Further Reading, Other Developments, and Coming Events (10 September)

Coming Events

  • The Federal Communications Commission (FCC) will hold a forum on 5G Open Radio Access Networks on 14 September. The FCC asserted
    • Chairman [Ajit] Pai will host experts at the forefront of the development and deployment of open, interoperable, standards-based, virtualized radio access networks to discuss this innovative new approach to 5G network architecture. Open Radio Access Networks offer an alternative to traditional cellular network architecture and could enable a diversity in suppliers, better network security, and lower costs.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.”
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled “Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • Top Senate Democrats asked the Secretary of the Treasury to impose sanctions on officials and others in the Russian Federation for interfering in the 2020 United States election. In their letter, they urged Secretary Steven Mnuchin “to draw upon the conclusions of the Intelligence Community to identify and target for sanctions all those determined to be responsible for ongoing election interference, including any actors within the government of the Russian Federation, any Russian actors determined to be directly responsible, and those acting on their behalf or providing material or financial support for their efforts.” Given that Mnuchin is unlikely to displease President Donald Trump through agreeing that Russians are again interfering in a presidential election, it is probable that Senate Democrats are seeking to further their line of attack on Republicans that they are unwilling to defend the U.S. and its elections from Russia. They called on Mnuchin to use the authorities granted by Congress in the “Countering America’s Adversaries Through Sanctions Act” (P.L. 115-44) and Executive Order 13848 “Imposing Certain Sanctions in the Event of Foreign Interference in a United States Election.”
  • Epic Games has returned to court in an attempt to force Apple to put its popular multiplayer game, Fortnite, back into the App Store. At present, those on iOS devices cannot download and play the newest version of the game, released a few weeks ago. Even though Epic Games lost its request for a temporary restraining order that would have ordered Apple to put the game back, it has filed for a preliminary injunction:
    • (1) restraining Defendant Apple Inc. (“Apple”) from removing, de-listing, refusing to list or otherwise making unavailable the app Fortnite or any other app on Epic’s Team ID ’84 account in Apple’s Developer Program, including any update of such an app, from the App Store on the basis that Fortnite offers in-app payment processing through means other than Apple’s In-App Purchase (“IAP”) or on any pretextual basis;
    • (2) restraining Apple from taking any adverse action against Epic, including but not limited to restricting, suspending, or terminating any other Apple Developer Program account of Epic or its affiliates, on the basis that Epic enabled in-app payment processing in Fortnite through means other than IAP or on the basis of the steps Epic took to do so;
    • (3) restraining Apple from removing, disabling, or modifying Fortnite or any code, script, feature, setting, certification, version or update thereof on any iOS user’s device; and
    • (4) requiring Apple to restore Epic’s Team ID ’84 account in Apple’s Developer Program.
    • Epic Games asserts:
      • This motion is made on the grounds that: (1) Epic is likely to succeed on the merits of its claims that Apple’s conduct violates the Sherman Act; (2) absent a preliminary injunction, Epic is likely to suffer irreparable harm; (3) the balance of harms tips sharply in Epic’s favor; and (4) the public interest supports an injunction.
    • Considering that the judge ruled against Epic Games’ claim of irreparable harm in the motion for a temporary restraining order on the grounds that the harm was self-inflicted (i.e., Epic Games escalated by putting its own payment option in Fortnite to foil Apple’s 30% take on in-game sales) and that no public interest was present, one wonders if the company will prevail on this motion.
  • Apple filed a countersuit against Epic Games, arguing the latter breached its contract with the former and now must pay damages. In contrast, Epic Games is not suing for any monetary damages, surely a tactical decision to help its case in court and among interested observers.
    • Apple sought to portray Epic Games’ lawsuit this way:
      • Epic’s lawsuit is nothing more than a basic disagreement over money. Although Epic portrays itself as a modern corporate Robin Hood, in reality it is a multi-billion dollar enterprise that simply wants to pay nothing for the tremendous value it derives from the App Store. Epic’s demands for special treatment and cries of “retaliation” cannot be reconciled with its flagrant breach of contract and its own business practices, as it rakes in billions by taking commissions on game developers’ sales and charging consumers up to $99.99 for bundles of “V-Bucks.”
      • Epic decided that it would like to reap the benefits of the App Store without paying anything for them. Armed with the apparent view that Epic is too successful to play by the same rules as everyone else—and notwithstanding a public proclamation that Epic “w[ould] not accept special revenue sharing or payment terms just for ourselves”—Epic CEO Tim Sweeney emailed Apple executives on June 30, 2020, requesting a “side letter” that would exempt Epic from its existing contractual obligations, including the App Store Review Guidelines (the “Guidelines”) that apply equally to all Apple developers. Among other things, Mr. Sweeney demanded a complete end-run around “Apple’s fees”—specifically, Epic wished to continue taking full advantage of the App Store while allowing consumers to pay Epic instead, leaving Apple to receive no payment whatsoever for the many services it provides developers and consumers.
    • Apple contended “[t]his Court should hold Epic to its contractual promises, award Apple compensatory and punitive damages, and enjoin Epic from engaging in further unfair business practices.”
  • The General Services Administration (GSA) released a draft Data Ethics Framework as part of implementing the Trump Administration’s Federal Data Strategy.
    • GSA noted
      • The Federal Data Strategy, delivered in December 2019, recognized the importance of ethics in its founding Principles. When the Federal Data Strategy team created the 2020 Action Plan, they specifically tasked the General Services Administration (GSA) with developing a Data Ethics Framework (Framework) in Action 14 to help agency employees, managers, and leaders make ethical decisions as they acquire, manage, and use data.
      • The resulting Framework is intended to be a “living” resource and to be regularly updated by the CDO Council and ICSP. The Framework incorporates the input and terminology from stakeholders representing many domains, and who use different types of data in different ways. The developers of the Framework recognize that some terms may be used differently, depending on the context, type of data being used, and stage in the data lifecycle.
      • The Framework applies to all data types and data uses. The Framework consists of four parts:
        • About the Data Ethics Framework outlines the intended purpose and audience of this document
        • Data Ethics Defined explores the meaning of the term “data ethics,” as background to the Tenets provided in the following section
        • Data Ethics Tenets provides seven Tenets, or high-level principles, for using data ethically within the Federal Government
        • Data Ethics Tenets in Action describes the benefits of data ethics and contains use cases demonstrating how the Tenets can guide data activities within federal agencies and federally sponsored programs
      • The Administration claimed the 2020 Action Plan “establishes a solid foundation that will support implementation of the strategy over the next decade…[and] identifies initial actions for agencies that are essential for establishing processes, building capacity, and aligning existing efforts to better leverage data as a strategic asset.” The use of federal data holds a key place in the President’s Management Agenda (PMA) and, according to the Administration, will be a key driver in transforming how the federal government operates, particularly in relation to technology. The 2020 Action Plan lays out the steps agencies will be expected to take to realize the Administration’s 10-year Federal Data Strategy. As always, results will be informed by follow through and prioritization by the Office of Management and Budget (OMB) and buy-in from agency leadership.
      • Notably, the Administration tied the 2020 Action Plan to a number of other ongoing initiatives that rely heavily on data. The Administration said the plan “incorporates requirements of the Foundations for Evidence-Based Policymaking Act of 2018, the Geospatial Data Act of 2018, and Executive Order 13859 on Maintaining American Leadership in Artificial Intelligence.”
  • The Office of the Australian Information Commissioner (OAIC) published “its Corporate Plan for 2020-21, which sets out its strategic priorities and key activities for the next four years” according to its press release. The OAIC stated “[t]he plan identifies four strategic priorities that will help the OAIC achieve its vision to increase public trust and confidence in the protection of personal information and access to government-held information:
    • Advance online privacy protections for Australians
    • Influence and uphold privacy and information access rights frameworks
    • Encourage and support proactive release of government-held information, and
    • Contemporary approach to regulation.”
    • The agency stated:
      • Over the coming year, the OAIC will continue to promote strong privacy protections for the use of personal information to prevent and manage the spread of COVID-19, including oversight of data handling within the COVIDSafe app system. 
      • Strengthening privacy protections in the online environment remains a key focus for the organisation, while privacy law reform will be a priority in 2020-21, with the Australian Government’s review of the Privacy Act an opportunity to ensure the regulatory framework can respond to new challenges in the digital environment.
      • Commissioner [Angelene] Falk said the OAIC will also enforce privacy safeguards under the Consumer Data Right and will continue its work to improve transparency and prevent harm to consumers through its oversight of the Notifiable Data Breaches scheme.
  • Ontario’s Ministry of Government and Consumer Services “launched consultations to improve the province’s privacy protection laws” and stakeholders “will have the opportunity to contribute to strengthening transparency and accountability concerning the collection, use and safeguarding of personal information online.” Ontario “is seeking advice on ways to:
    • Increase transparency for individuals, providing Ontarians with more detail about how their information is being used by businesses and organizations.
    • Enhance consent provisions allowing individuals to revoke consent at any time, and adopting an “opt-in” model for secondary uses of their information.
    • Introduce a right for individuals to request information related to them be deleted, subject to limitations (this is otherwise known as “right to erasure” or “the right to be forgotten”).
    • Introduce a right for individuals to obtain their data in a standard and portable digital format, giving them greater freedom to change service providers without losing their data (this is known as “data portability”).
    • Increase enforcement powers for the Information and Privacy Commissioner to ensure businesses comply with the law, including giving the commissioner the ability to impose penalties.
    • Introduce requirements for data that has been de-identified and derived from personal information to provide clarity of applicability of privacy protections.
    • Expand the scope and application of the law to include non-commercial organizations, including not-for-profits, charities, trade unions and political parties.
    • Create a legislative framework to enable the establishment of data trusts for privacy protective data sharing.”
  • The United States (U.S.) Department of Homeland Security (DHS) Office of the Inspector General (OIG) issued “Progress and Challenges in Modernizing DHS’ Information Technology (IT) Systems and Infrastructure” and found fault with these three systems:
    • DHS-wide Human Resources IT (HRIT)
    • DHS Legacy Major IT Financial System that “[s]erves as Coast Guard and Transportation Security Agency’s (TSA) financial system of record.”
    • Federal Emergency Management Agency (FEMA) Grants Management Mission Domain and Operational Environment
    • The OIG stated
      • The DHS 2019–2023 IT strategic plan included two distinct department-wide IT modernization initiatives: to adopt cloud-based computing and to consolidate data centers. However, not all components have complied with or fully embraced these efforts due to a lack of standard guidance and funding. Without consistent implementation of these efforts, DHS components remain hindered in their ability to provide personnel with more enhanced, up-to-date technology.
      • In the meantime, DHS continues to rely on deficient and outdated IT systems to perform mission-critical operations. We identified three legacy IT systems with significant operational challenges that negatively affected critical DHS functions, such as human resources and financial management, as well as disaster recovery mission operations. DHS has not made sufficient progress in replacing or augmenting these IT systems due to ineffective planning and inexperience in executing complex IT modernization efforts. Additionally, the DHS CIO has not performed mandated oversight of legacy IT to mitigate and reduce risks associated with outdated systems. Until DHS addresses these issues, it will continue to face significant challenges to accomplish mission operations efficiently and effectively.
    • The OIG recommended:
      • We recommend the DHS OCIO develop department-wide guidance for implementing cloud technology and migrating legacy IT systems to the cloud.
      • We recommend the DHS OCIO coordinate with components to develop and finalize a data center migration approach to accomplish strategic goals for reducing the footprint of DHS IT infrastructure.
      • We recommend the DHS OCIO establish a process to assign risk ratings for major legacy IT investments, as required by the Federal Information Technology Acquisition Reform Act.
  • The University of Toronto’s Citizen Lab and the International Human Rights Program at the University of Toronto’s Faculty of Law published a report “To Surveil and Predict: A Human Rights Analysis of Algorithmic Policing in Canada” that “focuses on the human rights and constitutional law implications of the use of algorithmic policing technologies by law enforcement authorities.” The authors found:
    • The research conducted for this report found that multiple law enforcement agencies across Canada have started to use, procure, develop, or test a variety of algorithmic policing methods. These programs include both developing and using predictive policing technologies and using algorithmic surveillance tools. Additionally, some law enforcement agencies have acquired tools with the capability of algorithmic policing technology, but they are not currently using that capability because, to date, they have not decided to do so.
    • The authors “analyze the potential impacts of algorithmic policing technologies on the following rights: the right to privacy; the right to freedoms of expression, peaceful assembly, and association; the right to equality and freedom from discrimination; the right to liberty and to be free from arbitrary detention; the right to due process; and the right to a remedy.”
  • The United States (U.S.) Department of Homeland Security (DHS) issued “the Electromagnetic Pulse (EMP) Program Status Report as part of an update on efforts underway in support of Executive Order (E.O.) 13865 on Coordinating National Resilience to Electromagnetic Pulses…[that] establishes resilience and security standards for U.S. critical infrastructure as a national priority.”
    • DHS stated
      • E.O.13865 states, “An electromagnetic pulse (EMP) has the potential to disrupt, degrade, and damage technology and critical infrastructure systems. Human-made or naturally occurring EMPs can affect large geographic areas, disrupting elements critical to the Nation’s security and economic prosperity, and could adversely affect global commerce and stability. The federal government must foster sustainable, efficient, and cost-effective approaches to improving the Nation’s resilience to the effects of EMPs.”
      • In accordance with E.O.13865, the Department has identified initial critical infrastructure and associated functions that are at greatest risk from an EMP and is focusing efforts on the development and implementation of evidence-based and independently-tested EMP protection and mitigation technologies and resilience best practices. Initial efforts within the Department, working across the federal interagency, have focused on risk management to both the Energy and Communications Sectors.
  • Two United States Magistrate Judges denied three requests for a geofence warrant to be served on Google to obtain cell phone data from an area of Chicago for three forty-five-minute periods on three different days. The courts took the unusual step of unsealing the opinions for proceedings that are not adversarial, because the person or people suspected of being involved in the alleged crime are presumably unaware of the application and therefore cannot contest it. There is no indication in the decisions that Google took an adversarial position. However, Google did state in a filing that “[b]etween 2017 and 2018, Google saw a 1,500% increase in geofence requests…[and] [b]etween 2018 and 2019, that figure shot up another 500%.”
    • Moreover, one wonders if prosecutors did not also seek similar warrant requests from other companies such as telecommunications providers. Nonetheless, the judges ruled the geofence warrant requests violated the Fourth Amendment to the U.S. Constitution in a number of ways and suggested that narrower, more particular requests might have been legal.
    • In the first denial, the magistrate judge explained:
      • As to the first geofence request, the government has probable cause to believe that the suspect received the stolen pharmaceuticals from a commercial enterprise located within the designated geofence area during the designated forty-five minute interval in the early afternoon hours on the day of the first geofence request. The geofence, which has a 100-meter radius, is in a densely populated city, and the area contains restaurants, various commercial establishments, and at least one large residential complex, complete with a swimming pool, workout facilities, and other amenities associated with upscale urban living.
      • The second and third geofence requests focus on the same commercial enterprise where the government has probable cause to believe that the suspect shipped some of the stolen pharmaceuticals to a buyer, who purchased the pharmaceuticals from the suspect at the government’s direction. Again, the government’s requested geofence is a 100-meter radius area extending from the commercial establishment where the suspect shipped the pharmaceuticals and covers two separate dates for forty-five minute intervals in the early afternoon hours. This geofence includes medical offices and other single and multi-floor commercial establishments that are likely to have multiple patrons during the early afternoon hours.
      • The warrant application contemplates that the information will be obtained in three stages: (1) Google will be required to disclose to the government an anonymized list of devices that specifies information including the corresponding unique device ID, timestamp, coordinates, and data source, if available, of the devices that reported their location within the geofence during the forty-five minute periods; (2) the government will then review the list to prioritize the devices about which it wishes to obtain associated information; and (3) Google will then be required to disclose to the government the information identifying the Google account(s) for those devices about which the government further inquires. The warrant application includes no criteria or limitations as to which cellular telephones government agents can seek additional information.

