Further Reading, Other Developments, and Coming Events (22, 23, 24, and 25 February 2021)

Further Reading

  • The Long Hack: How China Exploited a U.S. Tech Supplier” By Jordan Robertson and Michael Riley — Bloomberg. This piece argues that the United States (U.S.) government knew of vulnerabilities in Super Micro Computer Inc.’s products used by the People’s Republic of China (PRC) but chose to keep them secret. This article follows an infamous 2018 Bloomberg BusinessWeek article alleging that Apple and Amazon had discovered malicious chips in Supermicro products, a claim all three and the U.S. vociferously denied. Allegedly the Federal Bureau of Investigation (FBI) has been investigating and monitoring in its counterintelligence capacity, mostly to learn what the PRC is capable of. U.S. security agencies warned some companies not to use Supermicro products, and some agencies, like the Department of Defense (DOD), instituted an ad hoc ban on the companies products in classified systems. Apparently, the PRC used three sophisticated means of penetrating Supermicro products, Moreover, in a May 2019 Securities and Exchange Commission (SEC) filing, Supermicro admitted:
    • We experienced unauthorized intrusions into our network between 2011 and 2018. None of these intrusions, individually or in the aggregate, has had a material adverse effect on our business, operations, or products. We have taken steps to enhance the security of our network and computer systems but, despite these efforts, we may experience future intrusions, which could adversely affect our business, operations, or products. In addition, our hardware and software or third party components and software that we utilize in our products may contain defects in design or manufacture, including “bugs” and other problems that could unexpectedly interfere with the operation or security of the products.
  • ‘A managerial Mephistopheles’: inside the mind of Jeff Bezos” By Mark O’Connell — The Guardian. This long read contemplates what Amazon giveth and what Amazon taketh away from the vantage of the now former CEO’s writings.
  • Anatomy of a conspiracy: With COVID, China took leading role” By Erika Kinetz — Associated Press. A detailed history on the People’s Republic of China’s extensive and effective propaganda campaign, much of it waged on social media, trying to pin COVID-19 on the United States.
  • “Mark Changed The Rules”: How Facebook Went Easy On Alex Jones And Other Right-Wing Figures” By Ryan Mac and Craig Silverman — BuzzFeed News. Another disquieting view into Facebook from BuzzFeed News. The reproters draw a straight line from CEO Mark Zuckerberg softening a ban on Alex Jones-related content to the insurrection on 6 January 2021. Moreover, as has been reported many times, Vice President Joel Kaplan’s influence has consistently made the platform much more lenient on conservative figures and content, including many extremists.
  • China Censors the Internet. So Why Doesn’t Russia?” By Anton Troianovski — The New York Times. Unlike the People’s Republic of China which never let the genie of a free and open internet out of the bottle, Russia is vainly trying to get the genie back in. The efforts of President Vladimir Putin and his government to crack down on speech it does not like online has mostly failed. But they are trying methods other than simply blocking the outside world that prove effective.
  • How Chrome, Firefox, and Safari are stopping supercookies” By Shubham Agarwal — Fast Company. As soon as browsers find ways to combat the abuse of abusive cookies, largely through their removal, the online advertising industry hatches a new way of tracking people across the internet: so-called super cookies that often cannot be removed from one’s device. However, the Mozillas of the world are making process in ways to defeat super cookies, which undoubtedly has already prompted the advertising industry to conjure new means of tracking people.
  • Facebook knew ad metrics were inflated, but ignored the problem, lawsuit claims” by Megan Graham — CNBC; “Facebook’s Sheryl Sandberg Knew About Inflated Ad-Reach Figures for Years, Lawsuit Claims” By Todd Spangler — Variety. A small business alleged in its latest filing in its lawsuit against Facebook that top executives, including Chief Operating Officer Sheryl Sandberg, knew the company was overestimating the potential reach of ads but still pitched wrong figures to potential ad buyers. This suit was filed in August 2018 in federal court in California and is seeking class action status. This is not the first time Facebook has been accused of inflating the number of people who may see an advertisement. Last year, Facebook settled claims it had “misled [advertisers] about viewer engagement of video ads by using inflated video-viewing metrics” by paying out $40 million. In its filing this month, the plaintiffs in the new suit argued:
    • Facebook knew for years its Potential Reach was inflated and misleading. While Facebook brushed aside Plaintiffs’ allegations here, years ago it admitted the VAB report –relied upon in Plaintiffs’ Complaint –“has the order of magnitude in inflation correct.” Facebook knew the problem was largely due to fake and duplicate accounts —but, the company made a “deliberate decision” not to remove duplicate or fake accounts from Potential Reach. And senior executives blocked employees from fixing the problem, because it believed the “revenue impact [would be] significant.”
    • Facebook knew it was wrong. As the product manager for Potential Reach put it: “it’s revenue we should have never made given the fact it’s based on wrong data.” Another employee stated “[t]he status quo in ad Reach estimation and reporting is deeply wrong.” The only question was, “[h]ow long can we get away with the reach overestimation.” After learning these facts, Plaintiffs amended their complaint to add claims for fraud and a request for punitive damages, because Facebook’s officers engaged in or ratified conduct despicable under California law.
  • Amazon’s Great Labor Awakening” By Erika Hayasaki — The New York Times. A comprehensive look at Amazon’s labor practices through the eyes of workers at a California facility, which they allege, with reason, are inhumane and anti-labor. For example, the company only started taking steps to combat COVID-19 at its facilities well after the beginning of the epidemic amidst negative publicity and unrest among its work force.
  • SolarWinds hackers studied Microsoft source code for authentication and email” By Joseph Menn — Reuters. More details about the Russian Federation’s hack of United States (U.S.) government agencies and private sector companies. Microsoft has revealed that not only did intruders view source code for a number of its products like Azure and Exchange, but they are now saying “there was additional access, including in some cases, downloading component source code.” Microsoft insists that none of its source code was used by hackers to attack agencies and companies while leaving open the possibility that some of its resellers may have been used thusly. I suspect this is not the last that will be heard about Microsoft’s security practices and their role in the hack. Incidentally, I highly recommend the 26 January episode of The Verge’s Decoder podcast with the author of this piece dedicated to the SVR hack.
  • Twenty-Six Words Created the Internet. What Will It Take to Save It?” By Stephen Engelberg — ProPublica. An interview with the lawyer and professor who wrote the history on 47 USC 230 (Section 230) that illuminates the policy backdrop and genesis of this now controversial provision. He makes the case that until stakeholders can arrive at a shared definition of the problems with Section 230, any fixes will likely be Frankenstein bills pieced together from conflicting legislation with an eye toward passage and not coherence.
  • Deepfake porn is ruining women’s lives. Now the law may finally ban it.” By Karen Hao — MIT Technology Review. As a Motherboard writer predicted in 2017, deepfake porn is now being used on non-celebrity women with devastating effects to their health, well-being, careers, and lives. Those seeking to solve this growing problem of women having their face or image inserted into pornography are trying to convince policymakers in the United Kingdom (UK), United States (U.S.), and Europe to ban such deepfake porn. A key legal forum is close to making recommendations to the British parliament while in the U.S. concerns about violating the free speech clause of the First Amendment has thus far precluded action. Only two U.S. states, California and Virginia, have provisions in their revenge porn laws that also ban faked and deepfake videos. This is a problem that is likely to only get worse, especially given the spotty compliance people get from platforms to remove abusive material generally.
  • Major camera company can sort people by race, alert police when it spots Uighurs” By Johana Bhuiyan — Los Angeles Times. A company from the People’s Republic of China (PRC), Dahua, has developed and marketed facial recognition technology that can identify and filter on the basis of race. Critics claim this is because the PRC government is using this capability to locate, track, and oppress the Uighur minority. This technology is available and used in the United States despite Dahua being on the Entity List which stops the company from buying most American products but does not stop U.S. entities from buying and using their services. There is a ban on using federal funds to buy Dahua’s services and products, but the article documents a California school district that spent hundreds of thousands of federally provided dollars on Dahua systems.
  • Google Kicks Location Data Broker That Sold Muslim Prayer App User Data” By Joseph Cox — Motherboard. Google told application developers to remove location data broker Predicio from their offerings or face removal from the Google Play Store. Predicio is part of the data ecosystem that funnels location data to Venntel, a company that contracts with law enforcement agencies to give them location data. Motherboard has already detailed how Venntel has sold location data to Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP). In December, both Google and Apple banned a Predicio rival, X-Mode, from their app stores, threatening developers with banishment if they used their software development kit (SDK).
  • Is This Beverly Hills Cop Playing Sublime’s ‘Santeria’ to Avoid Being Live-Streamed?” By Dexter Thomas — Motherboard. It appears some officers are trying to foil some people’s exercise of their First Amendment rights to record police interactions by playing copyrighted songs the rights holders. Once the video is posted or livestreamed, the rights holders may object causing the video to be taken down.
  • Fears over DNA privacy as 23andMe plans to go public in deal with Richard Branson” By Kari Paul — The Guardian. The firm that started out as a resource for people looking to research their heritage has transitioned to a company that can offer health care companies a library of DNA. And now 23andMe is teaming up with Richard Branson, giving rise to all sorts of privacy concerns about the DNA people have submitted to the company.
  • New state privacy initiatives turn up heat on Congress” By Rebecca Klar and Chris Mills Rodrigo — The Hill. Undoubtedly the central thrust of this piece is true: with Virginia on the verge of enacting privacy legislation with others thinking of doing the same, Congress feels more pressure to enact federal privacy legislation. However, there is no hint of the White House’s position on either of the two issues that have held up a bill: preemption of state privacy laws and whether people can sue for violations (aka a private right of action.) I have not seen much movement on those issues, and it may be that since most of the major stakeholders have largely been silent on privacy that there are serious talks happening away from the public view. I think it is more likely that higher priority items have taken the fore like the Biden Administration’s COVID-19 bill, and even in the tech space, there is much more heat around Section 230 than privacy. And, lest anyone forget data breach/data security was one of the hot topics about ten years ago as almost every state had a different statute, a seemingly untenable situation that never resulted in legislation. The status quo is the same today and somehow companies can do business.
  • Twitter Says It Won’t Block Journalists, Activists, And Politicians In India To Protect Free Speech” By Pranav Dixit — BuzzFeed News. A continuing free speech standoff in the world’s most populous democracy. In response to blocking orders issued by the Ministry of Electronics and Information Technology (MeitY), Twitter has decided to unblock some accounts it originally blocked. These accounts are those of “news media entities, journalists, activists, and politicians,” according to the company’s blog posting. However, the company is continuing to block some accounts inside India (with these accounts still presumably visible to the rest of the world) and is contemplating litigation (i.e., “exploring options under Indian law — both for Twitter and for the accounts that have been impacted.”) However, Twitter and its employees may be subjecting themselves to criminal liability, for the government in New Delhi could prosecute them for violating MeitY’s orders.
  • Instagram bans Robert F. Kennedy Jr. over false vaccine, Covid claims” By Minyvonne Burke — NBC News. The anti-vaccine activist has been removed from Instagram for “repeatedly sharing debunked claims about the coronavirus or vaccines” according to a Facebook spokesperson. A few days earlier Facebook had announced an expansion of “efforts to remove false claims on Facebook and Instagram about COVID-19, COVID-19 vaccines and vaccines in general during the pandemic.” Kennedy claimed he was not posting false information and his being banned is a blow to the First Amendment. Thus far, Facebook has left his page up, however. One wonders if the two feeds were so different as to warrant a ban on one but not the other.
  • A Clearview AI Patent Application Describes Facial Recognition For Dating, And Identifying Drug Users And Homeless People” By Caroline Haskins, Ryan Mac, and Brianna Sacks — BuzzFeed News. Even though Clearview AI has repeatedly said its facial recognition technology is intended only for law enforcement agencies, it filed a patent application last year with the United States government to enter the private sector in a number of markets. The patent application states “In many instances, it may be desirable for an individual to know more about a person that they meet, such as through business, dating, or other relationship,” which very much sounds like applications other than law enforcement purposes. Clearview AI CEO Hoan Ton-That  asserted “[w]e applied for a patent because we believe we have made significant innovations in the field of facial recognition, especially regarding accuracy and the use of our large-scale database of publicly available facial images.” He added “Clearview AI is currently only used by law enforcement for after-the-crime investigations,” which does not definitively rule out future applications beyond law enforcement.
  • There’s a Smarter Way to Make Tech Pay for News” By Will Oremus — OneZero. This piece provides an overview and critique of the various proposals other than Australia’s to help media in the social media age. Speaking of which, almost all the experts asked panned Australia’s law, saying it will most likely solidify the position of the incumbents in social media and in news media, an outcome not to be desired.

