC International S&T Coordination Subcommittee to avoid duplicating efforts.
      • Recommendation 3: The NITRD Program should examine current structures and operations to identify opportunities for improving coordination in IotF areas related to the program. Opportunities could include:
        • AI—continue coordination efforts within the NITRD Program and between NITRD IWGs and the NSTC Select Committee on AI and the Machine Learning and Artificial Intelligence (MLAI) Subcommittee.
        • Advanced communications networks—continue coordination efforts within the NITRD Program through the Subcommittee and the LSN and WSRD IWGs.
        • QIS—increase coordination with the NQCO and the NSTC QIS Subcommittee, particularly on topics such as post-quantum cryptography R&D and other implications of the development of quantum technologies on the NIT landscape with advances in QIS.
        • Biotechnology—coordinate with NSTC bodies working in biosciences-related areas such as the Biodefense R&D (BDRD) Subcommittee and the Biological Sciences Subcommittee (BSSC).
        • Advanced manufacturing—coordinate with the NSTC Subcommittee on Advanced Manufacturing and large-scale manufacturing R&D efforts such as the Manufacturing USA Institutes.
      • Recommendation 4: The NITRD Program should incorporate microelectronics R&D explicitly into its programmatic activities.
        • Could take the form of a separate IWG or incorporating hardware/components R&D into existing IWGs.
        • Should be stronger NNI-NITRD coordination to ensure alignment of R&D strategies and programmatic activities.
      • Recommendation 5: The NITRD Program should further examine ways it can coordinate its participating agencies—such as through an IWG or other multiagency bodies—to ensure they support and emphasize the following:
        • STEM education, including PhD fellowships, in NIT.
        • Programs at the intersection and convergence of computational science and other fields (CS + X) at 2-year and 4-year educational institutions.
        • Retraining and upskilling the non-technical workforce to participate in the cyber-ready workforce.
        • A diverse and inclusive NIT workforce across all levels of technical staff, engineers, and scientists.
        • Strengthen efforts to attract and retain international students, scientists, and engineers who wish to contribute to NIT R&D in the United States. These efforts should be informed by conducting studies of the role that international talent plays in the U.S. NIT workforce and any factors affecting recent changes in recruitment and retention.

Coming Events

  • The Commerce, Science, and Transportation Committee will hold a hearing on the nomination of Gina Raimondo to be the Secretary of Commerce on 26 January.
  • On 17 February, the Federal Communications Commission (FCC) will hold an open meeting, its first under acting Chair Jessica Rosenworcel, with this tentative agenda:
    • Presentation on the Emergency Broadband Benefit Program. The Commission will hear a presentation on the creation of an Emergency Broadband Benefit Program. Congress charged the FCC with developing a new $3.2 billion program to help Americans who are struggling to pay for internet service during the pandemic.
    • Presentation on COVID-19 Telehealth Program. The Commission will hear a presentation about the next steps for the agency’s COVID-19 Telehealth program. Congress recently provided an additional $249.95 million to support the FCC’s efforts to expand connected care throughout the country and help more patients receive health care safely.
    • Presentation on Improving Broadband Mapping Data. The Commission will hear a presentation on the work the agency is doing to improve its broadband maps. Congress directly appropriated $65 million to help the agency develop better data for improved maps.
    • Addressing 911 Fee Diversion. The Commission will consider a Notice of Proposed Rulemaking that would implement section 902 of the Don’t Break Up the T-Band Act of 2020, which requires the Commission to take action to help address the diversion of 911 fees by states and other jurisdictions for purposes unrelated to 911. (PS Docket Nos. 20-291, 09-14)
    • Implementing the Secure and Trusted Communications Networks Act. The Commission will consider a Third Further Notice of Proposed Rulemaking that proposes to modify FCC rules consistent with changes that were made to the Secure and Trusted Communications Networks Act in the Consolidated Appropriations Act, 2021. (WC Docket No. 18-89)
  • On 27 July 2021, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Photoholgic on Unsplash

Further Reading, Other Developments, and Coming Events (19 January 2021)

Further Reading

  • “Hong Kong telecoms provider blocks website for first time, citing security law” — Reuters; “A Hong Kong Website Gets Blocked, Raising Censorship Fears” By Paul Mozur and Aaron Krolik — The New York Times. The Hong Kong Broadband Network (HKBN) blocked access to a website about the 2019 protests against the People’s Republic of China (PRC) (called HKChronicles) under a recently enacted security law critics had warned would lead to exactly this sort of outcome. Allegedly, the Hong Kong police had invoked the National Security Law for the first time, and other telecommunications companies have followed suit.
  • “Biden to counter China tech by urging investment in US: adviser” By Yifan Yu — Nikkei Asia. President-elect Joe Biden’s head of the National Economic Council said at a public event that the Biden Administration would focus less on tariffs and other similar instruments to counter the People’s Republic of China (PRC). Instead, the incoming President would try to foster investment in United States companies and technologies to fend off the PRC’s growing strength in a number of crucial fields. Also, a Biden Administration would work more with traditional U.S. allies to contest policies from Beijing.
  • “Revealed: walkie-talkie app Zello hosted far-right groups who stormed Capitol” By Micah Loewinger and Hampton Stall — The Guardian. Some of the rioters and insurrectionists who attacked the United States Capitol on 6 January were using another, lesser known communications app, Zello, to coordinate their actions. The app has since taken down a number of right-wing and extremist groups that have flourished for months if not years on the platform. It remains to be seen how smaller platforms will be scrutinized under a Biden Presidency. Zello has reportedly been aware that these groups have been using its platform and opted not to police their conduct.
  • “They Used to Post Selfies. Now They’re Trying to Reverse the Election.” By Stuart A. Thompson and Charlie Warzel — The New York Times. The three people who amassed considerable extremist followings seem each to be part believer and part opportunist. A fascinating series of profiles about the three.
  • “Telegram tries, and fails, to remove extremist content” By Mark Scott — Politico. Platforms other than Facebook and Twitter are struggling to moderate right wing and extremist content that violates their policies and terms of service.