Further Reading

  • “A Saudi Prince’s Attempt to Silence Critics on Twitter” By Bradley Hope and Justin Scheck – WIRED. Considering the United States Department of Justice indictments against three Saudi nationals in November 2019 and the resulting news stories (“Why Do We Tolerate Saudi Money in Tech?” – The New York Times and “Former Twitter employees charged with spying for Saudi Arabia by digging into the accounts of kingdom critics” – The Washington Post), one might wonder what news there is in this excerpt from a book. But we learn that Twitter’s anti-establishment stance led the company’s lawyers to suspend the Saudi Twitter employee who was the target of a U.S. investigation, which allowed him to flee the United States. Government lawyers were livid. The bigger issue is foreign operatives infiltrating social media platforms and then reaping information about selected people, especially dissidents.
  • “When Algorithms Give Real Students Imaginary Grades” By Meredith Broussard – The New York Times. The International Baccalaureate (IB) program used an algorithm to hand out grades this past spring when in-person exams were cancelled. It did not go well, as you might imagine. The same was true in the United Kingdom for its A-level exams, causing a furor there. The case is made for never using algorithms in education or related fields.
  • “Wheely ride-hailing app writes to UK privacy watchdog over Moscow data demands” By Simon Goodley – The Guardian. A British ride-sharing company wrote to the United Kingdom’s data protection authority about data requests made by the Moscow Department of Transportation (MDOT) on individual riders. Wheely made the case to the Information Commissioner’s Office (ICO) that it could not hand over the data under the General Data Protection Regulation (GDPR), unlike some of the app’s rivals who apparently complied with the demand. It is not clear whether the company’s GDPR obligations would apply in another jurisdiction. It may be possible Wheely is trying to smear the other companies in the U.K.
  • “Deepfake porn is now mainstream. And major sites are cashing in” By Matt Burgess – Wired. Through the use of artificial intelligence technology, people are making fake pornography in which actresses’ faces are affixed to women’s bodies that are engaged in sexual acts. These deepfake porn videos are soaring in popularity, and there are often not good options for taking them down or taking legal action. This is another area in which technology has outpaced policy and law.
  • “Most cyber-security reports only focus on the cool threats” By Catalin Cimpanu – ZDNet. Turns out that commercial threat reports are issued with an eye towards generating business, and considering that governments and huge contractors have the deepest pockets, the issues of concern to them are covered while other less lucrative areas like threats to civil society are largely ignored. These reports also influence policymakers and give them a distorted picture of cyber threats.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (7 September)

Here is today’s Further Reading, Other Developments, and Coming Events.

Coming Events

  • The United States-China Economic and Security Review Commission will hold a hearing on 9 September on “U.S.-China Relations in 2020: Enduring Problems and Emerging Challenges” to “evaluate key developments in China’s economy, military capabilities, and foreign relations, during 2020.”
  • On 10 September, the General Services Administration (GSA) will have a webinar to discuss implementation of Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) that bars the federal government and its contractors from buying equipment and services from Huawei, ZTE, and other companies from the People’s Republic of China.

Other Developments

  • A federal appeals court found that the National Security Agency (NSA) exceeded its lawful remit in operating the bulk collection of metadata program that former contractor Edward Snowden exposed. Even though the United States Court of Appeals for the Ninth Circuit did not reverse the convictions of four Somalis convicted of providing assistance to terrorists, the court did find the telephony metadata program exceeded Congress’ authorization provided in the Foreign Intelligence Surveillance Act (FISA). The court also suggested the NSA may have violated the Fourth Amendment’s ban on unreasonable searches without deciding the question. The NSA closed the program in 2015 and had a great deal of difficulty with a successor program authorized the same year that was also shut down in 2018. However, the Trump Administration has asked for a reauthorization of the most recent version even though it has admitted it has no plans to restart the program in the immediate future.
  • The top Democrats on five House and Senate committees wrote the new Director of National Intelligence (DNI) calling on him to continue briefing committees of jurisdiction on intelligence regarding election interference. Reportedly, DNI John Ratcliffe wrote these committees in late August, stating his office would still provide Congress written briefings but would no longer conduct in-person briefings because of alleged leaking by Democrats. However, the chair of the Senate Intelligence Committee claimed his committee would still be briefed in person.
    • In an interview, Ratcliffe explained his rationale for ending in-person briefings:
      • I reiterated to Congress, look, I’m going to keep you fully and currently informed, as required by the law. But I also said, we’re not going to do a repeat of what happened a month ago, when I did more than what was required, at the request of Congress, to brief not just the Oversight Committees, but every member of Congress. And yet, within minutes of that — one of those briefings ending, a number of members of Congress went to a number of different publications and leaked classified information, again, for political purposes, to create a narrative that simply isn’t true, that somehow Russia is a greater national security threat than China.
    • Senate Rules Committee Ranking Member Amy Klobuchar (D-MN), House Administration Committee Chair Zoe Lofgren (D-CA), Senate Judiciary Committee Ranking Member Dianne Feinstein (D-CA), House Judiciary Committee Chair Jerrold Nadler (D-NY), and House Homeland Security Committee Chair Bennie Thompson (D-MS) expressed “serious alarm regarding your decision to stop providing in-person election security briefings to Congress, and to insist that you immediately reschedule these critical briefings ahead of the November general election.” They added
      • The important dialogue that comes from a briefing cannot be understated, as you’re well aware. This is why the Intelligence Community (IC) has for decades arranged for senior members of every administration to have intelligence briefers who provide regular, often daily, briefings, rather than simply sending written products to review. Intelligence memos are not a substitute for full congressional briefings. It is also unacceptable to fully brief only one Committee on matters related to federal elections.
      • As Members of the House and Senate with jurisdiction over federal elections, we call on you to immediately resume in-person briefings. We also remind you that the ODNI does not own the intelligence it collects on behalf of the American people, it is a custodian of the information. In addition to the power to establish and fund the ODNI, Congress has the power to compel information from it.
    • In his statement, acting Senate Intelligence Committee Chair Marco Rubio (R-FL) asserted
      • Intelligence agencies have a legal obligation to keep Congress informed of their activities. And Members of Congress have a legal obligation to not divulge classified information. In my short time as Acting Chair of the Senate Select Committee on Intelligence, I have witnessed firsthand how this delicate balance has been destroyed.
      • Divulging access to classified information in order to employ it as a political weapon is not only an abuse, it is a serious federal crime with potentially severe consequences on our national security. This situation we now face is due, in no small part, to the willingness of some to commit federal crimes for the purpose of advancing their electoral aims.
      • Yet, this grotesque criminal misconduct does not release the Intelligence Community from fulfilling its legal requirements to respond to Congressional oversight committees and to keep Members of Congress fully informed of relevant information on a timely basis. I have spoken to Director Ratcliffe who stated unequivocally that he will continue to fulfill these obligations. In particular, he made explicitly clear that the Senate Select Committee on Intelligence will continue receiving briefings on all oversight topics, including election matters. 
    • In early August, National Counterintelligence and Security Center (NCSC) Director William Evanina issued an update to his late July statement “100 Days Until Election 2020” through “sharing additional information with the public on the intentions and activities of our adversaries with respect to the 2020 election…[that] is being released for the purpose of better informing Americans so they can play a critical role in safeguarding our election.” Evanina offered more in the way of detail on the three nations identified as those most active in and capable of interfering in the November election: the Russian Federation, the People’s Republic of China (PRC), and Iran. This additional detail may well have been provided given the pressure from Democrats in Congress to do just this. Members like Speaker of the House Nancy Pelosi (D-CA) argued that Evanina was not giving an accurate picture of the actions by foreign nations to influence the outcome and perception of the 2020 election. Republicans in Congress pushed back, claiming Democrats were seeking to politicize the classified briefings given by the Intelligence Community (IC).
    • In a statement, Pelosi and House Intelligence Committee Chair Adam Schiff (D-CA) expressed gratitude for the additional detail but took issue with the statement for implying through its structure that the risks each nation presents are equal. It seems that Pelosi and Schiff are arguing that the Russian Federation is the biggest threat in light of its history of successfully spreading disinformation and misinformation in 2016 to benefit then-candidate Donald Trump and harm former Secretary of State Hillary Clinton. This assertion would also serve to rebut the notion that the PRC is the top threat, given its placement as the first nation mentioned and Trump Administration rhetoric to this effect.
  • The Federal Acquisition Security Council (FASC) has released an interim regulation that took effect upon being published, but the body will be accepting comments on a still-to-be-drafted final regulation. This entire effort is aimed at helping the United States government identify and remove risky and untrustworthy information technology from its systems. However, the FASC is some nine months late in issuing this rule, suggesting that some of the same troubles that have slowed other Trump Administration efforts to secure the federal government’s information and communications technology supply chain delayed this rule. Other efforts have been slowed by industry stakeholder pushback because a number of American multinationals have supply chains in the People’s Republic of China (PRC) and have resisted efforts to decrease sourcing from that country. This rulemaking was required by the “Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act” (SECURE Technology Act) (P.L. 115-390). The council has one year to fashion and release a final rule.
    • FASC explained that the interim final rule “implement[s] the requirements of the laws that govern the operation of the FASC, the sharing of supply chain risk information, and the exercise of its authorities to recommend issuance of removal and exclusion orders to address supply chain security risks…[and] [w]ritten comments must be received on or before November 2, 2020.”
    • FASC stated
      • Information and communications technology and services (ICTS) are essential to the proper functioning of U.S. government information systems. The U.S. government’s efforts to evaluate threats to and vulnerabilities in ICTS supply chains have historically been undertaken by individual or small groups of agencies to address specific supply chain security risks. Because of the scale of supply chain risks faced by government agencies, and the need for better coordination among a broader group of agencies, there was an organized effort within the executive branch to support Congressional efforts in 2018 to pass new legislation to improve executive branch coordination, supply chain information sharing, and actions to address supply chain risks.
    • FASC explained the interim rule is divided into three parts:
      • Subpart A explains the scope of this IFR, provides definitions for relevant terms, and establishes the membership of the FASC. Subpart B establishes the role of the FASC’s Information Sharing Agency (ISA). DHS, acting primarily through the Cybersecurity and Infrastructure Security Agency, will serve as the ISA. The ISA will standardize processes and procedures for submission and dissemination of supply chain information, and will facilitate the operations of a Supply Chain Risk Management (SCRM) Task Force under the FASC. This FASC Task Force (hereafter referred to as “Task Force”) will be comprised of designated technical experts that will assist the FASC in implementing its information sharing, risk analysis, and risk assessment functions. Subpart B also prescribes mandatory and voluntary information sharing criteria and associated information protection requirements. Subpart C provides the criteria and procedures by which the FASC will evaluate supply chain risk from sources and covered articles and recommend issuance of orders requiring removal of covered articles from executive agency information systems (removal orders) and orders excluding sources or covered articles from future procurements (exclusion orders). Subpart C also provides the process for issuance of removal orders and exclusion orders and agency requests for waivers from such orders.
    • The FASC noted it was required to select “an appropriate executive agency—the FASC’s Information Sharing Agency (ISA)—to perform the administrative information sharing functions on behalf of the FASC,” and it has chosen the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
  • The Federal Communications Commission (FCC) released “the results of its efforts to identify use of Huawei and ZTE equipment and services in U.S. telecommunications networks that receive support from the federal Universal Service Fund.” The FCC initiated this proceeding with its 2019 Supply Chain Order, 85 FR 230, and then Congress came behind the agency and enacted the “Secure and Trusted Communications Networks Act of 2019” (Secure Networks Act) (P.L. 116-124), which authorized in law much of what the FCC was doing. However, this statute did not appropriate any funds for the FCC to implement the identification and removal of Huawei and ZTE equipment from U.S. telecommunications networks. It is possible Congress could provide these funds in an annual appropriations bill for the coming fiscal year.
    • The FCC stated
      • Based on data Commission staff collected through the information collection, all filers report it could cost an estimated $1.837 billion to remove and replace Huawei and ZTE equipment in their networks. Of that total, filers that appear to initially qualify for reimbursement under the Secure and Trusted Communications Network Act of 2019 report it could require approximately $1.618 billion to remove and replace such equipment. Other providers of advanced communications service may not have participated in the information collection and yet still be eligible for reimbursement under the terms of that Act.
  • Australia’s government has released “a voluntary Code of Practice to improve the security of the Internet of Things (IoT),” “a first step in the Australian Government’s approach to improve the security of IoT devices in Australia.” These standards are optional but may foretell future mandatory requirements. The Department of Home Affairs and the Australian Signals Directorate’s Australian Cyber Security Centre developed the Code and explained:
    • This Code of Practice is a voluntary set of measures the Australian Government recommends for industry as the minimum standard for IoT devices. The Code of Practice will also help raise awareness of security safeguards associated with IoT devices, build greater consumer confidence in IoT technology and allow Australia to reap the benefits of greater IoT adoption.
    • The Code of Practice is designed for an industry audience and comprises 13 principles. The Australian Government recommends industry prioritise the top three principles because action on default passwords, vulnerability disclosure and security updates will bring the largest security benefits in the short term.
    • In acknowledgement of the global nature of this issue, the Code of Practice aligns with and builds upon guidance provided by the United Kingdom and is consistent with other international standards. The principles will help inform domestic and international manufacturers about the security features expected of devices available in Australia.
  • The Office of the Privacy Commissioner of Canada (OPC) issued “Privacy guidance for manufacturers of Internet of Things devices” intended to provide “practical information to help ensure that your business practices and the devices you make are privacy protective and compliant with the ‘Personal Information Protection and Electronic Documents Act’ (PIPEDA).” The OPC cautioned “[i]f your IoT device is collecting, using or disclosing personal data in the course of commercial activity, then you are subject to PIPEDA and must follow the principles set out in Schedule 1 of PIPEDA…[and] [t]hese principles…are rooted in international data protection standards and reflect the Canadian Standards Association’s Model Privacy Code for the Protection of Personal Information.” OPC offered this checklist:
    • What you must do to fulfill your responsibilities under PIPEDA:
      • Be accountable by instituting practices that protect the personal information under the control of your organization
      • Before collecting personal information, identify the purposes for its collection
      • Obtain informed and meaningful consent from the individual whose personal information is collected, used or disclosed
      • Design your devices to limit collection to that which is necessary to fulfil their stated purposes
      • Use and disclose personal information only for the purpose for which it was collected
      • Ensure that personal information is as accurate, up-to-date and complete as is necessary for the purposes for which it is to be used, especially when making a decision about individuals or when sharing it with others
      • Ensure the personal information you are accountable for is appropriately safeguarded
      • Inform individuals about your policies and practices for information management
      • Give individuals the ability to access and correct their information
      • Provide recourse to individuals by developing complaint procedures
      • Limit what you collect, use, share and retain about your customers, including children
      • Protect personal information through technological safeguards such as encryption and password protection
    • What you should do to supplement your responsibilities under the law:
      • Create device specific privacy policies to improve the transparency of your information practices. For example, include a list of every sensor a device possesses in your policy’s section on disclosures and state the minimum length of time these devices will receive security updates
      • Consider periodically notifying users when the device is collecting data and give consumers greater control to limit the collection.
      • Perform privacy and security risk assessments that help identify and mitigate risks associated with the device and your personal information handling practices
      • Design your devices to have consumers use strong and unique passwords
      • Provide consumers with user-friendly options to permanently delete information you hold about them and inform them of how to do so
      • Ensure that the end user can patch or update the firmware on the device
  • The United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), the Federal Bureau of Investigation (FBI) and U.S. Cyber Command (USCYBERCOM) published a joint technical alert “about an ongoing automated teller machine (ATM) cash-out scheme by North Korean government cyber actors – referred to by the U.S. government as ‘FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks.’” The agencies asserted
    • [The Democratic People’s Republic of Korea’s (DPRK)] intelligence apparatus controls a hacking team dedicated to robbing banks through remote internet access. To differentiate methods from other North Korean malicious cyber activity, the U.S. Government refers to this team as BeagleBoyz, who represent a subset of HIDDEN COBRA activity. The BeagleBoyz overlap to varying degrees with groups tracked by the cybersecurity industry as Lazarus, Advanced Persistent Threat 38 (APT38), Bluenoroff, and Stardust Chollima and are responsible for the FASTCash ATM cash outs reported in October 2018, fraudulent abuse of compromised bank-operated SWIFT system endpoints since at least 2015, and lucrative cryptocurrency thefts. This illicit behavior has been identified by the United Nations (UN) DPRK Panel of Experts as evasion of UN Security Council resolutions, as it generates substantial revenue for North Korea. North Korea can use these funds for its UN-prohibited nuclear weapons and ballistic missile programs. Additionally, this activity poses significant operational risk to the Financial Services sector and erodes the integrity of the financial system.
  • In a short statement released late on a Friday heading into the Labor Day three-day weekend, the Department of Defense (DOD) signaled the end of “its comprehensive re-evaluation of the Joint Enterprise Defense Infrastructure (JEDI) Cloud proposals and determined that Microsoft’s proposal continues to represent the best value to the Government.” Microsoft bested Amazon for the contract in late 2019, but the latter’s court challenge alleged bias against the company as evidenced by comments from President Donald Trump. This case is ongoing, and Amazon will almost certainly challenge this award, too. In a blog posting, Amazon declared “we will not back down in the face of targeted political cronyism or illusory corrective actions, and we will continue pursuing a fair, objective, and impartial review.” The DOD explained that the potentially $10 billion contract “will make a full range of cloud computing services available to the DOD.” The Pentagon conceded that “[w]hile contract performance will not begin immediately due to the Preliminary Injunction Order issued by the Court of Federal Claims on February 13, 2020, DOD is eager to begin delivering this capability to our men and women in uniform.”