Other Developments

  • The National Institute of Standards and Technology (NIST) issued “the final NIST Interagency or Internal Report (NISTIR) 8323, Foundational PNT Profile: Applying the Cybersecurity Framework for the Responsible Use of Positioning, Navigation, and Timing (PNT) Services. NIST stated “[t]he national and economic security of the United States (US) is dependent upon the reliable functioning of the nation’s critical infrastructure.”
    • NIST explained:
      • The PNT Profile was created by applying the NIST Cybersecurity Framework (CSF) to help organizations:
        • Identify systems dependent on PNT 
        • Identify appropriate PNT sources
        • Detect disturbances and manipulation of PNT services
        • Manage the risk to these systems 
      • The PNT Profile provides a flexible framework for users of PNT services to manage risks when forming and using PNT signals and data, which are susceptible to disruptions and manipulations that can be natural, manufactured, intentional, and unintentional. It was created by applying the NIST Cybersecurity Framework (CSF) [NIST CSF] and can be applied to all organizations that use PNT services, irrespective of the level of familiarity or knowledge that they have with the CSF. Organizations that have fully or partially adopted, or who have not adopted the CSF can benefit.
      • The PNT Profile is voluntary and does not: issue regulations, define mandatory practices, provide a checklist for compliance, or carry statutory authority. It is intended to be a foundational set of guidelines. Sector-specific agencies (SSAs) and entities may wish to augment or further develop their own PNT cybersecurity efforts via full or partial implementation of the recommended practices in this document. Any implementation of its recommendations will not necessarily protect organizations from all PNT disruption or manipulation. Each organization is encouraged to make their risk management decisions in the context of their own cyber ecosystem, architecture, and components. The PNT Profile’s strategic focus is to supplement preexisting resilience measures and elevate the postures of less mature initiatives.
  • The European Parliament’s Panel for the Future of Science and Technology (STOA) issued a study it commissioned on the liability of online platforms. STOA explained “[g]iven the central role that online platforms (OPs) play in the digital economy, questions arise about their responsibility in relation to illegal/harmful content or products hosted in the frame of their operation.”
    • The researchers who drafted the study explained:
      • the study reviews the main legal/regulatory challenges associated with the operation of OPs and analyses the incentives for OPs, their users and third parties, to detect and remove illegal/harmful and dangerous material, content and/or products. To create a functional classification which can be used for regulatory purposes, it discusses the notion of OPs and attempts to categorise them under multiple criteria. The study then maps and critically assesses the whole range of OP liabilities, taking hard and soft law, self-regulation, as well as national legislation into consideration. To do so, the study distinguishes between liabilities connected with the activities performed or the content uploaded by OP users – from the liability exemptions established by the e-Commerce Directive, to the sectoral rules provided in media law, intellectual property (IP) law, product safety and product liability , protection of minors, hate speech, disinformation and voting manipulation, terrorist activities – and alternative sources of liability, such as OPs’ contractual liability towards users, both businesses and consumers, as well as that deriving from infringements of privacy and data protection law.
      • Finally, the study drafts policy options for an efficient EU liability regime: (i) maintaining the status quo; (ii) awareness-raising and media literacy; (iii) promoting self-regulation; (iv) establishing co-regulation mechanisms and tools; (v) adopting statutory legislation; (vi) modifying OPs’ secondary liability by employing two different models – (a) by clarifying the conditions for liability exemptions under e-Commerce Directive, or (b) by establishing a harmonised regime of liability.
  • The European Union Agency for Cybersecurity (ENISA) published “two reports on cryptography: one on the progress of post-quantum cryptography standardisation, and the other on exploring the technologies under the hood of crypto-assets.”
    • In “Post-Quantum Cryptography: Current state and quantum mitigation,” ENISA stated
      • Given the recent developments in the Quantum Computing race among industries and nation states, it seems prudent for Europe to start considering mitigation strategies now. The EU Cybersecurity Agency is not alone in this line of though. Other authorities and EU Institutions have also raised concerns; for in- stance, the European Data Protection Supervisor has highlighted the dangers against data protection, national authorities have been investigating and preparing; e.g., the German Federal Office for Information Security has been evaluating Post-Quantum alternatives since before the launch of NIST’s standardisation process.
      • This study provides an overview of the current state of play on the standardisation process of Post-Quantum Cryptography (PQC). It introduces a framework to analyse existing proposals, considering five (5) main families of PQC algorithms; viz. code-based, isogeny-based, hash-based, lattice-based and multivariate-based. It then goes on to describe the NIST Round 3 finalists for encryption and signature schemes, as well as the alternative candidate schemes. For which, key information on cryptodesign, implementation considerations, known cryptanalysis efforts, and advantages & disadvantage is provided.
      • Since the NIST standardisation process is going, the report makes no claim on the superiority of one proposal against another. In most cases the safest transition strategy involves waiting for national authorities to standardise PQC algorithms and provide a transition path. There might be cases thought were the quantum risk in not tolerated, in which case the last chapter offers 2 proposals that system owners can implement now in order to protect the confidentiality of their data against a quantum capable attacker; namely hybrid implementations that use a combination of pre-quantum and post-quantum schemes, and the mixing of preshared keys into all keys established via public-key cryptography. These solutions come at a cost and as such system designers are well advised to perform a thorough risk and cost-benefit analysis.
    • In “Crypto Assets: Introduction to Digital Currencies and Distributed Ledger Technologies,” ENISA asserted:
      • The European Commission on the 24th September 2020 adopted a comprehensive package of legislative proposals for the regulation of crypto-assets, updating relevant financial market rules, and is moving forward with a Pan-European blockchain regulatory sandbox facility to test innovative solutions and identify obstacles that arise in using Distributed Ledger Technnologies (DLTs) in the trading and post trading of securities. Crypto-assets may qualify as “financial instruments”, in which case they fall under the Markets in Financial Instruments Directive (e.g.: tokenised equities or tokenised bonds). But there are also types that do not qualify as “financial instruments”, such as utility tokens or payment tokens, generally referred to as digital currencies. Further, digital currencies when based on DLTs, like the Blockchain, are usually called cryptocurrencies; as opposed to centralized digital currencies.
      • These timely policy initiatives make evident that crypto-assets are a playground of not only technical, but also financial innovation that demands scrutiny in all its aspects. With this first introductory study focusing on the rise of cryptocurrencies & DLT, the European Union Agency for CyberSecurity is launching a series of information security studies in the area of crypto-assets to support policy-makers and raise awareness on the arising security and data protection.
      • The creation of BitCoin by Nakamoto [Nak08] in 2008 created a flurry of interest in so-called ‘digital currencies’. The basic ideas of a blockchain, a consensus mechanism, and operations on a public ledger have potentially wide application outside of the narrow confines of creating a digital currency.
      • The technological ideas behind such distributed ledger technologies go back to way before 2008, often to the 1970s. What digital ledger technologies do is bring various technical components such as digital signatures, cryptographic hash functions, Merkle-Trees, consensus mechanisms, zero-knowledge proofs, secret sharing, together into an interesting combination which can address a number of application needs.
      • However, the hype behind such technologies understandably also creates unrealistic expectations as to what problems the technology can solve. This has led to a common quote of ‘If you think your problem can be solved by blockchain, then you do not understand your problem’. This report aims to increase the under- standing of blockchain technologies. It aims to explain the underlying technical concepts and how they relate to each other. The goal is to explain the components, and illustrate their use by pointing to deployed instances where the ideas are utilized.
  • A United States (U.S.) appeals court reversed a lower court’s ruling that suspicionless searches could not be conducted at the U.S. border or at ports of entry. The United States Court of Appeals For the First Circuit (First Circuit) overturned a district court and hewed to rulings handed down by other circuits.
    • The First Circuit explained:
      • Plaintiffs bring a civil action seeking to enjoin current policies which govern searches of electronic devices at this country’s borders. They argue that these border search policies violate the Fourth and First Amendments both facially and as applied. The policies each allow border agents to perform “basic” searches of electronic devices without reasonable suspicion and “advanced” searches only with reasonable suspicion.
    • The First Circuit held:
      • In these cross-appeals we conclude that the challenged border search policies, both on their face and as applied to the two plaintiffs who were subject to these policies, are within permissible constitutional grounds. We find no violations of either the Fourth Amendment or the First Amendment. While this court apparently is the first circuit court to address these questions in a civil action, several of our sister circuits have addressed similar questions in criminal proceedings prosecuted by the United States. We join the Eleventh Circuit in holding that advanced searches of electronic devices at the border do not require a warrant or probable cause. United States v. Vergara, 884 F.3d 1309, 1311-12 (11th Cir. 2018). We also join the Ninth and Eleventh Circuits in holding that basic border searches of electronic devices are routine searches that may be performed without reasonable suspicion. United States v. Cano, 934 F.3d 1002, 1016 (9th Cir. 2019), petition for cert. filed (Jan. 29, 2021) (No. 20-1043); United States v. Touset, 890 F.3d 1227, 1233 (11th Cir. 2018). We also hold the district court erroneously narrowed the scope of permissible searches of such equipment at the border.
    • In November 2019, a U.S. District Court held that U.S. Customs and Border Protection (CPB) and U.S. Immigration and Customs Enforcement’s (ICE) current practices for searches of smartphones and computers at the U.S. border are unconstitutional and the agency must have reasonable suspicion before conducting such a search. However, the Court declined the plaintiffs’ request that the information taken off of their devices be expunged by the agencies. This ruling follows a Department of Homeland Security Office of the Inspector General (OIG) report that found CPB “did not always conduct searches of electronic devices at U.S. ports of entry according to its Standard Operating Procedures” and asserted that “[t]hese deficiencies in supervision, guidance, and equipment management, combined with a lack of performance measures, limit [CPB’s] ability to detect and deter illegal activities related to terrorism; national security; human, drug, and bulk cash smuggling; and child pornography.”
    • The case was brought by the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) on behalf of 10 U.S. citizens and one legal permanent resident who had had their phones and computers searched by CBP or ICE agents upon entering the U.S., typically at airports. The ACLU argued these searches violated the Fourth Amendment’s because the agents did not obtain search warrants before conducting the searches of the devices for contraband. The plaintiffs further alleged the searches violated the First Amendment because “warrantless searches of travelers’ electronic devices unconstitutionally chill the exercise of speech and associational rights” according to their complaint. The agencies claimed that such searches require neither a warrant nor probable cause and that the First Amendment claim held no water, a position a number of federal appeals courts have held.
  • The Cybersecurity and Infrastructure Security Agency (CISA) announced a six-month extension of the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force. CISA stated:
    • In December of last year, the Task Force released its Year 2 Report, which built off previous work completed in year one. It showcased the collective ongoing efforts of five working groups within the Task Force to address challenges to information sharing, threat analysis, qualified bidder and qualified manufacturer lists, vendor attestation, and impacts from COVID-19 on supply chains. 
    • The extension of the Task Force will allow working groups to continue their work as outlined in the Year 2 Report, to include the release of specific reports, including the latest Working Group 2 Threat Scenarios Report, as well as other upcoming working group products. It will also ensure both government and industry members can continue to collaborate on other ongoing public-private engagement efforts around supply chain and support the Federal Acquisition Security Council (FASC)
    • Over the next six months, through July 2021, the Task Force will continue to explore means for building partnerships with international partners, new sectors, and stakeholders who can help grow the applicability and utilization of Task Force. With the interconnectedness between the sectors and the scale of supply chain risks faced by both government and industry, private-public coordination is essential to enhance ICT supply chain resilience.
  • Representatives Suzan DelBene (D-WA) and John Katko (R-NY) reintroduced the “Internet of Things (IoT) Readiness Act” (H.R.981) “that would prepare the U.S. for the continued growth of IoT devices and devices that use 5G networks” per their press release. DelBene and Katko asserted:
    • IoT devices, ranging from fitness watches to sensors that monitor traffic, require significant spectrum capacity so that information, such as time, location, and temperature, can be transmitted to and from other devices. Spectrum is a limited resource and if the available capacity cannot accommodate all the devices in the same vicinity, the signals will interfere with each other and cause them to fail.
    • The IoT Readiness Act directs the Federal Communications Commission (FCC) to collect and provide Congress with the data needed to be prepared for the continued growth of these devices and their connectivity needs.
    • As a recent example, after the introduction of smartphones over the last decade, the number of devices that could access the internet increased dramatically. Cellular networks became overwhelmed, and the FCC had to go through the lengthy and burdensome process of reallocating spectrum. Now, IoT devices are facing the same problem.
    • In 2015, a family of four had an average of 10 IoT devices connected to the internet. The Organization for Economic Co-operation and Development estimates that that average will increase to 50 devices per family by 2022.
  • At a White House press conference, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger made remarks on the Biden Administration’s investigation of and response to the Russian Federation’s massive hack through SolarWinds and likely other entities. Neuberger revealed that the administration is working on an executive order as part of its response without laying out a timeline. She also said the Biden Administration aspires to “modernize” federal defenses without discussing possible costs or ramifications for current programs and authorities. Neuberger remarked:
    • As of today, 9 federal agencies and about 100 private sector companies were compromised.  As you know, roughly 18,000 entities downloaded the malicious update.  So the scale of potential access far exceeded the number of known compromises.  Many of the private sector compromises are technology companies, including networks of companies whose products could be used to launch additional intrusions. 
    • what are we going to do about it?  Three things: First, finding and expelling the adversary.  Second, building back better to modernize federal defenses and reduce the risk of this happening again.  And finally, potential response options to the perpetrators. 
    • So, first, finding and expelling the adversary.  We’re coordinating the interagency response from the National Security Council.  I was on the Hill last week, had Hill discussions this week, and will be on the Hill next week, as well.  We’re working closely with daily conversations with our private sector partners.  They have visibility and technology that is key to understanding the scope and scale of compromise.  There are legal barriers and disincentives to the private sector sharing information with the government.  That is something we need to overcome. 
    • And then, finally, this is challenging.  This is a sophisticated actor who did their best to hide their tracks.  We believe it took them months to plan and execute this compromise.  It’ll take us some time to uncover this, layer by layer. 
    • Second, building back better to modernize federal defenses.  We’re absolutely committed to reducing the risk this happens again.  If you can’t see a network, you can’t defend a network.  And federal networks’ cybersecurity need investment and more of an integrated approach to detect and block such threats. 
    • We’re also working on close to about a dozen things — likely eight will pass — that will be part of an upcoming executive action to address the gaps we’ve identified in our review of this incident. 
    • And, finally, in terms of response to the perpetrator, discussions are underway.  I know some of you will want to know what kind of options are being contemplated.  What I will share with you is how I frame this in my own mind.  This isn’t the only case of malicious cyber activity of likely Russian origin, either for us or for our allies and partners.  So as we contemplate future response options, we’re considering holistically what those activities were. 
  • The Chamber of Commerce of the United States of America, Internet Association, NetChoice, and the Computer & Communications Industry Association sued to stop implementation of the “Taxation – Tobacco Tax, Sales and Use Tax, and Digital Advertising Gross Revenues Tax” (HB0732) that would impose a tax on digital advertising in the state, the first such tax in the United States (U.S.) The plaintiffs argued:
    • Although the Act is styled as a tax, several features confirm its punitive character, including its severity (up to 10% of gross revenues), its focus on extraterritorial conduct, the segregation of its proceeds from the State’s general fund, and the legislative history leading to its enactment. Among other things, the legislative history shows that lawmakers believe that the charge cannot be passed to consumers, and that the targets of the law, and they alone, will bear the burden of the assessment. A pass-through prohibition recently introduced in the Maryland Senate would lock in that understanding; if adopted into law, it would expressly prohibit the targets of the charge from passing it on to advertisers as a line item.
    • The Act is unlawful in several ways. First, it is preempted by the Internet Tax Freedom Act (ITFA), which prohibits States from imposing “multiple and discriminatory taxes on electronic commerce.” 47 U.S.C. § 151 note. Second, the Act violates the Due Process Clause and Commerce Clause of the United States Constitution by burdening and penalizing purely out-of- state conduct and interfering with foreign affairs.
    • The plaintiffs are seeking a declaration that the law is illegal and an injunction barring its enforcement.
  • The “Consumer Data Protection Act” (SB 1392) passed both the Virginia General Assembly and Virginia Senate by large margins, sending the bill to Governor Ralph Northam (D). This bill is one of the weaker privacy bills within sight of enactment. It would permit many of the same data collection and processing activities currently occurring in Virginia to continue largely in the same fashion in 2023. The bill uses the opt out consent model but only in limited circumstances, for if entities disclose how they propose to process personal information, there limited cases in which people could opt out. There is no private right of action, and the attorney general would have to give entities a 30 day window to cure any potential violations and would be barred from proceeding if his office receives an express written statement that the violations have been cured. (see here for more analysis.)
  • The United States (U.S.) Department of Justice (DOJ) unsealed a federal indictment against “three North Korean computer programmers with participating in a wide-ranging criminal conspiracy to conduct a series of destructive cyberattacks, to steal and extort more than $1.3 billion of money and cryptocurrency from financial institutions and companies, to create and deploy multiple malicious cryptocurrency applications, and to develop and fraudulently market a blockchain platform” per the DOJ’s press release. The DOJ stated:
    • The hacking indictment filed in the U.S. District Court in Los Angeles alleges that Jon Chang Hyok (전창혁), 31; Kim Il (김일), 27; and Park Jin Hyok (박진혁), 36, were members of units of the Reconnaissance General Bureau (RGB), a military intelligence agency of the Democratic People’s Republic of Korea (DPRK), which engaged in criminal hacking. These North Korean military hacking units are known by multiple names in the cybersecurity community, including Lazarus Group and Advanced Persistent Threat 38 (APT38). Park was previously charged in a criminal complaint unsealed in September 2018. 
    • The indictment alleges a broad array of criminal cyber activities undertaken by the conspiracy, in the United States and abroad, for revenge or financial gain. The schemes alleged include:
      • Cyberattacks on the Entertainment Industry: The destructive cyberattack on Sony Pictures Entertainment in November 2014 in retaliation for “The Interview,” a movie that depicted a fictional assassination of the DPRK’s leader; the December 2014 targeting of AMC Theatres, which was scheduled to show the film; and a 2015 intrusion into Mammoth Screen, which was producing a fictional series involving a British nuclear scientist taken prisoner in DPRK.
      • Cyber-Enabled Heists from Banks: Attempts from 2015 through 2019 to steal more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and Africa by hacking the banks’ computer networks and sending fraudulent Society for Worldwide Interbank Financial Telecommunication (SWIFT) messages.
      • Cyber-Enabled ATM Cash-Out Thefts: Thefts through ATM cash-out schemes – referred to by the U.S. government as “FASTCash” – including the October 2018 theft of $6.1 million from BankIslami Pakistan Limited (BankIslami).
      • Ransomware and Cyber-Enabled Extortion: Creation of the destructive WannaCry 2.0 ransomware in May 2017, and the extortion and attempted extortion of victim companies from 2017 through 2020 involving the theft of sensitive data and deployment of other ransomware.
      • Creation and Deployment of Malicious Cryptocurrency Applications: Development of multiple malicious cryptocurrency applications from March 2018 through at least September 2020 – including Celas Trade Pro, WorldBit-Bot, iCryptoFx, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale – which would provide the North Korean hackers a backdoor into the victims’ computers.
      • Targeting of Cryptocurrency Companies and Theft of Cryptocurrency: Targeting of hundreds of cryptocurrency companies and the theft of tens of millions of dollars’ worth of cryptocurrency, including $75 million from a Slovenian cryptocurrency company in December 2017; $24.9 million from an Indonesian cryptocurrency company in September 2018; and $11.8 million from a financial services company in New York in August 2020 in which the hackers used the malicious CryptoNeuro Trader application as a backdoor.
      • Spear-Phishing Campaigns: Multiple spear-phishing campaigns from March 2016 through February 2020 that targeted employees of United States cleared defense contractors, energy companies, aerospace companies, technology companies, the U.S.Department of State, and the U.S. Department of Defense.
      • Marine Chain Token and Initial Coin Offering: Development and marketing in 2017 and 2018 of the Marine Chain Token to enable investors to purchase fractional ownership interests in marine shipping vessels, supported by a blockchain, which would allow the DPRK to secretly obtain funds from investors, control interests in marine shipping vessels, and evade U.S. sanctions.
      • According to the allegations contained in the hacking indictment, which was filed on Dec. 8, 2020, in the U.S. District Court in Los Angeles and unsealed today, the three defendants were members of units of the RGB who were at times stationed by the North Korean government in other countries, including China and Russia. While these defendants were part of RGB units that have been referred to by cybersecurity researchers as Lazarus Group and APT38, the indictment alleges that these groups engaged in a single conspiracy to cause damage, steal data and money, and otherwise further the strategic and financial interests of the DPRK government and its leader, Kim Jong Un.
  • The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of the Treasury (Treasury) issued “a joint cybersecurity advisory about North Korean government malicious activity the U.S. government refers to as “AppleJeus”…[that] highlights technical details on this specific threat activity, mitigations for networks compromised by it, and recommended proactive mitigations for defense against it.” The agencies added:
    • The joint advisory provides technical details on seven versions of the AppleJeus malware, which has been used by North Korea posing as cryptocurrency trading platforms since at least 2018. In most instances, the malicious application—seen on both Windows and Mac operating systems—appears to be from a legitimate cryptocurrency trading company, thus fooling individuals into downloading it as a third-party application from a website that seems legitimate. 
    • Working closely with our interagency and international partners, the FBI, CISA and Treasury share timely cyber threat information with the intent to disrupt malicious cyber activity and help our partners protect their networks. Today’s advisory along with seven malware analysis reports adds to a still growing list of malicious cyber activity by North Korean state actors. Four of the seven versions of AppleJeus malware were identified in 2020 and reveal a determination by this group to evolve and continue this scheme. A complete list of their activity and important mitigation recommendations, can be found here.   
    • Organizations, specifically those in the financial services sector, should give this activity the highest priority for assessing their networks and implementing appropriate mitigation. You can read the joint cybersecurity advisory here and the seven malware analysis reports here.
  • Epic Games and plaintiffs agreed to a settlement in a class action suit, alleging the company was engaged in predatory practices through the sale of random loot boxes to users. In a statement, the company and the plaintiffs’ attorneys announced over $78 million in relief for the litigants. Specifically, they asserted:
    • A class action settlement with Epic Games, Inc. (“Defendant” or “Epic Games”) has been reached. Under the Settlement, all U.S. players of Fortnite: Save the World and Rocket League who bought a random item loot box in either game before Epic Games discontinued random loot boxes will receive certain benefits immediately and automatically. The Settlement also provides up to $26.5 million in cash and other benefits to U.S.-based Fortnite and Rocket League players to resolve claims arising from players’ purchases of Fortnite and Rocket League in-game items. The case is Zanca, et al. v. Epic Games, Inc., Case No. 21-CVS-534, currently pending in the Superior Court of Wake County, North Carolina before the Honorable Keith Gregory, General Court of Justice, Superior Court Division (the “Action”). The proposed Settlement is not an admission of wrongdoing by Epic Games, and it denies that it violated the law. The Court has not decided who is right or wrong. Rather, to avoid the time, expense, and uncertainty of litigation, the Parties have agreed to settle the lawsuit. The Court has granted preliminary approval of the Settlement and has conditionally certified the Settlement Class for purposes of settlement only.
    • Settlement Class means all persons in the United States who, at any time between July 1, 2015, and the date of Preliminary Approval, had a Fortnite or Rocket League account that they used to play either game on any device and in any mode, and (a) exchanged in game virtual currency for any in-game benefit, or (b) made a purchase of virtual currency or other in-game benefit for use within Fortnite or Rocket League.
    • As part of the Settlement, Epic Games will automatically add 1,000 Fortnite V-Bucks to each Fortnite: Save the World account that was used to acquire a random-item “Loot Llama” loot box, and 1,000 Rocket League Credits to each Rocket League account that was used to acquire a random item “Crate” loot box. Additionally, you may submit a Claim Form to receive your choice of a cash benefit or additional V-Bucks/Credits, as set forth in more detail in this website and in the Settlement Agreement.
  • At the 2021 Virtual Munich Security Conference, United States (U.S.) President Joe Biden renewed the U.S. commitment to the North Atlantic Treaty Organization (NATO), its long time European allies, and multilateralism in a reversal of policy from the Trump Administration. He endorsed efforts to craft cyberspace norms of behavior and called upon the nations of NATO to join the U.S. in fighting against the authoritarianism of the People’s Republic of China (PRC) and the Russian Federation. Biden declared:
    • America is back.  The transatlantic alliance is back.  And we are not looking backward; we are looking forward, together. 
    • It comes down to this: The transatlantic alliance is a strong foundation — the strong foundation — on which our collective security and our shared prosperity are built.  The partnership between Europe and the United States, in my view, is and must remain the cornerstone of all that we hope to accomplish in the 21st century, just as we did in the 20th century.
    • With respect to the broad foreign policy strokes his administration will pursue, Biden stated:
      • we must prepare together for a long-term strategic competition with China.  How the United States, Europe, and Asia work together to secure the peace and defend our shared values and advance our prosperity across the Pacific will be among the most consequential efforts we undertake.  Competition with China is going to be stiff.  That’s what I expect, and that’s what I welcome, because I believe in the global system Europe and the United States, together with our allies in the Indo-Pacific, worked so hard to build over the last 70 years. 
      • We can own the race for the future.  But to do so, we have to be clear-eyed about the historic investments and partnerships that this will require.  We have to protect — we have to protect for space for innovation, for intellectual property, and the creative genius that thrives with the free exchange of ideas in open, democratic societies.  We have to ensure that the benefits of growth are shared broadly and equitably, not just by a few. 
      • We have to push back against the Chinese government’s economic abuses and coercion that undercut the foundations of the international economic system.  Everyone — everyone — must play by the same rules. 
      • U.S. and European companies are required to publicly disclose corporate governance — to corporate governance structures and abide by rules to deter corruption and monopolistic practices.  Chinese companies should be held to the same standard. 
      • We must shape the rules that will govern the advance of technology and the norms of behavior in cyberspace, artificial intelligence, biotechnology so that they are used to lift people up, not used to pin them down.  We must stand up for the democratic values that make it possible for us to accomplish any of this, pushing back against those who would monopolize and normalize repression. 
      • You know, this is also — this is also how we’re going to be able to meet the threat from Russia.  The Kremlin attacks our democracies and weaponizes corruption to try to undermine our system of governance.  Russian leaders want people to think that our system is more corrupt or as corrupt as theirs.  But the world knows that isn’t true, including Russians — Russia’s own citizens. 
  • Secretary of Homeland Security Alejandro Mayorkas issued a statement titled “DHS Announces Steps to Advance President’s Commitment to Elevate Cybersecurity,” in which he announced “DHS will lead efforts to mitigate risks to the United States, further strengthen its partnerships with the private sector, and expand its investment in the infrastructure and people required to defend against malicious cyber attacks as part of a whole-of-government effort.” However, the statement was mostly a recitation of programs and efforts that largely pre-date the Biden Administration. However, Mayorkas stated:
    • This week, Secretary Mayorkas will increase the required minimum spend on cybersecurity through FEMA grant awards. To accelerate critical improvements in state and local cybersecurity, CISA will urgently evaluate and implement additional capabilities including potential new grant programs that will enable critical security investments. This is important: the nation’s cybersecurity is only as strong as its weakest link.
  • The United States (U.S.) Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) named three new Biden Administration appointees for “leadership roles:” “Nitin Natarajan has joined CISA as its Deputy Director, Eric Goldstein as Executive Assistant Director for Cybersecurity, and Dr. David Mussington as Executive Assistant Director for Infrastructure Security.” However, no names have been floated to head CISA, and nor, for that matter, have any been circulated as the White House’s choice to be the first National Cyber Director, a position established in the “William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021” (P.L. 116-283) on the basis of a recommendation by the Cyberspace Solarium Commission (CSC).
    • CISA provided biographical sketches:
      • Deputy Director Natarajan led a practice at an international consulting firm focused on health security and provided subject matter expertise on continuity of operations, environmental emergency management, public health, and homeland security matters. He also held a number of roles in federal government, focused on critical infrastructure resilience.  Deputy Director Natarajan started his career as a first responder in New York including service as a flight paramedic.
      • In addition to serving on the Agency Review Team, Executive Assistant Director Goldstein was previously the Head of Cybersecurity Policy, Strategy, and Regulation at Goldman Sachs, where he led a global team to improve and mature the firm’s cybersecurity risk management program.  He served at CISA’s precursor agency, the National Protection and Programs Directorate, in various roles from 2013 to 2017.
      • Executive Assistant Director Mussington is an internationally known expert in critical infrastructure protection and cybersecurity – leading projects and program analyses for US federal agencies, states, and internationally for institutions in Canada, Europe, and the United Kingdom.  In an over two-decade career, he has played a variety of roles in both the public and private sectors.  His research and teaching activities have focused on cyber physical system risk management, election cybersecurity, and critical infrastructure security risk management.
  • The United Kingdom’s (UK) Supreme Court ruled against Uber in its appeal of a lower court’s finding that people driving for the company are to be considered workers and must have the rights afforded to workers in the UK. In its judgment, the court stated:
    • New ways of working organised through digital platforms pose pressing questions about the employment status of the people who do the work involved. The central question on this appeal is whether an employment tribunal was entitled to find that drivers whose work is arranged through Uber’s smartphone application (“the Uber app”) work for Uber under workers’ contracts and so qualify for the national minimum wage, paid annual leave and other workers’ rights; or whether, as Uber contends, the drivers do not have these rights because they work for themselves as independent contractors, performing services under contracts made with passengers through Uber as their booking agent. If drivers work for Uber under workers’ contracts, a secondary question arises as to whether the employment tribunal was also entitled to find that the drivers who have brought the present claims were working under such contracts whenever they were logged into the Uber app within the territory in which they were licensed to operate and ready and willing to accept trips; or whether, as Uber argues, they were working only when driving passengers to their destinations.
    • For the reasons given in this judgment, I would affirm the conclusion of the Employment Appeal Tribunal and the majority of the Court of Appeal that the employment tribunal was entitled to decide both questions in the claimants’ favour.
  • The Election Assistance Commission (EAC) adopted Voluntary Voting System Guidelines (VVSG) 2.0, which it characterized in its press release as “a major step toward improving the manufacturing and testing of voting machines.” The EAC asserted:
    • The VVSG 2.0 represents a significant advancement in defining standards that will serve as the cornerstone of the next generation of voting systems. It lays the groundwork for 21st century voting systems that are desperately needed with improved cybersecurity, accessibility, and usability requirements. The VVSG 2.0 also supports various audit methods supporting software independence to confirm the accuracy of the vote and increase voter confidence. With its adoption, manufacturers are empowered to begin designing and building voting machines according to these new guidelines.
    • Despite the requirements being voluntary, at least 38 states use the standards in some way making today’s vote on advancing of the next version of VVSG very important. This is the most significant update of the federal standards for voting technology since VVSG 1.0 was adopted in 2005.
    • The major updates included in the VVSG 2.0 are the following:
      • Improved cybersecurity requirements to secure voting and election management systems associated with the administration of elections.
        • Software independence
        • Requires systems to be air-gapped from other networks and disallows the use of wireless technologies
        • Physical security
        • Multi-factor authentication
        • System integrity
        • Data protection
      • Interoperability
        • Ensures devices are capable of importing and exporting data in common data formats
        • Requires manufacturers to provide complete specifications of how the format is implemented
        • Requires that encoded data uses a publicly available method
  • The Estonian Foreign Intelligence Service has released its annual security report, titled “International Security and Estonia 2021,” which focused, in some part, on the Russian Federation and the People’s Republic of China’s cyber and influence operations. The agency asserted:
    • Russia continues to be the primary security threat to Western democracies also in cyberspace. In addition to espionage, Russian special services are actively using cyberspace in their influence operations to create divisions in Western societies, transnational relations and NATO.
    • Cyber operations originating in Russia and the abuse of cyberspace for the purpose of influencing will very likely continue in 2021. These are effective, inexpensive and well-established measures for the Russian services. Moreover, influence operations can be a way to achieve long-term effects without always requiring intervention in the target country’s domestic politics.
    • The Chinese propaganda machine uses Western information channels to spread its narrative. Since the coronavirus pandemic outbreak, the amount of biased and fake news produced in China has increased, and its content has become more aggressive.
    • Tactically, China follows Russia’s example in spreading propaganda and disinformation. However, this points more to conformity resulting from shared objectives rather than any coordinated cooperation, as do the good relations between Chinese and Russian representatives on social media and the sharing of each other’s posts . At present, China does not use disinformation as actively and as professionally as Russia, but it is likely that it will expand and intensify its activities in this area in the near future. China’s influence operations aim to weaken Europe’s open society by promoting its own propaganda messages.
    • China’s ambition to become the world leader in technology poses major security threats.
    • Following Xi Jinping’s strategic guide-lines, China is devoting all its resources to technological development to become a world leader in the field and make other countries dependent on Chinese technology . China faces sanctions and obstacles, which is giving rise to the sinicisation of its technology – increasing reliance on domestic producers. If Chinese technology becomes entirely domestic, the technology and software’s working principles will be even more opaque than before.
    • Cyber espionage has also been one of China’s traditional means of getting hold of foreign high technology. To justify its actions, China is ostensibly working to break the Western monopoly and considers it acceptable to use any means necessary to achieve this .
  • The Government Accountability Office (GAO) issued a response to a request “to review [the Department of] State’s efforts to advance U.S. interests in cyberspace.” The GAO stated that “[t]his report examines the extent to which State used data and evidence to develop and justify its proposal to establish [the] Bureau of Cyberspace Security and Emerging Technologies (CSET).” House Foreign Affairs Committee Chair Gregory Meeks (D-NY) and Ranking Member Michael McCaul (R-TX) had requested that the GAO investigate the Trump Administration’s Department of State decision to stand up the CSET in the face of criticism from Members on both sides of the aisle. The Trump Administration was subjected to criticism for allegedly downgrading the United States’ (U.S.) cyber diplomacy capabilities and legislation was introduced to essentially reverse the decision (i.e., the “Cyber Diplomacy Act of 2019” (H.R.739) in the last Congress.) The GAO concluded:
    • The United States faces expanding cyber threats and the challenge of building international consensus on standards for acceptable state behavior in cyberspace. In leading federal efforts to advance U.S. interests in cyberspace, State has notified Congress of its proposal to establish a new bureau focused on cyberspace security and the security aspects of emerging technologies. State, however, has not demonstrated that it used data and evidence to support its proposal, particularly for the bureau’s focus and organizational placement. Without developing evidence to support its proposal for the new bureau, State lacks needed assurance that the proposal will effectively set priorities and allocate appropriate resources for the bureau to achieve its intended goals.
    • The GAO recommended:
      • The Secretary of State should ensure that State uses data and evidence to justify its current proposal, or any new proposal, to establish the Bureau of Cyberspace Security and Emerging Technologies to enable the bureau to effectively set priorities and allocate resources to achieve its goals.
  • Acting Federal Trade Commission (FTC) Chair Rebecca Kelly Slaughter made remarks at a recent conference that maps out her enforcement priorities and how she wants FTC staff to be investigating and charging cases. Notably, she said she will be pressing to ensure that all possible offenses are charged, the agency should litigate if entities will not settle in ways that will make consumers whole, and that certain types of relief are pursued such as forcing companies that violate the FTC Act erase all their ill-gotten data and algorithms. Specifically, Kelly Slaughter stated:
    • I’ve supported many of the Commission’s privacy and security cases, like Equifax and TikTok, but for those of you who have followed the FTC’s privacy and security work closely, you’ll know that I dissented in cases like Facebook, YouTube, and Zoom. When I dissented, in most instances it was because I believed that the Commission should have obtained stronger relief for consumers, including by pursuing litigation if we were unable to negotiate sufficient relief in settlement.
    • Two types of relief I want us to seek and believe we can achieve are meaningful disgorgement and effective consumer notice. The Commission achieved an innovative disgorgement remedy in the settlement with photo app Everalbum announced last month. In that case, we alleged that the company violated its promises about the circumstances under which it would use facial recognition technology. As part of the settlement, the Commission required the company to delete facial recognition models or algorithms developed with users’ photos or videos.
    • We routinely obtain disgorgement of ill-gotten monetary gains when consumers pay for a product that is marketed deceptively. Everalbum shows how we can apply this principle to privacy cases where companies collect and use consumers’ data in unlawful ways: we should require violators to disgorge not only the ill-gotten data, but also the benefits—here, the algorithms—generated from that data.
    • A good example of effective notice is the Commission’s recent fem-tech case involving the Flo menstruation and fertility app. We alleged that Flo violated its promises not to share consumers’ sensitive information to third parties by sharing the information with Facebook, Google, and others. An important remedy the Commission achieved in this case was to require the company to notify consumers of its false promises.
    • Notice lets consumers “vote with their feet” and helps them better decide whether to recommend the service to others. Finally, and crucially, notice accords consumers the dignity of knowing what happened. There’s a fundamental equity issue here: many people—including those who most need to know—won’t hear about the FTC’s action against a company they deal with unless the company tells them. So, I’ll be pushing staff to include provisions requiring notice in privacy and data security orders as a matter of course.
    • The other lesson we can take from Flo is the need to fully plead all law violations. As I mentioned in my joint statement with Commissioner Chopra on that case, I believe we also should have applied the Health Breach Notification Rule to those facts and I’m glad we are conducting a review of this Rule, which requires that vendors of personal health records notify consumers of breaches. In other cases, I have argued that we should have included unfairness counts. In all of our cases, I want to make sure that we are analyzing all of the relevant laws and pleading all the violations that are applicable.
    • Finally, I think we need to think carefully about the overlap between our work in data privacy and in competition. Many of the largest players in digital markets are as powerful as they are because of the breadth of their access to and control over consumer data. The FTC has a structural advantage over our counterparts in other jurisdictions that focus exclusively on antitrust or on data protection. Our dual missions can and should be complementary, and we need to make sure we are looking with both privacy and competition lenses at problems that arise in digital markets.
  • In making remarks before a business organization, the Cybersecurity and Infrastructure Security Agency (CISA) Acting Director Brandon Wales unveiled “the agency’s first-ever international strategy, CISA Global.” In the document’s, cover letter, Wales explained:
    • CISA Global outlines our approach to how CISA will work with international partners to fulfill our responsibilities, execute our work, and create unity
      of effort within our mission areas. This strategy presents the global vision and international operational priorities of the CISA Director, consistent with CISA’s international authorities as outlined in the Homeland Security Act of 2002; Department of Homeland Security’s Strategic Plan for FY 2020-2024; EO 13800 Report, DHS International Cybersecurity Priorities; and the CISA Strategic Intent. This overarching strategy provides an approach for how CISA will execute its responsibilities and serves as a reference point to guide our work and create unity of effort.
    • In CISA’s press release, the agency stated “[t]he strategy describes CISA’s international vision and identifies four goals:
      • Advancing operational cooperation;
      • Building partner capacity;
      • Strengthening collaboration through stakeholder engagement and outreach; and
      • Shaping the global policy ecosystem.
    • In CISA Global, CISA expanded upon each of the four goals:
      • Given the increasing interconnectedness of our networks, the interdependencies among critical infrastructure sectors, and cross- border data flows, operational cooperation with foreign counterparts is a key tool in collaborating to prevent, detect, deter, and mitigate threats and hazards effectively. Operational cooperation, for the purposes of this document, can be defined as engagement with international partners that is characterized by mutually beneficial information sharing that informs and enhances our relationships. Through such international operational cooperation, CISA can improve its collective situational awareness, and is able foster innovative approaches for responding to and mitigating threats and hazards to critical infrastructure and cybersecurity. Developing CISA’s partnerships into trusted relationships will enable critical operational information sharing that can improve communications capabilities, foster an environment for joint operations, and support resilience efforts – whether that be by sharing operational best practices, working on joint exercises, addressing threat information and related mitigation advice, or collaborating in a fashion so as to align security and defense efforts with like-minded partners. Ultimately, CISA seeks to mature our partnerships to establish an attaché program and to deploy personnel overseas to effectively execute CISA’s mission.
      • Liaise with and support international partners in developing their own capacity to effectively detect threats, assess impact potential, and take appropriate response actions to mitigate risk that enable cooperation with and increase benefits for CISA divisions. The global implications of all threats and hazards — especially those stemming from the cyber-physical nexus — actuates CISA to assist countries in building their own competency in managing risk, strengthen security and resilience, and address current and emerging risks. Enhancing other countries’ organic capabilities simultaneously enables CISA to comprehensively protect the Homeland, to bolster international security, and to promote global societal resilience. Sharing lessons learned, best practices, and information sharing while leveraging the technology, research, and capacities of other nations will be the cornerstone of this effort while working with Department of State.
      • The CISA international mission depends upon strategic stakeholder engagement to establish a vast, diverse, and robust network of public and private stakeholders and experts in order to promote a collective effort towards protecting critical infrastructure and strengthening the global cyber posture. CISA aims to build and to mature partnerships internationally to create channels of communication that facilitate the exchange of information, best practices, ideas, and lessons-learned as well as to remain timely and relevant on ongoing global efforts to address common issues. Through stakeholder engagement and outreach, CISA is not only able to raise awareness to a broader audience but is also able to maintain a platform amenable to U.S. initiatives and priorities.
      • CISA will ensure that its overall mission and objectives are supported and reflected in a manner consistent with CISA’s authorities and U.S. policy goals while shaping the legal environment and effectively driving research and development. By advancing domestic initiatives and promoting national models at the international level, CISA will lead global efforts to support common approaches to shared challenges in securing critical infrastructure and cyberspace. Through cooperation with the Department and the interagency, CISA will guide overall U.S. government efforts to work bilaterally, regionally and multilaterally with foreign counterparts to promote the adoption of standards, regulations and policies that support a homeland and global community that is safe, secure and resilient to threats and hazards.
  • Senate Finance Committee Chair Ron Wyden (D-OR), Senator Kirsten Gillibrand (D-NY), Senate Banking Committee Chair Sherrod Brown (D-OH), Senator Mazie Hirono (D-HI), and Representative Anna Eshoo (D-CA) reintroduced the “Invest in Child Safety Act” (S.223/H.R.807), legislation that claimed in their press release would “confront online child exploitation and reverse a decade of underfunding key enforcement and prevention efforts.” There is a messaging angle of this bill in that it implicitly proposes a different route to combatting online child sexual abuse material apart from modifying 47 U.S.C. 230 (aka Section 230.) The sponsors released bill text and a one page summary. They stated:
    • The Invest in Child Safety Act would direct $5 billion in mandatory funding to investigate and target the predators and abusers who create and share child sexual abuse material online. It also directs substantial new funding for community-based efforts to prevent children from becoming victims in the first place. And it would create a new White House office to coordinate efforts across federal agencies, after [the Department of Justice] refused to comply with a 2008 law requiring coordination and reporting of those efforts.
    • The bill would require a historic, mandatory investment in personnel and funding to take on child exploitation, including:
      • Quadruple the number of prosecutors and agents in DOJ’s Child Exploitation and Obscenity Section from 30 FTEs to 120 FTEs;
      • Add 100 new agents and investigators for the Federal Bureau of Investigation’s Innocent Images National Initiative, Crimes Against Children Unit, Child Abduction Rapid Deployment Teams, and Child Exploitation and Human Trafficking Task Forces;
      • Fund 65 new National Center for Missing and Exploited Children (NCMEC) analysts, engineers, and mental health counselors, as well as a major upgrade to NCMEC’s technology platform to enable the organization to more effectively evaluate and process CSAM reports from tech companies;
      • Double funding for the state Internet Crimes Against Children (ICAC) Task Forces; 
      • Double funding for the National Criminal Justice Training Center, to administer crucial Internet Crimes Against Children and Missing and Exploited Children training programs; 
      • Increase funding for evidence-based programs, local governments and non-federal entities to detect, prevent and support victims of child sexual abuse, including school-based mental health services and prevention programs like the Children’s Advocacy Centers and the HHS’ Street Outreach Program;  
      • Require tech companies to increase the time that they hold evidence of CSAM, in a secure database, to enable law enforcement agencies to prosecute older cases; 
      • Establish an Office to Enforce and Protect Against Child Sexual Exploitation, within the Executive Office of the President, to direct and streamline the federal government’s efforts to prevent, investigate and prosecute the scourge of child exploitation; 
      • Require the Office to develop an enforcement and protection strategy, in coordination with HHS and GAO; and 
      • Require the Office to submit annual monitoring reports, subject to mandatory Congressional testimony to ensure timely execution. 
  • The National Institute of Standards and Technology (NIST) released for comment NIST Special Publication (SP) 800-47 Revision 1, Managing the Security of Information Exchanges that “provides guidance on identifying information exchanges; risk-based considerations for protecting exchanged information before, during, and after the exchange; and example agreements for managing the protection of the exchanged information” per the agency’s press release. NIST explained:
    • Rather than focus on any particular type of technology-based connection or information access, this draft publication has been updated to define the scope of information exchange, describe the benefits of securely managing the information exchange, identify types of information exchanges, discuss potential security risks associated with information exchange, and detail a four-phase methodology to securely manage information exchange between systems and organizations. Organizations are expected to further tailor the guidance to meet specific organizational needs and requirements.
    • NIST is specifically interested in feedback on:
      • Whether the agreements addressed in the draft publication represent a comprehensive set of agreements needed to manage the security of information exchange.
      • Whether the matrix provided to determine what types of agreements are needed is helpful in determining appropriate agreement types.
      • Whether additional agreement types are needed, as well as examples of additional agreements.
      • Additional resources to help manage the security of information exchange.
    • A public comment period for this document is open through March 12, 2021.
  • The European Commission’s (EC) Health and Food Safety Directorate General issued an “Assessment of the EU Member States’ rules on health data in the light of GDPR,” which found “that while the General Data Protection Regulation (GDPR) lays down horizontal directly applicable rules in all Member States, there remains variation in the range of national-level legislation linked to its implementation in the area of health.” The authors of the report added that “[t]his, the study suggests, has led to a fragmented approach in the way that health data processing for health and research is conducted in the Member States…[and] [t]his can negatively impact cross-border cooperation for care provision, healthcare system administration, public health or research.” The authors of the report asserted:
    • The work conducted in the context of the study makes clear that a number of legal and operational issues need to be addressed to ensure that European healthcare systems can make best possible use of data for the three interlinked purposes of primary use for direct patient care, secondary use to support the safe and efficient functioning of healthcare systems, and secondary use to drive health research and innovation. It is clear from the evidence of workshop participants, country correspondents and stakeholder consultation that while the GDPR is a much appreciated piece of legislation, variation in application of the law and national level legislation linked to its implementation have led to a fragmentation of the law which makes cross-border cooperation for care provision, healthcare system administration or research difficult. Furthermore, the interpretation of the law is complex for researchers at national level and patients do not always find it easy to exercise the rights granted by the GDPR.
    • It is clear that addressing these challenges requires a multifaceted approach. The identified future EU level actions to address these challenges, that should be complementary and cumulative, include stakeholders driven codes of conduct, new targeted and sector specific EU level legislation, guidance and support to the cooperation among Member States and relevant stakeholders, but also support for digitalisation, interoperability and digital infrastructures, allowing for the use of data for healthcare, policy making and research and innovation. It is important that these future actions are developed in full respect of principles of proportionality and subsidiarity
  • The New York State Department of Financial Services (NYDFS) issued a report “detailing the findings of an investigation into the transmission of sensitive user data by application and website designers to Facebook.” NYDFS stated “[f]ollowing a report by the Wall Street Journal, the Governor directed DFS to perform an investigation which found that app developers regularly sent Facebook sensitive data, including medical and personal data, derived from consumers’ usage of third-party websites and applications.” NYDFS stated “[t]he data was then shared with Facebook by app developers as part of Facebook’s free online data analytics services…[and] [t]hough such data-sharing violated Facebook policy, Facebook took few steps to enforce the policy or to block the flow of sensitive data prior to the state’s investigation.” NYDFS asserted:
    • The Department found that consumer data was regularly shared with Facebook by app developers who downloaded Facebook’s Software Development Kit as part of Facebook’s free online data analytics services. Personal data that was wrongfully shared included sensitive and/or medical data such as health diagnoses, blood pressure readings, and even fertility data.
    • The report focuses on the facts surrounding the conduct described by the WSJ, the inadequate controls at Facebook that allowed it to happen, the remedial measures Facebook has undertaken as a result of the DFS investigation, and the Department’s recommendations on how to better protect consumer privacy:
      • Inadequate Controls: Despite the fact that sensitive data has been transmitted to Facebook every day in violation of Facebook policy, prior to the DFS investigation, Facebook did little to track whether app developers were violating its policies and to this day takes no real action against developers that do.
      • Remediation Efforts as a Result of the Department’s Investigation: As a result of the DFS investigation, Facebook built and implemented a screening system that is designed to identify and block sensitive information before it enters the Facebook system. Facebook also enhanced app developer education to better inform developers of their obligations to avoid transmitting sensitive data and took steps to give users more control over data that is collected about them, including from off-Facebook activity.
      • Recommended Further Action: Although Facebook’s remediation efforts are important first steps, Facebook must meaningfully ensure that developers are fully aware of its prohibition on transmitting sensitive data, and the report recommends Facebook do more to prevent developers from transmitting sensitive data in the first place rather than simply relying on a back-end screening system. The report further urges Facebook to take additional steps to police its own rules by putting in place appropriate consequences for doing so.
      • Federal Regulatory Oversight: Current laws and regulations have not kept pace with the technological advancements of the “big data” industry. Although the U.S. Federal Trade Commission has taken some action, consumers would benefit from a comprehensive federal regulatory approach, as noted in the DFS’s Twitter report.
    • The report also supports the adoption of Governor Cuomo’s proposal to enact NYDATA, a comprehensive data privacy law that would significantly enhance privacy protections for New Yorkers. The law would mandate that any entity that collects data on large numbers of New Yorkers disclose the purposes of such collection, and limit the data collected to that purpose.
  • Over 40 privacy, civil liberties, and civil rights groups “called on the Biden administration to 1) place a moratorium on federal use of facial recognition and other biometric technologies, 2) stop state and local governments from purchasing facial recognition services with federal funds, and 3) support the Facial Recognition and Biometric Technology Act” (S.4084.)
  • “[A] bipartisan coalition of technology policy organizations” wrote the chairs and ranking members of the subcommittees that control the appropriations for the Federal Trade Commission (FTC) urging them “to provide increased resources for the FTC so that the agency can respond to growing demands and fulfill its mission of protecting consumers and promoting competition in the digital age.” They added:
    • Over the past decade, the agency reported an increase of over 100 percent for consumer complaints, and an increase in premerger filings of over 75 percent. It has recently increased its enforcement activity too, bringing a much higher number of cases in 2020 as compared to prior years. A recent financial report by the Commission noted, “constraints from stagnant financial resources are further magnified by increasing costs and rising expectations from the American public.”
    • To address this institutional gap, we urge you to provide a significant increase to the Commission’s gross budget authority for FY 2021. We expect that even a substantial increase would have a minimal impact on the national debt, considering the revenue generating activities of the Commission. Additionally, to minimize the burden on taxpayers, Congress should consider increasing the authorized limit for offsetting collections, and adjust HSR fees with indexing to inflation.
  • The International Standards Organization (ISO) published “[t]wo new ISO guidance documents…to help organizations ensure the best possible frameworks and keep them cybersecure:
    • Developed in collaboration with the International Electrotechnical Commission (IEC), ISO/IEC TS 27110, Information technology, cybersecurity and privacy protection – Cybersecurity framework development guidelines, specifies how to create or refine a robust system to protect against cyber-attacks.
    • ISO/IEC TS 27100, Information technology – Cybersecurity – Overview and concepts, which defines cybersecurity, establishes its context in terms of managing information security risks when information is in digital form, and describes relevant relationships including how cybersecurity is related to information security.