Other Developments

  • The Biden-Harris transition team announced that a statutorily established science advisor will now be a member of the Cabinet and named its nominee for this and other positions. The Office of Science and Technology Policy (OSTP) was created by executive order in the Ford Administration and then codified by Congress. However, the OSTP Director has not been a member of the Cabinet alongside the Senate-confirmed Secretaries and others. President-elect Joe Biden has decided to elevate the OSTP Director to the Cabinet, likely in order to signal the importance of science and technology in his Administration. The current OSTP has exercised unusual influence in the Trump Administration under the helm of OSTP Associate Director Michael Kratsios and shaped policy in a number of realms like artificial intelligence, national security, and others.
    • In the press release, the transition team explained:
      • Dr. Eric Lander will be nominated as Director of the OSTP and serve as the Presidential Science Advisor. The president-elect is elevating the role of science within the White House, including by designating the Presidential Science Advisor as a member of the Cabinet for the first time in history. One of the country’s leading scientists, Dr. Lander was a principal leader of the Human Genome Project and has been a pioneer in the field of genomic medicine. He is the founding director of the Broad Institute of MIT and Harvard, one of the nation’s leading research institutes. During the Obama-Biden administration, he served as external Co-Chair of the President’s Council of Advisors on Science and Technology. Dr. Lander will be the first life scientist to serve as Presidential Science Advisor.
      • Dr. Alondra Nelson will serve as OSTP Deputy Director for Science and Society. A distinguished scholar of science, technology, social inequality, and race, Dr. Nelson is president of the Social Science Research Council, an independent, nonprofit organization linking social science research to practice and policy. She is also a professor at the Institute for Advanced Study, one of the nation’s most distinguished research institutes, located in Princeton, NJ.
      • Dr. Frances H. Arnold and Dr. Maria Zuber will serve as the external Co-Chairs of the President’s Council of Advisors on Science and Technology (PCAST). An expert in protein engineering, Dr. Arnold is the first American woman to win the Nobel Prize in Chemistry. Dr. Zuber, an expert in geophysics and planetary science, is the first woman to lead a NASA spacecraft mission and has chaired the National Science Board. They are the first women to serve as co-chairs of PCAST.
      • Dr. Francis Collins will continue serving in his role as Director of the National Institutes of Health.
      • Kei Koizumi will serve as OSTP Chief of Staff and is one of the nation’s leading experts on the federal science budget.
      • Narda Jones, who will serve as OSTP Legislative Affairs Director, was Senior Technology Policy Advisor and Counsel for the Democratic staff of the U.S. Senate Committee on Commerce, Science and Transportation.
  • The United States (U.S.) Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a report on supply chain security by a public-private sector advisory body, which represents one of the lines of effort of the U.S. government to better secure technology and electronics that emanate from the People’s Republic of China (PRC). CISA’s National Risk Management Center co-chairs the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force along with the Information Technology Sector Coordinating Council and the Communications Sector Coordinating Council. The ICT SCRM published its Year 2 Report that “builds upon” its Interim Report and asserted:
    • Over the past year, the Task Force has expanded upon its first-year progress to advance meaningful partnership around supply chain risk management. Specifically, the Task Force:
      • Developed reference material to support overcoming legal obstacles to information sharing
      • Updated the Threat Evaluation Report, which evaluates threats to suppliers, with additional scenarios and mitigation measures for the corresponding threat scenarios
      • Produced a report and case studies providing in-depth descriptions of control categories and information regarding when and how to use a Qualified List to manage supply chain risks
      • Developed a template for SCRM compliance assessments and internal evaluations of alignment to industry standards
      • Analyzed the current and potential impacts from the COVID-19 pandemic, and developed a system map to visualize ICT supply chain routes and identify chokepoints
      • Surveyed supply chain related programs and initiatives that provide opportunities for potential Task Force engagement
    • Congress established an entity to address and help police supply chain risk at the end of 2018 in the “Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act” (SECURE Act) (P.L. 115-390). The Federal Acquisition Security Council (FASC) has a number of responsibilities, including:
      • developing an information sharing process for agencies to circulate decisions throughout the federal government made to exclude entities determined to be IT supply chain risks
      • establishing a process by which entities determined to be IT supply chain risks may be excluded from procurement government-wide (exclusion orders) or suspect IT must be removed from government systems (removal orders)
      • creating an exception process under which IT from an entity subject to a removal or exclusion order may be used if warranted by national interest or national security
      • issuing recommendations for agencies on excluding entities and IT from the IT supply chain and “consent for a contractor to subcontract” and mitigation steps entities would need to take in order for the Council to rescind a removal or exclusion order
      • In September 2020, the FASC released an interim regulation that took effect upon being published that “implement[s] the requirements of the laws that govern the operation of the FASC, the sharing of supply chain risk information, and the exercise of its authorities to recommend issuance of removal and exclusion orders to address supply chain security risks…”
  • The Australian government has released its bill to remake how platforms like Facebook, Google, and others may use the content of news media, including provision for payment. The “Treasury Laws Amendment (News Media and Digital Platforms Mandatory Bargaining Code) Bill 2020” “establishes a mandatory code of conduct to help support the sustainability of the Australian news media sector by addressing bargaining power imbalances between digital platforms and Australian news businesses.” The agency charged with developing legislation, the Australian Competition and Consumer Commission (ACCC), has tussled with Google in particular over what this law would look like, with the technology giant threatening to withdraw from Australia altogether. The ACCC had determined in its July 2019 Digital Platform Inquiry:
    • that there is a bargaining power imbalance between digital platforms and news media businesses so that news media businesses are not able to negotiate for a share of the revenue generated by the digital platforms and to which the news content created by the news media businesses contributes. Government intervention is necessary because of the public benefit provided by the production and dissemination of news, and the importance of a strong independent media in a well-functioning democracy.
    • In an Explanatory Memorandum, it is explained:
      • The Bill establishes a mandatory code of conduct to address bargaining power imbalances between digital platform services and Australian news businesses…by setting out six main elements:
        • bargaining – which requires the responsible digital platform corporations and registered news business corporations that have indicated an intention to bargain, to do so in good faith;
        • compulsory arbitration – where parties cannot come to a negotiated agreement about remuneration relating to the making available of covered news content on designated digital platform services, an arbitral panel will select between two final offers made by the bargaining parties;
        • general requirements – which, among other things, require responsible digital platform corporations to provide registered news business corporations with advance notification of planned changes to an algorithm or internal practice that will have a significant effect on covered news content;
        • non-differentiation requirements – responsible digital platform corporations must not differentiate between the news businesses participating in the Code, or between participants and non-participants, because of matters that arise in relation to their participation or non-participation in the Code;
        • contracting out – the Bill recognises that a digital platform corporation may reach a commercial bargain with a news business outside the Code about remuneration or other matters. It provides that parties who notify the ACCC of such agreements would not need to comply with the general requirements, bargaining and compulsory arbitration rules (as set out in the agreement); and
        • standard offers – digital platform corporations may make standard offers to news businesses, which are intended to reduce the time and cost associated with negotiations, particularly for smaller news businesses. If the parties notify the ACCC of an agreed standard offer, those parties do not need to comply with bargaining and compulsory arbitration (as set out in the agreement);
  • The Federal Trade Commission (FTC) has reached a settlement with a mobile advertising company over “allegations that it failed to provide in-game rewards users were promised for completing advertising offers.” The FTC unanimously agreed to the proposed settlement with Tapjoy, Inc. that bars the company “from misleading users about the rewards they can earn and must monitor its third-party advertiser partners to ensure they do what is necessary to enable Tapjoy to deliver promised rewards to consumers.” The FTC drafted a 20-year settlement that will obligate Tapjoy, Inc. to refrain from certain practices that violate the FTC Act; in this case that includes not making false claims about the rewards people can get if they take or do not take some action in an online game. Tapjoy, Inc. will also need to submit compliance reports, keep records, and make materials available to the FTC upon demand. Any failure to meet the terms of the settlement could prompt the FTC to seek redress in federal court, including more than $43,000 per violation.
    • In the complaint, the FTC outlined Tapjoy, Inc.’s illegal conduct:
      • Tapjoy operates an advertising platform within mobile gaming applications (“apps”). On the platform, Tapjoy promotes offers of in-app rewards (e.g., virtual currency) to consumers who complete an action, such as taking a survey or otherwise engaging with third-party advertising. Often, these consumers must divulge personal information or spend money. In many instances, Tapjoy never issues the promised reward to consumers who complete an action as instructed, or only issues the currency after a substantial delay. Consumers who attempt to contact Tapjoy to complain about missing rewards find it difficult to do so, and many consumers who complete an action as instructed and are able to submit a complaint nevertheless do not receive the promised reward.  Tapjoy has received hundreds of thousands of complaints concerning its failure to issue promised rewards to consumers. Tapjoy nevertheless has withheld rewards from consumers who have completed all required actions.
    • In its press release, the FTC highlighted the salient terms of the settlement:
      • As part of the proposed settlement, Tapjoy is prohibited from misrepresenting the rewards it offers consumers and the terms under which they are offered. In addition, the company must clearly and conspicuously display the terms under which consumers can receive such rewards and must specify that the third-party advertisers it works with determine if a reward should be issued. Tapjoy also will be required to monitor its advertisers to ensure they are following through on promised rewards, investigate complaints from consumers who say they did not receive their rewards, and discipline advertisers who deceive consumers.
    • FTC Commissioners Rohit Chopra and Rebecca Kelly Slaughter issued a joint statement, and in their summary section, they asserted:
      • The explosive growth of mobile gaming has led to mounting concerns about harmful practices, including unlawful surveillance, dark patterns, and facilitation of fraud.
      • Tapjoy’s failure to properly police its mobile gaming advertising platform cheated developers and gamers out of promised compensation and rewards.
      • The Commission must closely scrutinize today’s gaming gatekeepers, including app stores and advertising middlemen, to prevent harm to developers and gamers.
    • On the last point, Chopra and Kelly Slaughter argued:
      • We should all be concerned that gatekeepers can harm developers and squelch innovation. The clearest example is rent extraction: Apple and Google charge mobile app developers on their platforms up to 30 percent of sales, and even bar developers from trying to avoid this tax through offering alternative payment systems. While larger gaming companies are pursuing legal action against these practices, developers and small businesses risk severe retaliation for speaking up, including outright suspension from app stores – an effective death sentence.
      • This market structure also has cascading effects on gamers and consumers. Under heavy taxation by Apple and Google, developers have been forced to adopt alternative monetization models that rely on surveillance, manipulation, and other harmful practices.
  • The United Kingdom’s (UK) High Court ruled against the use of general warrants for online surveillance by the UK’s security agencies (MI5, MI6, and the Government Communication Headquarters (GCHQ)). Privacy International (PI), a British advocacy organization, had brought the suit after Edward Snowden revealed the scope of the United States National Security Agency’s (NSA) surveillance activities, including bulk collection of information, a significant portion of which required hacking. PI sued in a special tribunal formed to resolve claims against British security agencies, where the government asserted general warrants would suffice for purposes of mass hacking. PI disagreed and argued this was counter to 250 years of established law in the UK that warrants must be based on reasonable suspicion, specific in what is being sought, and proportionate. The High Court agreed with PI.
    • In its statement after the ruling, PI asserted:
      • Because general warrants are by definition not targeted (and could therefore apply to hundreds, thousands or even millions of people) they violate individuals’ right not to have their property searched without lawful authority, and are therefore illegal.
      • The adaptation of these 250-year-old principles to modern government hacking and property interference is of great significance. The Court signals that fundamental constitutional principles still need to be applied in the context of surveillance and that the government cannot circumvent traditional protections afforded by the common law.
  • In Indiana, the attorney general is calling on the governor “to adopt a safe harbor rule I proposed that would incentivize companies to take strong data protection measures, which will reduce the scale and frequency of cyberattacks in Indiana.” Attorney General Curtis Hill urged Governor Eric J. Holcomb to allow a change in the state’s data security regulations to be made effective.
    • The proposed rule provides:
      • Procedures adopted under IC 24-4.9-3-3.5(c) are presumed reasonable if the procedures comply with this section, including one (1) of the following applicable standards:
        • (1) A covered entity implements and maintains a cybersecurity program that complies with the National Institute of Standards and Technology (NIST) cybersecurity framework and follows the most recent version of one (1) of the following standards:
          • (A) NIST Special Publication 800-171.
          • (B) NIST SP 800-53.
          • (C) The Federal Risk and Authorization Management Program (FedRAMP) security assessment framework.
          • (D) International Organization for Standardization/International Electrotechnical Commission 27000 family – information security management systems.
        • (2) A covered entity is regulated by the federal or state government and complies with one (1) of the following standards as it applies to the covered entity:
          • (A) The federal USA Patriot Act (P.L. 107-56).
          • (B) Executive Order 13224.
          • (C) The federal Driver’s Privacy Protection Act (18 U.S.C. 2721 et seq.).
          • (D) The federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).
          • (E) The federal Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191).
        • (3) A covered entity complies with the current version of the payment card industry data security standard in place at the time of the breach of security of data, as published by the Payment Card Industry Security Standard Council.
      • The regulations further provide that if a database owner can show “its data security plan was reasonably designed, implemented, and executed to prevent the breach of security of data” then it “will not be subject to a civil action from the office of the attorney general arising from the breach of security of data.”
  • The Tech Transparency Project (TTP) is claiming that Apple “has removed apps in China at the government’s request” the majority of which “involve activities like illegal gambling and porn.” However, TTP is asserting that its analysis “suggests Apple is proactively blocking scores of other apps that are politically sensitive for Beijing.”