Further Reading

  • “Race for Coronavirus Vaccine Pits Spy Against Spy” By Julian E. Barnes and Michael Venutolo-Mantovani – The New York Times. Reportedly, hackers from the People’s Republic of China (PRC), Russian Federation, and the Islamic Republic of Iran have widened their list of targets to include research universities in the United States (U.S.) working on COVID-19 vaccine research. Officials quoted in the piece explain the likely motivations as knowing what the U.S. is up to, considering their research capabilities are not as good, “checking” their own research against the U.S., and possibly even prestige if they can leverage the intelligence gained into a viable vaccine more quickly than the U.S. or other western nations. Perhaps there is an even more basic motivation: they want a vaccine as fast as possible and are willing to steal one to save their citizens. Nonetheless, this article follows the announcements during the summer by Five Eyes security services that the three nations were targeting pharmaceutical companies and seems to be of a piece with them. The article only hints at the possibility that the U.S. and its allies may be doing exactly the same to those nations to monitor their efforts as well. One final interesting strand: Russia seems to be gearing up for a major influence campaign to widen the split in U.S. society about the proper response to COVID-19 by sowing doubt about vaccinations generally.
  • “Forget TikTok. China’s Powerhouse App Is WeChat, and Its Power Is Sweeping.” By Paul Mozur – The New York Times. This article delves deeply into WeChat, the do-all app most people inside and from the People’s Republic of China (PRC) have on their phone. It is a combination of WhatsApp, Amazon, Apple Pay, Facebook, and other functionality that has become indispensable to those living in the PRC. One person who lived in Canada and returned wishes she could dispense with the app that has become central to Beijing’s efforts to censor and control its people. The PRC employs algorithms and human monitoring to ensure nothing critical of the government is posted or disseminated. One user in North America was shocked to learn, when talking to others, that the depiction on the app of Donald Trump as deeply respected by everyone in the United States (U.S.) was wrong. A few of the experts quoted expressed doubt that banning the app in the U.S. will change much.
  • “U.S. considers cutting trade with China’s biggest semiconductor manufacturer” By Jeanne Whalen – The Washington Post; “Trump administration weighs blacklisting China’s chipmaker SMIC” by Idrees Ali, Alexandra Alper, and Karen Freifeld – Reuters. The People’s Republic of China’s (PRC) biggest semiconductor maker may be added to the United States’ (U.S.) no-trade list soon in what may be another move to further cut Huawei’s access to crucial western technology. Ostensibly, the Semiconductor Manufacturing International Corp. (SMIC) is being accused of having ties that are too close to the PRC’s military. However, the company rejected this allegation in its statement: “The company manufactures semiconductors and provides services solely for civilian and commercial end-users and end-uses. We have no relationship with the Chinese military.” A different PRC chip maker was added to the list in 2018: Fujian Jinhua Integrated Circuit Co.
  • “Pasco’s sheriff created a futuristic program to stop crime before it happens. It monitors and harasses families across the county.” By Kathleen Mcgrory and Neil Bedi – Tampa Bay Times. Even though most of the truly alarming aspects of this sheriff’s office are human-based, the notion that using technology and intelligence methods will allow someone to predict crime is dystopian and disconcerting. What this sheriff’s department has done to mostly minors guilty of at most petty misdemeanors should give anyone pause about employing technology to predict crime and criminals.
  • “DHS, FBI rebut reports about hacked voter data on Russian forum” By Tim Starks – Politico. The United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) rebutted claims made by journalist Julia Ioffe that Michigan voter data were in the hands of Russian hackers. Statements by CISA, the FBI, and the state of Michigan explained that there has been no hack, and that these data may have been obtained through a Freedom of Information Act request.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Pending Legislation In U.S. Congress, Part I: FY 2021 NDAA and FISA Reauthorization

Normally, a FISA reauthorization would be considered must-pass like an NDAA, but this year may be different.

As Congress returns from an eventful summer recess, it is possible technology-focused and related legislation is passed or advances towards passage before the body leaves Washington in late September. However, it is just as likely, possibly even more so, that Congress punts everything except for a measure to keep the government funded through the November election. This week, we will explore some of the bills that may become law. Today’s piece is on the FY 2021 National Defense Authorization Act (NDAA) and the lapsed provisions in the Foreign Intelligence Surveillance Act (FISA).

FY 2021 NDAA

Congress will almost certainly pass its annual policy and authorization bill for the Department of Defense (DOD) as it has done every year since FY 1962. These days, this bill is laden with technology provisions, most of which are oriented towards national security programs, but not always: because the National Defense Authorization Act (NDAA) is considered must-pass legislation, it attracts some legislation that is non-defense. For example, the revamp of how the United States government buys and develops information technology programs, the “Federal Information Technology Acquisition Reform Act” (FITARA) (P.L. 113-291), was enacted as part of the FY 2015 NDAA.

The House and Senate have passed their respective bills: the “William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021” (H.R.6395) and the “National Defense Authorization Act for Fiscal Year 2021” (S.4049) and have already started work on resolving differences between the two packages. However, over the last decade or so, the NDAA has been one of the last major bills passed each calendar year, and it is possible this legislation will not reach the President’s desk until late December.

The base bill put on the floor of the House contained a range of cybersecurity provisions. The DOD’s requirement that it must submit its cybersecurity and information technology (IT) budget would be broadened to include the cyber mission force and its new cyber operations force budgets. The Cyberspace Solarium Commission’s (CSC) structure would be changed and the commission would be extended. The DOD would need to study and consider replicating an entity inside the Navy that has been researching and pioneering cyber warfare. The DOD’s Principal Cyber Advisor would be invested with the authority to manage the Pentagon’s role as the sector-specific agency (SSA) for the Defense Industrial Base (DIB) under Presidential Policy Directive 21. The bill also increased the DOD’s reporting requirements to Congress regarding compromises of its systems and exceptions to its IT policies, with the goal of creating a baseline to help the Pentagon manage its cyber risks and tradeoffs. The DOD would determine whether a current public-private partnership on cybersecurity is working and should be extended.

The Department of Homeland Security (DHS) would need to submit a report on the feasibility of an Integrated Cyber Center housed at its National Cybersecurity and Communications Integration Center (NCCIC). DHS would need to work with the DOD, Office of the Director of National Intelligence (ODNI) and National Security Agency (NSA) on whether it makes sense to create a joint collaboration environment to help shore up cybersecurity. The Pentagon would need to study and then implement a threat hunting program that would allow its personnel to go searching for vulnerabilities and cyber risks in the IT systems of DIB contractors. The DOD would be barred from contracting with entities that do not belong to the DIB threat intelligence sharing program. The bill would also permit the DOD to make grants to companies providing cybersecurity to small manufacturers in the U.S. The bill would establish a National Artificial Intelligence Initiative to support and foster a number of related activities including research and development, education, and training.

During floor consideration of H.R.6395, the House agreed to scores of amendments in two en bloc packages that contained most of the technology provisions made in order for consideration. Among the most notable of these provisions are the following, some of which have been considered by the House as standalone legislation:

The cybersecurity provisions in S.4049 would change, alter, or establish a range of programs and operations. The bill would modify the statutory duties of the Department of Defense’s Principal Cyber Advisor to require that the person chosen for this role is a civilian at the Pentagon who holds a position requiring Senate confirmation. The DOD would need to develop and implement a framework for forward hunt operations (i.e. offensive cyber operations) to address some of the issues the committee’s oversight turned up. The focus of this exercise would be to get a better understanding of the utility and life span of intelligence gained through such operations. The Pentagon’s reporting duties after executing an offensive or defensive cyber operation would be expanded to include nations and entities with whom the United States is not at war. The Committee expanded the DOD’s required briefings on cyber operations, expressing frustration with the Department’s “unwillingness to keep the committee apprised of cyber operations conducted to gain access to adversary systems, including those conducted pursuant to standing military plans against military targets.”

There is language mandating that the DOD begin the process of harmonizing the Pentagon’s cyber capabilities and those provided by private sector contractors, much of which overlaps in the view of the committee. Cyber Command would receive expanded but necessarily limited acquisition authority, as the service branches are to remain the entities undertaking large procurements. The Principal Cyber Advisor and head of Cyber Command would need to assess how well the DOD manages inter-agency conflict in the Pentagon and among Intelligence Community agencies in managing the process by which cyber operations are designed and executed, suggesting there is significant internal friction among the stakeholders. The DOD would need to conduct a pilot on the feasibility of adopting and using a commercial practice of speed-based cybersecurity metrics. The Pentagon would also need to better integrate its data collection and data analysis regarding potentially malicious or illegal activities by DOD employees and contractors (i.e. so-called insider threats).

The DOD would need “to develop a comprehensive plan, by February 1, 2021, for the deployment of commercial-off-the-shelf solutions on supplier networks to monitor the public-facing Internet attack surface of members of the defense industrial base (DIB)” that is intended to supplement the DOD’s new Cybersecurity Maturity Model Certification and other DOD efforts to shore up the cybersecurity of its contractors. The bill would grant a DOD request to receive the authority to immediately react and respond to reported threats and penetrations to “operationally critical” DOD contractors’ systems and networks. The DOD would need “to conduct a baseline review of the Joint Regional Security Stacks (JRSS) activity to determine whether the initiative should continue, but as a program of record, or should be replaced by an improved design and modern technology.” The DOD would also receive limited flexibility to use Operation and Maintenance (O&M) “for cyber operations-peculiar capability development projects.” The committee also conditioned the availability of certain Office of the Secretary of Defense travel on fulfilling a requirement in the current year’s NDAA to submit “a report for the structuring and manning of information operations capabilities and forces” in the DOD, develop “a strategy for operations in the information environment” and to “conduct an information operations posture review.”

The Cyberspace Solarium Commission (CSC) would have its mandate extended so it could monitor, assess, and report on the implementation of its 75 recommendations made in March 2020. The bill includes a number of CSC recommendations, including:

  • Adding “a force structure assessment of the Department of Defense’s Cyber Operations Forces to future cyber posture reviews.”
  • Requiring “a report to the congressional defense committees, detailing the actions that the Secretary will undertake to ensure that the Commander, U.S. Cyber Command, has enhanced authority, direction, and control of the Cyber Operations Forces and of the equipment budget that enables Cyber Operations Forces’ operations and readiness, beginning with fiscal year 2024 budget request.”
  • Assessing “options for establishing a cyber reserve force.”
  • Requiring a comprehensive plan for “[e]nsuring cyber resiliency of nuclear command and control system.”
  • Requiring “the Secretary of Defense to establish policies and requirements for each major weapon system, and the priority critical infrastructure essential to the proper functioning of major weapon systems in broader mission areas, to be re-assessed for cyber vulnerabilities.”
  • Mandating that the Secretary of Defense “establish a threat intelligence sharing program to share threat intelligence with and obtain threat intelligence from the defense industrial base.”
  • Requiring the Pentagon “to conduct an assessment of the adequacy of threat hunting elements of the Cyber Maturity Model Certification (CMMC) program and the need for continuous threat monitoring operations.”
  • Addressing “the risks to National Security Systems (NSSs) posed by quantum computing by requiring the Secretary of Defense to: (1) Complete an assessment of current and potential threats to critical NSSs and the standards used for quantum-resistant cryptography; and (2) Provide recommendations for research and development activities to secure NSSs.”
  • Studying the feasibility of establishing a National Cyber Director.

In terms of the provisions that were folded into the final Senate bill, Senate Homeland Security and Governmental Affairs Committee Chair Ron Johnson (R-WI) succeeded in attaching to the larger bill the “Cybersecurity Vulnerability Identification and Notification Act of 2019” (S.3045). S.3045 would expand the authority of the Cybersecurity and Infrastructure Security Agency’s (CISA) National Cybersecurity and Communications Integration Center (NCCIC) to issue subpoenas to internet service providers to obtain the identity of owners and operators of critical infrastructure, subject to to-be-drafted procedures and limits on how any information collected via subpoena is used and retained. The House’s counterpart bill, H.R.5680, was added as an amendment to H.R.6395, meaning the substance of the legislation will almost certainly be in the final NDAA. Also, an amendment was adopted to stimulate semiconductor manufacturing in the United States by creating a grant and tax incentive program at the Department of Commerce.

There were other technology provisions added to the bill during debate. The following amendments were adopted on 2 July en bloc by unanimous consent:

  • The Department of Homeland Security “shall produce a report on the state of digital content forgery technology” within one year of enactment and then every five years.
  • “[T]he Secretary of Defense, with appropriate representatives of the Armed Forces, shall brief the Committees on Armed Services of the Senate and the House of Representatives on the feasibility and the current status of assigning members of the Armed Forces on active duty to the Joint Artificial Intelligence Center (JAIC) of the Department of Defense.”
  • “[T]he Secretary of Homeland Security shall conduct a comprehensive review of the ability of the Cybersecurity and Infrastructure Security Agency to fulfill–
    • the missions of the Cybersecurity and Infrastructure Security Agency; and
    • the recommendations detailed in the report issued by the Cyberspace Solarium Commission”
  • The “Developing Innovation and Growing the Internet of Things Act” (DIGIT Act) (S.1611) that would require the Department of Commerce to “convene a working group of Federal stakeholders for the purpose of providing recommendations and a report to Congress relating to the aspects of the Internet of Things.”
  • “[T]he Secretary of Defense, in coordination with the Director of the National Reconnaissance Office and the Director of the National Geospatial-Intelligence Agency, shall leverage, to the maximum extent practicable, the capabilities of United States industry, including through the use of commercial geospatial-intelligence services and acquisition of commercial satellite imagery.”
  • “[T]he Secretary of Defense is authorized to establish a pilot program to explore the use of consumption-based solutions to address software-intensive warfighting capability” per a recommendation made by the Section 809 Panel.
  • “[T]he Secretary of Defense shall complete a study on the cyberexploitation of the personal information and accounts of members of the Armed Forces and their families.”
  • A modified version of the “Utilizing Strategic Allied (USA) Telecommunications Act” (S.3189) that “would reassert U.S. and Western leadership by encouraging competition with Huawei that capitalizes on U.S. software advantages, accelerating development of an open-architecture model (known as O-RAN) that would allow for alternative vendors to enter the market for specific network components, rather than having to compete with Huawei end-to-end” according to a press release.

Additionally, a deal was struck to add the “Intelligence Authorization Act for Fiscal Year 2021” (S.3905) to S.4049 but without a bill included in the package as reported out of the Senate Intelligence Committee: the “Foreign Influence Reporting in Elections Act” (FIRE Act) (S.2242).

FISA Reauthorization

At present, key surveillance authorities for new investigations have lapsed, and it does not appear Congress is close to a deal to restore and reform them, an unusual state of affairs, for since 11 September 2001, it has done so regularly. The House and Senate have both passed bills but have been unable to agree on the extent of reforms to Foreign Intelligence Surveillance Act (FISA) programs given antipathy from the Trump Administration on proposed changes and opposition from some Democrats and Republicans who want to see more significant reforms. It is always possible a compromise package is agreed to and then tacked onto the FY 2021 NDAA, a continuing resolution, or an omnibus appropriations bill as has happened before.

In March, the House passed the “USA FREEDOM Reauthorization Act of 2020” (H.R. 6172) by a 278-136 vote, a bill to reauthorize three expiring FISA provisions used by the National Security Agency (NSA) primarily to conduct surveillance: the business records exception, roving wiretaps, and the “lone wolf” provision. Moreover, H.R. 6172 ends the NSA’s ability to use the so-called call detail record (CDR) program that had allowed the agency to access data on many billions of calls. Nonetheless, the NSA shut down the program in 2018 due to what it termed technical problems. This closure of the program was included in the bill even though the Trump Administration had explicitly requested it also be reauthorized.