Coming Events

  • On 23 February, the Senate Intelligence Committee will hold a “Hearing on the Hack of U.S. Networks by a Foreign Adversary” with these witnesses:
    • Kevin Mandia, CEO, FireEye
    • Sudhakar Ramakrishna, CEO, SolarWinds
    • Brad Smith, President, Microsoft
    • George Kurtz, President and CEO, CrowdStrike
  • On 24 February, the House Energy and Commerce Committee’s Communications and Technology Subcommittee will hold a hearing titled “Fanning the Flames: Disinformation and Extremism in the Media” with these witnesses:
    • Soledad O’Brien, Anchor, Matter of Fact and CEO, Soledad O’Brien Productions
    • Emily Bell, Director, The Tow Center for Digital Media, Columbia University
    • Kristin Danielle Urquiza, Co-Founder, Marked by COVID
    • Jonathan Turley, Professor, The George Washington University Law School
  • The House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold a hearing titled “Reviving Competition, Part 1: Proposals to Address Gatekeeper Power and Lower Barriers to Entry Online” on 25 February.
  • On 17 March, the Federal Communications Commission (FCC) will hold an open meeting but an agenda has not yet been released.
  • The House Energy and Commerce Committee’s Communications and Technology and Consumer Protection and Commerce Subcommittees will hold a joint hearing on 25 March “on misinformation and disinformation plaguing online platforms” with these witnesses: Facebook CEO Mark Zuckerberg, Google CEO Sundar Pichai, and Twitter CEO Jack Dorsey.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Maxim Hopman on Unsplash

Further Reading, Other Developments, and Coming Events (17 February 2021)

Further Reading

Other Developments

  • The new leadership at the United States (U.S.) Department of Justice (DOJ) was withdrawn from the litigation brought by their predecessors against California for its net neutrality law. This case was brought after California and other states enacted such laws after the Trump era Federal Communications Commission (FCC) repealed the Obama era FCC’s net neutrality rules. In its motion, the DOJ stated it “hereby gives notice of its voluntary dismissal of this case,” which the court soon thereafter granted. However, there is another lawsuit being waged against the California law by a number of cable trade associations, including the American Cable Association, CTIA – The Wireless Association, NCTA – The Internet & Television Association, And USTelecom – The Broadband Association.
    • Acting FCC Chair Jessica Rosenworcel asserted in her press release:
      • I am pleased that the Department of Justice has withdrawn this lawsuit.  When the FCC, over my objection, rolled back its net neutrality policies, states like California sought to fill the void with their own laws.  By taking this step, Washington is listening to the American people, who overwhelmingly support an open internet, and is charting a course to once again make net neutrality the law of the land.
    • In 2014, the United States Court of Appeals for the District Of Columbia Circuit (D.C. Circuit) struck down a 2010 FCC net neutrality order in Verizon v. FCC, but the court did suggest a path forward. The court held the FCC “reasonably interpreted section 706 to empower it to promulgate rules governing broadband providers’ treatment of Internet traffic, and its justification for the specific rules at issue here—that they will preserve and facilitate the “virtuous circle” of innovation that has driven the explosive growth of the Internet—is reasonable and supported by substantial evidence.” The court added that “even though the Commission has general authority to regulate in this arena, it may not impose requirements that contravene express statutory mandates…[and] [g]iven that the Commission has chosen to classify broadband providers in a manner that exempts them from treatment as common carriers, the Communications Act expressly prohibits the Commission from nonetheless regulating them as such.” However, in 2016, the same court upheld the 2015 net neutrality regulations in U.S. Telecom Association v. FCC, and this court is hearing a challenge to the FCC’s 2017 order in Mozilla v. FCC.
    • In the fall of 2019, In a highly anticipated decision, the D.C. Circuit upheld most of the FCC’s repeal of the its earlier net neutrality rule (i.e. In re Restoring Internet Freedom, 33 FCC Rcd. 311 (2018)). However, the D.C. Circuit declined to accept the FCC’s attempt to preempt all contrary state laws and struck down this part of the FCC’s rulemaking. Consequently, states and local jurisdictions may now be free to enact regulations of internet services along the lines of the FCC’s now repealed Open Internet Order.
    • In September 2018, then-Governor Jerry Brown signed into law SB 822, summarized thusly:
      • This bill would enact the California Internet Consumer Protection and Net Neutrality Act of 2018. This act would prohibit fixed and mobile Internet service providers, as defined, that provide broadband Internet access service, as defined, from engaging in specified actions concerning the treatment of Internet traffic. The act would prohibit, among other things, blocking lawful content, applications, services, or nonharmful devices, impairing or degrading lawful Internet traffic on the basis of Internet content, application, or service, or use of a nonharmful device, and specified practices relating to zero-rating, as defined. It would also prohibit fixed and mobile Internet service providers from offering or providing services other than broadband Internet access service that are delivered over the same last-mile connection as the broadband Internet access service, if those services have the purpose or effect of evading the above-described prohibitions or negatively affect the performance of broadband Internet access service.
  • President Joe Biden announced the formation of a Department of Defense (DOD) China Task Force in remarks at the Pentagon. Biden said:
    • The task force will work quickly, drawing on civilian and
      military experts across the Department, to provide, within the next few months, recommendations to [Secretary of Defense Lloyd] Austin on key priorities and decision points so that we can chart a strong path forward on China-related matters.  It will require a whole-of-government effort, bipartisan cooperation in Congress, and strong alliances and partnerships.
    • That’s how we’ll meet the China challenge and ensure the American people win the competition of the future.
    • In a press release, the DOD explained further:
      • Ely Ratner, a special assistant to Secretary of Defense Lloyd J. Austin III, will lead the effort. The task force has four months to develop recommendations for senior defense leaders.
      • Defense officials called the task force a “sprint effort” that will examine high-priority topics including strategy, operational concepts, technology and force structure, force posture and force management and intelligence. The task force will also examine U.S. alliances and partnerships and their impact on Sino-American relations and DOD relations with China.
      • The 15-member task force will come from a wide swath of the department and include the Office of the Secretary of Defense staff, the Joint Staff, the services, the combatant commands and representatives from the intelligence community.
      • The task force will also speak with interagency partners to ensure the defense response is aligned with the whole-of-government approach toward China that the president wants.
  • The United States (U.S.) Department of Labor (DOL) and Google settled claims the tech giant was discriminating against female and Asian American engineering applicants. In its statement, the DOL said it had reached agreement with Google “to resolve allegations of systemic compensation and hiring discrimination at the company’s California and Washington State facilities and will pay over $3.8 million to more than 5,500 current employees and job applicants.” The DOL added:
    • During a routine compliance evaluation, the department’s Office of Federal Contract Compliance Programs identified pay disparities affecting female employees in software engineering positions at its facilities in Mountain View, and in Seattle and Kirkland, Washington. The agency also identified hiring rate differences that disadvantaged female and Asian applicants for software engineering positions at Google’s locations in San Francisco and Sunnyvale, and in Kirkland.   
    • Under the terms of the early resolution conciliation agreement, Google agreed to the following:
      • To pay $3,835,052 to resolve OFCCP’s allegations, namely $1,353,052 in back pay and interest to 2,565 female employees in engineering positions subject to pay discrimination; and $1,232,000 in back pay and interest to 1,757 female and 1,219 Asian applicants for software engineering positions not hired.
      • Allocate a cash reserve of least $1,250,000 in pay-equity adjustments for the next 5 years for U.S. employees in engineering positions at Google’s Mountain View, Kirkland, Seattle and New York establishments, locations that house approximately 50 percent of Google’s engineering employees nationwide. Google has provided job opportunities to 51 female and 17 Asian applicants for software engineering positions.
    • Google agreed to enhance future compliance proactively and review its current policies, procedures and practices related to hiring, compensation; conduct analyses; and take corrective action to ensure non-discrimination. 
  • The National Institute of Standards and Technology (NIST) has issued supplemental materials designed to help federal agencies, their private sector partners, and other interested parties on one of the agency’s foundational security guides. NIST explained:
    • New and updated supplemental materials for NIST Special Publication (SP) 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, and NIST SP 800-53B, Control Baselines for Information Systems and Organizations, are available for download to support the December 10, 2020, errata release of SP 800-53 and SP 800-53B
      • Both spreadsheets have been preformatted for improved data visualization and allow for alternative views of the catalog and baselines. Users can also convert the contents to different data formats, including text only, comma-separated values (CSV), and other formats that can provide greater flexibility (e.g., by ingesting it into an existing product or platform and/or to facilitate automation). The spreadsheets were created from the Open Security Controls Assessment Language (OSCAL) version of the SP 800-53 Rev. 5 controls, which is offered as a supplemental material to the publications.
  • Senators John Thune (R-SD), Jon Tester (D-MT), Roger Wicker (R-MS), Gary Peters (D-MI), and Jerry Moran (R-KS) “reintroduced the “Telecommunications Skilled Workforce Act,” (S.163) legislation to address the shortage of trained workers necessary to fill next-generation jobs in the telecommunications industry in communities throughout the country” per their press release. They claimed “The Telecommunications Skilled Workforce Act would address the shortage of trained workers necessary to fill next-generation jobs by:
    • Establishing an Federal Communications Commission (FCC)-led interagency working group that, in consultation with the Department of Labor (DOL) and other federal and non-federal stakeholders, would be tasked with developing recommendations to address the workforce needs of the telecommunications industry.
    • Requiring the FCC, in consultation with DOL, to issue guidance on how states can address the workforce shortage in the telecommunications industry by identifying all of the federal resources currently available to them that can be used for workforce development efforts.
    • Directing the Government Accountability Office to conduct a study to determine the specific number of skilled telecommunications workers that will be required to build and maintain broadband infrastructure in rural areas and the 5G wireless infrastructure needed to support 5G wireless technology.
  • Senate Banking, Housing and Urban Development Committee Chair Sherrod Brown (D-OH) and Senator Cory Booker (D-NJ) along with other Democratic colleagues wrote current Amazon CEO Jeff Bezos, and his successor, Amazon Web Services CEO Andy Jassy expressing “support for Amazon workers seeking to organize a union with the Retail, Wholesale and Department Store Union (RWDSU), and pushed the company to take this opportunity to recognize the true value of its workers to the company’s success and treat them as the critical assets they are.” Brown, Booker, and their colleagues stated “[t]he letter comes ahead of an upcoming election in Bessemer, Alabama, where Amazon warehouse workers will vote to form a union that will represent full and part-time workers.” They argued:
    • Amazon should view this as an opportunity to demonstrate its commitment to its stated values. Though Amazon has referred to their workers as “heroes fighting for their communities and helping people get critical items they need,” Amazon’s treatment of its workforce has not always reflected that. From using so-called “flex” workers to avoid paying full benefits to your employees, to failing to provide complete data on COVID-19 spread in the workplace, to spying on employees seeking to organize a union, Amazon has not always treated its workers with the dignity they deserve. During this campaign in Alabama, employees seeking to unionize have received misleading text messages, been overwhelmed by anti-union propaganda, and faced attempts to force in person voting during a pandemic that has resulted in the deaths of [nearly 500,000] Americans. All of these efforts represent disgraceful attempts to coerce Amazon employees out of exercising their voices and their rights under the National Labor Relations Act.
    • The upcoming election in Bessemer, Alabama is an opportunity for a reset. We ask that Amazon follow the law and allow their employees to freely exercise their right to organize this union. We will be paying close attention to the way Amazon conducts itself during this vote and call on Amazon to ensure an election for its workers in Alabama that honors the dignity of work.
  • Senate Armed Services Committee Chair Jack Reed (D-RI), Senate Budget Committee Chairr Bernie Sanders (I-VT), Senator Sheldon Whitehouse (D-RI), and Senate Finance Committee Chair Ron Wyden (D-OR) introduced the “Build America’s Libraries Act” (S. 127) which would set up a new source of funding for United States public libraries to upgrade, including new technology and broadband. They explained:
    • This legislation would provide $5 billion over three years to build and modernize public libraries, including addressing needs that have arisen due to COVID–19, to enable libraries to better serve and engage their communities, particularly in underserved areas.  These federal funds could be utilized to help construct new libraries, build additions, improve accessibility, update technology and broadband infrastructure, enhance energy efficiency standards, and renovate and modernize facilities to better meet the evolving learning and information needs of the American public.
  • Ireland’s Data Protection Commission (DPC) is being pressured by another stakeholder over its handling of its responsibilities as perhaps the most prominent supervisory authority under the General Data Protection Regulation (GDPR). A key committee in the European Union’s parliament looks to be starting the process under which the European Commission could seek to penalize Ireland for not properly enforcing the bloc’s data protection rules. This effort arises from the criticism over the DPC’s management of the complaint and subsequent court cases over Facebook’s compliance with the GDPR in light of the United States (U.S.) mass electronic surveillance. The European Parliament’s Civil Liberties, Justice and Home Affairs Committee introduced a draft resolution expressing the Parliament’s position visa via the DPC, notably the initiation of an infringement procedure:
    • shows deep concern that several complaints against breaches of the GDPR filed on 25th May 2018, have not yet been decided by the Irish Data Protection Commissioner, which is the lead authority for these cases; strongly condemns the attempt of the Irish Data Protection Authority to shift the costs of the judicial procedure to Maximilian Schrems, which would have created a massive chilling effect; calls on the Commission to start infringement procedures against Ireland for not properly enforcing the GDPR;
    • In a 2020 assessment of the GDPR after two years of being operative, the European Commission (EC) singled out Ireland and Luxembourg for not providing adequate resources to their data protection authorities:
      • Given that the largest big tech multinationals are established in Ireland and Luxembourg, the data protection authorities of these countries act as lead authorities in many important cross-border cases and may need larger resources than their population would otherwise suggest. However, the situation is still uneven between Member States and is not yet satisfactory overall.

Coming Events

  • On 17 February, the House Energy and Commerce Committee’s Communications and Technology Subcommittee will hold a hearing titled “Connecting America: Broadband Solutions to Pandemic Problems” with these witnesses:
    • Free Press Action Vice President of Policy and General Counsel Matthew F. Wood
    • Topeka Public Schools Superintendent Dr. Tiffany Anderson
    • Communications Workers of America President Christopher M. Shelton
    • Wireless Infrastructure Association President and CEO Jonathan Adelstein
  • On 17 February, the Federal Communications Commission (FCC) will hold an open meeting, its first under acting Chair Jessica Rosenworcel, with this tentative agenda:
    • Presentation on the Emergency Broadband Benefit Program. The Commission will hear a presentation on the creation of an Emergency Broadband Benefit Program. Congress charged the FCC with developing a new $3.2 billion program to help Americans who are struggling to pay for internet service during the pandemic.
    • Presentation on COVID-19 Telehealth Program. The Commission will hear a presentation about the next steps for the agency’s COVID-19 Telehealth program. Congress recently provided an additional $249.95 million to support the FCC’s efforts to expand connected care throughout the country and help more patients receive health care safely.
    • Presentation on Improving Broadband Mapping Data. The Commission will hear a presentation on the work the agency is doing to improve its broadband maps. Congress directly appropriated $65 million to help the agency develop better data for improved maps.
    • Addressing 911 Fee Diversion. The Commission will consider a Notice of Proposed Rulemaking that would implement section 902 of the Don’t Break Up the T-Band Act of 2020, which requires the Commission to take action to help address the diversion of 911 fees by states and other jurisdictions for purposes unrelated to 911. (PS Docket Nos. 20-291, 09-14)
    • Implementing the Secure and Trusted Communications Networks Act. The Commission will consider a Third Further Notice of Proposed Rulemaking that proposes to modify FCC rules consistent with changes that were made to the Secure and Trusted Communications Networks Act in the Consolidated Appropriations Act, 2021. (WC Docket No. 18-89)
  • On 18 February, the House Financial Services will hold a hearing titled “Game Stopped? Who Wins and Loses When Short Sellers, Social Media, and Retail Investors Collide” with Reddit Co-Founder and Chief Executive Officer Steve Huffman testifying along with other witnesses.
  • The U.S.-China Economic and Security Review Commission will hold a hearing titled “Deterring PRC Aggression Toward Taiwan” on 18 February.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by CDC on Unsplash

Further Reading, Other Developments, and Coming Events (8 February 2021)

Further Reading

  • ‘A kiss of death’: Top GOP tech critics are personae non gratae after election challenge” By Cristiano Lima — Politico. I take these articles with a block of salt, not least of which because many inside the Beltway articles lack perspective and a sense of history. For sure, in the short term the Josh Hawleys and Ted Cruzes of the world are radioactive to Democrats, but months down the road things will look different, especially if Democrats need votes or allies in the Senate. For example, former Senator David Vitter’s (R-LA) interesting activities with prostitutes made him radioactive for some time and then all was forgotten because he held a valuable currency: a vote.
  • I Talked to the Cassandra of the Internet Age” By Charlie Warzel — The New York Times. A sobering read on the implications of the attention economy. We would all be helped by slowing down and choosing what to focus on.
  • A Vast Web of Vengeance” By Kashmir Hill — The New York Times. A true horror story illustrating the power platforms give anyone to slander others. The more these sorts of stories move to the fore of the consciousness of policymakers, the greater the chances of reform to 47 USC 230 (Section 230), which many companies used to deny requests that they take down defamatory, untrue material.
  • Amazon says government demands for user data spiked by 800% in 2020” By Zack Whitaker — TechCrunch. In an interesting development, Germany far outpaced the United States (U.S.) in information requests between 1 July and 31 December 2020 for Amazon except for Amazon Web Services (AWS). Regarding AWS, the U.S. accounted for 75% of requests. It bears note there were over 27,000 non-AWS requests and only 523 AWS requests.
  • Russian hack brings changes, uncertainty to US court system” By MaryClaire Dale — Associated Press. Because the Administrative Office of United States (U.S.) Courts may have been part of the massive SolarWinds hack, lawyers involved with cases that have national security aspects may no longer file materials electronically. It appears these cases will go old school with paper filings only, stored on a computers in federal courts that have no connection to the internet. However, it is apparently believed at present that the Foreign Intelligence Surveillance Court system was not compromised by the Russians.