Coming Events

  • On 19 January, the Senate Intelligence Committee will hold a hearing on the nomination of Avril Haines to be the Director of National Intelligence.
  • The Senate Homeland Security and Governmental Affairs Committee will hold a hearing on the nomination of Alejandro N. Mayorkas to be Secretary of Homeland Security on 19 January.
  • On 19 January, the Senate Armed Services Committee will hold a hearing on former General Lloyd Austin III to be Secretary of Defense.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (13 and 14 January 2021)

Further Reading

  • “YouTube Suspends Trump’s Channel for at Least Seven Days” By Daisuke Wakabayashi — The New York Times. Even Google is getting further into the water. Its YouTube platform flagged a video of President Donald Trump’s for inciting violence and, citing the “ongoing potential for violence,” said Trump and his team will not be able to upload videos for seven days and that the comments section would be permanently disabled. YouTube has been the least inclined of the major platforms to moderate content and has somehow escaped the scrutiny and opprobrium Facebook and Twitter have faced even though those platforms have been more active in policing offensive content.
  • “Online misinformation that led to Capitol siege is ‘radicalization,’ say researchers” By Elizabeth Culliford — Reuters. Experts in online disinformation are saying that the different conspiracy movements that impelled followers to attack the United States (U.S.) Capitol are the result of radicalization. Online activities translated into real world violence, they say. They also decried the responsive nature of social media platforms in acting, waiting for an insurrection to take steps experts and others have been begging them to take.
  • “Uganda orders all social media to be blocked – letter” — Reuters. In response to Facebook blocking a number of government-related accounts for “Coordinated Inauthentic Behaviour” (CIB), the Ugandan government has blocked all access to social media ahead of its elections. In a letter seen by Reuters, the Uganda Communications Commission directed telecommunications providers “to immediately suspend any access and use, direct or otherwise, of all social media platforms and online messaging applications over your network until further notice.” This may become standard practice for many regimes around the world if social media companies crack down on government propaganda.
  • “BlackBerry sells 90 patents to Huawei, covering key smartphone technology advances” By Sean Silcoff — The Globe and Mail. Critics of a deal to assign 90 key BlackBerry patents to Huawei are calling on the government of Prime Minister Justin Trudeau to be more involved in protecting Canadian intellectual property and innovations.
  • “‘Threat to democracy is real’: MPs call for social media code of conduct” By David Crowe and Nick Bonyhady — The Sydney Morning Herald. There have been mixed responses in Australia’s Parliament on social media platforms banning President Donald Trump after his role in inciting the violence at the United States (U.S.) Capitol. Many agree with the platforms, some disagree strenuously in light of other inflammatory content that is not taken down, and many want greater rationality and transparency in how platforms make these decisions. And since Canberra has been among the most active governments in regulating technology, it may inform the process of drafting its “Online Safety Bill,” which may place legal obligations on social media platforms.
  • “Poland plans to make censoring of social media accounts illegal” By Shaun Walker — The Guardian. Governments around the world continue to respond to a number of social media companies deciding to deplatform United States (U.S.) President Donald Trump. In Warsaw there is a draft bill that would make deplatforming a person illegal unless the offense is also contrary to Polish law. The spin is that the right wing regime in Warsaw is less interested in protecting free speech and more interested in propagating the same grievances the right wing in the United States has. Therefore, this push in Poland may be more about messaging and trying to cow social media companies and less about protecting free speech, especially speech with which the government disagrees (e.g. advocates for LGBTQI rights have been silenced in Poland.)
  • “Facebook, Twitter could face punishing regulation for their role in U.S. Capitol riot, Democrats say” By Tony Romm — The Washington Post. Democrats were already furious with social media companies for what they considered their lacking governance of content that clearly violated terms of service and policies. These companies are bracing for an expected barrage of hearings and legislation with the Democrats controlling the White House, House, and Senate.
  • “Georgia results sweep away tech’s regulatory logjam” By Margaret Harding McGill and Ashley Gold — Axios. This is a nice survey of possible policy priorities at the agencies and in the Congress over the next two years with the Democrats in control of both.
  • “The Capitol rioters put themselves all over social media. Now they’re getting arrested.” By Sara Morrison — Recode. Will the attack on the United States (U.S.) Capitol be the first time a major crime is solved by the evidence largely provided by the accused? It is sure looking that way as law enforcement continues to use the posts of the rioters to apprehend, arrest, and charge them. Additionally, in the same way people who acted in racist and entitled ways (e.g. Amy Cooper in Central Park threatening an African American gentleman with calling the police even though he had asked her to put her dog on a leash) were caught through crowd-sourced identification pushes, rioters are also being identified.
  • “CISA: SolarWinds Hackers Got Into Networks by Guessing Passwords” By Mariam Baksh — Nextgov. The Cybersecurity and Infrastructure Security Agency (CISA) has updated its alert on the SolarWinds hack to reflect its findings. CISA explained:
    • CISA incident response investigations have identified that initial access in some cases was obtained by password guessing [T1101.001], password spraying [T1101.003], and inappropriately secured administrative credentials [T1078] accessible via external remote access services [T1133]. Initial access root cause analysis is still ongoing in a number of response activities and CISA will update this section as additional initial vectors are identified.
  • “A Facial Recognition Company Says That Viral Washington Times “Antifa” Story Is False” By Craig Silverman — BuzzFeed News. XRVision denied the Washington Times’ account that the company had identified antifa protesters among the rioters at the United States (U.S.) Capitol (archived here). The company said it had identified two Neo-Nazis and a QAnon adherent. Even though the story was retracted and a corrected version issued, some, such as Trump supporter Representative Matt Gaetz (R-FL), still claimed the original story had merit.