These authorities had been extended in December 2019 to March 15, 2020. However, the Senate did not act immediately on the bill and opted instead to send a 77-day extension of these now lapsed authorities to the House, which did not take up the bill. The Senate was at an impasse on how to proceed, for some Members did not favor the House reforms while others wanted to implement further changes to the FISA process. Consequently, Senate Majority Leader Mitch McConnell (R-KY) promised amendment votes when the Senate took up H.R.6172, which it did in May. Thereafter, reforms House Democratic leadership tried adding to the bill failed to please stakeholders, leaving the chamber to squelch plans to send a revised bill to the Senate and instead ask for a conference, which is where matters currently stand.

As mentioned, H.R. 6172 would reauthorize the business records exception, which includes “any tangible thing,” in FISA first instituted in the “USA PATRIOT Act” in 2001 but would reform certain aspects of the program. For example, if the Federal Bureau of Investigation (FBI) or NSA is seeking a business record under FISA for which a law enforcement agency would need to obtain a warrant, then the FBI or NSA will also need to obtain a warrant. Currently, this is not the case. Additionally, under H.R.6172, the FISA application process under Section 215 could not be used to obtain a person’s cell site location or GPS information. However, the FBI or NSA would still be able to use Title I of FISA to seek cell site location or GPS data for purposes of conducting electronic surveillance related to alleged foreign intelligence. The bill would require that prosecutors must inform defendants of the evidence derived from electronic surveillance unless doing so would harm national security.

Moreover, records obtained under Section 215 could be retained no longer than five years subject to a number of exceptions that may serve to make this limitation a dead letter. For example, if such records are deemed to have a “secret meaning” or are certified by the FBI as being vital to national security, then such records may be held longer than five years. Given the tendency of agencies to read their authority as broadly as possible and the past record of IC agencies, it is likely these authorities will be stretched as far as legally possible. It bears note that all restrictions are prospective, meaning that current, ongoing uses of Section 215 would be exempted. The business records provision would be extended until December 1, 2023 as are the other two expiring authorities that permit so-called roving wiretaps and allow for surveillance of so-called “lone wolves.”

For FISA applications under Title I (i.e. electronic surveillance), any agency seeking a FISA order to surveil will need to disclose to the FISA court any information that may call into question the accuracy of the application or any doubtful information. Moreover, certain FISA applications to surveil Americans or residents would need to spell out the proposed investigative techniques to the FISA court. Additionally, any FISA application targeting U.S. officials or candidates for federal office must be approved by the Attorney General in writing before it can be submitted. H.R.6172 would permit the suspension or removal of any federal official, employee, or contractor for misconduct before the FISA court and increases criminal liability for violating FISA from five to eight years. Most of these reforms seem aimed at those Members, many of whom are Republican, who were alarmed by the defects in the FISA surveillance process of Trump Campaign associate Carter Page as turned up by the Department of Justice’s Office of the Inspector General investigation. Some of these Members were opposed to the House Judiciary Committee’s initial bill, which they thought did not implement sufficient reforms to the larger FISA process.

In May, the Senate amended and passed H.R. 6172 by an 80-16 vote. Consideration of the bill was stalled in March when some Senators pushed for amendments, a demand to which the Senate Majority Leader finally agreed, provided these amendments would need 60 votes to be adopted. Consequently, once COVID-19 legislation had been considered, the Senate returned to H.R.6172, and debated and voted upon three amendments, one of which was agreed to. The amendment offered by Senators Pat Leahy (D-VT) and Mike Lee (R-UT) to expand the amicus process during the FISA process prevailed by a 77-19 vote.

As mentioned, Wyden and Daines offered an amendment to narrow the Section 215 exception to the Fourth Amendment’s requirement that a search requires a warrant. Section 215 currently allows for FISA court approved searches of business records and all tangible things in the course of a national security investigation, and the underlying text of H.R. 6172 would exclude cell site location and GPS location from Section 215. The Wyden/Daines amendment would also exclude web browsing and search engine histories. However, the amendment failed to reach the 60-vote threshold necessary for adoption under the rule of debate for H.R. 6172, failing by one vote as four Senators did not vote.

In late May, it appeared as if the House would bring H.R. 6172 to the floor and possibly take a run at adding language that barely failed to get added during debate in the Senate that would further pare back the ability of federal law enforcement agencies to use the FISA process for surveillance. However, the Trump Administration more forcefully stated its objections to the amended bill, including a veto threat issued via Twitter, which caused Republican support for the bill to cave, and with it the chances of passage, for Republican votes were needed to pass the bill in the first place. Consequently, House Democratic Leadership explored the possibility of a clean vote on the Senate-amended bill, with the House Rules Committee reporting a rule for debate, but this effort was also scuttled as there were not the votes for passage of the bill to send it to the White House. Instead, House Democratic Leadership opted to go to conference committee, which succeeded in a 284-122 proxy vote, one of the first taken under the new procedure. Thereafter, the House named the following conferees: House Judiciary Committee Chair Jerrold Nadler (D-NY) and Ranking Member Jim Jordan (R-OH); House Intelligence Committee Chair Adam Schiff (D-CA) and Ranking Member Devin Nunes (R-CA); and Representative Zoe Lofgren (D-CA). The bill is being held at the desk in the Senate and Senate conferees have not been named, meaning the conference committee cannot formally begin.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


Further Reading, Other Developments, and Coming Events (13 August)

Here are Further Reading, Other Developments, and Coming Events:

Coming Events

  • On 18 August, the National Institute of Standards and Technology (NIST) will host the “Bias in AI Workshop, a virtual event to develop a shared understanding of bias in AI, what it is, and how to measure it.”
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.

Other Developments

  • Senate Intelligence Committee Acting Chair Marco Rubio (R-FL) and Vice Chairman Mark Warner (D-VA) released a statement indicating the committee had voted to adopt the fifth and final volume of its investigation of the Russian Federation’s interference in the 2016 election. The committee had submitted the report to the Intelligence Community for vetting and has received the report back with edits and redactions. The report could be released sometime over the next few weeks. Rubio and Warner stated “the Senate Intelligence Committee voted to adopt the classified version of the final volume of the Committee’s bipartisan Russia investigation. In the coming days, the Committee will work to incorporate any additional views, as well as work with the Intelligence Community to formalize a properly redacted, declassified, publicly releasable version of the Volume 5 report.” The Senate Intelligence Committee has released four previous reports:
  • The National Institute of Standards and Technology (NIST) is accepting comments until 11 September on draft Special Publication 800-53B, “Control Baselines for Information Systems and Organizations,” a guidance document that will serve a key role in the United States government’s efforts to secure and protect the networks and systems it operates and those run by federal contractors. NIST explained:
    • This publication establishes security and privacy control baselines for federal information systems and organizations and provides tailoring guidance for those baselines. The use of the security control baselines is mandatory, in accordance with OMB Circular A-130 [OMB A-130] and the provisions of the Federal Information Security Modernization Act [FISMA], which requires the implementation of a set of minimum controls to protect federal information and information systems. Whereas use of the privacy control baseline is not mandated by law or [OMB A-130], SP 800-53B, along with other supporting NIST publications, is designed to help organizations identify the security and privacy controls needed to manage risk and satisfy the security and privacy requirements in FISMA, the Privacy Act of 1974 [PRIVACT], selected OMB policies (e.g., [OMB A-130]), and designated Federal Information Processing Standards (FIPS), among others.
  • The United States Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released an “Election Vulnerability Reporting Guide” to provide “election administrators with a step-by-step guide, list of resources, and a template for establishing a successful vulnerability disclosure program to address possible vulnerabilities in their state and local election systems…[and] [t]he six steps include:
    • Step 1: Identify Systems Where You Would Accept Security Testing, and those Off-Limits
    • Step 2: Draft an Easy-to-Read Vulnerability Disclosure Policy (See Appendix III)
    • Step 3: Establish a Way to Receive Reports/Conduct Follow-On Communication
    • Step 4: Assign Someone to Thank and Communicate with Researchers
    • Step 5: Assign Someone to Vet and Fix the Vulnerabilities
    • Step 6: Consider Sharing Information with Other Affected Parties
  • The United Kingdom’s Information Commissioner’s Office (ICO) has issued “Guidance on AI and data protection” that “clarifies how you can assess the risks to rights and freedoms that AI can pose from a data protection perspective; and the appropriate measures you can implement to mitigate them.” The ICO explained “[w]hile data protection and ‘AI ethics’ overlap, this guidance does not provide generic ethical or design principles for your use of AI.” The ICO stated “[i]t corresponds to data protection principles, and is structured as follows:
    • part one addresses accountability and governance in AI, including data protection impact assessments (DPIAs);
    • part two covers fair, lawful and transparent processing, including lawful bases, assessing and improving AI system performance, and mitigating potential discrimination;
    • part three addresses data minimisation and security; and
    • part four covers compliance with individual rights, including rights related to automated decision-making.
  • 20 state attorneys general wrote Facebook Chief Executive Officer Mark Zuckerberg and Chief Operating Officer Sheryl Sandberg “to request that you take additional steps to prevent Facebook from being used to spread disinformation and hate and to facilitate discrimination.” They also asked “that you take more steps to provide redress for users who fall victim to intimidation and harassment, including violence and digital abuse.” The attorneys general said that “[b]ased on our collective experience, we believe that Facebook should take additional actions including the following steps—many of which are highlighted in Facebook’s recent Civil Rights Audit—to strengthen its commitment to civil rights and fighting disinformation and discrimination:
    • Aggressively enforce Facebook policies against hate speech and organized hate organizations: Although Facebook has developed policies against hate speech and organizations that peddle it, we remain concerned that Facebook’s policies on Dangerous Individuals and Organizations, including but not limited to its policies on white nationalist and white supremacist content, are not enforced quickly and comprehensively enough. Content that violates Facebook’s own policies too often escapes removal just because it comes as coded language, rather than specific magic words. And even where Facebook takes steps to address a particular violation, it often fails to proactively address the follow-on actions by replacement or splinter groups that quickly emerge.
    • Allow public, third-party audits of hate content and enforcement: To gauge the ongoing progress of Facebook’s enforcement efforts, independent experts should be permitted access to the data necessary to conduct regular, transparent third-party audits of hate and hate-related misinformation on the platform, including any information made available to the Global Oversight Board. As part of this effort, Facebook should capture data on the prevalence of different forms of hate content on the platform, whether or not covered by Facebook’s own community standards, thus allowing the public to determine whether enforcement of anti-hate policies differs based on the type of hate content at issue.
    • Commit to an ongoing, independent analysis of Facebook’s content population scheme and the prompt development of best practices guidance: By funneling users toward particular types of content, Facebook’s content population scheme, including its algorithms, can push users into extremist online communities that feature divisive and inflammatory messages, often directed at particular groups. Although Facebook has conducted research and considered programs to reduce this risk, there is still no mandatory guidance for coders and other teams involved in content population. Facebook should commit to an ongoing, independent analysis of its content population scheme, including its algorithms, and also continuously implement mandatory protocols as best practices are identified to curb bias and prevent recommendations of hate content and groups.
    • Expand policies limiting inflammatory advertisements that vilify minority groups: Although Facebook currently prohibits ads that claim that certain people, because of their membership in a protected group, pose a threat to the physical safety of communities or the nation, its policies still allow attacks that characterize such groups as threats to national culture or values. The current prohibition should be expanded to include such ads.
  • New Zealand’s Ministry of Statistics “launched the Algorithm Charter for Aotearoa New Zealand” that “signals that [the nation’s agencies] are committed to being consistent, transparent and accountable in their use of algorithms.”
    • The Ministry explained “[t]he Algorithm Charter is part of a wider ecosystem and works together with existing tools, networks and research, including:
      • Principles for the Safe and Effective Use of Data and Analytics (Privacy Commissioner and Government Chief Data Steward, 2018)
      • Government Use of Artificial Intelligence in New Zealand (New Zealand Law Foundation and Otago University, 2019)
      • Trustworthy AI in Aotearoa – AI Principles (AI Forum New Zealand, 2020)
      • Open Government Partnership, an international agreement to increase transparency.
      • Data Protection and Use Policy (Social Wellbeing Agency, 2020)
      • Privacy, Human Rights and Ethics Framework (Ministry of Social Development).
  • The European Union (EU) imposed its first cyber sanctions under its Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities (aka the cyber diplomacy toolbox) against six hackers and three entities from the Russian Federation, the People’s Republic of China (PRC) and the Democratic People’s Republic of Korea for the attack against the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands, the malware attacks known as Petya and WannaCry, and Operation Cloud Hopper. The EU’s cyber sanctions follow sanctions the United States has placed on a number of people and entities from the same nations and also indictments the U.S. Department of Justice has announced over the years. The sanctions are part of the effort to levy costs on nations and actors that conduct cyber attacks. The EU explained:
    • The attempted cyber-attack was aimed at hacking into the Wi-Fi network of the OPCW, which, if successful, would have compromised the security of the network and the OPCW’s ongoing investigatory work. The Netherlands Defence Intelligence and Security Service (DISS) (Militaire Inlichtingen- en Veiligheidsdienst – MIVD) disrupted the attempted cyber-attack, thereby preventing serious damage to the OPCW.
    • “WannaCry” disrupted information systems around the world by targeting information systems with ransomware and blocking access to data. It affected information systems of companies in the Union, including information systems relating to services necessary for the maintenance of essential services and economic activities within Member States.
    • “NotPetya” or “EternalPetya” rendered data inaccessible in a number of companies in the Union, wider Europe and worldwide, by targeting computers with ransomware and blocking access to data, resulting amongst others in significant economic loss. The cyber-attack on a Ukrainian power grid resulted in parts of it being switched off during winter.
    • “Operation Cloud Hopper” has targeted information systems of multinational companies in six continents, including companies located in the Union, and gained unauthorised access to commercially sensitive data, resulting in significant economic loss.
  • The United States’ Federal Communications Commission (FCC) is asking for comments on the Department of Commerce’s National Telecommunications and Information Administration’s (NTIA) petition asking the agency to start a rulemaking to clarify alleged ambiguities in 47 USC 230 regarding the limits of the liability shield for the content others post online versus the liability protection for “good faith” moderation by the platform itself. The NTIA was acting per direction in an executive order allegedly aiming to correct online censorship. Executive Order 13925, “Preventing Online Censorship,” was issued in late May after Twitter fact-checked two of President Donald Trump’s Tweets regarding false claims made about mail voting in California in response to the COVID-19 pandemic. Comments are due by 2 September.
  • The Australian Competition & Consumer Commission (ACCC) released for public consultation a draft of “a mandatory code of conduct to address bargaining power imbalances between Australian news media businesses and digital platforms, specifically Google and Facebook.” The government in Canberra had asked the ACCC to draft this code earlier this year after talks broke down between the Australian Treasury
    • The ACCC explained
      • The code would commence following the introduction and passage of relevant legislation in the Australian Parliament. The ACCC released an exposure draft of this legislation on 31 July 2020, with consultation on the draft due to conclude on 28 August 2020. Final legislation is expected to be introduced to Parliament shortly after conclusion of this consultation process.
    • This is not the ACCC’s first interaction with the companies. Late last year, the ACCC announced a legal action against Google “alleging they engaged in misleading conduct and made false or misleading representations to consumers about the personal location data Google collects, keeps and uses” according to the agency’s press release. In its initial filing, the ACCC is claiming that Google misled and deceived the public in contravention of the Australian Competition Law and that Android users were harmed because those who switched off Location Services were unaware that their location information was still being collected and used by Google, for it was not readily apparent that Web & App Activity also needed to be switched off.
    • A year ago, the ACCC released its final report in its “Digital Platforms Inquiry” that “proposes specific recommendations aimed at addressing some of the actual and potential negative impacts of digital platforms in the media and advertising markets, and also more broadly on consumers.”
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) “released core guidance documentation for the Trusted Internet Connections (TIC) program, developed to assist agencies in protecting modern information technology architectures and services.” CISA explained “In accordance with the Office of Management and Budget (OMB) Memorandum (M) 19-26: Update to the TIC Initiative, TIC 3.0 expands on the original initiative to drive security standards and leverage advances in technology to secure a wide spectrum of agency network architectures.” Specifically, CISA released three core guidance documents:
    • Program Guidebook (Volume 1) – Outlines the modernized TIC program and includes its historical context
    • Reference Architecture (Volume 2) – Defines the concepts of the program to guide and constrain the diverse implementations of the security capabilities
  • Senators Ron Wyden (D-OR), Bill Cassidy (R-LA) and ten other Members wrote the Federal Trade Commission (FTC) urging the agency “to investigate widespread privacy violations by companies in the advertising technology (adtech) industry that are selling private data about millions of Americans, collected without their knowledge or consent from their phones, computers, and smart TVs.” They asked the FTC “to use its authority to conduct broad industry probes under Section 6(b) of the FTC Act to determine whether adtech companies and their data broker partners have violated federal laws prohibiting unfair and deceptive business practices.” They argued “[t]he FTC should not proceed with its review of the Children’s Online Privacy Protection Act (COPPA) Rule before it has completed this investigation.”
  • “100 U.S. women lawmakers and current and former legislators from around the world,” including Speaker of the House Nancy Pelosi (D-CA), sent a letter to Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg urging the company “to take decisive action to protect women from rampant and increasing online attacks on their platform that have caused many women to avoid or abandon careers in politics and public service.” They noted “[j]ust a few days ago, a manipulated and widely shared video that depicted Speaker Pelosi slurring her speech was once again circulating on major social media platforms, gaining countless views before TikTok, Twitter, and YouTube all removed the footage…[and] [t]he video remains on Facebook and is labeled ‘partly false,’ continuing to gain millions of views.” The current and former legislators “called on Facebook to enforce existing rules, including:
    • Quick removal of posts that threaten candidates with physical violence, sexual violence or death, and that glorify, incite or praise violence against women; disable the relevant accounts, and refer offenders to law enforcement.
    • Eliminate malicious hate speech targeting women, including violent, objectifying or dehumanizing speech, statements of inferiority, and derogatory sexual terms;
    • Remove accounts that repeatedly violate terms of service by threatening, harassing or doxing or that use false identities to attack women leaders and candidates; and
    • Remove manipulated images or videos misrepresenting women public figures.
  • The United States’ Departments of Commerce and Homeland Security released an update “highlighting more than 50 activities led by industry and government that demonstrate progress in the drive to counter botnet threats.” In May 2018, the agencies submitted “A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats” that identified a number of steps and prompted a follow-on “A Road Map Toward Resilience Against Botnets” released in November 2018.
  • United States (U.S.) Secretary of Commerce Wilbur Ross and European Commissioner for Justice Didier Reynders released a joint statement explaining that “[t]he U.S. Department of Commerce and the European Commission have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the July 16 judgment of the Court of Justice of the European Union in the Schrems II case.”
    • Maximillian Schrems filed a complaint against Facebook with Ireland’s Data Protection Commission (DPC) in 2013, alleging that the company’s transfer of his personal data violated his rights under European Union law because of the mass U.S. surveillance revealed by former National Security Agency (NSA) contractor Edward Snowden. Ultimately, this case resulted in a 2015 Court of Justice of the European Union (CJEU) ruling that invalidated the Safe Harbor agreement under which the personal data of EU residents was transferred to the US by commercial concerns. The EU and US executed a follow-on agreement, the EU-U.S. Privacy Shield, that was designed to address some of the problems the CJEU turned up, and the U.S. passed a law, the “Judicial Redress Act of 2015” (P.L. 114-126), to provide EU citizens a way to exercise their EU rights in US courts via the “Privacy Act of 1974.”
    • However, Schrems continued and soon sought to challenge the legality of the European Commission’s signing off on the Privacy Shield agreement, the adequacy decision issued in 2016, and also the use of standard contractual clauses (SCC) by companies for the transfer of personal data to the US. The CJEU struck down the adequacy decision, throwing into doubt many entities’ transfers out of the EU into the U.S., but upheld SCCs in a way that suggested EU data protection authorities (DPA) may need to review all such agreements to ensure they comply with EU law.
  • The European Commission (EC) announced “an in-depth investigation to assess the proposed acquisition of Fitbit by Google under the EU Merger Regulation.” The EC voiced its concern “that the proposed transaction would further entrench Google’s market position in the online advertising markets by increasing the already vast amount of data that Google could use for personalisation of the ads it serves and displays.” The EC detailed its “preliminary competition concerns:
    • Following its first phase investigation, the Commission has concerns about the impact of the transaction on the supply of online search and display advertising services (the sale of advertising space on, respectively, the result page of an internet search engine or other internet pages), as well as on the supply of “ad tech” services (analytics and digital tools used to facilitate the programmatic sale and purchase of digital advertising). By acquiring Fitbit, Google would acquire (i) the database maintained by Fitbit about its users’ health and fitness; and (ii) the technology to develop a database similar to Fitbit’s one.
    • The data collected via wrist-worn wearable devices appears, at this stage of the Commission’s review of the transaction, to be an important advantage in the online advertising markets. By increasing the data advantage of Google in the personalisation of the ads it serves via its search engine and displays on other internet pages, it would be more difficult for rivals to match Google’s online advertising services. Thus, the transaction would raise barriers to entry and expansion for Google’s competitors for these services, to the ultimate detriment of advertisers and publishers that would face higher prices and have less choice.
    • At this stage of the investigation, the Commission considers that Google:
      • is dominant in the supply of online search advertising services in the EEA countries (with the exception of Portugal for which market shares are not available);
      • holds a strong market position in the supply of online display advertising services at least in Austria, Belgium, Bulgaria, Croatia, Denmark, France, Germany, Greece, Hungary, Ireland, Italy, Netherlands, Norway, Poland, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom, in particular in relation to off-social networks display ads;
      • holds a strong market position in the supply of ad tech services in the EEA.
    • The Commission will now carry out an in-depth investigation into the effects of the transaction to determine whether its initial competition concerns regarding the online advertising markets are confirmed.
    • In addition, the Commission will also further examine:
      • the effects of the combination of Fitbit’s and Google’s databases and capabilities in the digital healthcare sector, which is still at a nascent stage in Europe; and
      • whether Google would have the ability and incentive to degrade the interoperability of rivals’ wearables with Google’s Android operating system for smartphones once it owns Fitbit.
    • In February, after the deal had been announced, the European Data Protection Board (EDPB) made clear its position that Google and Fitbit will need to scrupulously observe the General Data Protection Regulation’s privacy and data security requirements if the body is to sign off on the proposed $2.2 billion acquisition. Moreover, at present Google has not informed European Union (EU) regulators of the proposed deal. The deal comes at a time when both EU and U.S. regulators are already investigating Google for alleged antitrust and anticompetitive practices, and the EDPB’s opinion could carry weight in this process.
  • The United States’ (U.S.) Department of Homeland Security released a Privacy Impact Assessment for the U.S. Border Patrol (USBP) Digital Forensics Programs that details how it may conduct searches of electronic devices at the U.S. border and ports of entry. DHS explained:
    • As part of USBP’s law enforcement duties, USBP may search and extract information from electronic devices, including: laptop computers; thumb drives; compact disks; digital versatile disks (DVDs); mobile phones; subscriber identity module (SIM) cards; digital cameras; vehicles; and other devices capable of storing electronic information.
    • Last year, a U.S. District Court held that U.S. Customs and Border Protection (CBP) and U.S. Immigration and Customs Enforcement’s (ICE) current practices for searches of smartphones and computers at the U.S. border are unconstitutional and the agency must have reasonable suspicion before conducting such a search. However, the Court declined the plaintiffs’ request that the information taken off of their devices be expunged by the agencies. This ruling follows a Department of Homeland Security Office of the Inspector General (OIG) report that found CBP “did not always conduct searches of electronic devices at U.S. ports of entry according to its Standard Operating Procedures” and asserted that “[t]hese deficiencies in supervision, guidance, and equipment management, combined with a lack of performance measures, limit [CBP’s] ability to detect and deter illegal activities related to terrorism; national security; human, drug, and bulk cash smuggling; and child pornography.”
    • In terms of a legal backdrop, the United States Supreme Court has found that searches and seizures of electronic devices at borders and airports are subject to lesser legal standards than those conducted elsewhere in the U.S. under most circumstances. Generally, the government’s interest in securing the border against the flow of contraband and people not allowed to enter allows considerable leeway from the warrant requirements that govern many other types of searches. However, in recent years two federal appeals courts (the Fourth and Ninth Circuits) have held that searches of electronic devices require suspicion on the part of government agents, while another appeals court (the Eleventh Circuit) held differently. Consequently, there is not a uniform legal standard for these searches.
  • The Inter-American Development Bank (IDB) and the Organization of American States (OAS) released their second assessment of cybersecurity across Latin America and the Caribbean that used the Cybersecurity Capacity Maturity Model for Nations (CMM) developed at the University of Oxford’s Global Cyber Security Capacity Centre (GCSCC). The IDB and OAS explained:
    • When the first edition of the report “Cybersecurity: Are We Ready in Latin America and the Caribbean?” was released in March 2016, the IDB and the OAS aimed to provide the countries of Latin America and the Caribbean (LAC) not only with a picture of the state of cybersecurity but also guidance about the next steps that should be pursued to strengthen national cybersecurity capacities. This was the first study of its kind, presenting the state of cybersecurity with a comprehensive vision and covering all LAC countries.
    • The great challenges of cybersecurity, like those of the internet itself, are of a global nature. Therefore, it is undeniable that the countries of LAC must continue to foster greater cooperation among themselves, while involving all relevant actors, as well as establishing a mechanism for monitoring, analysis, and impact assessment related to cybersecurity both nationally and regionally. More data in relation to cybersecurity would allow for the introduction of a culture of cyberrisk management that needs to be extended both in the public and private sectors. Countries must be prepared to adapt quickly to the dynamic environment around us and make decisions based on a constantly changing threat landscape. Our member states may manage these risks by understanding the impact on and the likelihood of cyberthreats to their citizens, organizations, and national critical infrastructure. Moving to the next level of maturity will require a comprehensive and sustainable cybersecurity policy, supported by the country’s political agenda, with allocation of financial resources and qualified human capital to carry it out.
    • The COVID-19 pandemic will pass, but events that will require intensive use of digital technologies so that the world can carry on will continue happening. The challenge of protecting our digital space will, therefore, continue to grow. It is the hope of the IDB and the OAS that this edition of the report will help LAC countries to have a better understanding of their current state of cybersecurity capacity and be useful in the design of the policy initiatives that will lead them to increase their level of cyberresilience.
  • The European Data Protection Supervisor (EDPS) issued an opinion on “the European Commission’s action plan for a comprehensive Union policy on preventing money laundering and terrorism financing (C(2020)2800 final), published on 7 May 2020.” The EDPS asserted:
    • While the EDPS acknowledges the importance of the fight against money laundering and terrorism financing as an objective of general interest, we call for the legislation to strike a balance between the interference with the fundamental rights of privacy and personal data protection and the measures that are necessary to effectively achieve the general interest goals on anti-money laundering and countering the financing of terrorism (AML/CFT) (the principle of proportionality).
    • The EDPS recommends that the Commission monitors the effective implementation of the existing AML/CFT framework while ensuring that the GDPR and the data protection framework are respected and complied with. This is particularly relevant for the works on the interconnection of central bank account mechanisms and beneficial ownership registers that should be largely inspired by the principles of data minimisation, accuracy and privacy-by-design and by default.