Other Developments

  • Senator Ted Cruz (R-TX) placed a hold on Secretary of Commerce designate Gina Raimondo’s nomination, explaining on Twitter: “I’ll lift the hold when the Biden admin commits to keep the massive Chinese Communist Party spy operation Huawei on the Entity List.” Cruz was one of three Republicans to vote against reporting out Raimondo’s nomination from the Senate Commerce, Science, and Transportation Committee. Even though the Ranking Member, Senator Roger Wicker (R-MS), voted to advance her nomination to the Senate floor, he, too, articulated concerns about Raimondo and the Biden Administration’s refusal to commit to keeping Huawei on the Department of Commerce’s Entity List, a designation that cuts off needed technology and products from the company from the People’s Republic of China (PRC). Wicker said “I do remain concerned about the Governor’s reluctance to state unequivocally that she intends to keep Huawei on the department’s entity list…[and] [k]eeping Huawei on this list is important for the security of our networks and I urge the Governor and the administration to make its position clear.” Of course, the continuing Republican focus on the PRC is seeking to box in the Biden Administration and to try to force them to maintain the Trump Administration’s policies. The new administration has refused to make hard commitments on the PRC thus far and will likely seek different tactics than the Trump Administration even though there will likely be agreement on the threat posed by the PRC and its companies.
  • Virginia’s “Consumer Data Protection Act” (SB 1392/HB 2307) advanced from the Virginia Senate to the House of Delegates by a 36-0-1 vote on 5 February. The package was sent to the Communications, Technology and Innovation Subcommittee in the House on 7 February. Last week, it appeared as if the legislature would not have time to finish work on the United States’ second privacy law, but Governor Ralph Northam (D) convened a special session right before the legislature was set to adjourn. Now, there will be more time to address this bill and other priorities.
  • Senators Brian Schatz (D-HI), Deb Fischer (R-NE), Richard Blumenthal (D-CT), Rick Scott (R-FL) and Jacky Rosen (D-NV) introduced “The Safe Connections Act” “to help survivors of domestic violence and other crimes cut ties with their abusers and separate from shared wireless service plans, which can be exploited to monitor, stalk, or control victims” per their press release. The Senators asserted “the Safe Connections Act would help them stay safe and connected by:
    • Allowing survivors to separate a mobile phone line from any shared plan involving an abuser without penalties or other requirements. This includes lines of any dependents in their care;
    • Requiring the Federal Communications Commission (FCC) to initiate a rulemaking proceeding to seek comment on how to help survivors who separate from a shared plan enroll in the Lifeline Program for up to six-months as they become financially stable; and
    • Requiring the FCC to establish rules that would ensure any calls or texts to hotlines do not appear on call logs.
  • The European Commission’s Directorate-General for Justice and Consumers issued the “Report on the implementation of specific provisions of Regulation (EU) 2016/679,” the General Data Protection Regulation (GDPR), in which it was determined that implementation of these provisions at the member state level is uneven. The implication of this assessment released some 2.5 years after the GDPR took effect is that it may be some time more before each European Union state has made the statutory and policy changes necessary to the data protection regime full effect. And so, the Directorate-General made “[t]he following general observations can be made in relation to the implementation of the GDPR clauses under assessment:
    • As regards Article 8(1) GDPR (i.e., Conditions applicable to child’s consent in relation to information society services), the majority of the Member States have set an age limit lower than 16 years of age for the validity of the consent of a minor in relation to information society services. Nine Member States set the age limit at 16 years age, while eight Member States opted for that of 13 years, six for that of 14 years and three for 15 years.
    • With respect to Article 9(4) GDPR (i.e., Processing of special categories of personal data), most Member States provide for conditions/limitations with regard to the processing of genetic data, biometric data or data concerning health. Such limitations/conditions typically consist in listing the categories of persons who have access to such data, ensuring that they are subject to confidentiality obligations, or making processing subject to prior authorisation from the competent national authority. No national provision restricting or prohibiting the free movement of personal data within the European Union has been identified.
    • As regards Article 23(1) GDPR, and irrespective of the areas of public interest assessed under Article 23(1)(c) and (e) GDPR (i.e. public security, public administration, public health, taxation and migration), some Member States provide for restrictions in the area of (i) social security; or (ii) supervision of financial market participants, functioning of the guarantee systems and resolution and macroeconomic analyses. Concerning Article 23(1)(c) GDPR, the majority of Member States allow for restrictions of various provisions referred to in Article 23(1) GDPR. Normally there is a general reference to public security, while more specific areas of processing include the processing of personal data for the investigation and prosecution of crimes, and the use of video cameras for surveillance. Most commonly, the restrictions apply only where certain conditions are met. In some Member States the proportionality and necessity test is not contemplated at all, while in most Member States it is established in law, rather than left to the data controller. The overwhelming majority of Member States do not sufficiently implement the conditions and safeguards under Article 23(2) GDPR.
    • As regards Article 23(1)(e) GDPR in relation to public administration, half of the Member States provide for restrictions for such purpose. Normally there is a general reference to general public interest or public administration, while more specific areas of processing include discussions of the Council of Ministers and investigation of judicial or ‘administrative’ police authorities in connection with the commission of a crime or administrative infringement. Most commonly, the restrictions apply only where certain conditions are met. In some Member States the proportionality and necessity test is not contemplated at all, whereas in some other Member States the test is established in law or left to the data controller. No Member State implements all conditions and safeguards under Article 23(2) GDPR.
    • As regards Article 23(1)(e) GDPR in relation to public health, a minority of the Member States provide for restrictions for such purpose. Normally there is a general reference to public health or general public interest, while more specific areas of processing include the security of food chain and medical files. In most Member States, the applicable restrictions apply only where certain conditions are met. The proportionality and necessity test is generally established in the law. No Member State implements all conditions and safeguards under Article 23(2) GDPR.
    • With respect to Article 23(1)(e) GDPR in relation to taxation, a sizeable number of Member States provide restrictions for such purposes. There tends to be a general reference to taxation or general public interest, while more specific areas of processing include recovery of taxes, as well as automated tax data transfer procedures. Normally, the applicable restrictions apply only where certain conditions are met. The proportionality and necessity test is generally left to the data controller. No Member State implements all conditions and safeguards under Article 23(2) GDPR.
    • As regards Article 23(1)(e) GDPR in relation to migration, a minority of the Member States provide for restrictions for such purpose. Normally there is a general reference to migration or general public interest. The applicable restrictions tend to apply only where certain conditions are met. The proportionality and necessity test is generally left to the data controller. No Member State implements all conditions and safeguards under Article 23(2) GDPR.
    • As regards Article 85(1) GDPR (which requires Member States to reconcile by law the right to the protection of personal data with the right to freedom of expression and information), the majority of the Member States provide for provisions aiming to reconcile the right to the protection of personal data with the right to freedom of expression and information. These provisions are usually in the national data protection act implementing the GDPR, however, in some instances there are also specific provisions in media laws to this effect.
    • With respect to Article 85(2) GDPR (Reconciliation of the right to the protection of personal data with the right to freedom of expression and information), most Member States provide exemptions/derogations from the rules set out in Chapters II, III, IV, V, VI, VII and IX GDPR. More often than not, no specific balancing or reconciliation test is identified in the national legislation. A detailed account of the exemptions/derogations can be found in Annex 2 – Implementation of Article 85(2) GDPR.
  • The United Kingdom’s (UK) Information Commissioner’s Office (ICO) announced it is resuming the “investigation into real time bidding (RTB) and the adtech industry” in response to the COVID-19 pandemic. Simon McDougall, ICO Deputy Commissioner – Regulatory Innovation and Technology stated in a blog posting:
    • Enabling transparency and protecting vulnerable citizens are priorities for the ICO. The complex system of RTB can use people’s sensitive personal data to serve adverts and requires people’s explicit consent, which is not happening right now.
    • Sharing people’s data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties, also raises questions around the security and retention of this data.
    • Our work will continue with a series of audits focusing on data management platforms* and we will be issuing assessment notices to specific companies in the coming months. The outcome of these audits will give us a clearer picture of the state of the industry.
    • The investigation is vast and complex and, because of the sensitivity of the work, there will be times where it won’t be possible to provide regular updates. However, we are committed to publishing our final findings, once the investigation is concluded.
    • We are also continuing to work with the Competition and Markets Authority (CMA) in considering Google’s Privacy Sandbox proposals to phase out support for third party cookies on Chrome.
  • Washington State Representative Shelley Kloba (D) and cosponsors introduced a bill, HB 1303, to establish a data brokers registry in Washington state that would also levy a 1.8% tax on gross revenue from selling personal data. In her press release, Kloba stated:
    • We are spending more and more of our lives on our phones and devices. From this has arisen a new business model where brokers collect, analyze, and resell personal data collected from applications on our phones and other devices. Currently, this type of business is totally unregulated and untaxed, and these businesses are reselling information with no compensation to the people of Washington. My legislation would shine a light on this very active segment of our economy while also establishing a small tax on the companies that profit from selling our personal data. Brokers that make money from collecting our personal information should contribute their fair share in tax revenue, and there should be more transparency on the number of businesses engaged in this industry.
    • HB 1303 would:
      • Impose a 1.8% Business & Occupation (B&O) tax on gross income arising from the sale of personal data.
      • Require companies that engage in this type of economic activity to register annually with the Department of Revenue (DOR).
      • Require DOR to provide the Legislature with an annual report on this information.
    • Recently, Kloba and cosponsors introduced the “People’s Privacy Act” (HB 1433), a bill to establish a privacy and data protection regime in Washington state. (see here for analysis.)
  • The Federal Trade Commission (FTC) used recently granted authority to police the use of algorithms and automated processes to buy tickets for entertainment and sporting events. The “Better Online Ticket Sales (BOTS) Act” (P.L. 114-274) “was enacted in 2016 and gives the FTC authority to take law enforcement action against individuals and companies that use bots or other means to circumvent limits on online ticket purchases” per the agency’s press release. The FTC stating it is taking “legal action against three ticket brokers based in New York who allegedly used automated software to illegally buy up tens of thousands of tickets for popular concerts and sporting events, then subsequently made millions of dollars reselling the tickets to fans at higher prices.” The FTC added:
    • The three ticket brokers will be subject to a judgment of more than $31 million in civil penalties for violating the Better Online Ticket Sales (BOTS) Act, under a proposed settlement reached with the FTC. Due to their inability to pay, the judgment will be partially suspended, requiring them to pay $3.7 million.
    • The FTC explained “[u]nder the terms of the proposed orders, judgments will be entered against the defendants for civil penalties as follows:
  • The National Institute of Standards and Technology (NIST) pushed back the deadline for comments until 26 February 2021 for four guidance documents on the Internet of Things:
    • Draft NIST SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements, has background and recommendations to help federal agencies consider how an IoT device they plan to acquire can integrate into a federal information system. IoT devices and their support for security controls are presented in the context of organizational and system risk management. SP 800-213 provides guidance on considering system security from the device perspective. This allows for the identification of IoT device cybersecurity requirements—the abilities and actions a federal agency will expect from an IoT device and its manufacturer and/or third parties, respectively.
    • Draft NISTIR 8259B, IoT Non-Technical Supporting Capability Core Baseline, complements the NISTIR 8259A device cybersecurity core baseline by detailing additional, non-technical supporting activities typically needed from manufacturers and/or associated third parties. This non-technical baseline collects and makes explicit supporting capabilities like documentation, training, customer feedback, etc.
    • Draft NISTIR 8259C, Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline, describes a process, usable by any organization, that starts with the core baselines provided in NISTIRs 8259A and 8259B and explains how to integrate those baselines with organization- or application-specific requirements (e.g., industry standards, regulatory guidance) to develop a IoT cybersecurity profile suitable for specific IoT device customers or applications. The process in NISTIR 8259C guides organizations needing to define a more detailed set of capabilities responding to the concerns of a specific sector, based on some authoritative source such as a standard or other guidance, and could be used by organizations seeking to procure IoT technology or by manufacturers looking to match their products to customer requirements.
    • Draft NISTIR 8259D, Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government, provides a worked example result of applying the NISTIR 8259C process, focused on the federal government customer space, where the requirements of the FISMA process and the SP 800-53 security and privacy controls catalog are the essential guidance. NISTIR 8259D provides a device-centric, cybersecurity-oriented profile of the NISTIR 8259A and 8259B core baselines, calibrated against the FISMA low baseline described in NIST SP 800-53B as an example of the criteria for minimal securability for federal use cases.
  • The New York State Department of Financial Services (NYDFS) announced “[r]egulated entities and licensed persons must file the Certification of Compliance for the calendar year 2020 by April 15, 2021” These certificates are due under the NYDFS’ cybersecurity regulations with which most financial services companies in the state must comply. These regulations took effect in May 2017.

Coming Events

  • On 10 February, the House Homeland Committee will hold a hearing titled “Homeland Cybersecurity: Assessing Cyber Threats and Building Resilience” with these witnesses:
    • Mr. Chris Krebs, Former Director, Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security
    • Ms. Sue Gordon, Former Principal Deputy Director of National Intelligence, Office of the Director of National Intelligence
    • Mr. Michael Daniel, President & CEO, Cyber Threat Alliance
    • Mr. Dmitri Alperovitch, Executive Chairman, Silverado Policy Accelerator
  • The House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold a hearing titled “Justice Restored: Ending Forced Arbitration and Protecting Fundamental Rights.”
  • The Federal Communications Commission’s (FCC) acting Chair Jessica Rosenworcel will hold a virtual Roundtable on Emergency Broadband Benefit Program on 12 February “a new a program that would enable eligible households to receive a discount on the cost of broadband service and certain connected devices during the COVID-19 pandemic.” The FCC also noted “[i]n the Consolidated Appropriations Act of 2021, Congress appropriated $3.2 billion” for the program.
  • On 17 February, the Federal Communications Commission (FCC) will hold an open meeting, its first under acting Chair Jessica Rosenworcel, with this tentative agenda:
    • Presentation on the Emergency Broadband Benefit Program. The Commission will hear a presentation on the creation of an Emergency Broadband Benefit Program. Congress charged the FCC with developing a new $3.2 billion program to help Americans who are struggling to pay for internet service during the pandemic.
    • Presentation on COVID-19 Telehealth Program. The Commission will hear a presentation about the next steps for the agency’s COVID-19 Telehealth program. Congress recently provided an additional $249.95 million to support the FCC’s efforts to expand connected care throughout the country and help more patients receive health care safely.
    • Presentation on Improving Broadband Mapping Data. The Commission will hear a presentation on the work the agency is doing to improve its broadband maps. Congress directly appropriated $65 million to help the agency develop better data for improved maps.
    • Addressing 911 Fee Diversion. The Commission will consider a Notice of Proposed Rulemaking that would implement section 902 of the Don’t Break Up the T-Band Act of 2020, which requires the Commission to take action to help address the diversion of 911 fees by states and other jurisdictions for purposes unrelated to 911. (PS Docket Nos. 20-291, 09-14)
    • Implementing the Secure and Trusted Communications Networks Act. The Commission will consider a Third Further Notice of Proposed Rulemaking that proposes to modify FCC rules consistent with changes that were made to the Secure and Trusted Communications Networks Act in the Consolidated Appropriations Act, 2021. (WC Docket No. 18-89)
  • On 27 July 2021, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Martin Ceralde on Unsplash

Further Reading, Other Developments, and Coming Events (2 February 2021)

Further Reading

  • I checked Apple’s new privacy ‘nutrition labels.’ Many were false.” By Geoffrey Fowler — The Washington Post. It turns out the blue check mark in Apple’s App Store signifying that an app does not collect personal data is based on the honor system. As the Post’s technology columnist learned, Apple tells users this in very small print: “This information has not been verified by Apple.” And so, as Fowler explains, this would seem contrary to the company’s claims of making user privacy a core value. Also, Apple’s definition of tracking is narrow, suggesting the company may be defining its way to being a champion of privacy. Finally, Apple’s practices in light of the coming changes to its iOS to defeat Facebook and others’ tracking people across digital space seem to belie the company’s PR and branding. It would seem like the Federal Trade Commission (FTC) and its overseas counterparts would be interested in such deceptive and unfair practices.
  • Lawmakers Take Aim at Insidious Digital ‘Dark Patterns’” By Tom Simonite — WIRED. Language in the “California Privacy Rights Act” (CPRA) makes consent gained through the use of “dark patterns” (i.e., all those cognitive tricks online and real-life entities use to slant the playing field against consumers) invalid. However, lest one celebrate that policymakers are addressing these underhanded means of gaining consent or selling things, the to be established California Privacy Protection Agency will need to define what dark patterns are and write the regulations barring whatever those will be. In Washington state, the sponsors of the Washington Privacy Act (SB 5062) copied the CPRA language, setting up the possibility Washington state could follow California. It remains to be seen how, or even if, federal privacy legislation proposals deal with dark patterns. And it well may considering that Senators Mark Warner (D-VA) and Deb Fischer (R-NE) introduced the “Deceptive Experiences To Online Users Reduction (DETOUR) Act” (S.1084) in 2019. Moreover, again, as in the previous article, one might think the Federal Trade Commission (FTC) and its overseas counterparts might be interested in policing dark patterns.
  • A PR screwup draws unwanted attention to Google’s Saudi data centers” By Issie Lapowsky — Protocol. The best case scenario is that Google and Snap misstated what cloud infrastructure and content are in the Kingdom of Saudi Arabia. And in this case, privacy and civil liberties groups are unfairly pouncing on the companies over essentially garbling the truth. On the other hand, it may turn out that the companies are routing traffic and content through the repressive regime, allowing a government with an abysmal human rights record to access the data of people. Time may tell what is actually happening, but the two companies are furiously telling the world that there’s nothing to see here.
  • China’s Leader Attacks His Greatest Threat” By John Pomfret — The Atlantic. Xi Jinping, President of the People’s Republic of China (PRC) and Chairman of the Chinese Communist Party (CCP) has accelerated a crack down on entrepreneurs and technology companies started by his predecessors. This would ultimately impair the PRC’s ambitions of becoming the world’s dominant power through technological superiority.
  • Why Is Big Tech Policing Speech? Because the Government Isn’t” By Emily Bazelon — The New York Times. The First Amendment to the United States (U.S.) Constitution is invariably cited in the online speech debate as a reason why people cannot be silenced and as to why social media platforms can silence whom they like. This is an interesting survey of this right in the U.S. and how democracies in Europe have a different understanding of permissible speech.

Other Developments

  • In a recent press conference, White House Press Secretary Jen Psaki shed light on how the Biden Administration will change United States (U.S.) policy towards the People’s Republic of China (PRC). In response to a question about how the U.S. government will deal with TikTok and the PRC generally, Psaki stated:
    • I think our approach to China remains what it has been since — for the last months, if not longer.  We’re in a serious competition with China.  Strategic competition with China is a defining feature of the 21st century.  China is engaged in conduct that it hurts American workers, blunts our technological edge, and threatens our alliances and our influence in international organizations.  
    • What we’ve seen over the last few years is that China is growing more authoritarian at home and more assertive abroad.  And Beijing is now challenging our security, prosperity, and values in significant ways that require a new U.S. approach. 
    • And this is one of the reasons, as we were talking about a little bit earlier, that we want to approach this with some strategic patience, and we want to conduct reviews internally, through our interagency….We wanted to engage more with Republicans and Democrats in Congress to discuss the path forward.  And most importantly, we want to discuss this with our allies. 
    • We believe that this moment requires a strategic and a new approach forward.
    • [T]echnology, as I just noted, is, of course, at the center of the U.S.-China competition.  China has been willing to do whatever it takes to gain a technological advantage — stealing intellectual property, engaging in industrial espionage, and forcing technology transfer.
    • Our view — the President’s view is we need to play a better defense, which must include holding China accountable for its unfair and illegal practices and making sure that American technologies aren’t facilitating China’s military buildup.
    • So he’s firmly committed to making sure that Chinese companies cannot misappropriate and misuse American data.  And we need a comprehensive strategy, as I’ve said, and a more systematic approach that actually addresses the full range of these issues.
    • So there is, again, an ongoing review of a range of these issues.  We want to look at them carefully, and we’ll be committed to approaching them through the lens of ensuring we’re protecting U.S. data and America’s technological edge. 
  • The top Republican on the House Foreign Affairs Committee is calling on Senate Republicans to block Governor Gina Raimondo’s nomination to be the Secretary of Commerce until the White House indicates whether they will keep Huawei on a list of entities to whom the United States (U.S.) restricts exports. Ranking Member Michael McCaul (R-TX) asserted:
    • It is incredibly alarming the Biden Administration has refused to commit to keeping Huawei on the Department of Commerce’s Entity List. Huawei is not a normal telecommunications company – it is a CCP military company that threatens 5G security in our country, steals U.S. intellectual property, and supports the Chinese Communist Party’s genocide in Xinjiang and their human rights abuses across the country. We need a Commerce Department with strong national security credentials and a Secretary with a clear understanding of the CCP threat. Saying people should not use Huawei and actually keeping them on the Entity List are two very different things that result in very different outcomes. I again strongly urge the Biden Administration to reconsider this dangerous position. Until they make their intentions clear on whether they will keep Huawei on the Entity List, I urge my Senate colleagues to hold Ms. Raimondo’s confirmation.
    • McCaul added this background:
      • After the Biden Administration’s nominee for Commerce Secretary, Gina Raimondo, caused heads to turn by refusing to commit to keeping Huawei on the Entity List, White House Press Secretary Jen Psaki seemed to double down by declining on two separate occasions when directly asked to say where President Biden stood on the issue.
      • Huawei was placed on the Commerce Department’s Entity List in August of 2019. Their addition to the Entity List was also one of the recommendations of the [House Republican’s] China Task Force Report.
  • The National Highway Traffic Safety Administration (NHTSA), an agency of the United States (U.S.) Department of Transportation (DOT) is asking for comment “on the Agency’s updated draft cybersecurity best practices document titled Cybersecurity Best Practices for the Safety of Modern Vehicles” according to the notice published in the Federal Register. Comments are due by 15 March 2021. NHTSA explained:
    • In October 2016, NHTSA issued its first best practices document focusing on the cybersecurity of motor vehicles and motor vehicle equipment.Cybersecurity Best Practices for Modern Vehicles (“2016 Best Practices”) was the culmination of years of extensive engagement with public and private stakeholders and NHTSA research on vehicle cybersecurity and methods of enhancing vehicle cybersecurity industry-wide. As explained in the accompanying Federal Register document, NHTSA’s 2016 Best Practices was released with the goal of supporting industry-led efforts to improve the industry’s cybersecurity posture and provide the Agency’s views on how the automotive industry could develop and apply sound risk-based cybersecurity management processes during the vehicle’s entire lifecycle.
    • The 2016 Best Practices leveraged existing automotive domain research as well as non-automotive and IT-focused standards such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Center for internet Security’s Critical Security Controls framework. NHTSA considered these sources to be reasonably applicable and appropriate to augment the limited industry-specific guidance that was available at the time. At publication, NHTSA noted that the 2016 Best Practices were intended to be updated with new information, research, and other cybersecurity best practices related to the automotive industry. NHTSA invited comments from stakeholders and interested parties in response to the document.
    • NHTSA is docketing a draft update to the agency’s 2016 Best Practices, titled Cybersecurity Best Practices for the Safety of Modern Vehicles (2020 Best Practices) for public comments. This update builds upon agency research and industry progress since 2016, including emerging voluntary industry standards, such as the ISO/SAE Draft International Standard (DIS) 21434, “Road Vehicles—Cybersecurity Engineering.” In addition, the draft update references a series of industry best practice guides developed by the Auto-ISAC through its members.
    • The 2020 Best Practices also reflect findings from NHTSA’s continued research in motor vehicle cybersecurity, including over-the-air updates, encryption methods, and building our capability in cybersecurity penetration testing and diagnostics, and the new learnings obtained through researcher and stakeholder engagement. Finally, the updates included in the 2020 Best Practices incorporate insights gained from public comments received in response to the 2016 guidance and from information obtained during the annual SAE/NHTSA Vehicle Cybersecurity Workshops.
  • Ireland’s Data Protection Commission (DPC) has released a draft Fundamentals for a Child-Oriented Approach to Data Processing Draft Version for Consultation (Fundamentals) for consultation until 31 March 2021. The DPC asserted the
    • Fundamentals have been drawn up by the Data Protection Commission (DPC) to drive improvements in standards of data processing. They introduce child-specific data protection interpretative principles and recommended measures that will enhance the level of protection afforded to children against the data processing risks posed to them by their use of/ access to services in both an online and offline world. In tandem, the Fundamentals will assist organisations that process children’s data by clarifying the principles, arising from the high-level obligations under the GDPR, to which the DPC expects such organisations to adhere.
    • The DPC “identified the following 14 Fundamentals that organisations should follow to enhance protections for children in the processing of their personal data:
      • 1. FLOOR OF PROTECTION: Online service providers should provide a “floor” of protection for all users, unless they take a risk-based approach to verifying the age of their users so that the protections set out in these Fundamentals are applied to all processing of children’s data (Section 1.4 “Complying with the Fundamentals”).
      • 2. CLEAR-CUT CONSENT: When a child has given consent for their data to be processed, that consent must be freely given, specific, informed and unambiguous, made by way of a clear statement or affirmative action (Section2.4 “Legal bases for processing children’s data”).
      • 3. ZERO INTERFERENCE: Online service providers processing children’s data should ensure that the pursuit of legitimate interests do not interfere with, conflict with or negatively impact, at any level, the best interests of the child (Section 2.4 “Legal bases for processing children’s data”).
      • 4. KNOW YOUR AUDIENCE: Online service providers should take steps to identify their users and ensure that services directed at/ intended for or likely to be accessed by children have child-specific data protection measures in place (Section 3.1 “Knowing your audience”)
      • 5. INFORMATION IN EVERY INSTANCE: Children are entitled to receive information about the processing of their own personal data irrespective of the legal basis relied on and even if consent was given by a parent on their behalf to the processing of their personal data (Section 3 “Transparency and children”).
      • 6. CHILD-ORIENTED TRANSPARENCY: Privacy information about how personal data is used must be provided in a concise, transparent, intelligible and accessible way, using clear and plain language that is comprehensible and suited to the age of the child (Section 3 “Transparency and children”).
      • 7 .LET CHILDREN HAVE THEIR SAY: Online service providers shouldn’t forget that children are data subjects in their own right and have rights in relation to their personal data at any age. The DPC considers that a child may exercise these rights at any time, as long as they have the capacity to do so and it is in their best interests. (Section 4.1 “The position of children as rights holders”)
      • 8. CONSENT DOESN’T CHANGE CHILDHOOD: Consent obtained from children or from the guardians/ parents should not be used as a justification to treat children of all ages as if they were adults (Section 5.1 “Age of digital consent”).
      • 9. YOUR PLATFORM, YOUR RESPONSIBILITY: Companies who derive revenue from providing or selling services through digital and online technologies pose particular risks to the rights and freedoms of children. Where such a company uses age verification and/ or relies on parental consent for processing, the DPC will expect it to go the extra mile in proving that its measures around age verification and verification of parental consent are effective. (Section 5.2 “Verification of parental consent)
      • 10. DON’T SHUT OUT CHILD USERS OR DOWNGRADE THEIR EXPERIENCE: If your service is directed at, intended for, or likely to be accessed by children, you can’t bypass your obligations simply by shutting them out or depriving them of a rich service experience. (Section 5.4 “Age verification and the child’s user experience”)
      • 11. MINIMUM USER AGES AREN’T AN EXCUSE: Theoretical user age thresholds for accessing services don’t displace the obligations of organisations to comply with the controller obligations under the GDPR and the standards and expectations set out in these Fundamentals where “underage” users are concerned. (Section 5.5 “Minimum user ages”)
      • 12. PROHIBITION ON PROFILING: Online service providers should not profile children and/ or carry out automated decision making in relation to children, or otherwise use their personal data, for marketing/advertising purposes due to their particular vulnerability and susceptibility to behavioural advertising, unless they can clearly demonstrate how and why it is in the best interests of the child to do so (Section 6.2 “Profiling and automated decision making”).
      • 13. DO A DPIA: Online service providers should undertake data protection impact assessments to minimise the data protection risks of their services, and in particular the specific risks to children which arise from the processing of their personal data. The principle of the best interests of the child must be a key criterion in any DPIA and must prevail over the commercial interests of an organisation in the event of a conflict between the two sets of interests (Section 7.1 “Data Protection Impact Assessments”).
      • 14. BAKE IT IN: Online service providers that routinely process children’s personal data should, by design and by default, have a consistently high level of data protection which is “baked in” across their services (Section 7.2 “Data Protection by Design and Default”)
  • The United Kingdom’s (UK) Competition and Markets Authority (CMA) “is now seeking evidence from academics and industry experts on the potential harms to competition and consumers caused by the deliberate or unintended misuse of algorithms…[and] is also looking for intelligence on specific issues with particular firms that the CMA could examine and consider for future action.” CMA stated “[t]he research and feedback will inform the CMA’s future work in digital markets, including its programme on analysing algorithms and the operation of the new Digital Markets Unit (DMU), and the brand-new regulatory regime that the DMU will oversee.” The CMA stated:
    • Algorithms can be used to personalise services in ways that are difficult to detect, leading to search results that can be manipulated to reduce choice or artificially change consumers’ perceptions. An example of this is misleading messages which suggest a product is in short supply.
    • Companies can also use algorithms to change the way they rank products on websites, preferencing their own products and excluding competitors. More complex algorithms could aid collusion between businesses without firms directly sharing information. This could lead to sustained higher prices for products and services.
    • The majority of algorithms used by private firms online are currently subject to little or no regulatory oversight and the research concludes that more monitoring and action is required by regulators, including the CMA. The CMA has already considered the impact of algorithms on competition and consumers in previous investigations, for example monitoring the pricing practices of online travel agents.
    • In the algorithms paper, the CMA explained:
      • The publication of this paper, and the accompanying call for information mark the launch of a new CMA programme of work on analysing algorithms, which aims to develop our knowledge and help us better identify and address harms. This paper reviews the potential harms to competition and consumers from the use of algorithms, focussing on those the CMA or other national competition or consumer authorities may be best placed to address.
      • We first describe direct harms to consumers, many of which involve personalisation. Personalisation can be harmful because it is difficult to detect either by consumers or others, targets vulnerable consumers or has unfair distributive effects. These harms often occur through the manipulation of consumer choices, without the awareness of the consumer.
      • The paper then explores how the use of algorithms can exclude competitors and so reduce competition (for example, a platform preferencing its own products). We outline the most recent developments in the algorithmic collusion literature; collusion appears an increasingly significant risk if the use of more complex pricing algorithms becomes widespread. We also describe how using ineffective algorithms to oversee platform activity fails to prevent harm.
      • Next, we summarise techniques that could be used to analyse algorithmic systems. Potentially problematic systems can be identified even without access to underlying algorithms and data. However, to understand fully how an algorithmic system works and whether consumer or competition law is being breached, regulators need appropriate methods to audit the system. We finally discuss the role of regulators. Regulators can help to set standards and facilitate better accountability of algorithmic systems, including support for the development of ethical approaches, guidelines, tools and principles. They can also use their information gathering powers to identify and remedy harms on either a case-by-case basis or as part of an ex-ante regime overseen by a regulator of technology firms, such as the proposed Digital Markets Unit (DMU) in the UK.
  • The National Institute of Standards and Technology (NIST) is making available for comment a draft of NIST Special Publication (SP) 800-47 Revision 1, Managing the Security of Information Exchanges, that “provides guidance on identifying information exchanges; risk-based considerations for protecting exchanged information before, during, and after the exchange; and example agreements for managing the protection of the exchanged information.” NIST is accepting comments through 12 March 2021. The agency stated:
    • Rather than focus on any particular type of technology-based connection or information access, this draft publication has been updated to define the scope of information exchange, describe the benefits of securely managing the information exchange, identify types of information exchanges, discuss potential security risks associated with information exchange, and detail a four-phase methodology to securely manage information exchange between systems and organizations. Organizations are expected to further tailor the guidance to meet specific organizational needs and requirements.
    • NIST is specifically interested in feedback on:
      • Whether the agreements addressed in the draft publication represent a comprehensive set of agreements needed to manage the security of information exchange.
      • Whether the matrix provided to determine what types of agreements are needed is helpful in determining appropriate agreement types.
      • Whether additional agreement types are needed, as well as examples of additional agreements.
      • Additional resources to help manage the security of information exchange.

Coming Events

  • On 3 February, the Senate Commerce, Science, and Transportation Committee will consider the nomination of Rhode Island Governor Gina Raimondo to be the Secretary of Commerce.
  • On 17 February, the Federal Communications Commission (FCC) will hold an open meeting, its first under acting Chair Jessica Rosenworcel, with this tentative agenda:
    • Presentation on the Emergency Broadband Benefit Program. The Commission will hear a presentation on the creation of an Emergency Broadband Benefit Program. Congress charged the FCC with developing a new $3.2 billion program to help Americans who are struggling to pay for internet service during the pandemic.
    • Presentation on COVID-19 Telehealth Program. The Commission will hear a presentation about the next steps for the agency’s COVID-19 Telehealth program. Congress recently provided an additional $249.95 million to support the FCC’s efforts to expand connected care throughout the country and help more patients receive health care safely.
    • Presentation on Improving Broadband Mapping Data. The Commission will hear a presentation on the work the agency is doing to improve its broadband maps. Congress directly appropriated $65 million to help the agency develop better data for improved maps.
    • Addressing 911 Fee Diversion. The Commission will consider a Notice of Proposed Rulemaking that would implement section 902 of the Don’t Break Up the T-Band Act of 2020, which requires the Commission to take action to help address the diversion of 911 fees by states and other jurisdictions for purposes unrelated to 911. (PS Docket Nos. 20-291, 09-14)
    • Implementing the Secure and Trusted Communications Networks Act. The Commission will consider a Third Further Notice of Proposed Rulemaking that proposes to modify FCC rules consistent with changes that were made to the Secure and Trusted Communications Networks Act in the Consolidated Appropriations Act, 2021. (WC Docket No. 18-89)
  • On 27 July 2021, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by John Howard from Pixabay

Preview of Senate Democratic Chairs

It’s not clear who will end up where, but new Senate chairs will change focus and agenda of committees and debate over the next two years.