Other Developments

  • The United States (U.S.) Trade Representative (USTR) announced that it would not act on the basis of three completed reports on Digital Services Taxes (DST) three nations have put in place and also that it would not proceed with tariffs in retaliation against France, one of the first nations in the world to enact a DST. Last year, the Organization for Economic Co-operation and Development convened multi-lateral talks to resolve differences on how a global digital services tax will ideally function, with most of the nations involved arguing for a 2% tax to be assessed in the nation where the transaction occurs as opposed to where the company is headquartered. European Union (EU) officials claimed an agreement was possible, but the U.S. negotiators walked away from the table. It will fall to the Biden Administration to act on these USTR DST investigations if it chooses.
    • In its press release, the USTR stated it would “suspend the tariff action in the Section 301 investigation of France’s Digital Services Tax (DST).”
      • The USTR added:
        • The additional tariffs on certain products of France were announced in July 2020, and were scheduled to go into effect on January 6, 2021.  The U.S. Trade Representative has decided to suspend the tariffs in light of the ongoing investigation of similar DSTs adopted or under consideration in ten other jurisdictions.  Those investigations have significantly progressed, but have not yet reached a determination on possible trade actions.  A suspension of the tariff action in the France DST investigation will promote a coordinated response in all of the ongoing DST investigations.
      • In its December 2019 report, the USTR determined “that France’s DST is unreasonable or discriminatory and burdens or restricts U.S. commerce, and therefore is actionable under sections 301(b) and 304(a) of the Trade Act (19 U.S.C. 2411(b) and 2414(a))” and proposed a range of measures in retaliation.
    • The USTR also “issued findings in Section 301 investigations of Digital Service Taxes (DSTs) adopted by India, Italy, and Turkey, concluding that each of the DSTs discriminates against U.S. companies, is inconsistent with prevailing principles of international taxation, and burden or restricts U.S. commerce.” The USTR stated it “is not taking any specific actions in connection with the findings at this time but will continue to evaluate all available options.” The USTR added:
      • The Section 301 investigations of the DSTs adopted by India, Italy, and Turkey were initiated in June 2020, along with investigations of DSTs adopted or under consideration by Austria, Brazil, the Czech Republic, the European Union, Indonesia, Spain, and the United Kingdom.  USTR expects to announce the progress or completion of additional DST investigations in the near future. 
  • The United Kingdom’s Competition and Markets Authority (CMA) has started investigating Google’s ‘Privacy Sandbox’ project to “assess whether the proposals could cause advertising spend to become even more concentrated on Google’s ecosystem at the expense of its competitors.” The CMA asserted:
    • Third party cookies currently play a fundamental role online and in digital advertising. They help businesses target advertising effectively and fund free online content for consumers, such as newspapers. But there have also been concerns about their legality and use from a privacy perspective, as they allow consumers’ behaviour to be tracked across the web in ways that many consumers may feel uncomfortable with and may find difficult to understand.
    • Google’s announced changes – known collectively as the ‘Privacy Sandbox’ project – would disable third party cookies on the Chrome browser and Chromium browser engine and replace them with a new set of tools for targeting advertising and other functionality that they say will protect consumers’ privacy to a greater extent. The project is already under way, but Google’s final proposals have not yet been decided or implemented. In its recent market study into online platforms and digital advertising, the CMA highlighted a number of concerns about their potential impact, including that they could undermine the ability of publishers to generate revenue and undermine competition in digital advertising, entrenching Google’s market power.
  • Facebook took down coordinated inauthentic behavior (CIB) originating from France and Russia, seeking to allegedly influence nations in Africa and the Middle East. Facebook asserted:
    • Each of the networks we removed today targeted people outside of their country of origin, primarily targeting Africa, and also some countries in the Middle East. We found all three of them as a result of our proactive internal investigations and worked with external researchers to assess the full scope of these activities across the internet.
    • While we’ve seen influence operations target the same regions in the past, this was the first time our team found two campaigns — from France and Russia — actively engage with one another, including by befriending, commenting and criticizing the opposing side for being fake. It appears that this Russian network was an attempt to rebuild their operations after our October 2019 takedown, which also coincided with a notable shift in focus of the French campaign to begin to post about Russia’s manipulation campaigns in Africa.
    • Unlike the operation from France, both Russia-linked networks relied on local nationals in the countries they targeted to generate content and manage their activity across internet services. This is consistent with cases we exposed in the past, including in Ghana and the US, where we saw the Russian campaigns co-opt authentic voices to join their influence operations, likely to avoid detection and help appear more authentic. Despite these efforts, our investigation identified some links between these two Russian campaigns and also with our past enforcements.
  • Two of the top Democrats on the House Energy and Commerce Committee along with another Democrat wrote nine internet service providers (ISPs) “questioning their commitment to consumers amid ISPs raising prices and imposing data caps during the COVID-19 pandemic.” Committee Chair Frank Pallone, Jr. (D-NJ), Communications and Technology Subcommittee Chairman Mike Doyle (D-PA), and Representative Jerry McNerney (D-CA) wrote to the ISPs.
    • Pallone, Doyle, and McNerney took issue with the companies raising prices and imposing data caps after having pledged not to do so at the behest of the Federal Communications Commission (FCC). They asked the companies to answer a series of questions:
      • Did the company participate in the FCC’s “Keep Americans Connected” pledge?
      • Has the company increased prices for fixed or mobile consumer internet and fixed or phone service since the start of the pandemic, or do they plan to raise prices on such plans within the next six months? 
      • Prior to March 2020, did any of the company’s service plans impose a maximum data consumption threshold on its subscribers?
      • Since March 2020, has the company modified or imposed any new maximum data consumption thresholds on service plans, or do they plan to do so within the next six months? 
      • Did the company stop disconnecting customers’ internet or telephone service due to their inability to pay during the pandemic? 
      • Does the company offer a plan designed for low-income households, or a plan established in March or later to help students and families with connectivity during the pandemic?
      • Beyond service offerings for low-income customers, what steps is the company currently taking to assist individuals and families facing financial hardship due to circumstances related to COVID-19? 
  • The United States (U.S.) Department of Homeland Security (DHS) issued a “Data Security Business Advisory: Risks and Considerations for Businesses Using Data Services and Equipment from Firms Linked to the People’s Republic of China,” that “describes the data-related risks American businesses face as a result of the actions of the People’s Republic of China (PRC) and outlines steps that businesses can take to mitigate these risks.” DHS generally recommended:
    • Businesses and individuals that operate in the PRC or with PRC firms or entities should scrutinize any business relationship that provides access to data—whether business confidential, trade secrets, customer personally identifiable information (PII), or other sensitive information. Businesses should identify the sensitive personal and proprietary information in their possession. To the extent possible, they should minimize the amount of at-risk data being stored and used in the PRC or in places accessible by PRC authorities. Robust due diligence and transaction monitoring are also critical for addressing potential legal exposure, reputation risks, and unfair advantage that data and intellectual property theft would provide competitors. Businesses should seek to acquire a thorough understanding of the ownership of data service providers, location of data infrastructure, and any tangential foreign business relationships and significant foreign investors.
  • The Federal Communications Commission (FCC) is asking for comments on the $3.2 billion Emergency Broadband Benefit Program established in the “Consolidated Appropriations Act, 2021” (H.R. 133). Comments are due by 16 February 2021. The FCC noted “eligible households may receive a discount off the cost of broadband service and certain connected devices during an emergency period relating to the COVID-19 pandemic, and participating providers can receive a reimbursement for such discounts.” The FCC explained the program in further detail:
    • Pursuant to the Consolidated Appropriations Act, the Emergency Broadband Benefit Program will use available funding from the Emergency Broadband Connectivity Fund to support participating providers’ provision of certain broadband services and connected devices to qualifying households.
    • To participate in the program, a provider must elect to participate and either be designated as an eligible telecommunications carrier or be approved by the Commission. Participating providers will make available to eligible households a monthly discount off the standard rate for an Internet service offering and associated equipment, up to $50.00 per month.
    • On Tribal lands, the monthly discount may be up to $75.00 per month. Participating providers will receive reimbursement from the Emergency Broadband Benefit Program for the discounts provided.
    • Participating providers that also supply an eligible household with a laptop, desktop computer, or tablet (connected device) for use during the emergency period may receive a single reimbursement of up to $100.00 for the connected device, if the charge to the eligible household for that device is more than $10.00 but less than $50.00. An eligible household may receive only one supported device. Providers must submit certain certifications to the Commission to receive reimbursement from the program, and the Commission is required to adopt audit requirements to ensure provider compliance and prevent waste, fraud, and abuse.