Further Reading

  • “China already has your data. Trump’s TikTok and WeChat bans can’t stop that.” By Aynne Kokas – The Washington Post. This article persuasively makes the case that even if a ban on TikTok and WeChat were to work, and there are substantive questions as to how a ban would work given how widely the former has been downloaded, the People’s Republic of China (PRC) is almost certainly acquiring massive reams of data on Americans through a variety of apps, platforms, and games. For example, Tencent, owner of WeChat, has a 40% stake in Epic Games, maker of Fortnite, a massively popular multiplayer game (if you have never heard of it, ask one of the children in your family). Moreover, a recent change to PRC law mandates that companies operating in the PRC must share their databases for cybersecurity reviews, which may provide an opportunity, aside from hacking and exfiltrating data from United States entities, to access such data. In summation, if the Trump Administration is serious about stopping the flow of data from the U.S. to the PRC, these executive orders will do very little.
  • “Big Tech Makes Inroads With the Biden Campaign” by David McCabe and Kenneth P. Vogel – The New York Times. Most likely long before former Vice President Joe Biden clinched the Democratic nomination, advisers volunteered to help plot out his policy positions, a process that intensified this year. Of course, this includes technology policy, and many of those volunteering for the campaign’s Innovation Policy Committee have worked or are working for large technology companies directly or as consultants or lobbyists. This piece details some of these people and their relationships and how the Biden campaign is managing possible conflicts of interest. Naturally, those on the left wing of the Democratic Party calling for tighter antitrust, competition, and privacy regulation are concerned that Biden might be pulled away from these positions despite his public statements arguing that the United States government needs to get tougher with some practices.
  • “A Bible Burning, a Russian News Agency and a Story Too Good to Check Out” By Matthew Rosenberg and Julian E. Barnes – The New York Times. The Russian Federation seems to be using a new tactic with some success for sowing discord in the United States that is the information equivalent of throwing fuel onto a fire. In this case, a fake story manufactured by a Russian outlet was seized on by some prominent Republicans, in part, because it fits their preferred world view of protestors. In this instance, a Russian outlet created a fake story amplifying an actual event that went viral. We will likely see more of this, and it is not confined to fake stories intended to appeal to the right. The same is happening with content meant for the left wing in the United States.
  • “Facebook cracks down on political content disguised as local news” by Sara Fischer – Axios. As part of its continuing effort to crack down on violations of its policies, Facebook will no longer allow groups with a political viewpoint to masquerade as news. The company and outside experts have identified a range of instances where groups propagating a viewpoint, as opposed to reporting, have used a Facebook exemption by pretending to be local news outlets.
  • “QAnon groups have millions of members on Facebook, documents show” By Ari Sen and Brandy Zadrozny – NBC News. It appears as if some Facebook employees are leaking the results of an internal investigation that identified more than 1 million users who are part of QAnon groups. Most likely these employees want the company to take a stronger stance on the conspiracy group QAnon like the company has with COVID-19 lies and misinformation.
  • And, since Senator Kamala Harris (D-CA) was named former Vice President Joe Biden’s (D-DE) vice presidential pick, this article has become even more relevant than when I highlighted it in late July: “New Emails Reveal Warm Relationship Between Kamala Harris And Big Tech” – HuffPost. Obtained via a Freedom of Information request, new emails from Senator Kamala Harris’ (D-CA) tenure as her state’s attorney general suggest she was willing to overlook the role Facebook, Google, and others played and still play in one of her signature issues: revenge porn. This article makes the case that Harris came down hard on a scammer running a revenge porn site but did not press the tech giants with any vigor to take down such material from their platforms. Consequently, the case is made that if Harris is former Vice President Joe Biden’s vice presidential candidate, this would signal a go-easy approach on large companies even though many Democrats have been calling to break up these companies and vigorously enforce antitrust laws. Harris has largely not engaged on tech issues during her tenure in the Senate. To be fair, many of these companies are headquartered in California and pump billions of dollars into the state’s economy annually, putting Harris in a tricky position politically. Of course, such pieces should be taken with a grain of salt since it may have been suggested or planted by one of Harris’ rivals for the vice president nomination or someone looking to settle a score.
  • “Unwanted Truths: Inside Trump’s Battles With U.S. Intelligence Agencies” by Robert Draper – The New York Times. A deeply sourced article on the outright antipathy between President Donald Trump and Intelligence Community officials, particularly over the issue of how deeply Russia interfered in the election in 2016. A number of former officials have been fired or forced out because they refused to knuckle under to the White House’s desire to soften or massage conclusions of Russia’s past and current actions to undermine the 2020 election in order to favor Trump.
  • “Huawei says it’s running out of chips for its smartphones because of US sanctions” By Kim Lyons – The Verge and “Huawei: Smartphone chips running out under US sanctions” by Joe McDonald – The Associated Press. United States (U.S.) sanctions have started biting the Chinese technology company Huawei, which announced it will likely run out of processor chips for its smartphones. U.S. sanctions bar any company from selling high technology items like processors to Huawei, and this capability is not independently available in the People’s Republic of China (PRC) at present.
  • “Targeting WeChat, Trump Takes Aim at China’s Bridge to the World” By Paul Mozur and Raymond Zhong – The New York Times. This piece explains WeChat, the app the Trump Administration is trying to ban in the United States (U.S.) without any warning. It is like a combination of Facebook, WhatsApp, a news app, and a payment platform and is used by more than 1.2 billion people.
  • “This Tool Could Protect Your Photos From Facial Recognition” By Kashmir Hill – The New York Times. Researchers at the University of Chicago have found a method of subtly altering photos of people that appears to foil most facial recognition technologies. However, a number of experts interviewed said it is too late to stop companies like Clearview AI.
  • “I Tried to Live Without the Tech Giants. It Was Impossible.” By Kashmir Hill – The New York Times. This New York Times reporter tried living without the products of large technology companies, which involved some fairly obvious challenges and some that were not so obvious. Of course, it was hard for her to skip Facebook, Instagram, and the like, but cutting out Google and Amazon proved hardest and basically impossible because of the latter’s cloud presence and the former’s web presence. The fact that some of the companies cannot be avoided if one wants to be online likely lends weight to those making the case these companies are anti-competitive.
  • “To Head Off Regulators, Google Makes Certain Words Taboo” by Adrianne Jeffries – The Markup. Apparently, in what is a standard practice at large companies, employees at Google were coached to avoid using certain terms or phrases that antitrust regulators would take notice of, such as: “market,” “barriers to entry,” and “network effects.” The Markup obtained a 16 August 2019 document titled “Five Rules of Thumb For Written Communications” that starts by asserting “[w]ords matter…[e]specially in antitrust laws” and goes on to advise Google’s employees:
    • We’re out to help users, not hurt competitors.
    • Our users should always be free to switch, and we don’t lock anyone in.
    • We’ve got lots of competitors, so don’t assume we control or dominate any market.
    • Don’t try and define a market or estimate our market share.
    • Assume every document you generate, including email, will be seen by regulators.
  • “Facebook Fired An Employee Who Collected Evidence Of Right-Wing Pages Getting Preferential Treatment” By Craig Silverman and Ryan Mac – BuzzFeed News. A Facebook engineer was fired after adducing proof in an internal communications system that the social media platform is more willing to change false and negative ratings to claims made by conservative outlets and personalities than any other viewpoint. If this is true, it would be opposite to the narrative spun by the Trump Administration and many Republicans in Congress. Moreover, Facebook’s incentives would seem to align with giving conservatives more preferential treatment because many of these websites advertise on Facebook, the company probably does not want to get crosswise with the Administration, sensational posts and content drive engagement which increases user numbers that allows for higher ad rates, and it wants to appear fair and impartial.
  • “How Pro-Trump Forces Work the Refs in Silicon Valley” By Ben Smith – The New York Times. This piece traces the nearly four-decade-old effort of Republicans to sway mainstream media, and now Silicon Valley, to their viewpoint.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo credit: Gerd Altmann on Pixabay