With the victories of Senators-elect Rafael Warnock (D-GA) and Jon Ossoff (D-GA), control of the United States Senate will tip to the Democrats once Vice President-elect Kamala Harris (D) is sworn in and can break the 50-50 tie in the chamber in favor of the Democrats. With the shift in control, new chairs will take over committees key to setting the agenda over the next two years in the Senate. However, given the filibuster, and the fact that Senate Republicans will exert maximum leverage through its continued use, Democrats will be hamstrung and forced to work with Republicans on matters such as federal privacy legislation, artificial intelligence (AI), the Internet of Things (IOT), cybersecurity, data flows, surveillance, etc. just as Republicans have had to work with Democrats over the six years they controlled the chamber. Having said that, Democrats will be in a stronger position than they had been and will have the power to set the agenda in committee hearings, being empowered to call the lion’s share of witnesses and to control the floor agenda. What’s more, Democrats will be poised to confirm President-elect Joe Biden’s nominees at agencies like the Federal Communications Commission (FCC), Federal Trade Commission (FTC), the Department of Justice (DOJ), and others, giving the Biden Administration a free hand in many areas of technology policy.

All of that being said, this is not meant to be an exhaustive look at all the committees of jurisdiction and possible chairs. Rather, it seeks to survey likely chairs on selected committees and some of their priorities for the next two years. Subcommittee chairs will also be important, but until the cards get shuffled among the chairs, it will not be possible to see where they land at the subcommittee level.

When considering the possible Democratic chairs of committees, one must keep in mind it is often a matter of musical chairs with the most senior members getting first choice. And so, with Senator Patrick Leahy (D-VT) as the senior-most Democratic Senator, he may well choose to leave the Appropriations Committee and move back to assume the gavel of the Judiciary Committee. Leahy has long been a stakeholder on antitrust, data security, privacy, and surveillance legislation and would be in a position to influence what bills on those and other matters before the Senate look like. If Leahy does not move to the chair on Judiciary, he may still be entitled to chair a subcommittee and exert influence.

If Leahy stays put, then current Senate Minority Whip Dick Durbin (D-IL) would be poised to leapfrog Senator Dianne Feinstein (D-CA) to chair Judiciary after Feinstein was persuaded to step aside on account of her lackluster performance in a number of high-profile hearings in 2020. Durbin has also been active on privacy, data security, and surveillance issues. The Judiciary Committee will be central to a number of technology policies, including Foreign Intelligence Surveillance Act reauthorization, privacy legislation, Section 230 reform, antitrust, and others. On the Republican side of the dais, Senator Lindsey Graham (R-SC) leaving the top post because of term limit restrictions imposed by Republicans, and Senator Charles Grassley (R-IA) is set to replace him. How this changes the 47 USC 230 (Section 230) debate is not immediately clear. And yet, Grassley and three colleagues recently urged the Trump Administration in a letter to omit language in a trade agreement with the United Kingdom (UK) that mirrors the liability protection Section 230. Senators Rob Portman (R-OH), Mark R. Warner (D-VA), Richard Blumenthal (D-CT), and Grassley argued to U.S. Trade Representative Ambassador Robert Lighthizer that a “safe harbor” like the one provided to technology companies for hosting or moderating third party content is outdated, not needed in a free trade agreement, contrary to the will of both the Congress and UK Parliament, and likely to be changed legislatively in the near future. It is likely, however, Grassley will fall in with other Republicans propagating the narrative that social media is unfairly biased against conservatives, particularly in light of the recent purge of President Donald Trump for his many, repeated violations of policy.

The Senate Judiciary Committee will be central in any policy discussions of antitrust and anticompetition in the technology realm. But it bears note the filibuster (and the very low chances Senate Democrats would “go nuclear” and remove all vestiges of the functional supermajority requirement to pass legislation) will give Republicans leverage to block some of the more ambitious reforms Democrats might like to enact (e.g. the House Judiciary Committee’s October 2020 final report that calls for nothing less than a complete remaking of United States (U.S.) antitrust policy and law; see here for more analysis.)

It seems Senator Sherrod Brown (D-OH) will be the next chair of the Senate Banking, Housing, and Urban Development Committee which has jurisdiction over cybersecurity, data security, privacy, and other issues in the financial services sector, making it a player on any legislation designed to encompass the whole of the United States economy. Having said that, it may again be the case that sponsors of, say, privacy legislation decide to cut the Gordian knot of jurisdictional turf battles by cutting out certain committees. For example, many of the privacy bills had provisions making clear they would deem financial services entities in compliance with the Financial Services Modernization Act of 1999 (P.L. 106-102) (aka Gramm-Leach-Bliley) to be in compliance with the new privacy regime. I suppose these provisions may have been included on the basis of the very high privacy and data security standards Gramm-Leach-Bliley has brought about (e.g. the Experian hack), or sponsors of federal privacy legislation made the strategic calculation to circumvent the Senate Banking Committee as much as they can. Nonetheless, this committee has sought to insert itself into the policymaking process on privacy last year as Brown and outgoing Chair Mike Crapo (R-ID) requested “feedback” in February 2019 “from interested stakeholders on the collection, use and protection of sensitive information by financial regulators and private companies.” Additionally, Brown released what may be the most expansive privacy bill from the perspective of privacy and civil liberties advocates, the “Data Accountability and Transparency Act of 2020” in June 2020 (see here for my analysis.) Therefore, Brown may continue to push for a role in federal privacy legislation with a gavel in his hands.

In a similar vein, Senator Patty Murray (D-WA) will likely take over the Senate Health, Education, Labor, and Pensions (HELP) Committee which has jurisdiction over health information privacy and data security through the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). Again, as with the Senate Banking Committee and Gramm-Leach-Bliley, most of the privacy bills exempt HIPAA-compliant entities. And yet, even if her committee is cut out of a direct role in privacy legislation, Murray will still likely exert influence through oversight of and possible legislation changing HIPAA regulations and the Department of Health and Human Services (HHS) enforcement and rewriting of these standards for most of the healthcare industry. For example, HHS is rushing a rewrite of the HIPAA regulations at the tail end of the Trump Administration, and Murray could be in a position to inform how the Biden Administration and Secretary of Health and Human Services-designate Xavier Berra handles this rulemaking. Additionally, Murray may push the Office of Civil Rights (OCR), the arm of HHS that writes and enforces these regulations, to prioritize matters differently.

Senator Maria Cantwell (D-WA) appears to be the next chair of the Senate Commerce, Science, and Transportation Committee and arguably the largest technology portfolio in the Senate. It is the primary committee of jurisdiction for the FCC, FTC, National Telecommunications and Information Administration (NTIA), the National Institute of Standards and Technology (NIST), and the Department of Commerce. Cantwell may exert influence on which people are nominated to head and staff those agencies and others. Her committee is also the primary committee of jurisdiction for domestic and international privacy and data protection matters. And so, federal privacy legislation will likely be drafted by this committee, and legislative changes so the U.S. can enter into a new personal data sharing agreement with the European Union (EU) would also likely involve her and her committee.

Cantwell and likely next Ranking Member Roger Wicker (R-MS) agree on many elements of federal privacy law but were at odds last year on federal preemption and whether people could sue companies for privacy violations. Between them, they circulated three privacy bills. In September 2020, Wicker and three Republican colleagues introduced the “Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act” (S.4626) (see here for more analysis). Wicker had put out for comment a discussion draft, the “Consumer Data Privacy Act of 2019” (CDPA) (See here for analysis) in November 2019 shortly after the Ranking Member on the committee, Senator Maria Cantwell (D-WA) and other Democrats had introduced their privacy bill, the “Consumer Online Privacy Rights Act“ (COPRA) (S.2968) (See here for more analysis).

Cantwell could also take a leading role on Section 230, but her focus, of late, seems to be on how technology companies are wreaking havoc to traditional media. released a report that she has mentioned during her opening statement at the 23 September hearing aimed at trying to revive data privacy legislation. She and her staff investigated the decline and financial troubles of local media outlets, which are facing a cumulative loss in advertising revenue of up to 70% since 2000. And since advertising revenue has long been the life blood of print journalism, this has devastated local media with many outlets shutting their doors or radically cutting their staff. This trend has been exacerbated by consolidation in the industry, often in concert with private equity or hedge funds looking to wring the last dollars of value from bargain basement priced newspapers. Cantwell also claimed that the overwhelming online advertising dominance of Google and Facebook has further diminished advertising revenue and other possible sources of funding through a variety of means. She intimates that much of this content may be illegal under U.S. law, and the FTC may well be able to use its Section 5 powers against unfair and deceptive acts and its anti-trust authority to take action. (see here for more analysis and context.) In this vein, Cantwell will want her committee to play in any antitrust policy changes, likely knowing massive changes in U.S. law are not possible in a split Senate with entrenched party positions and discipline.

Senator Jack Reed (D-RI) will take over the Senate Armed Services Committee and its portfolio over national security technology policy that includes the cybersecurity, data protection and supply chain of national security agencies and their contractors, AI, offensive and defensive U.S. cyber operations, and other realms. Much of the changes Reed and his committee will seek to make will be through the annual National Defense Authorization Act (NDAA) (see here and here for the many technology provisions in the FY 2021 NDAA.) Reed may also prod the Department of Defense (DOD) to implement or enforce the Cybersecurity Maturity Model Certification (CMMC) Framework differently than envisioned and designed by the Trump Administration. In December 2020, a new rule took effect designed to drive better cybersecurity among U.S. defense contractors. This rule brings together two different lines of effort to require the Defense Industrial Base (DIB) to employ better cybersecurity given the risks they face by holding and using classified information, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The Executive Branch has long wrestled with how to best push contractors to secure their systems, and Congress and the White House have opted for using federal contract requirements in that contractors must certify compliance. However, the most recent initiative, the CMMC Framework will require contractors to be certified by third party assessors. And yet, it is not clear the DOD has wrestled with the often-misaligned incentives present in third party certification schemes.

Reed’s committee will undoubtedly delve deep into the recent SolarWinds hack and implement policy changes to avoid a reoccurrence. Doing so may lead the Senate Armed Services Committee back to reconsidering the Cyberspace Solarium Commission’s (CSC) March 2020 final report and follow up white papers, especially their views embodied in “Building a Trusted ICT Supply Chain.”

Senator Mark Warner (D-VA) will likely take over the Senate Intelligence Committee. Warner has long been a stakeholder on a number of technology issues and would be able to exert influence on the national security components of such issues. He and his committee will almost certainly play a role in the Congressional oversight of and response to the SolarWinds hack. Likewise, his committee shares jurisdiction over FISA with the Senate Judiciary Committee and over national security technology policy with the Armed Services Committee.

Senator Amy Klobuchar (D-MN) would be the Senate Democratic point person on election security from her perch at the Senate Rules and Administration Committee, which may enable her to more forcefully push for the legislative changes she has long advocated for. In May 2019, Klobuchar and other Senate Democrats introduced the “Election Security Act” (S. 1540), the Senate version of the stand-alone measure introduced in the House that was taken from the larger package, the “For the People Act” (H.R. 1) passed by the House.

In August 2018, the Senate Rules and Administration Committee postponed indefinitely a markup on a compromise bill to provide states additional assistance in securing elections from interference, the “The Secure Elections Act” (S.2593). Reportedly, there was concern among state officials that a provision requiring audits of election results would be in effect an unfunded mandate even though this provision was softened at the insistence of Senate Republican leadership. However, a Trump White House spokesperson indicated in a statement that the Administration opposed the bill, which may have posed an additional obstacle to Committee action. However, even if the Senate had passed its bill, it was unlikely that the Republican controlled House would have considered companion legislation (H.R. 6663).

Senator Gary Peters (D-MI) may be the next chair of the Senate Homeland Security and Governmental Affairs Committee, and if so, he will continue to face the rock on which many the bark of cybersecurity legislation has been dashed: Senator Ron Johnson (R-WI). So significant has Johnson’s opposition been to bipartisan cybersecurity legislation from the House, some House Republican stakeholders have said so in media accounts not bothering to hide in anonymity. And so whatever Peters’ ambitions may be to shore up the cybersecurity of the federal government as his committee will play a role in investigating and responding to the Russian hack of SolarWinds and many federal agencies, he will be limited by whatever Johnson and other Republicans will allow to move through the committee and through the Senate. Of course, Peters’ purview would include the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA) and its remit to police the cybersecurity practices of the federal government. Peters would also have in his portfolio the information technology (IT) practices of the federal government, some $90 billion annually across all agencies.

Finally, whether it be Leahy or Durbin at the Senate Appropriations Committee, this post allows for immense influence in funding and programmatic changes in all federal programs through the power of the purse Congress holds.

Further Reading, Other Development, and Coming Events (4 January 2021)

Further Reading

  • Microsoft Says Russian Hackers Viewed Some of Its Source Code” By Nicole Perlroth — The New York Times. The Sluzhba vneshney razvedki Rossiyskoy Federatsii’s (SVR) hack keeps growing and growing with Microsoft admitting its source code was viewed through an employee account. It may be that authorized Microsoft resellers were one of the vectors by which the SVR accessed SolarWinds, FireEye, and ultimately a number of United States (U.S.) government agencies. Expect more revelations to come about the scope and breadth of entities and systems the SVR compromised.
  • In 2020, we reached peak Internet. Here’s what worked — and what flopped.” By Geoffrey Fowler — The Washington Post. The newspaper’s tech columnist reviews the technology used during the pandemic and what is likely to stay with us when life returns to some semblance of normal.
  • Facebook Says It’s Standing Up Against Apple For Small Businesses. Some Of Its Employees Don’t Believe It.” By Craig Silverman and Ryan Mac — BuzzFeed News. Again, two of the best-sourced journalists when it comes to Facebook have exposed employee dissent within the social media and advertising giant, and this time over the company’s advertising blitz positioning it as the champion of small businesses that allegedly stand to be hurt when Apple rolls out iOS 14 that will allow users to block the type of tracking across apps and the internet Facebook thrives on. The company’s PR campaign stands in contrast to the anecdotal stories about errors that harmed and impeded small companies in using Facebook to advertise and sell products and services to cusstomers.
  • SolarWinds hack spotlights a thorny legal problem: Who to blame for espionage?” By Tim Starks — cyberscoop. This piece previews possible and likely inevitable litigation to follow from the SolarWinds hack, including possible securities action on the basis of fishy dumps of stock by executive, breach of contract, and negligence for failing to patch and address vulnerabilities in a timely fashion. Federal and state regulators will probably get on the field, too. But this will probably take years to play out as Home Depot settled claims arising from its 2014 breach with state attorneys general in November 2020.
  • The Tech Policies the Trump Administration Leaves Behind” By Aaron Boyd — Nextgov. A look back at the good, the bad, and the ugly of the Trump Administration’s technology policies, some of which will live on in the Biden Administration.

Other Developments

  • In response to the SolarWinds hack, the Federal Bureau of Investigation (FBI), the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) issued a joint statement indicating that the process established in Pursuant to Presidential Policy Directive (PPD) 41, an Obama Administration policy has been activated and a Cyber Unified Coordination Group (UCG) has been formed “to coordinate a whole-of-government response to this significant cyber incident.” The agencies explained “[t]he UCG is intended to unify the individual efforts of these agencies as they focus on their separate responsibilities.”
    • In PPD-41 it is explained that a UCG “shall serve as the primary method for coordinating between and among Federal agencies in response to a significant cyber incident as well as for integrating private sector partners into incident response efforts, as appropriate.” Moreover, “[t]he Cyber UCG is intended to result in unity of effort and not to alter agency authorities or leadership, oversight, or command responsibilities.”
  • Following the completion of its “in-depth” investigation, the European Commission (EC) cleared Google’s acquisition of Fitbit with certain conditions, removing a significant hurdle for the American multinational in buying the wearable fitness tracker company. In its press release, the EC explained that after its investigation, “the Commission had concerns that the transaction, as initially notified, would have harmed competition in several markets.” To address and allay concerns, Google bound itself for ten years to a set of commitments that can be unilaterally extended by the EC and will be enforced, in part, by the appointment of a trustee to oversee compliance.
    • The EC was particularly concerned about:
      • Advertising: By acquiring Fitbit, Google would acquire (i) the database maintained by Fitbit about its users’ health and fitness; and (ii) the technology to develop a database similar to that of Fitbit. By increasing the already vast amount of data that Google could use for the personalisation of ads, it would be more difficult for rivals to match Google’s services in the markets for online search advertising, online display advertising, and the entire “ad tech” ecosystem. The transaction would therefore raise barriers to entry and expansion for Google’s competitors for these services to the detriment of advertisers, who would ultimately face higher prices and have less choice.
      • Access to Web Application Programming Interface (‘API’) in the market for digital healthcare: A number of players in this market currently access health and fitness data provided by Fitbit through a Web API, in order to provide services to Fitbit users and obtain their data in return. The Commission found that following the transaction, Google might restrict competitors’ access to the Fitbit Web API. Such a strategy would come especially at the detriment of start-ups in the nascent European digital healthcare space.
      • Wrist-worn wearable devices: The Commission is concerned that following the transaction, Google could put competing manufacturers of wrist-worn wearable devices at a disadvantage by degrading their interoperability with Android smartphones.
    • As noted, Google made a number of commitments to address competition concerns:
      • Ads Commitment:
        • Google will not use for Google Ads the health and wellness data collected from wrist-worn wearable devices and other Fitbit devices of users in the EEA, including search advertising, display advertising, and advertising intermediation products. This refers also to data collected via sensors (including GPS) as well as manually inserted data.
        • Google will maintain a technical separation of the relevant Fitbit’s user data. The data will be stored in a “data silo” which will be separate from any other Google data that is used for advertising.
        • Google will ensure that European Economic Area (‘EEA’) users will have an effective choice to grant or deny the use of health and wellness data stored in their Google Account or Fitbit Account by other Google services (such as Google Search, Google Maps, Google Assistant, and YouTube).
      • Web API Access Commitment:
        • Google will maintain access to users’ health and fitness data to software applications through the Fitbit Web API, without charging for access and subject to user consent.
      • Android APIs Commitment:
        • Google will continue to license for free to Android original equipment manufacturers (OEMs) those public APIs covering all current core functionalities that wrist-worn devices need to interoperate with an Android smartphone. Such core functionalities include but are not limited to, connecting via Bluetooth to an Android smartphone, accessing the smartphone’s camera or its GPS. To ensure that this commitment is future-proof, any improvements of those functionalities and relevant updates are also covered.
        • It is not possible for Google to circumvent the Android API commitment by duplicating the core interoperability APIs outside the Android Open Source Project (AOSP). This is because, according to the commitments, Google has to keep the functionalities afforded by the core interoperability APIs, including any improvements related to the functionalities, in open-source code in the future. Any improvements to the functionalities of these core interoperability APIs (including if ever they were made available to Fitbit via a private API) also need to be developed in AOSP and offered in open-source code to Fitbit’s competitors.
        • To ensure that wearable device OEMs have also access to future functionalities, Google will grant these OEMs access to all Android APIs that it will make available to Android smartphone app developers including those APIs that are part of Google Mobile Services (GMS), a collection of proprietary Google apps that is not a part of the Android Open Source Project.
        • Google also will not circumvent the Android API commitment by degrading users experience with third party wrist-worn devices through the display of warnings, error messages or permission requests in a discriminatory way or by imposing on wrist-worn devices OEMs discriminatory conditions on the access of their companion app to the Google Play Store.
  • The United States (U.S.) Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) has proposed a major rewrite of the regulations governing medical privacy in the U.S. As the U.S. lacks a unified privacy regime, the proposed changes would affect on those entities in the medical sector subject to the regime, which is admittedly many such entities. Nevertheless, it is almost certain the Biden Administration will pause this rulemaking and quite possibly withdraw it should it prove crosswise with the new White House’s policy goals.
    • HHS issued a notice of proposed rulemaking “to modify the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).”
      • HHS continued:
        • The Privacy Rule is one of several rules, collectively known as the HIPAA Rules, that protect the privacy and security of individuals’ medical records and other protected health information (PHI), i.e., individually identifiable health information maintained or transmitted by or on behalf of HIPAA covered entities (i.e., health care providers who conduct covered health care transactions electronically, health plans, and health care clearinghouses).
        • The proposals in this NPRM support the Department’s Regulatory Sprint to Coordinated Care (Regulatory Sprint), described in detail below. Specifically, the proposals in this NPRM would amend provisions of the Privacy Rule that could present barriers to coordinated care and case management –or impose other regulatory burdens without sufficiently compensating for, or offsetting, such burdens through privacy protections. These regulatory barriers may impede the transformation of the health care system from a system that pays for procedures and services to a system of value-based health care that pays for quality care.
    • In a press release, OCR asserted:
      • The proposed changes to the HIPAA Privacy Rule include strengthening individuals’ rights to access their own health information, including electronic information; improving information sharing for care coordination and case management for individuals; facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhancing flexibilities for disclosures in emergency or threatening circumstances, such as the Opioid and COVID-19 public health emergencies; and reducing administrative burdens on HIPAA covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests.
  • The Federal Trade Commission (FTC) has used its powers to compel selected regulated entities to provide requested information in asking that “nine social media and video streaming companies…provide data on how they collect, use, and present personal information, their advertising and user engagement practices, and how their practices affect children and teens.” The TFTC is using its Section 6(b) authority to compel the information from Amazon.com, Inc., ByteDance Ltd., which operates the short video service TikTok, Discord Inc., Facebook, Inc., Reddit, Inc., Snap Inc., Twitter, Inc., WhatsApp Inc., and YouTube LLC. Failure to respond can result in the FTC fining a non-compliant entity.
    • The FTC claimed in its press release it “is seeking information specifically related to:
      • how social media and video streaming services collect, use, track, estimate, or derive personal and demographic information;
      • how they determine which ads and other content are shown to consumers;
      • whether they apply algorithms or data analytics to personal information;
      • how they measure, promote, and research user engagement; and
      • how their practices affect children and teens.
    • The FTC explained in its sample order:
      • The Commission is seeking information concerning the privacy policies, procedures, and practices of Social Media and Video Streaming Service providers, Including the method and manner in which they collect, use, store, and disclose Personal Information about consumers and their devices. The Special Report will assist the Commission in conducting a study of such policies, practices, and procedures.
  • The United States (U.S.) Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) supplemented its Emergency Directive 21-01 to federal civilian agencies in response to the Sluzhba vneshney razvedki Rossiyskoy Federatsii’s (SVR) hack via SolarWinds. In an 18 December update, CISA explained:
    • This section provides additional guidance on the implementation of CISA Emergency Directive (ED) 21-01, to include an update on affected versions, guidance for agencies using third-party service providers, and additional clarity on required actions.
    •  In a 30 December update, CISA stated:
      • Specifically, all federal agencies operating versions of the SolarWinds Orion platform other than those identified as “affected versions” below are required to use at least SolarWinds Orion Platform version 2020.2.1HF2. The National Security Agency (NSA) has examined this version and verified that it eliminates the previously identified malicious code. Given the number and nature of disclosed and undisclosed vulnerabilities in SolarWinds Orion, all instances that remain connected to federal networks must be updated to 2020.2.1 HF2 by COB December 31, 2020. CISA will follow up with additional supplemental guidance, to include further clarifications and hardening requirements.
  • Australia’s Attorney-General’s Department published an unclassified version of the four volumes of the “Report of the Comprehensive Review of the Legal Framework of the National Intelligence Community,” an “examination of the legislative framework underpinning the National Intelligence Community (NIC)…the first and largest since the Hope Royal Commissions considered the Australian Intelligence Community (AIC) in the 1970s and 1980s.” Ultimately, the authors of the report concluded:
    • We do not consider the introduction of a common legislative framework, in the form of a single Act governing all or some NIC agencies, to be a practical, pragmatic or proportionate reform. It would be unlikely that the intended benefits of streamlining and simplifying NIC legislation could be achieved due to the diversity of NIC agency functions—from intelligence to law enforcement, regulatory and policy—and the need to maintain differences in powers, immunities and authorising frameworks. The Review estimates that reform of this scale would cost over $200million and take up to 10years to complete. This would be an impractical and disproportionate undertaking for no substantial gain. In our view, the significant costs and risks of moving to a single, consolidated Act clearly outweigh the limited potential benefits.
    • While not recommending a common legislative framework for the entire NIC, some areas of NIC legislation would benefit from simplification and modernisation. We recommend the repeal of the TIA Act, Surveillance Devices Act 2004(SD Act) and parts of the Australian Security Intelligence Organisation Act 1979 (ASIO Act), and their replacement with a single new Act governing the use of electronic surveillance powers—telecommunications interception, covert access to stored communications, computers and telecommunications data, and the use of optical, listening and tracking devices—under Commonwealth law.
  • The National Institute of Standards and Technology (NIST) released additional materials to supplement a major rewrite of a foundational security guidance document. NIST explained “[n]ew supplemental materials for NIST Special Publication (SP) 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, are available for download to support the December 10, 2020 errata release of SP 800-53 and SP 800-53B, Control Baselines for Information Systems and Organizations.” These supplemental materials include:
    • A comparison of the NIST SP 800-53 Revision 5 controls and control enhancements to Revision 4. The spreadsheet describes the changes to each control and control enhancement, provides a brief summary of the changes, and includes an assessment of the significance of the changes.  Note that this comparison was authored by The MITRE Corporation for the Director of National Intelligence (DNI) and is being shared with permission by DNI.
    • Mapping of the Appendix J Privacy Controls (Revision 4) to Revision 5. The spreadsheet supports organizations using the privacy controls in Appendix J of SP 800-53 Revision 4 that are transitioning to the integrated control catalog in Revision 5.
    • Mappings between NIST SP 800-53 and other frameworks and standards. The mappings provide organizations a general indication of SP 800-53 control coverage with respect to other frameworks and standards. When leveraging the mappings, it is important to consider the intended scope of each publication and how each publication is used; organizations should not assume equivalency based solely on the mapping tables because mappings are not always one-to-one and there is a degree of subjectivity in the mapping analysis.
  • Via a final rule, the Department of Defense (DOD) codified “the National Industrial Security Program Operating Manual (NISPOM) in regulation…[that] establishes requirements for the protection of classified information disclosed to or developed by contractors, licensees, grantees, or certificate holders (hereinafter referred to as contractors) to prevent unauthorized disclosure.” The DOD stated “[i]n addition to adding the NISPOM to the Code of Federal Regulations (CFR), this rule incorporates the requirements of Security Executive Agent Directive (SEAD) 3, “Reporting Requirements for Personnel with Access to Classified Information or Who Hold a Sensitive Position.” The DOD stated “SEAD 3 requires reporting by all contractor cleared personnel who have been granted eligibility for access to classified information.”
    • The DOD added “[t]his NISPOM rule provides for a single nation-wide implementation plan which will, with this rule, include SEAD 3 reporting by all contractor cleared personnel to report specific activities that may adversely impact their continued national security eligibility, such as reporting of foreign travel and foreign contacts.”
    • The DOD explained “NISP Cognizant Security Agencies (CSAs) shall conduct an analysis of such reported activities to determine whether they pose a potential threat to national security and take appropriate action.”
    • The DOD added that “the rule also implements the provisions of Section 842 of Public Law 115-232, which removes the requirement for a covered National Technology and Industrial Base (NTIB) entity operating under a special security agreement pursuant to the NISP to obtain a national interest determination as a condition for access to proscribed information.”
  • An advisory committee housed at the United States (U.S.) Department of Homeland Security (DHS) is calling for the White House to quickly “operationalize intelligence in a classified space with senior executives and cyber experts from most critical entities in the energy, financial services, and communications sectors working directly with intelligence analysts and other government staff.” In their report, the President’s National Infrastructure Advisory Council (NIAC) proposed the creation of a Critical Infrastructure Command Center (CICC) to “provid[e] real-time collaboration between government and industry…[and] take direct action and provide tactical solutions to mitigate, remediate,  and deter threats.” NIAC urged the President to “direct relevant federal agencies to support the private sector in executing the concept, including identifying the required government staff…[and] work with Congress to ensure the appropriate authorities are established to allow the CICC to fully realize its operational functionality.” NIAC recommended “near-term actions to implement the CICC concept:
    • 1.The President should direct the relevant federal agencies to support the private sector in rapidly standing up the CICC concept with the energy, financial services, and communications sectors:
      • a. Within 90 days the private sector will identify the executives who will lead execution of the CICC concept and establish governing criteria (including membership, staffing and rotation, and other logistics).
      • b. Within 120 days the CICC sector executives will identify and assign the necessary CICC staff from the private sector.
      • c. Within 90 days an appropriate venue to house the operational component will be identified and the necessary agreements put in place.
    • 2. The President should direct the Intelligence Community and other relevant government agencies to identify and co-locate the required government staff counterparts to enable the direct coordination required by the CICC. This staff should be pulled from the IC, SSAs, and law enforcement.
    • 3. The President, working with Congress, should establish the appropriate authorities and mission for federal agencies to directly share intelligence with critical infrastructure companies, along with any other authorities required for the CICC concept to be fully successful (identified in Appendix A).
    • 4. Once the CICC concept is fully operational (within 180 days), the responsible executives should deliver a report to the NSC and the NIAC demonstrating how the distinct capabilities of the CICC have been achieved and the impact of the capabilities to date. The report should identify remaining gaps in resources, direction, or authorities.