  • The Biden-Harris transition team named the National Security Agency’s (NSA) Director of Cybersecurity as the Biden White House’s Deputy National Security Advisor for Cyber and Emerging Technology. Anne Neuberger’s portfolio at the NSA included “lead[ing] NSA’s cybersecurity mission, including emerging technology areas like quantum-resistant cryptography.” At the National Security Council, Neuberger will work to coordinate cybersecurity and emerging technology policy across agencies and funnel policy options up to the full NSC and ultimately the President. It is not clear how Neuberger’s portfolio will interact with the newly created National Cybersecurity Director, a position that, thus far, has remained without a nominee.
    • The transition noted “[p]rior to this role, she led NSA’s Election Security effort and served as Assistant Deputy Director of NSA’s Operations Directorate, overseeing foreign intelligence and cybersecurity operations…[and] also previously served as NSA’s first Chief Risk Officer, as Director of NSA’s Commercial Solutions Center, as Director of the Enduring Security Framework cybersecurity public-private partnership, as the Navy’s Deputy Chief Management Officer, and as a White House Fellow.” The transition stated that “[p]rior to joining government service, Neuberger was Senior Vice President of Operations at American Stock Transfer & Trust Company (AST), where she directed technology and operations.”
  • The Federal Communications Commission (FCC) published a final rule in response to the United States (U.S.) Court of Appeals for the District of Columbia’s decision striking down three aspects of the FCC’s rollback of net neutrality, “Restoring Internet Freedom Order.” The FCC explained the final rule:
    • responds to a remand from the U.S. Court of Appeals for the D.C. Circuit directing the Commission to assess the effects of the Commission’s Restoring Internet Freedom Order on public safety, pole attachments, and the statutory basis for broadband internet access service’s inclusion in the universal service Lifeline program. This document also amends the Commission’s rules to remove broadband internet service from the list of services supported by the universal service Lifeline program, while preserving the Commission’s authority to fund broadband internet access service through the Lifeline program.
    • In 2014, the U.S. Court of Appeals for the District of Columbia struck down a 2010 FCC net neutrality order in Verizon v. FCC, but the court did suggest a path forward. The court held the FCC “reasonably interpreted section 706 to empower it to promulgate rules governing broadband providers’ treatment of Internet traffic, and its justification for the specific rules at issue here—that they will preserve and facilitate the “virtuous circle” of innovation that has driven the explosive growth of the Internet—is reasonable and supported by substantial evidence.” The court added that “even though the Commission has general authority to regulate in this arena, it may not impose requirements that contravene express statutory mandates…[and] [g]iven that the Commission has chosen to classify broadband providers in a manner that exempts them from treatment as common carriers, the Communications Act expressly prohibits the Commission from nonetheless regulating them as such.” However, in 2016, the same court upheld the 2015 net neutrality regulations in U.S. Telecom Association v. FCC, and it then upheld most of the Trump Administration FCC’s repeal of its earlier net neutrality rule.
    • However, the D.C. Circuit declined to accept the FCC’s attempt to preempt all contrary state laws and struck down this part of the FCC’s rulemaking. Consequently, states and local jurisdictions may now be free to enact regulations of internet services along the lines of the FCC’s now repealed Open Internet Order. The D.C. Circuit also sent the case back to the FCC for further consideration on three points.
    • In its request for comments on how to respond to the remand, the FCC summarized the three issues: public safety, pole attachments, and the Lifeline Program:
      • Public Safety. First, we seek to refresh the record on how the changes adopted in the Restoring Internet Freedom Order might affect public safety. In the Restoring Internet Freedom Order, the Commission predicted, for example, that permitting paid prioritization arrangements would “increase network innovation,” “lead[] to higher investment in broadband capacity as well as greater innovation on the edge provider side of the market,” and “likely . . . be used to deliver enhanced service for applications that need QoS [i.e., quality of service] guarantees.” Could the network improvements made possible by prioritization arrangements benefit public safety applications—for example, by enabling the more rapid, reliable transmission of public safety-related communications during emergencies?
      • Pole Attachments. Second, we seek to refresh the record on how the changes adopted in the Restoring Internet Freedom Order might affect the regulation of pole attachments in states subject to federal regulation. To what extent are ISPs’ pole attachments subject to Commission authority in non-reverse preemption states by virtue of the ISPs’ provision of cable or telecommunications services covered by section 224? What impact would the inapplicability of section 224 to broadband-only providers have on their access to poles? Have pole owners, following the Order, “increase[d] pole attachment rates or inhibit[ed] broadband providers from attaching equipment”? How could we use metrics like increases or decreases in broadband deployment to measure the impact the Order has had on pole attachment practices? Are there any other impacts on the regulation of pole attachments from the changes adopted in the Order? Finally, how do any potential considerations about pole attachments bear on the Commission’s underlying decision to classify broadband as a Title I information service?
      • Lifeline Program. Third, we seek to refresh the record on how the changes adopted in the Restoring Internet Freedom Order might affect the Lifeline program. In particular, we seek to refresh the record on the Commission’s authority to direct Lifeline support to eligible telecommunications carriers (ETCs) providing broadband service to qualifying low-income consumers. In the 2017 Lifeline NPRM, the Commission proposed that it “has authority under Section 254(e) of the Act to provide Lifeline support to ETCs that provide broadband service over facilities-based broadband-capable networks that support voice service,” and that “[t]his legal authority does not depend on the regulatory classification of broadband Internet access service and, thus, ensures the Lifeline program has a role in closing the digital divide regardless of the regulatory classification of broadband service.” How, if at all, does the Mozilla decision bear on that proposal, and should the Commission proceed to adopt it?
  • The Federal Trade Commission (FTC) reached a settlement with a photo app company that allegedly did not tell users their photos would be subject to the company’s facial recognition technology. The FTC deemed this a deceptive business practice in violation of Section 5 of the FTC Act and negotiated a settlement the Commissioners approved in a 5-0 vote. The consent order includes interesting, perhaps even novel, language requiring the company “to delete models and algorithms it developed by using the photos and videos uploaded by its users,” according to the FTC’s press release.
    • In the complaint, the FTC asserted:
      • Since 2015, Everalbum has provided Ever, a photo storage and organization application, to consumers.
      • In February 2017, Everalbum launched its “Friends” feature, which operates on both the iOS and Android versions of the Ever app. The Friends feature uses face recognition to group users’ photos by faces of the people who appear in the photos. The user can choose to apply “tags” to identify by name (e.g., “Jane”) or alias (e.g., “Mom”) the individuals who appear in their photos. These tags are not available to other Ever users. When Everalbum launched the Friends feature, it enabled face recognition by default for all users of the Ever mobile app. At that time, Everalbum did not provide users of the Ever mobile app an option to turn off or disable the feature.
      • However, prior to April 2019, Ever mobile app users who were located anywhere other than Texas, Illinois, Washington, and the European Union did not need to, and indeed could not, take any affirmative action to “let[ Everalbum] know” that it should apply face recognition to the users’ photos. In fact, for those users, face recognition was enabled by default and the users lacked the ability to disable it. Thus, the article was misleading for Ever mobile app users located outside of Texas, Illinois, Washington, and the European Union.
      • Between September 2017 and August 2019, Everalbum combined millions of facial images that it extracted from Ever users’ photos with facial images that Everalbum obtained from publicly available datasets in order to create four new datasets to be used in the development of its face recognition technology. In each instance, Everalbum used computer scripts to identify and compile from Ever users’ photos images of faces that met certain criteria (i.e., not associated with a deactivated Ever account, not blurry, not too small, not a duplicate of another image, associated with a specified minimum number of images of the same tagged identity, and, in three of the four instances, not identified by Everalbum’s machines as being an image of someone under the age of thirteen).
      • The FTC summarized its settlement:
        • The proposed settlement requires Everalbum to delete:
          • the photos and videos of Ever app users who deactivated their accounts;
          • all face embeddings—data reflecting facial features that can be used for facial recognition purposes—the company derived from the photos of Ever users who did not give their express consent to their use; and
          • any facial recognition models or algorithms developed with Ever users’ photos or videos.
        • In addition, the proposed settlement prohibits Everalbum from misrepresenting how it collects, uses, discloses, maintains, or deletes personal information, including face embeddings created with the use of facial recognition technology, as well as the extent to which it protects the privacy and security of personal information it collects. Under the proposed settlement, if the company markets software to consumers for personal use, it must obtain a user’s express consent before using biometric information it collected from the user through that software to create face embeddings or develop facial recognition technology.
      • FTC Commissioner Rohit Chopra issued a statement explaining his view on facial recognition technology and the settlement:
        • As outlined in the complaint, Everalbum made promises that users could choose not to have facial recognition technology applied to their images, and that users could delete the images and their account. In addition to those promises, Everalbum had clear evidence that many of the photo app’s users did not want to be roped into facial recognition. The company broke its promises, which constitutes illegal deception according to the FTC’s complaint. This matter and the FTC’s proposed resolution are noteworthy for several reasons.
        • First, the FTC’s proposed order requires Everalbum to forfeit the fruits of its deception. Specifically, the company must delete the facial recognition technologies enhanced by any improperly obtained photos. Commissioners have previously voted to allow data protection law violators to retain algorithms and technologies that derive much of their value from ill-gotten data. This is an important course correction.