Europe’s Highest Court Strikes Down Privacy Shield

The agreement that has been allowing US companies to transfer the personal data of EU residents to the US was found to be invalid under EU law. The EU’s highest court seems to indicate standard contractual clauses, a frequently used means to transfer data, may be acceptable.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

In the second major ruling from the European Union (EU) this week, earlier today, its highest court invalidated the agreement that has allowed multinational corporations and others to transfer the personal data of EU citizens to the United States (US) for commercial purposes since 2016. The court did not, however, find standard contractual clauses, the means by which many such transfers are occurring, to be illegal. This is the second case an Austrian privacy activist has brought, alleging that Facebook was transferring his personal data into the US in violation of European law because US law, especially surveillance programs, resulted in less protection and fewer rights. The first case resulted in the previous transfer agreement being found illegal, and now this case has resulted in much the same outcome. The import of this ruling is not immediately clear.

Maximillian Schrems filed a complaint against Facebook with the Data Protection Commission (DPC) in 2013, alleging that the company’s transfer of his personal data violated his rights under EU law because of the mass US surveillance revealed by former National Security Agency (NSA) contractor Edward Snowden. Ultimately, this case resulted in a 2015 Court of Justice of the European Union (CJEU) ruling that invalidated the Safe Harbor agreement under which the personal data of EU residents was transferred to the US by commercial concerns. The EU and US executed a follow-on agreement, the EU-US Privacy Shield, that was designed to address some of the problems the CJEU turned up, and the US passed a law, the “Judicial Redress Act of 2015” (P.L. 114-126), to provide EU citizens a way to exercise their EU rights in US courts via the “Privacy Act of 1974.”

However, Schrems continued and soon sought to challenge the legality of the European Commission’s signing off on the Privacy Shield agreement, the adequacy decision issued in 2016, and also the use of standard contractual clauses (SCC) by companies for the transfer of personal data to the US. The European Data Protection Board (EDPB) explained in a recent decision on Denmark’s SCC that

  • According to Article 28(3) General Data Protection Regulation (GDPR), the processing by a data processor shall be governed by a contract or other legal act under Union or Member State law that is binding on the processor with regard to the controller, setting out a set of specific aspects to regulate the contractual relationship between the parties. These include the subject-matter and duration of the processing, its nature and purpose, the type of personal data and categories of data subjects, among others.
  • Under Article 28(6) GDPR, without prejudice to an individual contract between the data controller and the data processor, the contract or the other legal act referred in paragraphs (3) and (4) of Article 28 GDPR may be based, wholly or in part on SCCs.

In a summary of its decision, the CJEU explained

The GDPR provides that the transfer of such data to a third country may, in principle, take place only if the third country in question ensures an adequate level of data protection. According to the GDPR, the Commission may find that a third country ensures, by reason of its domestic law or its international commitments, an adequate level of protection. In the absence of an adequacy decision, such transfer may take place only if the personal data exporter established in the EU has provided appropriate safeguards, which may arise, in particular, from standard data protection clauses adopted by the Commission, and if data subjects have enforceable rights and effective legal remedies. Furthermore, the GDPR details the conditions under which such a transfer may take place in the absence of an adequacy decision or appropriate safeguards.

The CJEU found

  • Regarding the level of protection required in respect of such a transfer, the Court holds that the requirements laid down for such purposes by the GDPR concerning appropriate safeguards, enforceable rights and effective legal remedies must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR, read in the light of the Charter. In those circumstances, the Court specifies that the assessment of that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country.
  • Regarding the supervisory authorities’ obligations in connection with such a transfer, the Court holds that, unless there is a valid Commission adequacy decision, those competent supervisory authorities are required to suspend or prohibit a transfer of personal data to a third country where they take the view, in the light of all the circumstances of that transfer, that the standard data protection clauses are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means, where the data exporter established in the EU has not itself suspended or put an end to such a transfer.

The CJEU stated “the limitations on the protection of personal data arising from the domestic law of the US on the access and use by US public authorities of such data transferred from the EU to that third country, which the Commission assessed in [its 2016 adequacy decision], are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.”

The CJEU found the process put in place by the US government to handle complaints inadequate. The 2016 Privacy Shield resulted in the creation of an Ombudsman post to which EU citizens could submit their complaints. This position is currently held by Under Secretary of State for Economic Growth, Energy, and the Environment Keith Krach.

The CJEU stated “the Ombudsperson mechanism referred to in that decision does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, such as to ensure both the independence of the Ombudsperson provided for by that mechanism and the existence of rules empowering the Ombudsperson to adopt decisions that are binding on the US intelligence services.”

The decision on SCCs is more ambiguous, as it is not entirely clear under which circumstances they can be used. In its decision, the CJEU made clear that SCCs are not necessarily sufficient under EU law in every case:

although there are situations in which, depending on the law and practices in force in the third country concerned, the recipient of such a transfer is in a position to guarantee the necessary protection of the data solely on the basis of standard data protection clauses, there are others in which the content of those standard clauses might not constitute a sufficient means of ensuring, in practice, the effective protection of personal data transferred to the third country concerned. That is the case, in particular, where the law of that third country allows its public authorities to interfere with the rights of the data subjects to which that data relates.

Reaction from the parties was mixed, particularly on what the CJEU’s ruling means for SCCs even though there was agreement that the Privacy Shield will soon no longer govern data transfers from the EU to the US.

The DPC issued a statement in which it asserted

Today’s judgment provides just that, firmly endorsing the substance of the concerns expressed by the DPC (and by the Irish High Court) to the effect that EU citizens do not enjoy the level of protection demanded by EU law when their data is transferred to the United States. In that regard, while the judgment most obviously captures Facebook’s transfers of data relating to Mr Schrems, it is of course the case that its scope extends far beyond that, addressing the position of EU citizens generally.

The DPC added

So, while in terms of the points of principle in play, the Court has endorsed the DPC’s position, it has also ruled that the SCCs transfer mechanism used to transfer data to countries worldwide is, in principle, valid, although it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis.

At a press conference, EC Vice-President Věra Jourová claimed the “CJEU declared the Privacy Shield decision invalid, but also confirmed that the standard contractual clauses remain a valid tool for the transfer of personal data to processors established in third countries.” She asserted “[t]his means that the transatlantic data flows can continue, based on the broad toolbox for international transfers provided by the GDPR, for instance binding corporate rules or SCCs.” Jourová contended with regard to next steps, “[w]e are not starting from scratch…[and] [o]n the contrary, the Commission has already been working intensively to ensure that this toolbox is fit for purpose, including the modernisation of the Standard Contractual Clauses.” Jourová stated “we will be working closely with our American counterparts, based on today’s ruling.”

European Commissioner for Justice Didier Reynders stated

  • First, I welcome the fact that the Court confirmed the validity of our Decision on SCCs.
    • We have been working already for some time on modernising these clauses and ensuring that our toolbox for international data transfers is fit for purpose.
    • Standard Contractual Clauses are in fact the most used tool for international transfers of personal data and we wanted to ensure they can be used by businesses and fully in line with EU law.
    • We are now advanced with this work and we will of course take into account the requirements of judgement.
    • We will work with the European Data Protection Board, as well as the 27 EU Member States. It will be very important to start the process to have a formal approval to modernise the Standard Contractual Clauses as soon as possible. We have been in an ongoing process about such a modernisation for some time, but with an attention to the different elements of the decision of the Court today.
  • My second point: The Court has invalidated the Privacy Shield. We have to study the judgement in detail and carefully assess the consequences of this invalidation.

Reynders stated that “[i]n the meantime, transatlantic data flows between companies can continue using other mechanisms for international transfers of personal data available under the GDPR.”

In a statement, US Secretary of Commerce Wilbur Ross said

While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts.

Ross continued

We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments. Data flows are essential not just to tech companies—but to businesses of all sizes in every sector. As our economies continue their post-COVID-19 recovery, it is critical that companies—including the 5,300+ current Privacy Shield participants—be able to transfer data without interruption, consistent with the strong protections offered by Privacy Shield.

The Department of Commerce stated it “will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.” The agency added “[t]oday’s decision does not relieve participating organizations of their Privacy Shield obligations.”

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by harakir from Pixabay

House Action On FISA Fizzles; A Conference Committee Is Requested

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Despite House Democratic leadership’s plans to pass the Foreign Intelligence Surveillance Act (FISA) reauthorization the Senate sent back to the House earlier this month, plans for a vote last week were scrapped when the coalition that made possible passage of substantially the same bill in March fell apart. Instead, the House voted for a motion to disagree with the Senate’s amendments, to request a conference, and to appoint conferees. It remains to be seen whether the Senate opts to go to conference with the House, but a statement from a spokesperson for the Senate Majority Leader suggested he would support doing so. In the meantime, intelligence and law enforcement agencies cannot use the authorities the bill would renew and reform for they expired on 15 March except for investigations that started before that date.

At week’s beginning, it appeared as if the House would bring the amended “USA FREEDOM Reauthorization Act of 2020” (H.R. 6172) to the floor and possibly take a run at adding language that barely failed to get added during debate in the Senate that would further pare back the ability of federal law enforcement agencies to use the FISA process for surveillance. However, the Trump Administration more forcefully stated its objections to the amended bill, including a veto threat issued via Twitter, which caused Republican support for the bill to cave, and with it the chances of passage, for Republican votes were needed to pass the bill in the first place. Consequently, House Democratic Leadership explored the possibility of a clean vote on the Senate-amended bill, with the House Rules Committee reporting a rule for debate, but this effort was also scuttled as there were not the votes to pass the bill and send it to the White House. Instead, House Democratic Leadership opted to go to conference committee, which succeeded in a 284-122 proxy vote, one of the first taken under the new procedure. Thereafter, the House named the following conferees: House Judiciary Committee Chair Jerrold Nadler (D-NY) and Ranking Member Jim Jordan (R-OH); House Intelligence Committee Chair Adam Schiff (D-CA) and Ranking Member Devin Nunes (R-CA); and Representative Zoe Lofgren (D-CA).

House Democratic plans on the FISA reauthorization went from amending the bill, to passing the Senate-passed bill as is, to requesting a conference after the Democratic-Republican coalition that got the bill out of the House in March crumbled.

As noted, this week, the Trump Administration’s opposition has stiffened with the President getting on the field via Twitter, the Department of Justice (DOJ) publicly stating its opposition, and House Republican leadership urging its Members to vote no on H.R.6172. Moreover, progressive Democrats and allied advocacy groups were pushing House Democratic Leadership to adopt provisions blocking the collection and surveillance of web browsing and search engine history under Section 215. Also, some House Democrats had announced their intention to vote against H.R. 6172 regardless of whether the Section 215 narrowing was added, and so it was not clear the Speaker had the votes to pass a bill the President had vowed to veto anyway.

On 26 May, President Donald Trump tweeted “I hope all Republican House Members vote NO on FISA until such time as our Country is able to determine how and why the greatest political, criminal, and subversive scandal in USA history took place!” On 27 May, Trump tweeted

If the FISA Bill is passed tonight on the House floor, I will quickly VETO it. Our Country has just suffered through the greatest political crime in its history. The massive abuse of FISA was a big part of it!

Also on 27 May, Assistant Attorney General Stephen Boyd released the following statement on H.R.6172:

The Department worked closely with House leaders on both sides of the aisle to draft legislation to reauthorize three national security authorities in the U.S.A. Freedom Act while also imposing reforms to other aspects of FISA designed to address issues identified by the DOJ Inspector General. Although that legislation was approved with a large, bipartisan House majority, the Senate thereafter made significant changes that the Department opposed because they would unacceptably impair our ability to pursue terrorists and spies. We have proposed specific fixes to the most significant problems created by the changes the Senate made. Instead of addressing those issues, the House is now poised to further amend the legislation in a manner that will weaken national security tools while doing nothing to address the abuses identified by the DOJ Inspector General.

Accordingly, the Department opposes the Senate-passed bill in its current form and also opposes the Lofgren amendment in the House. Given the cumulative negative effect of these legislative changes on the Department’s ability to identify and track terrorists and spies, the Department must oppose the legislation now under consideration in the House. If passed, the Attorney General would recommend that the President veto the legislation.

And yet this week, the head of the DOJ’s National Security Division John Demers said there is no pressing need for reauthorization at this time. He remarked in an interview:

We’re going to have to look at where we can fill in the gaps using criminal tools. They’re not perfect. Foreign partners are not crazy when we use their information as the basis of criminal tools, because we don’t have the same protections that we do to protect underlying information as we do on the national security side. We are going to do the best we can to fill those holes and keep those investigations going.

Two weeks ago, following Senate amendment and passage of H.R.6172, a DOJ spokesperson said of the bill, it “would unacceptably degrade our ability to conduct surveillance of terrorists, spies and other national security threats.”

Early in the week, Representatives Zoe Lofgren (D-CA) and Warren Davidson (R-OH) submitted an amendment along the lines of the language Senators Ron Wyden (D-OR) and Steve Daines (R-MT) offered, which the Senate rejected by one vote, to bar the collection of web browsing and internet search history via a FISA order under Section 215. Lofgren and Davidson had negotiated with other House Democratic stakeholders on language acceptable to them.

Regarding their amendment, in their press release, Lofgren and Davidson claimed “[t]he amendment – which is supported by Reps. Adam Schiff, Chair of the House Permanent Select Committee on Intelligence, and Jerrold Nadler, Chair of the House Judiciary Committee – is an outright prohibition: the government will not be able to use Section 215 to collect the websites that a U.S. person visits, the videos that a U.S. person watches, or the search queries that a U.S. person makes…[and] [s]pecifically:

  • If the government is not sure if you’re a U.S. person, but you could be, the government cannot get your internet activity without a Title I FISA warrant.
  • If the government wants to order a service provider to produce a list of everyone who has visited a particular website, watched a particular video, or made a particular search query: the government cannot make that order unless it can guarantee that no U.S. persons’ IP addresses, device identifiers, or other identifiers will be disclosed to the government.
    • This amendment does not allow for the incidental collection of U.S. persons’ web browsing or search information when the target is a specific-selection term that would or could produce such information.
  • This prohibition is a strict liability-type provision. (It isn’t a knowledge standard or a reasonable-belief standard. An order must not result in the production of a U.S. person’s web browsing or search information.)
  • If the order would or could result in the production of a U.S. person’s web browsing or search information, the government cannot order it without a Title I FISA warrant that must be narrowly tailored toward the subject of the warrant.