Coming Events

  • On 13 January, the Federal Communications Commission (FCC) will hold its monthly open meeting, and the agency has placed the following items on its tentative agenda “Bureau, Office, and Task Force leaders will summarize the work their teams have done over the last four years in a series of presentations:
    • Panel One. The Commission will hear presentations from the Wireless Telecommunications Bureau, International Bureau, Office of Engineering and Technology, and Office of Economics and Analytics.
    • Panel Two. The Commission will hear presentations from the Wireline Competition Bureau and the Rural Broadband Auctions Task Force.
    • Panel Three. The Commission will hear presentations from the Media Bureau and the Incentive Auction Task Force.
    • Panel Four. The Commission will hear presentations from the Consumer and Governmental Affairs Bureau, Enforcement Bureau, and Public Safety and Homeland Security Bureau.
    • Panel Five. The Commission will hear presentations from the Office of Communications Business Opportunities, Office of Managing Director, and Office of General Counsel.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by opsa from Pixabay

FY 2021 Omnibus and COVID Stimulus Become Law

The end-of-the-year funding package for FY 2021 is stuffed with technology policy changes.

At the tail end of the calendar year 2020, Congress and the White House finally agreed on FY 2021 appropriations and further COVID-19 relief funding and policies, much of which implicated or involved technology policy. As is often the practice, Congressional stakeholders used the opportunity of must-pass legislation as the vehicle for other legislation that perhaps could not get through a chamber of Congress or surmount the now customary filibuster in the Senate.

Congress cleared the “Consolidated Appropriations Act, 2021” (H.R.133) on 21 December 2020, but President Donald Trump equivocated on whether to sign the package, in part, because it did not provide for $2,000 in aid to every American, a new demand at odds with the one his negotiators worked out with House Democrats and Senate Republicans. Given this disparity, it seems more likely Trump made an issue of the $2,000 assistance to draw attention from a spate of controversial pardons issued to Trump allies and friends. Nonetheless, Trump ultimately signed the package on 27 December.

As one of the only bills or set of bills to annually pass Congress, appropriations acts are often the means by which policy and programmatic changes are made at federal agencies through the ability of the legislative branch to condition the use of such funds as are provided. This year’s package is different only in that it contains much more in the way of ride-along legislation than the average omnibus. In fact, there are hundreds, perhaps even more than 1,000 pages of non-appropriations legislation, some that pertains to technology policy. Moreover, with an additional supplemental bill attached to the FY 2021 omnibus also carries significant technology funding and programming.

First, we will review FY 2021 funding and policy for key U.S. agencies, then discuss COVID-19 related legislation, and then finally all the additional legislation Congress packed into the omnibus.

The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) would receive $2.025 billion, a bare $9 million increase above FY 2020 with significant reordering of how the agency may spend its funds:

  • The agreement includes a net increase of $224,178,000 above the budget request. This includes $226,256,000 above the request to maintain current services, and $54,516,000 in enhancements that are described in more detail below. Assumed in the current services level of funding are several rejections of proposed reductions to prior year initiatives and the inclusion of necessary annualizations to sustain them, such as: $35,606,000 for threat analysis and response; $5,507,000 for soft targets and crowded places security, including school safety and best practices; $6,852,000 for bombing prevention activities, including the train-the-trainer programs; and $67,371,000 to fully fund the Chemical Facility Anti-Terrorism Standards program. The agreement includes the following reductions below the budget request: $6,937,000 for personnel cost adjustments; $2,500,000 of proposed increases to the CyberSentry program; $11,354,000 of proposed increases for the Vulnerability Management program; $2,000,000 of proposed increases to the Cybersecurity Quality Service Management Office (QSMO); $6,500,000 of proposed increases for cybersecurity advisors; and $27,303,000 for the requested increase for protective security advisors. Of the total amount provided for this account, $22,793,000 is available until September 30, 2022, for the National Infrastructure Simulation Analysis Center.

The FY 2021 omnibus requires of CISA the following:

  • Financial Transparency and Accountability.-The Cybersecurity and Infrastructure Security Agency (CISA) is directed to submit the fiscal year 2022 budget request at the same level of PP A detail provided in the table at the end of this report with no further adjustments to the PP A structure. Further, CISA shall brief the Committees not later than 45 days after the date of enactment of this Act and quarterly thereafter on: a spend plan; detailed hiring plans with a delineation of each mission critical occupation (MCO); procurement plans for all major investments to include projected spending and program schedules and milestones; and an execution strategy for each major initiative. The hiring plan shall include an update on CISA’s hiring strategy efforts and shall include the following for each MCO: the number of funded positions and FTE within each PP A; the projected and obligated funding; the number of actual onboard personnel as of the date of the plan; and the hiring and attrition projections for the fiscal year.
  • Cyber Defense Education and Training (CDET).-The agreement includes $29,457,000 for CISA’s CDET programs, an increase of$20,607,000 above the request that is described in further detail below. Efforts are underway to address the shortage of qualified national cybersecurity professionals in the current and future cybersecurity workforce. In order to move forward with a comprehensive plan for a cybersecurity workforce development effort, the agreement includes $10,000,000 above the request to enhance cybersecurity education and training and programs to address the national shortfall of cybersecurity professionals, including activities funded through the use of grants or cooperative agreements as needed in order to fully comply with congressional intent. CISA should consider building a higher education consortium of colleges and universities, led by at least one academic institution with an extensive history of education, research, policy, and outreach in computer science and engineering disciplines; existing designations as a land-grant institution with an extension role; a center of academic excellence in cyber security operations; a proven track record in hosting cyber corps programs; a record of distinction in research cybersecurity; and extensive experience in offering distance education programs and outreach with K-12 programs. The agreement also includes $4,300,000 above the request for the Cybersecurity Education and Training Assistance Program (CETAP), which was proposed for elimination, and $2,500,000 above the request to further expand and initiate cybersecurity education programs, including CETAP, which improve education delivery methods for K-12 students, teachers, counselors and post-secondary institutions and encourage students to pursue cybersecurity careers.
  • Further, the agreement includes $2,500,000 above the request to support CISA’s role with the National Institute of Standards and Technology, National Initiative for Cybersecurity Education Challenge project or for similar efforts to address shortages in the cybersecurity workforce through the development of content and curriculum for colleges, universities, and other higher education institutions.
  • Lastly, the agreement includes $800,000 above the request for a review of CISA’s program to build a national cybersecurity workforce. CISA is directed to enter into a contract for this review with the National Academy of Public Administration, or a similar non-profit organization, within 45 days of the date of enactment of this Act. The review shall assess: whether the partnership models under development by CISA are positioned to be effective and scalable to address current and anticipated needs for a highly capable cybersecurity workforce; whether other existing partnership models, including those used by other agencies and private industry, could usefully augment CISA’s strategy; and the extent to which CISA’s strategy has made progress on workforce development objectives, including excellence, scale, and diversity. A report with the findings of the review shall be provided to the Committees not later than 270 days after the date of enactment of this Act.
  • Cyber QSMO.-To help improve efforts to make strategic cybersecurity services available to federal agencies, the agreement provides $1,514,000 above the request to sustain and enhance prior year investments. As directed in the House report and within the funds provided, CISA is directed to work with the Management Directorate to conduct a crowd-sourced security testing program that uses technology platforms and ethical security researchers to test for vulnerabilities on departmental systems. In addition, not later than 90 days after the date of enactment of this Act, CISA is directed to brief the Committees on opportunities for state and local governments to leverage shared services provided through the Cyber QSMO or a similar capability and to explore the feasibility of executing a pilot program focused on this goal.
  • Cyber Threats to Critical Election Infrastructure.-The briefing required in House Report 116–458 regarding CISA’s efforts related to the 2020 elections shall be delivered not later than 60 days after the date of enactment of this Act. CISA is directed to continue working with SL TT stakeholders to implement election security measures.
  • Cybersecurity Worliforce.-By not later than September 30, 2021, CISA shall provide a joint briefing, in conjunction with the Department of Commerce and other appropriate federal departments and agencies, on progress made to date on each recommendation put forth in Executive Order 13800 and the subsequent “Supporting the Growth and Sustainment of the Nation’s Cybersecurity Workforce” report.
  • Hunt and Incident Response Teams.-The agreement includes an increase of $3,000,000 above fiscal year 2020 funding levels to expand CISA’s threat hunting capabilities.
  • Joint Cyber Planning Office (JCPO).-The agreement provides an increase of $10,568,000 above the request to establish a JCPO to bring together federal and SLTT governments, industry, and international partners to strategically and operationally counter nation-state cyber threats. CISA is directed to brief the Committees not later than 60 days after the date of enactment of this Act on a plan for establishing the JCPO, including a budget and hiring plan; a description of how JCPO will complement and leverage other CISA capabilities; and a strategy for partnering with the aforementioned stakeholders.
  • Multi-State Information Sharing and Analysis Center (MS-ISAC).-The agreement provides $5,148,000 above the request for the MS-ISAC to continue enhancements to SLTT election security support, and furthers ransomware detection and response capabilities, including endpoint detection and response, threat intelligence platform integration, and malicious domain activity blocking.
  • Software Assurance Tools.-Not later than 90 days after the date of enactment of this Act, CISA, in conjunction with the Science and Technology Directorate, is directed to brief the Committees on their collaborative efforts to transition cyber-related research and development initiatives into operational tools that can be used to provide continuous software assurance. The briefing should include an explanation for any completed projects and activities that were not considered viable for practice or were considered operationally self-sufficient. Such briefing shall include software assurance projects, such as the Software Assurance Marketplace.
  • Updated Lifecycle Cost Estimates.–CISA is directed to provide a briefing, not later than 60 days after the date of enactment of this Act, regarding the Continuous Diagnostics and Mitigation (COM) and National Cybersecurity Protection System (NCPS) program lifecycles. The briefing shall clearly describe the projected evolution of both programs by detailing the assumptions that have changed since the last approved program cost and schedule baseline, and by describing the plans to address such changes. In addition, the briefing shall include an analysis of alternatives for aligning vulnerability management, incident response, and NCPS capabilities. Finally, CISA is directed to provide a report not later than 120 days after the date of enactment of this Act with updated five-year program costs and schedules which is congruent with projected capability gaps across federal civilian systems and networks.
  • Vulnerability Management.-The agreement provides $9,452,000 above fiscal year 2020 levels to continue reducing the 12-month backlog in vulnerability assessments. The agreement also provides an increase of $8,000,000 above the request to address the increasing number of identified and reported vulnerabilities in the software and hardware that operates critical infrastructure. This investment will improve capabilities to identify, analyze, and share information about known vulnerabilities and common attack patterns, including through the National Vulnerability Database, and to expand the coordinated responsible disclosure of vulnerabilities.

There are a pair of provisions aimed at the People’s Republic of China (PRC) in Division B (i.e. the FY 2021 Commerce-Justice-Science Appropriations Act):

  • Section 514 prohibits funds for acquisition of certain information systems unless the acquiring department or agency has reviewed and assessed certain risks. Any acquisition of such an information system is contingent upon the development of a risk mitigation strategy and a determination that the acquisition is in the national interest. Each department or agency covered under section 514 shall submit a quarterly report to the Committees on Appropriations describing reviews and assessments of risk made pursuant to this section and any associated findings or determinations.
  • Section 526 prohibits the use of funds by National Aeronautics and Space Administration (NASA), Office of Science and Technology Policy (OSTP), or the National Space Council (NSC) to engage in bilateral activities with China or a Chinese-owned company or effectuate the hosting of official Chinese visitors at certain facilities unless the activities are authorized by subsequent legislation or NASA, OSTP, or NSC have made a certification…

The National Institute of Standards and Technology (NIST) is asked with a number of duties, most of which relate to current or ongoing efforts in artificial intelligence (AI), cybersecurity, and the Internet of Things:

  • Artificial Intelligence (Al). -The agreement includes no less than $6,500,000 above the fiscal year 2020 level to continue NIST’s research efforts related to AI and adopts House language on Data Characterization Standards in Al. House language on Framework for Managing AI Risks is modified to direct NIST to establish a multi-stakeholder process for the development of an Al Risk Management Framework regarding the reliability, robustness, and trustworthiness of Al systems. Further, within 180 days of enactment of this Act, NIST shall establish the process by which it will engage with stakeholders throughout the multi-year framework development process.
  • Cybersecurity.-The agreement includes no less than the fiscal year 2020 enacted level for cybersecurity research, outreach, industry partnerships, and other activities at NIST, including the National Cybersecurity Center of Excellence (NCCoE) and the National Initiative for Cybersecurity Education (NICE). Within the funds provided, the agreement encourages NIST to establish additional NICE cooperative agreements with regional alliances and multi-stakeholder partnerships for cybersecurity workforce and education.
  • Cybersecurity of Genomic Data.-The agreement includes no less than $1,250,000 for NIST and NCCoE to initiate a use case, in collaboration with industry and academia, to research the cybersecurity of personally identifiable genomic data, with a particular focus on better securing deoxyribonucleic acid sequencing techniques, including clustered regularly interspaced short palindromic repeat (CRISPR) technologies, and genomic data storage architectures from cyber threats. NIST and NCCoE should look to partner with entities who have existing capability to research and develop state-of-the-art cybersecurity technologies for the unique needs of genomic and biomedical-based systems.
  • Industrial Internet of Things (IIoT).-The agreement includes no less than the fiscal year 2020 enacted amount for the continued development of an IloT cybersecurity research initiative and to partner, as appropriate, with academic entities and industry to improve the sustainable security of IloT devices in industrial settings.

NIST would receive a modest increase in funding from $1.034 billion to $1.0345 billion from the last fiscal year to the next.

The National Telecommunications and Information Administration (NTIA) would be provided $45.5 million and “the agreement provides (1) up to $7,500,000 for broadband mapping in coordination with the Federal Communications Commission (FCC); (2) no less than the fiscal year 2020 enacted amount for Broadband Programs; (3) $308,000 for Public Safety Communications; and (4) no less than $3,000,000 above the fiscal year 2020 enacted level for Advanced Communications Research.” The agency’s funding for FY 2021 is higher than the last fiscal year at a bit more than $40 million but far less than the Trump Administration’s request of more than $70 million.

Regarding NTIA programmatic language, the bill provides:

  • Further, the agreement directs the additional funds for Advanced Communications Research be used to procure and maintain cutting-edge equipment for research and testing of the next generation of communications technologies, including 5G, as well as to hire staff as needed. The agreement further encourages NTIA to improve the deployment of 5G and spectrum sharing through academic partnerships to accelerate the development of low-cost sensors. For fiscal year 2021, NTIA is directed to follow prior year report language, included in Senate Report 116-127 and adopted in Public Law 116-93, on the following topics: Federal Spectrum Management, Spectrum Management for Science, and the Internet Corporation for Assigned Names and Numbers (ICANN).
  • Spectrum Management System.-The agreement encourages NTIA and the Department to consider alternative proposals to fully fund the needed upgrades to its spectrum management system, including options outside of direct appropriations, and is directed to brief the Committees regarding possible alternative options no later than 90 days after enactment of this Act.
  • Next Generation Broadband in Rural Areas.-NTIA is encouraged to ensure that deployment of last-mile broadband infrastructure is targeted to areas that are currently unserved or underserved, and to utilize public-private partnerships and projects where Federal funding will not exceed 50 percent of a project’s total cost where practicable.
  • National Broadband Map Augmentation.-NTIA is directed to engage with rural and Tribal communities to further enhance the accuracy of the national broadband availability map. NTIA should include in its fiscal year 2022 budget request an update on rural-and Tribal-related broadband availability and access trends, challenges, and Federal actions to achieve equitable access to broadband services in currently underserved communities throughout the Nation. Furthermore, NTIA is encouraged, in coordination with the FCC, to develop and promulgate a standardized process for collecting data from State and local partners.
  • Domain Name Registration.-NTIA is directed, through its position within the Governmental Advisory Committee to work with ICANN to expedite the establishment of a global access model that provides law enforcement, intellectual property rights holders, and third parties with timely access to accurate domain name registration information for legitimate purposes. NTIA is encouraged, as appropriate, to require registrars and registries based in the United States to collect and make public accurate domain name registration information.

The Federal Trade Commission (FTC) would receive $351 million, an increase of $20 million over FY 2020. The final bill includes this policy provision for the FTC to heed:

  • Resources for Data Privacy and Security. -The agreement urges the FTC to conduct a comprehensive internal assessment measuring the agency’s current efforts related to data privacy and security while separately identifying all resource-based needs of the FTC to improve in these areas. The agreement also urges the FTC to provide a report describing the assessment’s findings to the Committees within 180 days of enactment of this Act.

The Federal Communications Commission (FCC) would see a larger increase in funding for agency operations than the FTC, going from $339 million in FY 2020 to $374 million in FY 2021. However, $33 million of the increase is earmarked for implementing the “Broadband DATA Act” (P.L.116-130) along with the $65 million in COVID-19 supplemental funding for the same purpose. The FY 2021 omnibus directs the FCC on a range of policy issues:

  • Broadband Maps.-In addition to adopting the House report language on Broadband Maps, the agreement provides substantial dedicated resources for the FCC to implement the Broadband DATA Act. The FCC is directed to submit a report to the Committees on Appropriations within 90 days of enactment of this Act providing a detailed spending plan for these resources. In addition, the FCC, in coordination with the NTIA, shall outline the specific roles and responsibilities of each agency as it relates to the National Broadband Map and implementation of the Broadband DATA Act. The FCC is directed to report in writing to the Committees every 30 days on the date, amount, and purpose of any new obligation made for broadband mapping and any updates to the broadband mapping spending plan.
  • Lifeline Service. In lieu of the House report language on Lifeline Service, the agreement notes recent action by the FCC to partially waive its rules updating the Lifeline program’s minimum service standard for mobile broadband usage in light of the large increase to the standard that would have gone into effect on Dec. I, 2020, and the increased reliance by Americans on mobile broadband as a result of the pandemic. The FCC is urged to continue to balance the Lifeline program’s goals of accessibility and affordability.
  • 5G Fund and Rural America.-The agreement remains concerned about the feasible deployment of 5G in rural America. Rural locations will likely run into geographic barriers and infrastructure issues preventing the robust deployment of 5G technology, just as they have faced with 4G. The FCC’s proposed 5G Fund fails to provide adequate details or a targeted spend plan on creating seamless coverage in the most rural parts of the Nation. Given these concerns, the FCC is directed to report in writing on: (1) its current and future plans fix prioritizing deployment of 4G coverage in rural areas, (2) its plans for 5G deployment in rural areas, and (3) its plan for improving the mapping and long-term tracking of coverage in rural areas.
  • 6 Gigahertz. -As the FCC has authorized unlicensed use of the 6 gigahertz band, the agreement expects the Commission to ensure its plan does not result in harmful interference to incumbent users or impact critical infrastructure communications systems. The agreement is particularly concerned about the potential effects on the reliability of the electric transmission and distribution system. The agreement expects the FCC to ensure any mitigation technologies are rigorously tested and found to be effective in order to protect the electric transmission system. The FCC is directed to provide a report to the Committees within 90 days of enactment of this Act on its progress in ensuring rigorous testing related to unlicensed use of the 6 gigahertz band. Rural Broadband-The agreement remains concerned that far too many Americans living in rural and economically disadvantaged areas lack access to broadband at speeds necessary to fully participate in the Internet age. The agreement encourages the agency to prioritize projects in underserved areas, where the infrastructure to be installed provides access at download and upload speeds comparable to those available to Americans in urban areas. The agreement encourages the FCC to avoid efforts that could duplicate existing networks and to support deployment of last-mile broadband infrastructure to underserved areas. Further, the agreement encourages the agency to prioritize projects financed through public-private partnerships.
  • Contraband Cell Phones. -The agreement notes continued concern regarding the exploitation of contraband cell phones in prisons and jails nationwide. The agreement urges the FCC to act on the March 24, 2017 Further Notice of Proposed Rulemaking regarding combating contraband wireless devices. The FCC should consider all legally permissible options, including the creation, or use, of “quiet or no service zones,” geolocation-based denial, and beacon technologies to geographically appropriate correctional facilities. In addition, the agreement encourages the FCC to adopt a rules-based approach to cellphone disabling that would require immediate disabling by a wireless carrier upon proper identification of a contraband device. The agreement recommends that the FCC move forward with its suggestion in the Fiscal Year 2019 report to this Committee, noting that “additional field testing of jamming technology will provide a better understanding of the challenges and costs associated with the proper deployment of jamming system.” The agreement urges the FCC to use available funds to coordinate rigorous Federal testing of jamming technology and coordinate with all relevant stakeholders to effectively address this urgent problem.
  • Next-Generation Broadband Networks/or Rural America-Deployment of broadband and telecommunications services in rural areas is imperative to support economic growth and public safety. However, due to geographical challenges facing mobile connectivity and fiber providers, connectivity in certain areas remains challenging. Next generation satellite-based technology is being developed to deliver direct satellite to cellular capability. The FCC is encouraged to address potential regulatory hurdles, to promote private sector development and implementation of innovative, next generation networks such as this, and to accelerate broadband and telecommunications access to all Americans.

$635 million is provided for a Department of Agriculture rural development pilot program, and he Secretary will need to explain how he or she will use authority provided in the last farm bill to expand broadband:

  • The agreement provides $635,000,000 to support the ReConnect pilot program to increase access to broadband connectivity in unserved rural communities and directs the Department to target grants and loans to areas of the country with the largest broadband coverage gaps. These projects should utilize technology that will maximize coverage of broadband with the most benefit to taxpayers and the rural communities served. The agreement notes stakeholder concerns that the ReConnect pilot does not effectively recognize the unique challenges and opportunities that different technologies, including satellite, provide to delivering broadband in noncontiguous States or mountainous terrain and is concerned that providing preference to 100 mbps symmetrical service unfairly disadvantages these communities by limiting the deployment of other technologies capable of providing service to these areas.
  • The Agriculture Improvement Act of 2018 (Public Law 115-334) included new authorities for rural broadband programs that garnered broad stakeholder support as well as bipartisan, bicameral agreement in Congress. Therefore, the Secretary is directed to provide a report on how the Department plans to utilize these authorities to deploy broadband connectivity to rural communities.

In Division M of the package, the “Coronavirus Response and Relief Supplemental Appropriations Act, 2021,” there are provisions related to broadband policy and funding. The bill created a $3.2 billion program to help low-income Americans with internet service and buying devices for telework or distance education. The “Emergency Broadband Benefit Program” is established at the FCC, “under which eligible households may receive a discount of up to $50, or up to $75 on Tribal lands, off the cost of internet service and a subsidy for low-cost devices such as computers and tablets” according to a House Appropriations Committee summary. This funding is far short of what House Democrats wanted. And yet, this program aims to help those on the wrong side of the digital divide during the pandemic.

Moreover, this legislation also establishes two grant programs at the NTIA, designed to help provide broadband on tribal lands and in rural areas. $1 billion is provided for the former and $300 million for the latter with the funds going to tribal and state and local governments to obtain services from private sector providers. The $1 billion for tribal lands allows for greater flexibility in what the funds are ultimately spent on with the $320 million for underserved rural areas being restricted to broadband deployment. Again, these funds are aimed at bridging the disparity in broadband service exposed and exacerbated during the pandemic.

Congress also provided funds for the FCC to reimburse smaller telecommunications providers in removing and replacing risky telecommunications equipment from the People’s Republic of China (PRC). Following the enactment of the “Secure and Trusted Communications Networks Act of 2019” (P.L.116-124) that codified and added to a FCC regulatory effort to address the risks posed by Huawei and ZTE equipment in United States (U.S.) telecommunications networks, there was pressure in Congress to provide the funds necessary to help carriers meet the requirements of the program. The FY 2021 omnibus appropriates $1.9 billion for this program. In another but largely unrelated tranche of funding, the aforementioned $65 million given to the FCC to undertake the “Broadband DATA Act.”

Division Q contains text similar to the “Cybersecurity and Financial System Resilience Act of 2019” (H.R.4458) that would require “the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, and National Credit Union Administration to annually report on efforts to strengthen cybersecurity by the agencies, financial institutions they regulate, and third-party service providers.”

Division U contains two bills pertaining to technology policy:

  • Title I. The AI in Government Act of 2020. This title codifies the AI Center of Excellence within the General Services Administration to advise and promote the efforts of the federal government in developing innovative uses of artificial intelligence (AI) and competency in the use of AI in the federal government. The section also requires that the Office of Personnel Management identify key skills and competencies needed for federal positions related to AI and establish an occupational series for positions related to AI.
  • Title IX. The DOTGOV Act. This title transfers the authority to manage the .gov internet domain from the General Services Administration to the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security. The .gov internet domain shall be available to any Federal, State, local, or territorial government entity, or other publicly controlled entity, subject to registration requirements established by the Director of CISA and approved by the Director of the Office of Management and Budget.

Division W is the FY 2021 Intelligence Authorization Act with the following salient provisions:

  • Section 323. Report on signals intelligence priorities and requirements. Section 323 requires the Director of National Intelligence (DNI) to submit a report detailing signals intelligence priorities and requirements subject to Presidential Policy Directive-28 (PPD-28) that stipulates “why, whether, when, and how the United States conducts signals intelligence activities.” PPD-28 reformed how the National Security Agency (NSA) and other Intelligence Community (IC) agencies conducted signals intelligence, specifically collection of cellphone and internet data, after former NSA contractor Edward Snowden exposed the scope of the agency’s programs.
  • Section 501. Requirements and authorities to improve education in science, technology, engineering, arts, and mathematics. Section 501 ensures that the Director of the Central Intelligence Agency (CIA) has the legal authorities required to improve the skills in science, technology, engineering, arts, and mathematics (known as STEAM) necessary to meet long-term national security needs. Section 502. Seedling investment in next-generation microelectronics in support of artificial intelligence. Section 502 requires the DNI, acting through the Director of the Intelligence Advanced Research Projects Activity, to award contracts or grants, or enter into other transactions, to encourage microelectronics research.
  • Section 601. Report on attempts by foreign adversaries to build telecommunications and cybersecurity equipment and services for, or to provide them to, certain U.S. Section 601 requires the CIA, NSA, and DIA to submit a joint report that describes the United States intelligence sharing and military posture in Five Eyes countries that currently have or intend to use adversary telecommunications or cybersecurity equipment, especially as provided by China or Russia, with a description of potential vulnerabilities of that information and assessment of mitigation options.
  • Section 602. Report on foreign use of cyber intrusion and surveillance technology. Section 602 requires the DNI to submit a report on the threats posed by foreign governments and foreign entities using and appropriating commercially available cyber intrusion and other surveillance technology.
  • Section 603. Reports on recommendations of the Cyberspace Solarium Commission. Section 603 requires the ODNI and representatives of other agencies to report to Congress their assessment of the recommendations submitted by the Cyberspace Solarium Commission pursuant to Section 1652(j) of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019, and to describe actions that each agency expects to take to implement these recommendations.
  • Section 604. Assessment of critical technology trends relating to artificial intelligence, microchips, and semiconductors and related matters. Section 604 requires the DNI to complete an assessment of export controls related to artificial intelligence (AI), microchips, advanced manufacturing equipment, and other AI-enabled technologies, including the identification of opportunities for further cooperation with international partners.
  • Section 605. Combating Chinese influence operations in the United States and strengthening civil liberties protections. Section 605 provides additional requirements to annual reports on Influence Operations and Campaigns in the United States by the Chinese Communist Party (CCP) by mandating an identification of influence operations by the CCP against the science and technology sector in the United States. Section 605 also requires the FBI to create a plan to increase public awareness of influence activities by the CCP. Finally, section 605 requires the FBI, in consultation with the Assistant Attorney General for the Civil Rights and the Chief Privacy and Civil Liberties Officer of the Department of Justice, to develop recommendations to strengthen relationships with communities targeted by the CCP and to build trust with such communities through local and regional grassroots outreach.
  • Section 606. Annual report on corrupt activities of senior officials of the CCP. Section 606 requires the CIA, in coordination with the Department of Treasury’s Office of Intelligence and Analysis and the FBI, to submit to designated congressional committees annually through 2025 a report that describes and assesses the wealth and corruption of senior officials of the CCP, as well as targeted financial measures, including potential targets for sanctions designation. Section 606 further expresses the Sense of Congress that the United States should undertake every effort and pursue every opportunity to expose the corruption and illicit practices of senior officials of the CCP, including President Xi Jinping.
  • Section 607. Report on corrupt activities of Russian and other Eastern European oligarchs. Section 607 requires the CIA, in coordination with the Department of the Treasury’s Office of Intelligence and Analysis and the FBI, to submit to designated congressional committees and the Under Secretary of State for Public Diplomacy, a report that describes the corruption and corrupt or illegal activities among Russian and other Eastern European oligarchs who support the Russian government and Russian President Vladimir Putin, and the impact of those activities on the economy and citizens of Russia. Section 607 further requires the CIA, in coordination with the Department of Treasury’s Office of Intelligence and Analysis, to describe potential sanctions that could be imposed for such activities. Section 608. Report on biosecurity risk and disinformation by the CCP and the PRC. Section 608 requires the DNI to submit to the designated congressional committees a report identifying whether and how CCP officials and the Government of the People’s Republic of China may have sought to suppress or exploit for national advantage information regarding the novel coronavirus pandemic, including specific related assessments. Section 608 further provides that the report shall be submitted in unclassified form, but may have a classified annex.
  • Section 612. Research partnership on activities of People’s Republic of China. Section 612 requires the Director of the NGA to seek to enter into a partnership with an academic or non-profit research institution to carry out joint unclassified geospatial intelligence analyses of the activities of the People’s Republic of China that pose national security risks to the United States, and to make publicly available unclassified products relating to such analyses.