        • Second, the settlement does not require the defendant to pay any penalty. This is unfortunate. To avoid this in the future, the FTC needs to take further steps to trigger penalties, damages, and other relief for facial recognition and data protection abuses. Commissioners have voted to enter into scores of settlements that address deceptive practices regarding the collection, use, and sharing of personal data. There does not appear to be any meaningful dispute that these practices are illegal. However, since Commissioners have not restated this precedent into a rule under Section 18 of the FTC Act, we are unable to seek penalties and other relief for even the most egregious offenses when we first discover them.
        • Finally, the Everalbum matter makes it clear why it is important to maintain states’ authority to protect personal data. Because the people of Illinois, Washington, and Texas passed laws related to facial recognition and biometric identifiers, Everalbum took greater care when it came to these individuals in these states. The company’s deception targeted Americans who live in states with no specific state law protections.
  • The Trump Administration issued the “National Maritime Cybersecurity Plan” that “sets forth how the United States government will defend the American economy through enhanced cybersecurity coordination, policies and practices, aimed at mitigating risks to the maritime sub-sector, promoting prosperity through information and intelligence sharing, and preserving and increasing the nation’s cyber workforce,” according to National Security Advisor Robert O’Brien. It will be up to the Biden Administration to implement, revise, or discard this strategy, but strategy documents such as this one that contain anodyne recommendations tend to stay in place for the short term, at least. It bears note that the uneven margins of the columns in the document suggest a rush to issue it before the end of the Trump Administration. Nevertheless, O’Brien added:
    • President [Donald] Trump designated the cybersecurity of the Maritime Transportation System (MTS) as a top priority for national defense, homeland security, and economic competitiveness in the 2017 National Security Strategy. The MTS contributes to one quarter of all United States gross domestic product, or approximately $5.4 trillion. MTS operators are increasingly reliant on information technology (IT) and operational technology (OT) to maximize the reliability and efficiency of maritime commerce. This plan articulates how the United States government can buy down the potential catastrophic risks to our national security and economic prosperity created by technology innovations to strengthen maritime commerce efficiency and reliability.
    • The strategy lists a number of priority actions for the executive branch, including:
      • The United States will deconflict government roles and responsibilities.
      • The United States will develop risk modeling to inform maritime cybersecurity standards and best practices.
      • The United States will strengthen cybersecurity requirements in port services contracts and leasing.
      • The United States will develop procedures to identify, prioritize, mitigate, and investigate cybersecurity risks in critical ship and port systems.
      • Exchange United States government information with the maritime industry.
      • Share cybersecurity intelligence with appropriate non-government entities.
      • Prioritize maritime cybersecurity intelligence collection.
  • The National Security Agency’s (NSA) Cybersecurity Directorate has issued its very first annual review, the “2020 NSA Cybersecurity Year in Review,” which encapsulates the first year of operation for the newly created part of the NSA.
    • Highlights include:
      • In 2020, NSA focused on modernizing encryption across the Department of Defense (DOD). It began with a push to eliminate cryptography that is at risk from attack due to adversarial computational advances. This applied to several systems commonly used by the Armed Services today to provide command and control, critical communications, and battlefield awareness. It also applied to operational practices concerning the handling of cryptographic keys and the implementation of modern suites of cryptography in network communications devices.
      • 2020 was notable for the number of Cybersecurity Advisories (CSAs) and other products NSA cybersecurity produced and released. These products are intended to alert network owners, specifically National Security System (NSS), Department of Defense (DOD), and Defense Industrial Base (DIB), of cyber threats and enable defenders to take immediate action to secure their systems.
      • 2020 was notable not just because it was the NSA Cybersecurity Directorate’s first year nor because of COVID-19, but also because it was an election year in the United States. Drawing on lessons learned from the 2016 presidential election and the 2018 mid-term elections, NSA was fully engaged in whole-of-government efforts to protect 2020 election from foreign interference and influence. Cybersecurity was a foundational component of NSA’s overall election defense effort.
      • This past year, NSA cybersecurity prioritized public-private collaboration, invested in cybersecurity research, and made a concerted effort to build trusted partnerships with the cybersecurity community.
      • The NSA touted the following achievements:
        • In November 2019, NSA began laying the groundwork to conduct a pilot with the Defense Cyber Crime Center and five DIB companies to monitor and block malicious network traffic based on continuous automated analysis of the domain names these companies’ networks were contacting. The pilot’s operational phase commenced in March 2020. Over six months, the Protective Domain Name Service (PDNS) examined more than 4 billion DNS queries to and from these companies. The PDNS provider identified callouts to 3,519 malicious domains and blocked upwards of 13 million connections to those domains. The pilot proved the value of DoD expanding the PDNS service to all DIB entities at scale.
        • How cyber secure is cyber “ready” for combat? In response to legislation that recognized the imperative of protecting key weapons and space systems from adversary cyber intrusions, NSA partnered closely with the DoD CIO, Joint Staff, Undersecretary of Defense for Acquisition & Sustainment, and the Military Services to structure, design, and execute a new cybersecurity program, focused on the most important weapons and space systems, known as the Strategic Cybersecurity Program (SCP), with the mindset of “stop assessing and start addressing.” The program initially identified 12 key weapons and space systems that must be evaluated for cybersecurity vulnerabilities that need to be mitigated. This is either due to the existence of intelligence indicating they are being targeted by cyber adversaries or because the systems are particularly important to warfighting. These systems cover all warfighting domains (land, sea, air, cyber, and space). Under the auspices of the SCP, NSA and military service partners will conduct cybersecurity evaluations, and, most importantly, maintain cyber risk scoreboards and mitigation plans accountability in reducing cyber risk to acceptable levels.
      • The NSA sees the following issues on the horizon:
        • In October 2020, NSA launched an expansive effort across the Executive Branch to understand how we can better inform, drive, and understand the activities of NSS owners to prevent, or respond to, critical cybersecurity events, and cultivate an operationally-aligned community resilient against the most advanced threats. These efforts across the community will come to fruition during the first quarter of 2021 and are expected to unify disparate elements across USG for stronger cybersecurity at scale.
        • NSA Cybersecurity is also focused on combating ransomware, a significant threat to NSS and critical infrastructure. Ransomware activity has become more destructive and impactful in nature and scope. Malicious actors target critical data and propagate ransomware across entire networks, alarmingly focusing recent attacks against U.S. hospitals. In 2020, NSA formed multiple working groups with U.S. Government agencies and other partners to identify ways to make ransomware operations more difficult for our adversaries, less scalable, and less lucrative. While the ransomware threat remains significant, NSA will continue to develop innovative ways to keep the activity at bay.
  • This week, Parler sued Amazon after it rescinded its web hosting services to the social media platform billed as the conservative, unbiased alternative to Twitter. Amazon has responded with an extensive list of the inflammatory, inciting material upon which it based its decision.
    • In its 11 January complaint, Parler asked a federal court “for injunctive relief, including a temporary restraining order and preliminary injunctive relief, and damages” because mainly “AWS’s decision to effectively terminate Parler’s account is apparently motivated by political animus…[and] is also apparently designed to reduce competition in the microblogging services market to the benefit of Twitter” in violation of federal antitrust law.
    • In its 12 January response, Amazon disagreed:
      • This case is not about suppressing speech or stifling viewpoints. It is not about a conspiracy to restrain trade. Instead, this case is about Parler’s demonstrated unwillingness and inability to remove from the servers of Amazon Web Services (“AWS”) content that threatens the public safety, such as by inciting and planning the rape, torture, and assassination of named public officials and private citizens. There is no legal basis in AWS’s customer agreements or otherwise to compel AWS to host content of this nature. AWS notified Parler repeatedly that its content violated the parties’ agreement, requested removal, and reviewed Parler’s plan to address the problem, only to determine that Parler was both unwilling and unable to do so. AWS suspended Parler’s account as a last resort to prevent further access to such content, including plans for violence to disrupt the impending Presidential transition.
    • Amazon offered a sampling of the content on Parler that caused AWS to pull the plug on the platform:
      • “Fry’em up. The whole fkn crew. #pelosi #aoc #thesquad #soros #gates #chuckschumer #hrc #obama #adamschiff #blm #antifa we are coming for you and you will know it.”
      • “#JackDorsey … you will die a bloody death alongside Mark Suckerturd [Zuckerberg]…. It has been decided and plans are being put in place. Remember the photographs inside your home while you slept? Yes, that close. You will die a sudden death!”
      • “We are going to fight in a civil War on Jan.20th, Form MILITIAS now and acquire targets.”
      • “On January 20th we need to start systematicly [sic] assassinating [sic] #liberal leaders, liberal activists, #blm leaders and supporters, members of the #nba #nfl #mlb #nhl #mainstreammedia anchors and correspondents and #antifa. I already have a news worthy event planned.”
      • “Shoot the police that protect these shitbag senators right in the head then make the senator grovel a bit before capping they ass.”