It appeared this amendment would be made in order during debate, but opposition from both the left and right in the House and among stakeholders made this untenable. The fact that the Lofgren/Davidson amendment was narrower in that it would only provide this protection to people in the United States whereas the Wyden/Daines amendment would have outright barred the practice under FISA led to opposition on the left. Early on 27 May, Wyden supported this language, but when House Intelligence Committee Chair Adam Schiff (D-CA) suggested that intelligence agencies could continue to collect web browsing and search histories of Americans, Wyden withdrew his support. Thereafter, House Democratic Leadership ultimately decided against allowing this amendment to have a vote.

In December, Lofgren and Davidson were among the Members who introduced the “Safeguarding Americans’ Private Records Act of 2020” (H.R.5675/S.3242) in both chambers. In their press release, the sponsors claimed “[t]he bill includes a host of reforms:

  • It would permanently end the flawed phone surveillance program, which secretly scooped up Americans’ telephone records for years.
  • It would close loopholes and prohibit secret interpretation of the law, like those that led to unconstitutional warrantless surveillance programs.
  • It would prohibit warrantless collection of geolocation information by intelligence agencies.
  • It would respond to issues raised by the Inspector General’s office by ensuring independent attorneys, known as amici, have access to all documents, records and proceedings of Foreign Intelligence Surveillance Court, to provide more oversight and transparency.

Notably, beyond revoking the authority for the NSA to restart the telephone collection program, the bill would also exclude from the definition of “tangible thing” in the Section 215 business records exception: Cell site location information, Global positioning system information, Internet website browsing information, and Internet search history information. The bill also contains language that would limit the use of Section 215 to only counterterrorism and foreign intelligence matters and limit the retention of any such material to three years unless it includes foreign intelligence. Moreover, the bill would increase the justification requirements the government must meet before a nondisclosure requirement (aka gag order) can be placed on a company subject to a Section 215 order.

Two weeks ago, the Senate amended and passed H.R. 6172 by an 80-16 vote. Consideration of the bill had stalled in March when some Senators pushed for amendments, a demand to which the Senate Majority Leader finally agreed, provided these amendments would need 60 votes to be adopted. Consequently, once COVID-19 legislation had been considered, the Senate returned to H.R.6172 and debated and voted upon three amendments, one of which was agreed to. The amendment offered by Senators Pat Leahy (D-VT) and Mike Lee (R-UT) to expand the amicus process during the FISA process prevailed by a 77-19 vote. In an op-ed in The Washington Post, Leahy and Lee argued

  • The key to our proposal is to substantially strengthen a program that currently allows FISA judges, in very limited circumstances, to appoint outside legal scholars — called “amici”— to independently analyze FBI surveillance requests that are particularly sensitive. Out of thousands of cases, FISA judges have called for such an independent review by a court-appointed “amicus” only 16 times. Yet this protection is critical because, unlike every courtroom you may have stepped into or any court in a TV drama, the FISA court is not adversarial — meaning there is only a government lawyer and a judge, but no one to advocate for Americans under surveillance.
  • We propose measures that would authorize and actively encourage judges in this secret court to seek independent amicus reviews in all sensitive cases — such as those involving significant First Amendment issues — thereby adding a layer of protection for those who will likely never know they have been targeted for secret surveillance.

As mentioned, Wyden and Daines offered an amendment to narrow the Section 215 exception to the Fourth Amendment’s requirement that a search requires a warrant. Section 215 currently allows for FISA court approved searches of business records and all tangible things in the course of a national security investigation, and the underlying text of H.R. 6172 would exclude cell site location and GPS location from Section 215. The Wyden/Daines amendment would also exclude web browsing and search engine histories.

As Wyden explained during debate,

With web browsing and searches, you are talking about some of the most intimate, some of the most personal, some of the most private details of the lives of Americans. Every thought that can come into people’s heads can be revealed in an internet search or in a visit to a website: their health histories, their medical fears, their political views, their romantic lives, their religious beliefs. Collecting this information is as close to reading minds as surveillance can get. It is the digital mining of the personal lives of the American people.

However, the amendment failed to reach the 60-vote threshold necessary for adoption under the rule of debate for H.R. 6172, failing by one vote as four Senators did not vote.

As for the underlying bill the Senate considered, in March, the House passed H.R. 6172 by a 278-136 vote, a bill to reauthorize three expiring FISA provisions used by the National Security Agency (NSA) primarily to conduct surveillance: the business records exception, roving wiretaps, and the “lone wolf” provision. These authorities had been extended in December 2019 to March 15, 2020. However, the Senate did not act immediately on the bill and opted instead to send a 77-day extension of these now lapsed authorities to the House, which did not take up the bill. The Senate was at an impasse on how to proceed, for some Members did not favor the House reforms while others wanted to implement further changes to the FISA process. Consequently, Senate Majority Leader Mitch McConnell (R-KY) promised amendment votes when the Senate took up H.R.6172.

Moreover, H.R. 6172 ends the NSA’s ability to use the so-called call detail record (CDR) program that had allowed the agency to access data on many billions of calls. Notably, the NSA had already shut down the program in 2018 due to what it termed technical problems. This closure of the program was included in the bill even though the Trump Administration had explicitly requested it also be reauthorized.

As mentioned, H.R. 6172 would reauthorize the business records exception, which includes “any tangible thing,” in FISA first instituted in the USA PATRIOT Act in 2001 but would reform certain aspects of the program. For example, if the Federal Bureau of Investigation (FBI) or NSA is seeking a business record under FISA for which a law enforcement agency would need to obtain a warrant, then the FBI or NSA will also need to obtain a warrant. Currently, this is not the case. Additionally, under H.R.6172, the FISA application process under Section 215 could not be used to obtain a person’s cell site location or GPS information. However, the FBI or NSA would still be able to use Title I of FISA to seek cell site location or GPS data for purposes of conducting electronic surveillance related to alleged foreign intelligence. The bill would require that prosecutors must inform defendants of the evidence derived from electronic surveillance unless doing so would harm national security.

Moreover, records obtained under Section 215 could be retained no longer than five years subject to a number of exceptions that may serve to make this limitation a dead letter. For example, if such records are deemed to have a “secret meaning” or are certified by the FBI as being vital to national security, then such records may be held longer than five years. Given the tendency of agencies to read their authority as broadly as possible and the past record of IC agencies, it is likely these authorities will be stretched as far as legally possible. It bears note that all restrictions are prospective, meaning that current, ongoing uses of Section 215 would be exempted. The business records provision would be extended until December 1, 2023 as are the other two expiring authorities that permit so-called roving wiretaps and allow for surveillance of so-called “lone wolves.”

For FISA applications under Title I (i.e. electronic surveillance), any agency seeking a FISA order to surveil will need to disclose to the FISA court any information that may call into question the accuracy of the application or any doubtful information. Moreover, certain FISA applications to surveil Americans or residents would need to spell out the proposed investigative techniques to the FISA court. Moreover, any FISA application targeting U.S. officials or candidates for federal office must be approved by the Attorney General in writing before they can be submitted. H.R.6172 would permit the suspension or removal of any federal official, employee, or contractor for misconduct before the FISA court and increases criminal liability for violating FISA from five to eight years. Most of these reforms seem aimed at those Members, many of whom are Republican, who were alarmed by the defects in the FISA surveillance process of Trump Campaign associate Carter Page as turned up by the Department of Justice’s Office of the Inspector General investigation. Some of these Members were opposed to the House Judiciary Committee’s initial bill, which they thought did not implement sufficient reforms to the larger FISA process.

Senate Amends FISA Reauthorization; Bill Goes Back To House

A bill to renew three lapsed surveillance provisions was changed during debate, and it is unclear when the House will take up the bill.

The Senate sent an amended version of the Foreign Intelligence Surveillance Act (FISA) reauthorization back to the House without a clear timeline as to when that body will take up this bill. The Senate adopted one amendment to bolster the FISA amicus and disclosure process, narrowly failed to adopt another to exclude web browsing information and search history from the scope of Section 215, and handily rejected an amendment to limit the use of FISA against United States persons.

In March, the House passed the “USA FREEDOM Reauthorization Act of 2020” (H.R. 6172) by a 278-136 vote, a bill to reauthorize three expiring FISA provisions used by the National Security Agency (NSA) primarily to conduct surveillance: the business records exception, roving wiretaps, and the “lone wolf” provision. These authorities had been extended in December 2019 to March 15, 2020. However, the Senate did not act immediately on the bill and opted instead to send a 77-day extension of these now lapsed authorities to the House, which did not take up the bill. The Senate was at an impasse on how to proceed, for some Members did not favor the House reforms while others wanted to implement further changes to the FISA process.

Moreover, H.R. 6172 ends the NSA’s ability to use the so-called call detail record (CDR) program that had allowed the agency to access data on many billions of calls. Notably, the NSA had already shut down the program in 2018 due to what it termed technical problems. This closure of the program was included in the bill even though the Trump Administration had explicitly requested it also be reauthorized.

As mentioned, H.R. 6172 would reauthorize the business records exception, which includes “any tangible thing,” in FISA first instituted in the USA PATRIOT Act in 2001 but would reform certain aspects of the program. For example, if the Federal Bureau of Investigation (FBI) or NSA is seeking a business record under FISA for which a law enforcement agency would need to obtain a warrant, then the FBI or NSA will also need to obtain a warrant. Currently, this is not the case. Additionally, under H.R.6172, the FISA application process under Section 215 could not be used to obtain a person’s cell site location or GPS information. However, the FBI or NSA would still be able to use Title I of FISA to seek cell site location or GPS data for purposes of conducting electronic surveillance related to alleged foreign intelligence. The bill would require that prosecutors must inform defendants of the evidence derived from electronic surveillance unless doing so would harm national security.

Moreover, records obtained under Section 215 could be retained no longer than five years subject to a number of exceptions that may serve to make this limitation a dead letter. For example, if such records are deemed to have a “secret meaning” or are certified by the FBI as being vital to national security, then such records may be held longer than five years. Given the tendency of agencies to read their authority as broadly as possible and the past record of IC agencies, it is likely these authorities will be stretched as far as legally possible. It bears note that all restrictions are prospective, meaning that current, ongoing uses of Section 215 would be exempted. The business records provision would be extended until December 1, 2023 as are the other two expiring authorities that permit so-called roving wiretaps and allow for surveillance of so-called “lone wolves.”

For FISA applications under Title I (i.e. electronic surveillance), any agency seeking a FISA order to surveil will need to disclose to the FISA court any information that may call into question the accuracy of the application or any doubtful information. Moreover, certain FISA applications to surveil Americans or residents would need to spell out the proposed investigative techniques to the FISA court. Moreover, any FISA application targeting U.S. officials or candidates for federal office must be approved by the Attorney General in writing before they can be submitted. H.R.6172 would permit the suspension or removal of any federal official, employee, or contractor for misconduct before the FISA court and increases criminal liability for violating FISA from five to eight years. Most of these reforms seem aimed at those Members, many of whom are Republican, who were alarmed by the defects in the FISA surveillance process of Trump Campaign associate Carter Page as turned up by the Department of Justice’s Office of the Inspector General investigation. Some of these Members were opposed to the House Judiciary Committee’s initial bill, which they thought did not implement sufficient reforms to the larger FISA process.

Like the bill the House Judiciary Committee was to mark up, the “USA FREEDOM Reauthorization Act of 2020” would set a six-month deadline for the Director of National Intelligence to declassify significant FISA opinions, orders, and decisions. The bill also beefs up the adversarial procedures in the FISA process by expanding the circumstances in which amici curiae are appointed, and the ability of amici to appeal FISA decisions to the FISA review court would also be expanded. Additionally, both FISA courts and the FISA review court would be empowered to seek outside legal counsel.

The Intelligence Committees would see their power increased to seek and obtain FISA applications in order to conduct oversight of the FISA process.

Finally, the powers of the Privacy and Civil Liberties Oversight Board (PCLOB) to oversee the FISA process would also be expanded. PCLOB would need to report on the extent to which FISA investigations are arising from protected First Amendment activities and from protected characteristics such as race, gender, sexual orientation, and others. There are broader PCLOB reforms that, for example, lengthen PCLOB members’ terms to six years and allow them to serve past the six-year mark until a successor is confirmed by the Senate, as is the case with many other agencies.

Senators Pat Leahy (D-VT) and Mike Lee (R-UT) succeeded in having their amendment to expand the amicus process during the FISA process adopted by a 77-19 vote. In an op-ed in The Washington Post, Leahy and Lee argued

  • The key to our proposal is to substantially strengthen a program that currently allows FISA judges, in very limited circumstances, to appoint outside legal scholars — called “amici”— to independently analyze FBI surveillance requests that are particularly sensitive. Out of thousands of cases, FISA judges have called for such an independent review by a court-appointed “amicus” only 16 times. Yet this protection is critical because, unlike every courtroom you may have stepped into or any court in a TV drama, the FISA court is not adversarial — meaning there is only a government lawyer and a judge, but no one to advocate for Americans under surveillance.
  • We propose measures that would authorize and actively encourage judges in this secret court to seek independent amicus reviews in all sensitive cases — such as those involving significant First Amendment issues — thereby adding a layer of protection for those who will likely never know they have been targeted for secret surveillance.

Leahy elaborated during floor debate:

  • My amendment with Senator Lee would create a presumption of amici participation in cases involving significant First Amendment issues, not just “exceptional concerns” as in the House bill. Importantly, we also create a presumption of amici participation when the FBI considers the case to be a “sensitive investigative matter” which the FBI would call an investigation involving the domestic media, a domestic religious organization, or a public official. I think all of us should agree that in those instances we ought to have somebody independently looking at them.
  • Most critically, though, we would leave the decision to appoint amici entirely up to the FISA judge. Even if it would fall into all of these categories they could still say no. As a result, the argument that the expanded amici participation would duly burden the court doesn’t even withstand the slightest scrutiny. If the judge believes amici would not be appropriate because the case is too time sensitive or too simple or too routine or for any other reason–any other reason–they have the discretion to not appoint amici at all. Under our amendment, throughout the FISA process, the judge maintains complete control. It is not a burden on the court. What it is doing is empowering the court. It is up to them.

Senators Ron Wyden (D-OR) and Steve Daines (R-MT) offered an amendment to narrow the Section 215 exception to the Fourth Amendment’s requirement that a search requires a warrant. Section 215 currently allows for FISA court approved searches of business records and all tangible things in the course of a national security investigation, and H.R. 6172 would, as noted, exclude cell site location and GPS location from Section 215.

As Wyden explained during debate,

With web browsing and searches, you are talking about some of the most intimate, some of the most personal, some of the most private details of the lives of Americans. Every thought that can come into people’s heads can be revealed in an internet search or in a visit to a website: their health histories, their medical fears, their political views, their romantic lives, their religious beliefs. Collecting this information is as close to reading minds as surveillance can get. It is the digital mining of the personal lives of the American people.

However, the amendment failed to reach the 60-vote threshold necessary for adoption under the rule of debate for H.R. 6172, failing by one vote as four Senators did not vote.

Finally, Senator Rand Paul (R-KY) offered an amendment “to prohibit the use of authorities under [FISA] to surveil United States persons and to prohibit the use of information acquired under such Act in any criminal, civil, or administrative proceeding or as part of any criminal, civil, or administrative investigation, and for other purposes.” Paul’s amendment would bar the use of FISA for the following:

(1)  electronic surveillance of a United  States person;

(2)  a  physical  search  of  a  premises, information, material,  or  property used  exclusively  by, or under the open and exclusive  control of, a United States person;

(3) approval of the installation and use of a pen register or trap and trace device to obtain information concerning a United States person;

(4) the production of  tangible  things (including  books,  records,  papers,  documents,  and other items) concerning a United States person; or

(5) the  targeting of a United States person for the acquisition of information.

Moreover, prosecutors could not use any such information in court proceedings against U.S. persons if obtained without a warrant issued by a federal court excepting FISA courts.

The amendment failed by an 11-87 vote, and then the Senate sent the amended version of H.R. 6172 back to the House by an 80-16 vote, where its path to enactment is not immediately clear, in no small part due to the extended COVID-19 recess that body has taken. However, the House Rules Committee is taking up a proxy voting measure today that may allow all Members to vote without having to be in Washington. This may allow action on the bill much sooner.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

OIG Finds More Flaws in FBI FISA Process

The Department of Justice’s (DOJ) Office of the Inspector General (OIG) issued another report critical of how the Federal Bureau of Investigation (FBI) has complied with requirements for submitting applications to Foreign Intelligence Surveillance Courts under the Foreign Intelligence Surveillance Act (FISA). Like the previous report in December 2019 investigating the FISA process that led to surveillance of certain members of the Trump presidential campaign, this report also turned up numerous instances under which the FBI was not meeting the requirements to substantiate claims made in FISA applications. This report comes at a time when four FISA authorities have lapsed as the House and Senate could not agree on a final bill, and the House has declined to pass the Senate’s extension passed before COVID-19 more or less took over the legislative agenda.