Division Z would tweak a data center energy efficiency and energy savings program overseen by the Secretary of Energy and the Administrator of the Environmental Protection Agency that could impact the Office of Management and Budget’s (OMB) government-wide program. Specifically, “Section 1003 requires the development of a metric for data center energy efficiency, and requires the Secretary of Energy, Administrator of the Environmental Protection Agency (EPA), and Director of the Office of Management and Budget (OMB) to maintain a data center energy practitioner program and open data initiative for federally owned and operated data center energy usage.” There is also language that would require the U.S. government to buy and use more energy-efficient information technology (IT): “each Federal agency shall coordinate with the Director [of OMB], the Secretary, and the Administrator of the Environmental Protection Agency to develop an implementation strategy (including best-practices and measurement and verification techniques) for the maintenance, purchase, and use by the Federal agency of energy-efficient and energy-saving information technologies at or for facilities owned and operated by the Federal agency, taking into consideration the performance goals.”

Division FF contains telecommunications provisions:

  • Section 902. Don’t Break Up the T-Band Act of 2020. Section 902 repeals the requirement for the FCC to reallocate and auction the 470 to 512megahertz band, commonly referred to as the T-band. In certain urban areas, the T-band is utilized by public-safety entities. It also directs the FCC to implement rules to clarify acceptable expenditures on which 9-1- 1 fees can be spent, and creates a strike force to consider how the Federal Government can end 9-1-1 fee diversion.
  • Section 903. Advancing Critical Connectivity Expands Service, Small Business Resources, Opportunities, Access, and Data Based on Assessed Need and Demand (ACCESS BROADBAND) Act. Section 903 establishes the Office of Internet Connectivity and Growth (Office) at the NTIA. This Office would be tasked with performing certain responsibilities related to broadband access, adoption, and deployment, such as performing public outreach to promote access and adoption of high-speed broadband service, and streamlining and standardizing the process for applying for Federal broadband support. The Office would also track Federal broadband support funds, and coordinate Federal broadband support programs within the Executive Branch and with the FCC to ensure unserved Americans have access to connectivity and to prevent duplication of broadband deployment programs.
  • Section 904. Broadband Interagency Coordination Act. Section 904 requires the Federal Communications Commission (FCC), the National Telecommunications and Information Administration (NTIA), and the Department of Agriculture to enter into an interagency agreement to coordinate the distribution of federal funds for broadband programs, to prevent duplication of support and ensure stewardship of taxpayer dollars. The agreement must cover, among other things, the exchange of information about project areas funded under the programs and the confidentiality of such information. The FCC is required to publish and collect public comments about the agreement, including regarding its efficacy and suggested modifications.
  • Section 905. Beat CHINA for 5G Act of 2020. Section 905 directs the President, acting through the Assistant Secretary of Commerce for Communications and Information, to withdraw or modify federal spectrum assignments in the 3450 to 3550 megahertz band, and directs the FCC to begin a system of competitive bidding to permit non-Federal, flexible-use services in a portion or all of such band no later than December 31, 2021.

Section 905 would countermand the White House’s efforts to auction off an ideal part of spectrum for 5G (see here for analysis of the August 2020 announcement). Congressional and a number of Trump Administration stakeholders were alarmed by what they saw as a push to bestow a windfall on a private sector company in the rollout of 5G.

Title XIV of Division FF would allow the FTC to seek civil fines of more than $43,000 per violation during the duration of the public health emergency arising from the pandemic “for unfair and deceptive practices associated with the treatment, cure, prevention, mitigation, or diagnosis of COVID–19 or a government benefit related to COVID-19.”

Finally, Division FF is the vehicle for the “American COMPETES Act” that:

directs the Department of Commerce and the FTC to conduct studies and submit reports on technologies including artificial intelligence, the Internet of Things, quantum computing, blockchain, advanced materials, unmanned delivery services, and 3-D printing. The studies include requirements to survey each industry and report recommendations to help grow the economy and safely implement the technology.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by forcal35 from Pixabay

Further Reading, Other Development, and Coming Events (8 December)

Further Reading

  • Facebook failed to put fact-check labels on 60% of the most viral posts containing Georgia election misinformation that its own fact-checkers had debunked, a new report says” By Tyler Sonnemaker — Business Insider. Despite its vows to improve its managing of untrue and false content, the platform is not consistently taking down such material related to the runoffs for the Georgia Senate seats. The group behind this finding argues it is because Facebook does not want to. What is left unsaid is that engagement drives revenue, and so, Facebook’s incentives are not to police all violations. Rather it would be to take down enough to be able to say their doing something.
  • Federal Labor Agency Says Google Wrongly Fired 2 Employees” By Kate Conger and Noam Scheiber — The New York Times. The National Labor Relations Board (NLRB) has reportedly sided with two employees Google fired for activities that are traditionally considered labor organizing. The two engineers had been dismissed for allegedly violating the company’s data security practices when they researched the company’s retention of a union-busting firm and sought to alert others about organizing. Even though Google is vowing to fight the action, which has not been finalized, it may well settle given the view of Big Tech in Washington these days. This action could also foretell how a Biden Administration NLRB may look at the labor practices of these companies.
  • U.S. states plan to sue Facebook next week: sources” By Diane Bartz — Reuters. We could see state and federal antitrust suits against Facebook this week. One investigation led by New York Attorney General Tish James could include 40 states although the grounds for alleged violations have not been leaked at this point. It may be Facebook’s acquisition of potential rivals Instagram and WhatsApp that have allowed it to dominate the social messaging market. The Federal Trade Commission (FTC) may also file suit, and, again, the grounds are unknown. The European Commission (EC) is also investigating Facebook for possible violations of European Union (EU) antitrust law over the company’s use of the personal data it holds and uses and about its operation of it online marketplace.
  • The Children of Pornhub” By Nicholas Kristof — The New York Times. This column comprehensively traces the reprehensible recent history of a Canadian conglomerate Mindgeek that owns Pornhub where one can find reams of child and non-consensual pornography. Why Ottawa has not cracked down on this firm is a mystery. The passage and implementation of the “Allow States and Victims to Fight Online Sex Trafficking Act of 2017” (P.L. 115-164) that narrowed the liability shield under 47 USC 230 has forced the company to remove content, a significant change from its indifference before the statutory change in law. Kristof suggests some easy, common sense changes Mindgeek could implement to combat the presence of this illegal material, but it seems like the company will do enough to say it is acting without seriously reforming its platform. Why would it? There is too much money to be made. Additionally, those fighting against this sort of material have been pressuring payment platforms to stop doing business with Mindgeek. PayPal has foresworn any  interaction, and due to pressure Visa and Mastercard are “reviewing” their relationship with Mindgeek and Pornhub. In a statement to a different news outlet, Pornhub claimed it is “unequivocally committed to combating child sexual abuse material (CSAM), and has instituted a comprehensive, industry-leading trust and safety policy to identify and eradicate illegal material from our community.” The company further claimed “[a]ny assertion that we allow CSAM is irresponsible and flagrantly untrue….[w]e have zero tolerance for CSAM.”
  • Amazon and Apple Are Powering a Shift Away From Intel’s Chips” By Don Clark — The New York Times. Two tech giants have chosen new faster, cheaper chips signaling a possible industry shift away from Intel, the firm that has been a significant player for decades. Intel will not go quietly, of course, and a key variable is whether must have software and applications are rewritten to accommodate the new chips from a British firm, Arm.

Other Developments

  • The Government Accountability Office (GAO) and the National Academy of Medicine (NAM) have released a joint report on artificial intelligence in healthcare, consisting of GAO’s Technology Assessment: Artificial Intelligence in Health Care: Benefits and Challenges of Technologies to Augment Patient Care and NAM’s Special Publication: Advancing Artificial Intelligence in Health Settings Outside the Hospital and Clinic. GAO’s report “discusses three topics: (1) current and emerging AI tools available for augmenting patient care and their potential benefits, (2) challenges to the development and adoption of these tools, and (3) policy options to maximize benefits and mitigate challenges to the use of AI tools to augment patient care.” NAM’s “paper aims to provide an analysis of: 1) current technologies and future applications of AI in HSOHC, 2) the logistical steps and challenges involved in integrating AI- HSOHC applications into existing provider workflows, and 3) the ethical and legal considerations of such AI tools, followed by a brief proposal of potential key initiatives to guide the development and adoption of AI in health settings outside the hospital and clinic (HSOHC).
    • The GAO “identified five categories of clinical applications where AI tools have shown promise to augment patient care: predicting health trajectories, recommending treatments, guiding surgical care, monitoring patients, and supporting population health management.” The GAO “also identified three categories of administrative applications where AI tools have shown promise to reduce provider burden and increase the efficiency of patient care: recording digital clinical notes, optimizing operational processes, and automating laborious tasks.” The GAO stated:
      • This technology assessment also identifies challenges that hinder the adoption and impact of AI tools to augment patient care, according to stakeholders, experts, and the literature. Difficulties accessing sufficient high-quality data may hamper innovation in this space. Further, some available data may be biased, which can reduce the effectiveness and accuracy of the tools for some people. Addressing bias can be difficult because the electronic health data do not currently represent the general population. It can also be challenging to scale tools up to multiple locations and integrate them into new settings because of differences in institutions and the patient populations they serve. The limited transparency of AI tools used in health care can make it difficult for providers, regulators, and others to determine whether an AI tool is safe and effective. A greater dispersion of data across providers and institutions can make securing patient data difficult. Finally, one expert described how existing case law does not specifically address AI tools, which can make providers and patients reticent to adopt them. Some of these challenges are similar to those identified previously by GAO in its first publication in this series, such as the lack of high-quality, structured data, and others are more specific to patient care, such as liability concerns.
    • The GAO “described six policy options:”
      • Collaboration. Policymakers could encourage interdisciplinary collaboration between developers and health care providers. This could result in AI tools that are easier to implement and use within an existing workflow.
      • Data Access. Policymakers could develop or expand high-quality data access mechanisms. This could help developers address bias concerns by ensuring data are representative, transparent, and equitable.
      • Best Practices. Policymakers could encourage relevant stakeholders and experts to establish best practices (such as standards) for development, implementation, and use of AI technologies. This could help with deployment and scalability of AI tools by providing guidance on data, interoperability, bias, and formatting issues.
      • Interdisciplinary Education. Policymakers could create opportunities for more workers to develop interdisciplinary skills. This could allow providers to use AI tools more effectively, and could be accomplished through a variety of methods, including changing medical curricula or grants.
      • Oversight Clarity. Policymakers could collaborate with relevant stakeholders to clarify appropriate oversight mechanisms. Predictable oversight could help ensure that AI tools remain safe and effective after deployment and throughout their lifecycle.
      • Status Quo. Policymakers could allow current efforts to proceed without intervention.
    • NAM claimed
      • Numerous AI-powered health applications designed for personal use have been shown to improve patient outcomes, building predictions based on large volumes of granular, real-time, and individualized behavioral and medical data. For instance, some forms of telehealth, a technology that has been critical during the COVID-19 pandemic, benefit considerably from AI software focused on natural language processing, which enables efficient triaging of patients based on urgency and type of illness. Beyond patient-provider communication, AI algorithms relevant to diabetic and cardiac care have demonstrated remarkable efficacy in helping patients manage their blood glucose levels in their day-to-day lives and in detecting cases of atrial fibrillation. AI tools that monitor and synthesize longitudinal patient behaviors are also particularly useful in psychiatric care, where of the exact timing of interventions is often critical. For example, smartphone-embedded sensors that track location and proximity of individuals can alert clinicians of possible substance use, prompting immediate intervention. On the population health level, these individual indicators of activity and health can be combined with environmental- and system-level data to generate predictive insight into local and global health trends. The most salient example of this may be the earliest warnings of the COVID-19 outbreak, issued in December 2019 by two private AI technology firms.
      • Successful implementation and widespread adoption of AI applications in HSOHC requires careful consideration of several key issues related to personal data, algorithm development, and health care insurance and payment. Chief among them are data interoperability, standardization, privacy, ameliorating systemic biases in algorithms, reimbursement of AI- assisted services, quality improvement, and integration of AI tools into provider workflows. Overcoming these challenges and optimizing the impact of AI tools on clinical outcomes will involve engaging diverse stakeholders, deliberately designing AI tools and interfaces, rigorously evaluating clinical and economic utility, and diffusing and scaling algorithms across different health settings. In addition to these potential logistical and technical hurdles, it is imperative to consider the legal and ethical issues surrounding AI, particularly as it relates to the fair and humanistic deployment of AI applications in HSOHC. Important legal considerations include the appropriate designation of accountability and liability of medical errors resulting from AI- assisted decisions for ensuring the safety of patients and consumers. Key ethical challenges include upholding the privacy of patients and their data—particularly with regard to non-HIPAA covered entities involved in the development of algorithms—building unbiased AI algorithms based on high-quality data from representative populations, and ensuring equitable access to AI technologies across diverse communities.
  • The National Institute of Standards and Technology (NIST) published a “new study of face recognition technology created after the onset of the COVID-19 pandemic [that] shows that some software developers have made demonstrable progress at recognizing masked faces.” In Ongoing Face Recognition Vendor Test (FRVT) Part 6B: Face Recognition Accuracy with Face Masks Using Post-COVID-19 Algorithms (NISTIR 8331), NIST stated the “report augments its predecessor with results for more recent algorithms provided to NIST after mid-March 2020.” NIST said that “[w]hile we do not have information on whether or not a particular algorithm was designed with face coverings in mind, the results show evidence that a number of developers have adapted their algorithms to support face recognition on subjects potentially wearing face masks.” NIST stated that
    • The following results represent observations on algorithms provided to NIST both before and after the COVID-19 pandemic to date. We do not have information on whether or not a particular algorithm was designed with face coverings in mind. The results documented capture a snapshot of algorithms submitted to the FRVT 1:1 in face recognition on subjects potentially wearing face masks.
      • False rejection performance: All algorithms submitted after the pandemic continue to give in-creased false non-match rates (FNMR) when the probes are masked. While a few pre-pandemic algorithms still remain within the most accurate on masked photos, some developers have submit-ted algorithms after the pandemic showing significantly improved accuracy and are now among the most accurate in our test.
      • Evolution of algorithms on face masks: We observe that a number of algorithms submitted since mid-March 2020 show notable reductions in error rates with face masks over their pre-pandemic predecessors. When comparing error rates for unmasked versus masked faces, the median FNMR across algorithms submitted since mid-March 2020 has been reduced by around 25% from the median pre-pandemic results. The figure below presents examples of developer evolution on both masked and unmasked datasets. For some developers, false rejection rates in their algorithms submitted since mid-March 2020 decreased by as much as a factor of 10 over their pre-pandemic algorithms, which is evidence that some providers are adapting their algorithms to handle facemasks. However, in the best cases, when comparing results for unmasked images to masked im-ages, false rejection rates have increased from 0.3%-0.5% (unmasked) to 2.4%-5% (masked).
      • False acceptance performance: As most systems are configured with a fixed threshold, it is necessary to report both false negative and false positive rates for each group at that threshold. When comparing a masked probe to an unmasked enrollment photo, in most cases, false match rates (FMR) are reduced by masks. The effect is generally modest with reductions in FMR usually being smaller than a factor of two. This property is valuable in that masked probes do not impart adverse false match security consequences for verification.
      • Mask-agnostic face recognition: All 1:1 verification algorithms submitted to the FRVT test since the start of the pandemic are evaluated on both masked and unmasked datasets. The test is de-signed this way to mimic operational reality: some images will have masks, some will not (especially enrollment samples from a database or ID card). And to the extent that the use of protective masks will exist for some time, our test will continue to evaluate algorithmic capability on verifying all combinations of masked and unmasked faces.
  • The government in London has issued a progress report on its current cybersecurity strategy that has another year to run. The Paymaster General assessed how well the United Kingdom (UK) has implemented the National Cyber Security Strategy 2016 to 2021 and pointed to goals yet to be achieved. This assessment comes in the shadow of the pending exit of the UK from the European Union (EU) and Prime Minister Boris Johnson’s plans to increase the UK’s role in select defense issues, including cyber operations. The Paymaster General stated:
    • The global landscape has changed significantly since the publication of the National Cyber Security Strategy Progress Report in May 2019. We have seen unprecedented levels of disruption to our way of life that few would have predicted. The COVID-19 pandemic has increased our reliance on digital technologies – for our personal communications with friends and family and our ability to work remotely, as well as for businesses and government to continue to operate effectively, including in support of the national response.
    • These new ways of living and working highlight the importance of cyber security, which is also underlined by wider trends. An ever greater reliance on digital networks and systems, more rapid advances in new technologies, a wider range of threats, and increasing international competition on underlying technologies and standards in cyberspace, emphasise the need for good cyber security practices for individuals, businesses and government.
    • Although the scale and international nature of these changes present challenges, there are also opportunities. With the UK’s departure from the European Union in January 2020, we can define and strengthen Britain’s place in the world as a global leader in cyber security, as an independent, sovereign nation.
    • The sustained, strategic investment and whole of society approach delivered so far through the National Cyber Security Strategy has ensured we are well placed to respond to this changing environment and seize new opportunities.
    • The Paymaster General asserted:
      • [The] report has highlighted growing risks, some accelerated by the COVID-19 pandemic, and longer-term trends that will shape the environment over the next decade:
      • Ever greater reliance on digital networks and systems as daily life moves online, bringing huge benefits but also creating new systemic and individuals risks.
      • Rapid technological change and greater global competition, challenging our ability to shape the technologies that will underpin our future security and prosperity.
      • A wider range of adversaries as criminals gain easier access to commoditised attack capabilities and cyber techniques form a growing part of states’ toolsets.
      • Competing visions for the future of the internet and the risk of fragmentation, making consensus on norms and ethics in cyberspace harder to achieve.
      • In February 2020 the Prime Minister announced the Integrated Review of Security, Defence, Development and Foreign Policy. This will define the government’s ambition for the UK’s role in the world and the long-term strategic aims of our national security and foreign policy. It will set out the way in which the UK will be a problem-solving and burden-sharing nation, and a strong direction for recovery from COVID-19, at home and overseas.
      • This will help to shape our national approach and priorities on cyber security beyond 2021. Cyber security is a key element of our international, defence and security posture, as well as a driving force for our economic prosperity.
  • The University of Toronto’s Citizen Lab published a report on an Israeli surveillance firm that uses “[o]ne of the widest-used—but least appreciated” means of surveilling people (i.e., “leveraging of weaknesses in the global mobile telecommunications infrastructure to monitor and intercept phone calls and traffic.” Citizen Lab explained that an affiliate of the NSO Group, “Circles is known for selling systems to exploit Signaling System 7 (SS7) vulnerabilities, and claims to sell this technology exclusively to nation-states.” Citizen Lab noted that “[u]nlike NSO Group’s Pegasus spyware, the SS7 mechanism by which Circles’ product reportedly operates does not have an obvious signature on a target’s phone, such as the telltale targeting SMS bearing a malicious link that is sometimes present on a phone targeted with Pegasus.” Citizen Lab found that
    • Circles is a surveillance firm that reportedly exploits weaknesses in the global mobile phone system to snoop on calls, texts, and the location of phones around the globe. Circles is affiliated with NSO Group, which develops the oft-abused Pegasus spyware.
    • Circles, whose products work without hacking the phone itself, says they sell only to nation-states. According to leaked documents, Circles customers can purchase a system that they connect to their local telecommunications companies’ infrastructure, or can use a separate system called the “Circles Cloud,” which interconnects with telecommunications companies around the world.
    • According to the U.S. Department of Homeland Security, all U.S. wireless networks are vulnerable to the types of weaknesses reportedly exploited by Circles. A majority of networks around the globe are similarly vulnerable.
    • Using Internet scanning, we found a unique signature associated with the hostnames of Check Point firewalls used in Circles deployments. This scanning enabled us to identify Circles deployments in at least 25 countries.
    • We determine that the governments of the following countries are likely Circles customers: Australia, Belgium, Botswana, Chile, Denmark, Ecuador, El Salvador, Estonia, Equatorial Guinea, Guatemala, Honduras, Indonesia, Israel, Kenya, Malaysia, Mexico, Morocco, Nigeria, Peru, Serbia, Thailand, the United Arab Emirates (UAE), Vietnam, Zambia, and Zimbabwe.
    • Some of the specific government branches we identify with varying degrees of confidence as being Circles customers have a history of leveraging digital technology for human rights abuses. In a few specific cases, we were able to attribute the deployment to a particular customer, such as the Security Operations Command (ISOC) of the Royal Thai Army, which has allegedly tortured detainees.
  • Senators Ron Wyden (D-OR) Elizabeth Warren (D-MA) Edward J. Markey (D-MA) and Brian Schatz (D-HI) “announced that the Department of Homeland Security (DHS) will launch an inspector general investigation into Customs and Border Protection’s (CBP) warrantless tracking of phones in the United States following an inquiry from the senators earlier this year” per their press release.
    • The Senators added:
      • As revealed by public contracts, CBP has paid a government contractor named Venntel nearly half a million dollars for access to a commercial database containing location data mined from applications on millions of Americans’ mobile phones. CBP officials also confirmed the agency’s warrantless tracking of phones in the United States using Venntel’s product in a September 16, 2020 call with Senate staff.
      • In 2018, the Supreme Court held in Carpenter v. United States that the collection of significant quantities of historical location data from Americans’ cell phones is a search under the Fourth Amendment and therefore requires a warrant.
      • In September 2020, Wyden and Warren successfully pressed for an inspector general investigation into the Internal Revenue Service’s use of Venntel’s commercial location tracking service without a court order.
    • In a letter, the DHS Office of the Inspector General (OIG) explained:
      • We have reviewed your request and plan to initiate an audit that we believe will address your concerns. The objective of our audit is to determine if the Department of Homeland Security (DHS) and it [sic] components have developed, updated, and adhered to policies related to cell-phone surveillance devices. In addition, you may be interested in our audit to review DHS’ use and protection of open source intelligence. Open source intelligence, while different from cell phone surveillance, includes the Department’s use of information provided by the public via cellular devices, such as social media status updates, geo-tagged photos, and specific location check-ins.
    • In an October letter, these Senators plus Senator Sherrod Brown (D-OH) argued:
      • CBP is not above the law and it should not be able to buy its way around the Fourth Amendment. Accordingly, we urge you to investigate CBP’s warrantless use of commercial databases containing Americans’ information, including but not limited to Venntel’s location database. We urge you to examine what legal analysis, if any, CBP’s lawyers performed before the agency started to use this surveillance tool. We also request that you determine how CBP was able to begin operational use of Venntel’s location database without the Department of Homeland Security Privacy Office first publishing a Privacy Impact Assessment.
  • The American Civil Liberties Union (ACLU) has filed a lawsuit in a federal court in New York City, seeking an order to compel the United States (U.S.) Department of Homeland Security (DHS), U.S. Customs and Border Protection (CBP), and U.S. Immigration and Customs Enforcement (ICE) “to release records about their purchases of cell phone location data for immigration enforcement and other purposes.” The ACLU made these information requests after numerous media accounts showing that these and other U.S. agencies were buying location data and other sensitive information in ways intended to evade the bar in the Fourth Amendment against unreasonable searches.
    • In its press release, the ACLU asserted:
      • In February, The Wall Street Journal reported that this sensitive location data isn’t just for sale to commercial entities, but is also being purchased by U.S. government agencies, including by U.S. Immigrations and Customs Enforcement to locate and arrest immigrants. The Journal identified one company, Venntel, that was selling access to a massive database to the U.S. Department of Homeland Security, U.S. Customs and Border Protection, and ICE. Subsequent reporting has identified other companies selling access to similar databases to DHS and other agencies, including the U.S. military.
      • These practices raise serious concerns that federal immigration authorities are evading Fourth Amendment protections for cell phone location information by paying for access instead of obtaining a warrant. There’s even more reason for alarm when those agencies evade requests for information — including from U.S. senators — about such practices. That’s why today we asked a federal court to intervene and order DHS, CBP, and ICE to release information about their purchase and use of precise cell phone location information. Transparency is the first step to accountability.
    • The ACLU explained in the suit:
      • Multiple news sources have confirmed these agencies’ purchase of access to databases containing precise location information for millions of people—information gathered by applications (apps) running on their smartphones. The agencies’ purchases raise serious concerns that they are evading Fourth Amendment protections for cell phone location information by paying for access instead of obtaining a warrant. Yet, more than nine months after the ACLU submitted its FOIA request (“the Request”), these agencies have produced no responsive records. The information sought is of immense public significance, not only to shine a light on the government’s use of powerful location-tracking data in the immigration context, but also to assess whether the government’s purchase of this sensitive data complies with constitutional and legal limitations and is subject to appropriate oversight and control.
  • Facebook’s new Oversight Board announced “the first cases it will be deliberating and the opening of the public comment process” and “the appointment of five new trustees.” The cases were almost all referred by Facebook users and the new board is asking for comments on the right way to manage what may be objectionable content. The Oversight Board explained it “prioritizing cases that have the potential to affect lots of users around the world, are of critical importance to public discourse or raise important questions about Facebook’s policies.”
    • The new trustees are:
      • Kristina Arriaga is a globally recognized advocate for freedom of expression, with a focus on freedom of religion and belief. Kristina is president of the advisory firm Intrinsic.
      • Cherine Chalaby is an expert on internet governance, international finance and technology, with extensive board experience. As Chairman of ICANN, he led development of the organization’s five-year strategic plan for 2021 to 2025.
      • Wanda Felton has over 30 years of experience in the financial services industry, including serving as Vice Chair of the Board and First Vice President of the Export-Import Bank of the United States.
      • Kate O’Regan is a former judge of the Constitutional Court of South Africa and commissioner of the Khayelitsha Commission. She is the inaugural director of the Bonavero Institute of Human Rights at the University of Oxford.
      • Robert Post is an American legal scholar and Professor of Law at Yale Law School, where he formerly served as Dean. He is a leading scholar of the First Amendment and freedom of speech.