Coming Events

  • On 13 January, the Federal Communications Commission (FCC) will hold its monthly open meeting, and the agency has placed the following items on its tentative agenda, noting that “Bureau, Office, and Task Force leaders will summarize the work their teams have done over the last four years in a series of presentations”:
    • Panel One. The Commission will hear presentations from the Wireless Telecommunications Bureau, International Bureau, Office of Engineering and Technology, and Office of Economics and Analytics.
    • Panel Two. The Commission will hear presentations from the Wireline Competition Bureau and the Rural Broadband Auctions Task Force.
    • Panel Three. The Commission will hear presentations from the Media Bureau and the Incentive Auction Task Force.
    • Panel Four. The Commission will hear presentations from the Consumer and Governmental Affairs Bureau, Enforcement Bureau, and Public Safety and Homeland Security Bureau.
    • Panel Five. The Commission will hear presentations from the Office of Communications Business Opportunities, Office of Managing Director, and Office of General Counsel.
  • On 15 January, the Senate Intelligence Committee will hold a hearing on the nomination of Avril Haines to be the Director of National Intelligence.
  • The Senate Homeland Security and Governmental Affairs Committee will hold a hearing on the nomination of Alejandro N. Mayorkas to be Secretary of Homeland Security on 19 January.
  • On 19 January, the Senate Armed Services Committee will hold a hearing on the nomination of former General Lloyd Austin III to be Secretary of Defense.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

Preview of Senate Democratic Chairs

It’s not clear who will end up where, but new Senate chairs will change the focus and agenda of committees and debate over the next two years.

With the victories of Senators-elect Raphael Warnock (D-GA) and Jon Ossoff (D-GA), control of the United States Senate will tip to the Democrats once Vice President-elect Kamala Harris (D) is sworn in and can break the 50-50 tie in the chamber in favor of the Democrats. With the shift in control, new chairs will take over committees key to setting the agenda over the next two years in the Senate. However, given the filibuster, and the fact that Senate Republicans will exert maximum leverage through its continued use, Democrats will be hamstrung and forced to work with Republicans on matters such as federal privacy legislation, artificial intelligence (AI), the Internet of Things (IoT), cybersecurity, data flows, surveillance, etc., just as Republicans have had to work with Democrats over the six years they controlled the chamber. Having said that, Democrats will be in a stronger position than they had been and will have the power to set the agenda in committee hearings, being empowered to call the lion’s share of witnesses and to control the floor agenda. What’s more, Democrats will be poised to confirm President-elect Joe Biden’s nominees at agencies like the Federal Communications Commission (FCC), the Federal Trade Commission (FTC), the Department of Justice (DOJ), and others, giving the Biden Administration a free hand in many areas of technology policy.

All of that being said, this is not meant to be an exhaustive look at all the committees of jurisdiction and possible chairs. Rather, it seeks to survey likely chairs on selected committees and some of their priorities for the next two years. Subcommittee chairs will also be important, but until the cards get shuffled among the chairs, it will not be possible to see where they land at the subcommittee level.

When considering the possible Democratic chairs of committees, one must keep in mind it is often a matter of musical chairs with the most senior members getting first choice. And so, with Senator Patrick Leahy (D-VT) as the senior-most Democratic Senator, he may well choose to leave the Appropriations Committee and move back to assume the gavel of the Judiciary Committee. Leahy has long been a stakeholder on antitrust, data security, privacy, and surveillance legislation and would be in a position to influence what bills on those and other matters before the Senate look like. If Leahy does not move to the chair on Judiciary, he may still be entitled to chair a subcommittee and exert influence.

If Leahy stays put, then current Senate Minority Whip Dick Durbin (D-IL) would be poised to leapfrog Senator Dianne Feinstein (D-CA) to chair Judiciary after Feinstein was persuaded to step aside on account of her lackluster performance in a number of high-profile hearings in 2020. Durbin has also been active on privacy, data security, and surveillance issues. The Judiciary Committee will be central to a number of technology policies, including Foreign Intelligence Surveillance Act reauthorization, privacy legislation, Section 230 reform, antitrust, and others. On the Republican side of the dais, Senator Lindsey Graham (R-SC) is leaving the top post because of term limit restrictions imposed by Republicans, and Senator Charles Grassley (R-IA) is set to replace him. How this changes the 47 USC 230 (Section 230) debate is not immediately clear. And yet, Grassley and three colleagues recently urged the Trump Administration in a letter to omit language in a trade agreement with the United Kingdom (UK) that mirrors the liability protection of Section 230. Senators Rob Portman (R-OH), Mark R. Warner (D-VA), Richard Blumenthal (D-CT), and Grassley argued to U.S. Trade Representative Ambassador Robert Lighthizer that a “safe harbor” like the one provided to technology companies for hosting or moderating third party content is outdated, not needed in a free trade agreement, contrary to the will of both the Congress and UK Parliament, and likely to be changed legislatively in the near future. It is likely, however, that Grassley will fall in with other Republicans propagating the narrative that social media is unfairly biased against conservatives, particularly in light of the recent purge of President Donald Trump for his many, repeated violations of policy.

The Senate Judiciary Committee will be central in any policy discussions of antitrust and anticompetition in the technology realm. But it bears note the filibuster (and the very low chances Senate Democrats would “go nuclear” and remove all vestiges of the functional supermajority requirement to pass legislation) will give Republicans leverage to block some of the more ambitious reforms Democrats might like to enact (e.g. the House Judiciary Committee’s October 2020 final report that calls for nothing less than a complete remaking of United States (U.S.) antitrust policy and law; see here for more analysis.)

It seems Senator Sherrod Brown (D-OH) will be the next chair of the Senate Banking, Housing, and Urban Development Committee which has jurisdiction over cybersecurity, data security, privacy, and other issues in the financial services sector, making it a player on any legislation designed to encompass the whole of the United States economy. Having said that, it may again be the case that sponsors of, say, privacy legislation decide to cut the Gordian knot of jurisdictional turf battles by cutting out certain committees. For example, many of the privacy bills had provisions making clear they would deem financial services entities in compliance with the Financial Services Modernization Act of 1999 (P.L. 106-102) (aka Gramm-Leach-Bliley) to be in compliance with the new privacy regime. I suppose these provisions may have been included on the basis of the very high privacy and data security standards Gramm-Leach-Bliley has brought about (e.g. the Experian hack), or sponsors of federal privacy legislation made the strategic calculation to circumvent the Senate Banking Committee as much as they can. Nonetheless, this committee has sought to insert itself into the policymaking process on privacy last year as Brown and outgoing Chair Mike Crapo (R-ID) requested “feedback” in February 2019 “from interested stakeholders on the collection, use and protection of sensitive information by financial regulators and private companies.” Additionally, Brown released what may be the most expansive privacy bill from the perspective of privacy and civil liberties advocates, the “Data Accountability and Transparency Act of 2020” in June 2020 (see here for my analysis.) Therefore, Brown may continue to push for a role in federal privacy legislation with a gavel in his hands.