The OIG explained

As a result of these findings (i.e. the investigation in FBI surveillance of some Trump campaign operatives), in December 2019, my office initiated an audit to examine more broadly the FBI’s execution of, and compliance with, its Woods Procedures relating to U.S. Persons covering the period from October 2014 to September 2019. As an initial step in our audit, over the past 2 months, we visited 8 FBI field offices of varying sizes and reviewed a judgmentally selected sample of 29 applications relating to U.S. Persons and involving both counterintelligence and counterterrorism investigations. This sample was selected from a dataset provided by the FBI that contained more than 700 applications relating to U.S. Persons submitted by those 8 field offices over a 5-year period. The proportion of counterintelligence and counterterrorism applications within our sample roughly models the ratio of the case types within that total of FBI FISA applications. Our initial review of these applications has consisted solely of determining whether the contents of the FBI’s Woods File supported statements of fact in the associated FISA application; our review did not seek to determine whether support existed elsewhere for the factual assertion in the FISA application (such as in the case file), or if relevant information had been omitted from the application. For all of the FISA applications that we have reviewed to date, the period of court-authorized surveillance had been completed and no such surveillance was active at the time of our review.

The OIG stated that “[a]s a result of our audit work to date and as described below, we do not have confidence that the FBI has executed its Woods Procedures in compliance with FBI policy.” The OIG noted that “[s]pecifically, the Woods Procedures mandate compiling supporting documentation for each fact in the FISA application…[and] [a]dherence to the Woods Procedures should result in such documentation as a means toward achievement of the FBI’s policy that FISA applications be ‘scrupulously accurate.’” The OIG stated that “[o]ur lack of confidence that the Woods Procedures are working as intended stems primarily from the fact that:

(1) we could not review original Woods Files for 4 of the 29 selected FISA applications because the FBI has not been able to locate them and, in 3 of these instances, did not know if they ever existed;

(2) our testing of FISA applications to the associated Woods Files identified apparent errors or inadequately supported facts in all of the 25 applications we reviewed, and interviews to date with available agents or supervisors in field offices generally have confirmed the issues we identified;

(3) existing FBI and National Security Division (NSD) oversight mechanisms have also identified deficiencies in documentary support and application accuracy that are similar to those that we have observed to date; and

(4) FBI and NSD officials we interviewed indicated to us that there were no efforts by the FBI to use existing FBI and NSD oversight mechanisms to perform comprehensive, strategic assessments of the efficacy of the Woods Procedures or FISA accuracy, to include identifying the need for enhancements to training and improvements in the process, or increased accountability measures.

However, the OIG cautioned that “[d]uring this initial review, we have not made judgments about whether the errors or concerns we identified were material.” The OIG added that “we do not speculate as to whether the potential errors would have influenced the decision to file the application or the FISC’s decision to approve the FISA application…[and] our review was limited to assessing the FBI’s execution of its Woods Procedures, which are not focused on affirming the completeness of the information in FISA applications.”

This is the second report critical of government surveillance programs in the last month. In March, the Privacy and Civil Liberties Oversight Board (PCLOB or Board) released its “Report on the Government’s Use of the Call Detail Records Program Under the USA Freedom Act” that noted that in only two instances did the CDR program turn up intelligence that was unique and valuable despite having collected over 434 million CDRs in 2018. Opponents of the program have seized on the PCLOB’s review to further argue for closing down the CDR program even though the Board did not find any willful violations of the USA FREEDOM Act, the latter point being likely to be used by proponents of the program.

As noted, even though the House passed the “USA FREEDOM Reauthorization Act of 2020” (H.R. 6172) in early March to reauthorize three expiring Foreign Intelligence Surveillance Act (FISA) provisions, shutter the CDR program and implement reforms, the Senate declined to act immediately on the bill and opted instead to send a 77-day extension of these now lapsed authorities to the House, which is currently in recess. The Senate will turn to a reform bill under a process that will allow votes on specified amendments subject to a 60-vote threshold.

House Passes FISA Reauthorization; Senate To Vote Today

Last week, the House passed the “USA FREEDOM Reauthorization Act of 2020” (H.R. 6172) by a 278-136 vote, a bill to reauthorize three expiring Foreign Intelligence Surveillance Act (FISA) provisions used by the National Security Agency (NSA) primarily to conduct surveillance: the business records exception, roving wiretaps, and the “lone wolf” provision.

However, the Senate started the process of invoking cloture on H.R.6172 before leaving for the weekend, and these authorities lapsed on March 15 when the current authorization ended. The Senate is scheduled to hold a vote to invoke cloture on the motion to proceed to the bill at 5:30 pm. During floor consideration on March 12, Senator Mike Lee (R-UT) twice asked for unanimous consent to pass a clean 45-day extension of the expiring FISA authorities and then the consideration of amendments to H.R. 6172 offered by Members looking to reform and limit FISA, but Senate Intelligence Committee Chair Richard Burr (R-NC) objected to each request.

A few weeks ago, the House Judiciary Committee set a February 26 markup of the bill that had been agreed upon with the House Intelligence Committee. However, Representative Zoe Lofgren (D-CA) was dissatisfied with the bill, calling it “so pitiful that it is not even worth pursuing.” She added that “[w]e have the opportunity to reform the system…[and] [w]e should take that opportunity.” Reportedly, Lofgren was going to offer amendments changing the bill to require that an amicus curiae be appointed to oppose every government application under FISA to surveil an American and to change the definition of business records to exclude cell phone location, web browsing data, and search history. Information on the other amendments was not made available.

H.R. 6172 would end the controversial Call Detail Record (CDR) program that replaced the bulk telephony metadata program exposed by former NSA contractor Edward Snowden. The NSA had already shut down this program over what it framed as technical issues and deleted all the CDRs acquired from telecommunications companies, and yet, the Trump Administration asked that the program be reauthorized and vowed not to restart it until a need arose for these authorities. However, this request was coolly received by many Republicans and Democrats.

Also, H.R. 6172 would reauthorize the business records exception, which includes “any tangible thing,” in FISA first instituted in the USA PATRIOT Act in 2001 but would reform certain aspects of the program. For example, if the Federal Bureau of Investigation (FBI) or NSA is seeking a business record under FISA for which a law enforcement agency would need to obtain a warrant, then the FBI or NSA will also need to obtain a warrant. Currently, this is not the case. Additionally, under H.R.6172, the FISA application process under Section 215 could not be used to obtain a person’s cell site location or GPS information. However, the FBI or NSA would still be able to use Title I of FISA to seek cell site location or GPS data for purposes of conducting electronic surveillance related to alleged foreign intelligence. The bill would require that prosecutors must inform defendants of the evidence derived from electronic surveillance unless doing so would harm national security.

Moreover, records obtained under Section 215 could be retained no longer than five years subject to a number of exceptions that may serve to make this limitation a dead letter. For example, if such records are deemed to have a “secret meaning” or are certified by the FBI as being vital to national security, then such records may be held longer than five years. Given the tendency of agencies to read their authority as broadly as possible and the past record of IC agencies, it is likely these authorities will be stretched as far as legally possible. It bears note that all restrictions are prospective, meaning that current, ongoing uses of Section 215 would be exempted. The business records provision would be extended until December 1, 2023 as are the other two expiring authorities that permit so-called roving wiretaps and allow for surveillance of so-called “lone wolves.”

For FISA applications under Title I (i.e. electronic surveillance), any agency seeking a FISA order to surveil will need to disclose to the FISA court any information that may call into question the accuracy of the application or any doubtful information. Moreover, certain FISA applications to surveil Americans or residents would need to spell out the proposed investigative techniques to the FISA court. Additionally, any FISA application targeting U.S. officials or candidates for federal office must be approved by the Attorney General in writing before it can be submitted. H.R.6172 would permit the suspension or removal of any federal official, employee, or contractor for misconduct before the FISA court and increases criminal liability for violating FISA from five to eight years. Most of these reforms seem aimed at those Members, many of whom are Republican, who were alarmed by the defects in the FISA surveillance process of Trump Campaign associate Carter Page as turned up by the Department of Justice’s Office of the Inspector General investigation. Some of these Members were opposed to the House Judiciary Committee’s initial bill, which they thought did not implement sufficient reforms to the larger FISA process.

Like the bill the House Judiciary Committee was to mark up, the “USA FREEDOM Reauthorization Act of 2020” would set a six-month deadline for the Director of National Intelligence to declassify significant FISA opinions, orders, and decisions. The bill also beefs up the adversarial procedures in the FISA process by expanding the circumstances under which amici curiae are appointed, and the ability of amici to bring FISA decisions before the FISA review court would also be expanded. Additionally, both FISA courts and the FISA review court would be empowered to seek outside legal counsel.

The Intelligence Committees would see their power increased to seek and obtain FISA applications in order to conduct oversight of the FISA process.

Finally, the powers of the Privacy and Civil Liberties Oversight Board (PCLOB) to oversee the FISA process would also be expanded. PCLOB would need to report on the extent to which FISA investigations are arising from protected First Amendment activities and from protected characteristics such as race, gender, sexual orientation, and others. There are broader PCLOB reforms that, for example, lengthen PCLOB members’ terms to six years and allow them to serve past the six-year mark until a successor is confirmed by the Senate, as is the case with many other agencies.

During floor debate on H.R. 6172, House Judiciary Committee Chair Jerrold Nadler (D-NY) explained “[i]t is by no means a perfect bill…[and] [t]here are many other changes to FISA that I would have liked to have seen here, but this bill includes very important reforms:

  • First and foremost, it ends the NSA’s Call Detail Records program, which began as part of a secret and unlawful surveillance project almost 20 years ago.
  • This bill also prohibits the use of Section 215 to acquire information that would otherwise require a warrant in the law enforcement context. Our understanding of the Fourth Amendment has come to recognize a privacy interest in our physical location, and this legislation provides new protections accordingly.
  • As the law continues to evolve, the public will see how the government applies these standards in the FISA court. This bill requires the government to disclose all significant opinions of the FISA court within 180 days.
  • The bill also requires a one-time historical review of all significant opinions issued by the court since its inception.

Nadler stated the bill was changed to address the concerns of stakeholders on the left and right:

  • To address the concerns of those who seek additional guarantees of privacy, we have added new retention limits, new reports to explain key legal issues, and an explicit prohibition on the use of Section 215 to obtain GPS and cell site location information.
  • Other Members asked us to address the deep structural flaws in FISA identified by the inspector general in the report issued late last year. We have done just that. Working with our Republican colleagues, we have mandated additional transparency in FISA applications, created additional scrutiny for cases that involve elected officials, and elevated the consequences for misrepresenting information to the FISA court.

Lofgren argued against passage of the bill:

  • I would like to quote from the American Civil Liberties Union letter received today. The American Civil Liberties Union strongly urges us to vote ‘‘no’’ on this bill. They say: ‘‘Over the last several years, it has been abundantly clear that many of our surveillance laws are broken.’’
  • But that, ‘‘disappointingly, the reforms contained in H.R. 6172 are minimal—in many cases merely representing a codification of the status quo. In addition,’’ the ACLU says, ‘‘the bill contains provisions that would be a step back from even our flawed current law.’’
  • The ACLU goes on to say that ‘‘the bill fails to require that individuals receive appropriate notice and access to information when FISA information is used against them,’’ that ‘‘the bill fails to fully address deficiencies with the FISA court that have led to illegal surveillance,’’ that ‘‘the bill fails to appropriately limit the types of information that can be collected under Section 215,’’ that ‘‘the bill fails to appropriately raise the standard for collecting information under Section 215,’’ and that ‘‘the bill fails to appropriately limit the retention of information collected under Section 215.’’

Federal Court Rules Against Suspicionless Searches At Border and In Airports

A U.S. District Court held that U.S. Customs and Border Protection’s (CBP) and U.S. Immigration and Customs Enforcement’s (ICE) current practices for searches of smartphones and computers at the U.S. border are unconstitutional and that the agencies must have reasonable suspicion before conducting such a search. However, the Court declined the plaintiffs’ request that the information taken off of their devices be expunged by the agencies. This ruling follows a Department of Homeland Security Office of the Inspector General (OIG) report that found CBP “did not always conduct searches of electronic devices at U.S. ports of entry according to its Standard Operating Procedures” and asserted that “[t]hese deficiencies in supervision, guidance, and equipment management, combined with a lack of performance measures, limit [CBP’s] ability to detect and deter illegal activities related to terrorism; national security; human, drug, and bulk cash smuggling; and child pornography.”

In terms of a legal backdrop, the United States Supreme Court has found that searches and seizures of electronic devices at borders and airports are subject to lesser legal standards than those conducted elsewhere in the U.S. under most circumstances. Generally, the government’s interest in securing the border against the flow of contraband and people not allowed to enter allows considerable leeway from the warrant requirements that govern many other types of searches. However, in recent years two federal appeals courts (the Fourth and Ninth Circuits) have held that searches of electronic devices require suspicion on the part of government agents while another appeals court (the Eleventh Circuit) held differently. Consequently, there is not a uniform legal standard for these searches.

The case was brought by the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) on behalf of 10 U.S. citizens and one legal permanent resident who had had their phones and computers searched by CBP or ICE agents upon entering the U.S., typically at airports. The ACLU argued these searches violated the Fourth Amendment because the agents did not obtain search warrants before conducting the searches of the devices for contraband. The plaintiffs further alleged the searches violated the First Amendment because “warrantless searches of travelers’ electronic devices unconstitutionally chill the exercise of speech and associational rights,” according to their complaint. The agencies claimed that such searches require neither a warrant nor probable cause and that the First Amendment claim held no water, a position a number of federal appeals courts have held.

The Court noted that

In January 2018, CBP updated its policy to distinguish between two different types of searches, “basic” and “advanced,” and to require reasonable suspicion or a national security concern for any advanced search, but no showing of cause for a basic search. Under this policy, an advanced search is defined as “any search in which an officer connects external equipment, through a wired or wireless connection, to an electronic device, not merely to gain access to the device, but to review, copy and/or analyze its contents.” The parameters of an advanced search are clearer given this definition than that adopted for a basic search, which is merely defined as “any border search that is not an advanced search.” CBP and ICE use the same definitions of basic and advanced searches and ICE policy also requires reasonable suspicion to perform an advanced search.

The Court stated that

Although the border search exception and the search incident to arrest exception are similar, narrow exceptions to the search warrant requirement, the Court recognizes the governmental interests are different at the border and holds that reasonable suspicion and not the heightened warrant requirement supported by probable cause that Plaintiffs seek here and as applied to the search in Riley is warranted here.

The Court added that

Moreover, the reasonable suspicion that is required for the currently defined basic search and advanced search is a showing of specific and articulable facts, considered with reasonable inferences drawn from those facts, that the electronic devices contains contraband. Although this may be “a close question” on which at least two Circuits disagree…the Court agrees that this formulation is consistent with the government’s interest in stopping contraband at the border and the long-standing distinction that the Supreme Court has made between the search for contraband, a paramount interest at the border, and the search of evidence of past or future crimes at the border, which is a general law enforcement interest not unique to the border.

The Court explained the relief the plaintiffs sought:

  • declaration that CBP and ICE’s policies violate the First and Fourth Amendment facially and have violated Plaintiffs’ First and Fourth Amendment rights by authorizing and conducting searches of electronic devices absent a warrant supported by probable cause, and
  • declarations that CBP and ICE’s policies violate the Fourth Amendment facially and have violated Plaintiffs’ Fourth Amendment rights by authorizing and conducting the confiscation of electronic devices absent probable cause.

The Court stated that this relief is granted to the extent that it is declaring “that the CBP and ICE policies for “basic” and “advanced” searches, as presently defined, violate the Fourth Amendment to the extent that the policies do not require reasonable suspicion that the devices contain contraband for both such classes of non-cursory searches and/or seizure of electronic devices; and that the non-cursory searches and/or seizures of Plaintiffs’ electronic devices, without such reasonable suspicion, violated the Fourth Amendment.”

However, the Court declined to institute the injunctive relief sought: a nationwide injunction preventing [CBP and ICE] from “searching electronic devices absent a warrant supported by probable cause that the devices contain contraband or evidence of a violation of immigration or customs laws”…“and b) an injunction preventing Defendants from confiscating electronic devices, with the intent to search the devices after the travelers leave the border, without probable cause and without promptly seeking a warrant for the search.” The Court asserted that briefing on the issues would be needed before such relief could be granted.