In a similar vein, Senator Patty Murray (D-WA) will likely take over the Senate Health, Education, Labor, and Pensions (HELP) Committee, which has jurisdiction over health information privacy and data security through the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). Again, as with the Senate Banking Committee and Gramm-Leach-Bliley, most of the privacy bills exempt HIPAA-compliant entities. And yet, even if her committee is cut out of a direct role in privacy legislation, Murray will still likely exert influence through oversight of, and possible legislation changing, the HIPAA regulations and the Department of Health and Human Services’ (HHS) enforcement and rewriting of these standards for most of the healthcare industry. For example, HHS is rushing a rewrite of the HIPAA regulations at the tail end of the Trump Administration, and Murray could be in a position to inform how the Biden Administration and Secretary of Health and Human Services-designate Xavier Becerra handle this rulemaking. Additionally, Murray may push the Office for Civil Rights (OCR), the arm of HHS that writes and enforces these regulations, to prioritize matters differently.

Senator Maria Cantwell (D-WA) appears to be the next chair of the Senate Commerce, Science, and Transportation Committee, which has arguably the largest technology portfolio in the Senate. It is the primary committee of jurisdiction for the Federal Communications Commission (FCC), the Federal Trade Commission (FTC), the National Telecommunications and Information Administration (NTIA), the National Institute of Standards and Technology (NIST), and the Department of Commerce. Cantwell may exert influence on which people are nominated to head and staff those agencies and others. Her committee is also the primary committee of jurisdiction for domestic and international privacy and data protection matters. And so, federal privacy legislation will likely be drafted by this committee, and legislative changes so the U.S. can enter into a new personal data sharing agreement with the European Union (EU) would also likely involve her and her committee.

Cantwell and likely next Ranking Member Roger Wicker (R-MS) agree on many elements of federal privacy law but were at odds last year on federal preemption and whether people could sue companies for privacy violations. Between them, they circulated three privacy bills. In September 2020, Wicker and three Republican colleagues introduced the “Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act” (S.4626) (see here for more analysis). Wicker had put out for comment a discussion draft, the “Consumer Data Privacy Act of 2019” (CDPA) (see here for analysis), in November 2019, shortly after Cantwell, then the committee’s Ranking Member, and other Democrats had introduced their privacy bill, the “Consumer Online Privacy Rights Act” (COPRA) (S.2968) (see here for more analysis).

Cantwell could also take a leading role on Section 230, but her focus, of late, seems to be on how technology companies are wreaking havoc on traditional media. She released a report that she mentioned during her opening statement at the 23 September hearing aimed at trying to revive data privacy legislation. She and her staff investigated the decline and financial troubles of local media outlets, which are facing a cumulative loss in advertising revenue of up to 70% since 2000. And since advertising revenue has long been the lifeblood of print journalism, this has devastated local media, with many outlets shutting their doors or radically cutting their staff. This trend has been exacerbated by consolidation in the industry, often in concert with private equity or hedge funds looking to wring the last dollars of value from bargain-basement-priced newspapers. Cantwell also claimed that the overwhelming online advertising dominance of Google and Facebook has further diminished advertising revenue and other possible sources of funding through a variety of means. She intimates that much of this conduct may be illegal under U.S. law, and that the FTC may well be able to use its Section 5 powers against unfair and deceptive acts and its antitrust authority to take action (see here for more analysis and context.) In this vein, Cantwell will want her committee to play a role in any antitrust policy changes, likely knowing massive changes in U.S. law are not possible in a split Senate with entrenched party positions and discipline.

Senator Jack Reed (D-RI) will take over the Senate Armed Services Committee and its portfolio over national security technology policy, which includes the cybersecurity, data protection and supply chain security of national security agencies and their contractors, AI, offensive and defensive U.S. cyber operations, and other realms. Many of the changes Reed and his committee will seek to make will be through the annual National Defense Authorization Act (NDAA) (see here and here for the many technology provisions in the FY 2021 NDAA.) Reed may also prod the Department of Defense (DOD) to implement or enforce the Cybersecurity Maturity Model Certification (CMMC) Framework differently than envisioned and designed by the Trump Administration. In late 2020, a new Defense Federal Acquisition Regulation Supplement (DFARS) interim rule took effect designed to drive better cybersecurity among U.S. defense contractors. This rule brings together two different lines of effort, the existing NIST Special Publication 800-171 self-assessment requirement and the new CMMC certification, to require the Defense Industrial Base (DIB) to employ better cybersecurity given the risks they face by holding and using classified information, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The Executive Branch has long wrestled with how best to push contractors to secure their systems, and Congress and the White House have opted to use federal contract requirements under which contractors self-certify compliance. However, the most recent initiative, the CMMC Framework, will require contractors to be certified by third party assessors. And yet, it is not clear the DOD has wrestled with the often-misaligned incentives present in third party certification schemes, in which the assessor is paid by the very contractor it is assessing and has little reason to be demanding.

Reed’s committee will undoubtedly delve deep into the recent SolarWinds hack and implement policy changes to avoid a recurrence. Doing so may lead the Senate Armed Services Committee back to reconsidering the Cyberspace Solarium Commission’s (CSC) March 2020 final report and follow-up white papers, especially the views embodied in “Building a Trusted ICT Supply Chain.”

Senator Mark Warner (D-VA) will likely take over the Senate Intelligence Committee. Warner has long been a stakeholder on a number of technology issues and would be able to exert influence on the national security components of such issues. He and his committee will almost certainly play a role in the Congressional oversight of and response to the SolarWinds hack. Likewise, his committee shares jurisdiction over the Foreign Intelligence Surveillance Act (FISA) with the Senate Judiciary Committee and over national security technology policy with the Armed Services Committee.

Senator Amy Klobuchar (D-MN) would be the Senate Democratic point person on election security from her perch at the Senate Rules and Administration Committee, which may enable her to more forcefully push for the legislative changes she has long advocated for. In May 2019, Klobuchar and other Senate Democrats introduced the “Election Security Act” (S. 1540), the Senate version of the stand-alone measure introduced in the House that was taken from the larger package, the “For the People Act” (H.R. 1) passed by the House.

In August 2018, the Senate Rules and Administration Committee postponed indefinitely a markup on a compromise bill to provide states additional assistance in securing elections from interference, the “Secure Elections Act” (S.2593). Reportedly, there was concern among state officials that a provision requiring audits of election results would in effect be an unfunded mandate, even though this provision was softened at the insistence of Senate Republican leadership. Moreover, a Trump White House spokesperson indicated in a statement that the Administration opposed the bill, which may have posed an additional obstacle to Committee action. In any event, even if the Senate had passed its bill, it was unlikely that the Republican-controlled House would have considered the companion legislation (H.R. 6663).

Senator Gary Peters (D-MI) may be the next chair of the Senate Homeland Security and Governmental Affairs Committee, and if so, he will continue to face the rock on which many a bark of cybersecurity legislation has been dashed: Senator Ron Johnson (R-WI). So significant has Johnson’s opposition been to bipartisan cybersecurity legislation from the House that some House Republican stakeholders have said as much in media accounts, not bothering to hide behind anonymity. And so, whatever Peters’ ambitions may be to shore up the cybersecurity of the federal government (his committee will play a role in investigating and responding to the Russian hack of SolarWinds and many federal agencies), he will be limited by whatever Johnson and other Republicans will allow to move through the committee and through the Senate. Of course, Peters’ purview would include the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA) and its remit to police the cybersecurity practices of the federal government. Peters would also have in his portfolio the information technology (IT) practices of the federal government, some $90 billion annually across all agencies.

Finally, whether it be Leahy or Durbin at the Senate Appropriations Committee, this post allows for immense influence over funding and programmatic changes in all federal programs through the power of the purse Congress holds.