Coming Events

  • The National Institute of Standards and Technology (NIST) will hold a webinar on the Draft Federal Information Processing Standards (FIPS) 201-3 on 9 December.
  • On 9 December, the Senate Commerce, Science, and Transportation Committee will hold a hearing titled “The Invalidation of the EU-US Privacy Shield and the Future of Transatlantic Data Flows” with the following witnesses:
    • The Honorable Noah Phillips, Commissioner, Federal Trade Commission
    • Ms. Victoria Espinel, President and Chief Executive Officer, BSA – The Software Alliance
    • Mr. James Sullivan, Deputy Assistant Secretary for Services, International Trade Administration, U.S. Department of Commerce
    • Mr. Peter Swire, Elizabeth and Tommy Holder Chair of Law and Ethics, Georgia Tech Scheller College of Business, and Research Director, Cross-Border Data Forum
  • The Senate Judiciary Committee will hold an executive session at which the “Online Content Policy Modernization Act” (S.4632), a bill to narrow the liability shield in 47 USC 230, may be marked up.
  • On 10 December, the Federal Communications Commission (FCC) will hold an open meeting and has released a tentative agenda:
    • Securing the Communications Supply Chain. The Commission will consider a Report and Order that would require Eligible Telecommunications Carriers to remove equipment and services that pose an unacceptable risk to the national security of the United States or the security and safety of its people, would establish the Secure and Trusted Communications Networks Reimbursement Program, and would establish the procedures and criteria for publishing a list of covered communications equipment and services that must be removed. (WC Docket No. 18-89)
    • National Security Matter. The Commission will consider a national security matter.
    • National Security Matter. The Commission will consider a national security matter.
    • Allowing Earlier Equipment Marketing and Importation Opportunities. The Commission will consider a Notice of Proposed Rulemaking that would propose updates to its marketing and importation rules to permit, prior to equipment authorization, conditional sales of radiofrequency devices to consumers under certain circumstances and importation of a limited number of radiofrequency devices for certain pre-sale activities. (ET Docket No. 20-382)
    • Promoting Broadcast Internet Innovation Through ATSC 3.0. The Commission will consider a Report and Order that would modify and clarify existing rules to promote the deployment of Broadcast Internet services as part of the transition to ATSC 3.0. (MB Docket No. 20-145)

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Gerd Altmann from Pixabay

Further Reading, Other Development, and Coming Events (7 December)

Further Reading

  • Facebook steps up campaign to ban false information about coronavirus vaccines” By Elizabeth Dwoskin — The Washington Post. In its latest step to find and remove lies, misinformation, and disinformation, the social media giant is now committing to removing and blocking untrue material about COVID-19 vaccines, especially from the anti-vaccine community. Will the next step be to take on anti-vaccination proponents generally?
  • Comcast’s 1.2 TB data cap seems like a ton of data—until you factor in remote work” By Rob Pegoraro — Fast Company. Despite many people and children working and learning from home, Comcast is reimposing a 1.2 terabyte limit on data for homes. Sounds like quite a lot until you factor in video meetings, streaming, etc. So far, other providers have not set a cap.
  • Google’s star AI ethics researcher, one of a few Black women in the field, says she was fired for a critical email” By Drew Harwell and Nitasha Tiku — The Washington Post. Timnit Gebru, a top flight artificial intelligence (AI) computer scientist, was fired for questioning Google’s review of a paper she wanted to present at an AI conference that is likely critical of the company’s AI projects. Google claims she resigned, but Gebru says she was fired. She has long been an advocate for women and minorities in tech and AI and her ouster will likely only increase scrutiny of and questions about Google’s commitment to diversity and an ethical approach to the development and deployment of AI. It will also probably lead to more employee disenchantment about the company that follows in the wake of protests about Google’s involvement with the United States Department of Defense’s Project Maven and hiring of former United States Department of Homeland Security chief of staff Miles Taylor who was involved with the policies that resulted in caging children and separating families on the southern border of the United States.
  • Humans Can Help Clean Up Facebook and Twitter” By Greg Bensinger — The New York Times. In this opinion piece, the argument is made that social media platforms should redeploy their human monitors to the accounts that violate terms of service most frequently (e.g., President Donald Trump) and more aggressively label and remove untrue or inflammatory content, they would have a greater impact on lies, misinformation, and disinformation.
  • Showdown looms over digital services tax” By Ashley Gold — Axios. Because the Organization for Economic Cooperation and Development (OECD) has not reached a deal on digital services taxes, a number of the United States (U.S.) allies could move forward with taxes on U.S. multinationals like Amazon, Google, and Apple. The Trump Administration has variously taken an adversarial position threatening to retaliate against countries like France who have enacted a tax that has not been collected during the OECD negotiations. The U.S. also withdrew from talks. It is probable the Biden Administration will be more willing to work in a multi-lateral fashion and may strike a deal on an issue that it not going away as the United Kingdom, Italy, and Canada also have plans for a digital tax.
  • Trump’s threat to veto defense bill over social-media protections is heading to a showdown with Congress” By Karoun Demirjian and Tony Romm — The Washington Post. I suppose I should mention of the President’s demands that the FY 2021 National Defense Authorization Act (NDAA) contain a repeal of 47 U.S.C. 230 (Section 230 of the Communications Act) that came at the eleventh hour and fifty-ninth minute of negotiations on a final version of the bill. Via Twitter, Donald Trump threatened to veto the bill which has been passed annually for decades. Republicans were not having it, however, even if they agreed on Trump’s desire to remove liability protection for technology companies. And yet, if Trump continues to insist on a repeal, Republicans may find themselves in a bind and the bill could conceivably get pulled until President-elect Joe Biden is sworn in. On the other hand, Trump’s veto threats about renaming military bases currently bearing the names of Confederate figures have not been renewed even though the final version of the bill contains language instituting a process to do just that.

Other Developments

  • The Senate Judiciary Committee held over its most recent bill to narrow 47 U.S.C. 230 (Section 230 of the Communications Act) that provides liability protection for technology companies for third-party material posted on their platforms and any decisions to edit, alter, or remove such content. The committee opted to hold the “Online Content Policy Modernization Act” (S.4632), which may mean the bill’s chances of making it to the Senate floor are low. What’s more, even if the Senate passes Section 230 legislation, it is not clear there will be sufficient agreement with Democrats in the House to get a final bill to the President before the end of this Congress. On 1 October, the committee also decided to hold over bill to try to reconcile the fifteen amendments submitted for consideration. The Committee could soon meet again to formally markup and report out this legislation.
    • At the earlier hearing, Chair Lindsey Graham (R-SC) submitted an amendment revising the bill’s reforms to Section 230 that incorporate some of the below amendments but includes new language. For example, the bill includes a definition of “good faith,” a term not currently defined in Section 230. This term would be construed as a platform taking down or restricting content only according to its publicly available terms of service, not as a pretext, and equally to all similarly situated content. Moreover, good faith would require alerting the user and giving him or her an opportunity to respond subject to certain exceptions. The amendment also makes clear that certain existing means of suing are still available to users (e.g. suing claiming a breach of contract.)
    • Senator Mike Lee (R-UT) offered a host of amendments:
      • EHF20913 would remove “user[s]” from the reduced liability shield that online platforms would receive under the bill. Consequently, users would still not be legally liable for the content posted by another user.
      • EHF20914 would revise the language the language regarding the type of content platforms could take down with legal protection to make clear it would not just be “unlawful” content but rather content “in violation of a duly enacted law of the United States,” possibly meaning federal laws and not state laws. Or, more likely, the intent would be to foreclose the possibility a platform would say it is acting in concert with a foreign law and still assert immunity.
      • EHF20920 would add language making clear that taking down material that violates terms of service or use according to an objectively reasonable belief would be shielded from liability.
      • OLL20928 would expand legal protection to platforms for removing or restricting spam,
      • OLL20929 would bar the Federal Communications Commission (FCC) from a rulemaking on Section 230.
      • OLL20930 adds language making clear if part of the revised Section 230 is found unconstitutional, the rest of the law would still be applicable.
      • OLL20938 revises the definition of an “information content provider,” the term of art in Section 230 that identifies a platform, to expand when platforms may be responsible for the creation or development of information and consequently liable for a lawsuit.
    • Senator Josh Hawley (R-MO) offered an amendment that would create a new right of action for people to sue large platforms for taking down his or her content if not done in “good faith.” The amendment limits this right only to “edge providers” who are platforms with more than 30 million users in the U.S. , 300 million users worldwide, and with revenues of more than $1.5 billion. This would likely exclude all platforms except for Twitter, Facebook, Instagram, TikTok, Snapchat, and a select group of a few others.
    • Senator John Kennedy (R-LA) offered an amendment that removes all Section 230 legal immunity from platforms that collect personal data and then uses an “automated function” to deliver targeted or tailored content to a user unless a user “knowingly and intentionally elect[s]” to receive such content.
  • The Massachusetts Institute of Technology’s (MIT) Work of the Future Task Force issued its final report and drew the following conclusions:
    • Technological change is simultaneously replacing existing work and creating new work. It is not eliminating work altogether.
    • Momentous impacts of technological change are unfolding gradually.
    • Rising labor productivity has not translated into broad increases in incomes because labor market institutions and policies have fallen into disrepair.
    • Improving the quality of jobs requires innovation in labor market institutions.
    • Fostering opportunity and economic mobility necessitates cultivating and refreshing worker skills.
    • Investing in innovation will drive new job creation, speed growth, and meet rising competitive challenges.
    • The Task Force stated:
      • In the two-and-a-half years since the Task Force set to work, autonomous vehicles, robotics, and AI have advanced remarkably. But the world has not been turned on its head by automation, nor has the labor market. Despite massive private investment, technology deadlines have been pushed back, part of a normal evolution as breathless promises turn into pilot trials, business plans, and early deployments — the diligent, if prosaic, work of making real technologies work in real settings to meet the demands of hard-nosed customers and managers.
      • Yet, if our research did not confirm the dystopian vision of robots ushering workers off of factor y floors or artificial intelligence rendering superfluous human expertise and judgment, it did uncover something equally pernicious: Amidst a technological ecosystem delivering rising productivity, and an economy generating plenty of jobs (at least until the COVID-19 crisis), we found a labor market in which the fruits are so unequally distributed, so skewed towards the top, that the majority of workers have tasted only a tiny morsel of a vast har vest.
      • As this report documents, the labor market impacts of technologies like AI and robotics are taking years to unfold. But we have no time to spare in preparing for them. If those technologies deploy into the labor institutions of today, which were designed for the last century, we will see similar effects to recent decades: downward pressure on wages, skills, and benefits, and an increasingly bifurcated labor market. This report, and the MIT Work of the Future Task Force, suggest a better alternative: building a future for work that har vests the dividends of rapidly advancing automation and ever-more powerful computers to deliver opportunity and economic security for workers. To channel the rising productivity stemming from technological innovations into broadly shared gains, we must foster institutional innovations that complement technological change.
  • The European Data Protection Supervisor (EDPS) Wojciech Wiewiorówski published his “preliminary opinion on the European Commission’s (EC) Communication on “A European strategy for data” and the creation of a common space in the area of health, namely the European Health Data Space (EHDS).” The EDPS lauded the goal of the EHDS, “the prevention, detection and cure of diseases, as well as for evidence-based decisions in order to enhance effectiveness, accessibility and sustainability of the healthcare systems.” However, Wiewiorówski articulated his concerns that the EC needs to think through the applicability of the General Data Protection Regulation (GDPR), among other European Union (EU) laws before it can legally move forward. The EDPS stated:
    • The EDPS calls for the establishment of a thought-through legal basis for the processing operations under the EHDS in line with Article 6(1) GDPR and also recalls that such processing must comply with Article 9 GDPR for the processing of special categories of data.
    • Moreover, the EDPS highlights that due to the sensitivity of the data to be processed within the EHDS, the boundaries of what constitutes a lawful processing and a compatible further processing of the data must be crystal-clear for all the stakeholders involved. Therefore, the transparency and the public availability of the information relating to the processing on the EHDS will be key to enhance public trust in the EHDS.
    • The EDPS also calls on the Commission to clarify the roles and responsibilities of the parties involved and to clearly identify the precise categories of data to be made available to the EHDS. Additionally, he calls on the Member States to establish mechanisms to assess the validity and quality of the sources of the data.
    • The EDPS underlines the importance of vesting the EHDS with a comprehensive security infrastructure, including both organisational and state-of-the-art technical security measures to protect the data fed into the EHDS. In this context, he recalls that Data Protection Impact Assessments may be a very useful tool to determine the risks of the processing operations and the mitigation measures that should be adopted.
    • The EDPS recommends paying special attention to the ethical use of data within the EHDS framework, for which he suggests taking into account existing ethics committees and their role in the context of national legislation.
    • The EDPS is convinced that the success of the EHDS will depend on the establishment of a strong data governance mechanism that provides for sufficient assurances of a lawful, responsible, ethical management anchored in EU values, including respect for fundamental rights. The governance mechanism should regulate, at least, the entities that will be allowed to make data available to the EHDS, the EHDS users, the Member States’ national contact points/ permit authorities, and the role of DPAs within this context.
    • The EDPS is interested in policy initiatives to achieve ‘digital sovereignty’ and has a preference for data being processed by entities sharing European values, including privacy and data protection. Moreover, the EDPS calls on the Commission to ensure that the stakeholders taking part in the EHDS, and in particular, the controllers, do not transfer personal data unless data subjects whose personal data are transferred to a third country are afforded a level of protection essentially equivalent to that guaranteed within the European Union.
    • The EDPS calls on Member States to guarantee the effective implementation of the right to data portability specifically in the EHDS, together with the development of the necessary technical requirements. In this regard, he considers that a gap analysis might be required regarding the need to integrate the GDPR safeguards with other regulatory safeguards, provided e.g. by competition law or ethical guidelines.
  • The Office of Management and Budget (OMB) extended a guidance memorandum directing agencies to consolidate data centers after Congress pushed back the sunset date for the program. OMB extended OMB Memorandum M-19-19, Update to Data Center Optimization Initiative (DCOI) through 30 September 2022, which applies “to the 24 Federal agencies covered by the Chief Financial Officers (CFO) Act of 1990, which includes the Department of Defense.” The DCOI was codified in the “Federal Information Technology Acquisition Reform” (FITARA) (P.L. 113-291) and extended in 2018 until October 1, 2020. And this sunset was pushed back another two years in the FY 2020 National Defense Authorization Act (NDAA) (P.L. 116-92).
    • In March 2020, the Government Accountability Office (GAO) issued another of its periodic assessments of the DCOI, started in 2012 by the Obama Administration to shrink the federal government’s footprint of data centers, increase efficiency and security, save money, and reduce energy usage.
    • The GAO found that 23 of the 24 agencies participating in the DCOI met or planned to meet their FY 2019 goals to close 286 of the 2,727 data centers considered part of the DCOI. This latter figure deserves some discussion, for the Trump Administration changed the definition of what is a data center to exclude smaller ones (so-called non-tiered data centers). GAO asserted that “recent OMB DCOI policy changes will reduce the number of data centers covered by the policy and both OMB and agencies may lose important visibility over the security risks posed by these facilities.” Nonetheless, these agencies are projecting savings of $241.5 million when all the 286 data centers planned for closure in FY 2019 actually close. It bears note that the GAO admitted in a footnote it “did not independently validate agencies’ reported cost savings figures,” so these numbers may not be reliable.
    • In terms of how to improve the DCOI, the GAO stated that “[i]n addition to reiterating our prior open recommendations to the agencies in our review regarding their need to meet DCOI’s closure and savings goals and optimization metrics, we are making a total of eight new recommendations—four to OMB and four to three of the 24 agencies. Specifically:
      • The Director of the Office of Management and Budget should (1) require that agencies explicitly document annual data center closure goals in their DCOI strategic plans and (2) track those goals on the IT Dashboard. (Recommendation 1)
      • The Director of the Office of Management and Budget should require agencies to report in their quarterly inventory submissions those facilities previously reported as data centers, even if those facilities are not subject to the closure and optimization requirements of DCOI. (Recommendation 2)
      • The Director of the Office of Management and Budget should document OMB’s decisions on whether to approve individual data centers when designated by agencies as either a mission critical facility or as a facility not subject to DCOI. (Recommendation 3)
      • The Director of the Office of Management and Budget should take action to address the key performance measurement characteristics missing from the DCOI optimization metrics, as identified in this report. (Recommendation 4)
  • Australia’s Inspector-General of Intelligence and Security (IGIS) released its first report on how well the nation’s security services did in observing the law with respect to COVID  app  data. The IGIS “is satisfied that the relevant agencies have policies and procedures in place and are taking reasonable steps to avoid intentional collection of COVID app data.” The IGIS revealed that “[i]ncidental collection in the course of the lawful collection of other data has occurred (and is permitted by the Privacy Act); however, there is no evidence that any agency within IGIS jurisdiction has decrypted, accessed or used any COVID app data.” The IGIS is also “satisfied  that  the intelligence agencies within IGIS jurisdiction which have the capability to incidentally collect a least some types of COVID app data:
    • Are aware of their responsibilities under Part VIIIA of the Privacy Act and are taking active steps to minimise the risk that they may collect COVID app data.
    • Have appropriate  policies  and  procedures  in  place  to  respond  to  any  incidental  collection of COVID app data that they become aware of. 
    • Are taking steps to ensure any COVID app data is not accessed, used or disclosed.
    • Are taking steps to ensure any COVID app data is deleted as soon as practicable.
    • Have not decrypted any COVID app data.
    • Are applying the usual security measures in place in intelligence agencies such that a ‘spill’ of any data, including COVID app data, is unlikely.
  • New Zealand’s Government Communications Security Bureau’s National Cyber Security Centre (NCSC) has released its annual Cyber Threat Report that found that “nationally significant organisations continue to be frequently targeted by malicious cyber actors of all types…[and] state-sponsored and non-state actors targeted public and private sector organisations to steal information, generate revenue, or disrupt networks and services.” The NCSC added:
    • Malicious cyber actors have shown their willingness to target New Zealand organisations in all sectors using a range of increasingly advanced tools and techniques. Newly disclosed vulnerabilities in products and services, alongside the adoption of new services and working arrangements, are rapidly exploited by state-sponsored actors and cyber criminals alike. A common theme this year, which emerged prior to the COVID-19 pandemic, was the exploitation of known vulnerabilities in internet-facing applications, including corporate security products, remote desktop services and virtual private network applications.
  • The former Director of the United States’ (U.S.) Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) wrote an opinion piece disputing President Donald Trump’s claims that the 2020 Presidential Election was fraudulent. Christopher Krebs asserted:
    • While I no longer regularly speak to election officials, my understanding is that in the 2020 results no significant discrepancies attributed to manipulation have been discovered in the post-election canvassing, audit and recount processes.
    • This point cannot be emphasized enough: The secretaries of state in Georgia, Michigan, Arizona, Nevada and Pennsylvania, as well officials in Wisconsin, all worked overtime to ensure there was a paper trail that could be audited or recounted by hand, independent of any allegedly hacked software or hardware.
    • That’s why Americans’ confidence in the security of the 2020 election is entirely justified. Paper ballots and post-election checks ensured the accuracy of the count. Consider Georgia: The state conducted a full hand recount of the presidential election, a first of its kind, and the outcome of the manual count was consistent with the computer-based count. Clearly, the Georgia count was not manipulated, resoundingly debunking claims by the president and his allies about the involvement of CIA supercomputers, malicious software programs or corporate rigging aided by long-gone foreign dictators.

Coming Events

  • The National Institute of Standards and Technology (NIST) will hold a webinar on the Draft Federal Information Processing Standards (FIPS) 201-3 on 9 December.
  • On 9 December, the Senate Commerce, Science, and Transportation Committee will hold a hearing titled “The Invalidation of the EU-US Privacy Shield and the Future of Transatlantic Data Flows” with the following witnesses:
    • The Honorable Noah Phillips, Commissioner, Federal Trade Commission
    • Ms. Victoria Espinel, President and Chief Executive Officer, BSA – The Software Alliance
    • Mr. James Sullivan, Deputy Assistant Secretary for Services, International Trade Administration, U.S. Department of Commerce
    • Mr. Peter Swire, Elizabeth and Tommy Holder Chair of Law and Ethics, Georgia Tech Scheller College of Business, and Research Director, Cross-Border Data Forum
  • On 10 December, the Federal Communications Commission (FCC) will hold an open meeting and has released a tentative agenda:
    • Securing the Communications Supply Chain. The Commission will consider a Report and Order that would require Eligible Telecommunications Carriers to remove equipment and services that pose an unacceptable risk to the national security of the United States or the security and safety of its people, would establish the Secure and Trusted Communications Networks Reimbursement Program, and would establish the procedures and criteria for publishing a list of covered communications equipment and services that must be removed. (WC Docket No. 18-89)
    • National Security Matter. The Commission will consider a national security matter.
    • National Security Matter. The Commission will consider a national security matter.
    • Allowing Earlier Equipment Marketing and Importation Opportunities. The Commission will consider a Notice of Proposed Rulemaking that would propose updates to its marketing and importation rules to permit, prior to equipment authorization, conditional sales of radiofrequency devices to consumers under certain circumstances and importation of a limited number of radiofrequency devices for certain pre-sale activities. (ET Docket No. 20-382)
    • Promoting Broadcast Internet Innovation Through ATSC 3.0. The Commission will consider a Report and Order that would modify and clarify existing rules to promote the deployment of Broadcast Internet services as part of the transition to ATSC 3.0. (MB Docket No. 20-145)

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Daniel Schludi on Unsplash

Further Reading, Other Developments, and Coming Events (18 November)

Further Reading

  • Trump fires top DHS official who refuted his claims that the election was rigged” By Ellen Nakashima and Nick Miroff — The Washington Post. As rumored, President Donald Trump has decapitated the United States’ (U.S.) Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Director Christopher Krebs was fired via Twitter, after he had endorsed a letter by 59 experts on election security who said there was no fraud in the election. Trump tweeted: “The recent statement by Chris Krebs on the security of the 2020 Election was highly inaccurate, in that there were massive improprieties and fraud — including dead people voting, Poll Watchers not allowed into polling locations, ‘glitches’ in the voting machines which changed votes from Trump to Biden, late voting, and many more. Therefore, effective immediately, Chris Krebs has been terminated as Director of the Cybersecurity and Infrastructure Security Agency.” Of course, the statement CISA cosigned and issued last week asserting there was no evidence of fraud or wrongdoing in the election probably did not help his prospects. Additionally, CISA Deputy Director Matthew Travis was essentially forced out when he was informed the normal succession plan would be ignored and he would not become the acting head of CISA. A CISA senior civil servant, Brandon Wales, will helm the agency in an acting basis. Last week, CISA’s Assistant Director for Cybersecurity Bryan Ware was forced out.
  • NSA Spied On Denmark As It Chose Its Future Fighter Aircraft: Report” By Thomas Newdick — The Drive. A Danish media outlet is claiming the United States U.S. National Security Agency (NSA) spied Denmark’s Ministry of Finance, the Ministry of Foreign Affairs, and the defense firm Terma in order to help Lockheed Martin’s bid to sell F-35 Joint Strike Fighters to Denmark. Eurofighter GmbH and Saab were offering their Typhoon and Gripen fighters to replace Denmark’s F-16s. Reportedly, the NSA used an existing arrangement with Denmark to obtain information from a program allowing the NSA access to fiber optics cables in the country. It is likely Denmark did not have such surveillance in mind when it struck this agreement with the U.S. Two whistleblowers reports have been filed with the Forsvarets Efterretningstjeneste (FE), Denmark’s Defense Intelligence Service, and there are allegations that the U.S. surveillance was illegal. However, the surveillance appears not to have influenced the Danish government, which opted for the F-35. Earlier this year, there were allegations the FE was improperly sharing Danish cables containing information on Danish citizens improperly.
  • Facebook Knows That Adding Labels To Trump’s False Claims Does Little To Stop Their Spread” By Craig Silverman and Ryan Mac — BuzzFeed News. These reporters must know half of Facebook’s staff because they always see what is going on internally with the company. In this latest scoop, they say they have seen internal numbers showing that labeling President Donald Trump’s false tweets have done little to slow their spread. In fact, labelling may only slow their spread by 8%. This outcome is contrary to a practice Facebook employed in 2017 under which fact checkers would label untrue posts as false. This reduced their virality by 80%.
  • Apple Halves Its App Store Fee for the Smaller Companies” By Jack Nicas — The New York Times. The holiday spirit must already be afoot in Cupertino, California, for small app developers will now only pay Apple 15% of in-app purchases for the privilege of being in the App Store. Of course, this decision has nothing to do with the antitrust pressure the company is facing in the European Union and United States (U.S.) and will have very little impact on their bottom line since app developers with less than $1 million in revenue (i.e., those entitled to a reduction) account for 2% of App Store revenue. It does give Apple leadership and executive some great talking points when pressed by antitrust investigators, legislators, and the media.
  • Inside the behind-the-scenes fight to convince Joe Biden about Silicon Valley” By Theodore Schleifer — recode. The jockeying among factions in the Democratic party and other stakeholders is fierce and will only grow fiercer when it comes to who will serve where in a Biden Administration. Silicon Valley and those who would reform tech are fighting to get people amenable to their policy goals placed in the new Administration. President-elect Joe Biden and his campaign were ambiguous on many tech policy issues and have flexibility which has been further helped by appointing people respected in both camps like new White House Chief of Staff Ron Klain.
  • Group of 165 Google critics calls for swift EU antitrust action – letter” By Foo Yun Chee — Reuters. A wide-ranging group of companies and industry associations are urging the European Union to investigate and punish what they see as Google’s anti-competitive dominance of online search engines, especially the One Box that now appears at the top of search results that points people to Google sites and products.

Other Developments

  • The European Union (EU) announced a revision of its export control process for allowing the export of dual use items, including cyber surveillance tools. The European Commission (EC) asserted “[t]hanks to the new Regulation, the EU can now effectively protect its interests and values and, in particular, address the risk of violations of human rights associated with trade in cyber-surveillance technologies without prior agreement at multilateral level…[and] also enhances the EU’s capacity to control trade flows in sensitive new and emerging technologies. The EC explained “[t]he new Regulation includes many of the Commission proposals for a comprehensive “system upgrade”, and will make the existing EU Export control system more effective by:
    • introducing a novel ‘human security’ dimension so the EU can respond to the challenges posed by emerging dual-use technologies – especially cyber-surveillance technologies – that pose a risk to national and international security, including protecting human rights;
    • updating key notions and definitions (e.g. definition of an “exporter” to apply to natural persons and researchers involved in dual-use technology transfers);
    • simplifying and harmonising licensing procedures and allowing the Commission to amend – by ‘simplified’ procedure, i.e. delegated act – the list of items or destinations subject to specific forms of control, thereby making the export control system more agile and able to evolve and adjust to circumstances;
    • enhancing information-exchange between licensing authorities and the Commission with a view to increasing transparency of licensing decisions;
    • coordination of, and support for, robust enforcement of controls, including enhancing secure electronic information-exchange between licensing and enforcement agencies;
    • developing an EU capacity-building and training programme for Member States’ licensing and enforcement authorities;
    • outreach to industry and transparency with stakeholders, developing a structured relationship with the private sector through specific consultations of stakeholders by the relevant Commission group of Member-State experts, and;
    • setting up a dialogue with third countries and seeking a level playing field at global level.
    • The European Parliament contended:
      • The reviewed rules, agreed by Parliament and Council negotiators, govern the export of so-called dual use goods, software and technology – for example, high-performance computers, drones and certain chemicals – with civilian applications that might be repurposed to be used in ways which violate human rights.
      • The current update, made necessary by technological developments and growing security risks, includes new criteria to grant or reject export licenses for certain items.
      • The Parliament added its negotiators
        • got agreement on setting up an EU-wide regime to control cyber-surveillance items that are not listed as dual-use items in international regimes, in the interest of protecting human rights and political freedoms;
        • strengthened member states’ public reporting obligations on export controls, so far patchy, to make the cyber-surveillance sector in particular more transparent;
        • increased the importance of human rights as licensing criterion; and
        • agreed on rules to swiftly include emerging technologies in the regulation.
  • The United States House of Representatives passed three technology bills by voice vote yesterday. Two of these bills would address in different ways the United States’ (U.S.) efforts to make up ground on the People’s Republic of China in the race to roll out 5G networks. It is possible but not foreseeable whether the Senate will take up these bills before year’s end and send them to the White House. It is possible given how discrete the bills are in scope. The House Energy and Commerce Committee provided these summaries:
    • The “Utilizing Strategic Allied (USA) Telecommunications Act of 2020” (H.R.6624) creates a new grant program through the National Telecommunications and Information Administration (NTIA) to promote technology that enhances supply chain security and market competitiveness in wireless communications networks.
      • One of the bill’s sponsors, House Energy and Commerce Committee Chair Frank Pallone Jr (D-NJ) stated:
        • Earlier this year, the House passed, and the President signed, my Secure and Trusted Communications Networks Act to create a program to fund the replacement of suspect network equipment. Suspect equipment, including that produced by Huawei and ZTE, could allow foreign adversaries to surveil Americans at home or, worse, disrupt our communications systems.
        • While we are still pushing for Congress to appropriate funds to that end, it is important to recognize that my legislation was only half the battle, even when it is funded. We also need to create and foster competition for trusted network equipment that uses open interfaces so that the United States is not beholden to a market for network equipment that is becoming less competitive. This bill before us today, the Utilizing Strategic Allied Telecommunications Act, or the USA Telecommunications Act, does just that.
        • The bipartisan legislation creates a grant program and authorizes $750 million in funding for the National Telecommunications and Information Administration to help promote and deploy Open Radio Access Network technologies that can spur that type of competition. We must support alternatives to companies like Huawei and ZTE…
    • The “Spectrum IT Modernization Act of 2020” (H.R.7310) requires NTIA – in consultation with the Policy and Plans Steering Group – to submit to Congress a report on its plans to modernize agency information technology systems relating to managing the use of federal spectrum. 
      • A sponsor of the bill, House Energy and Commerce Committee Ranking Member Greg Walden (R-OR) explained:
      • H.R. 7310 would require NTIA to establish a process to upgrade their spectrum management infrastructure for the 21st century. The bill would direct the policy coordination arm of NTIA to submit a plan to Congress as to how they will standardize the data collection across agencies and then directs agencies with Federal spectrum assignments from NTIA to issue an implementation plan to interoperate with NTIA’s plan.
      • This is a good-government bill–it really is–and with continued support and oversight from Congress, we can continue the United States’ leadership in making Federal spectrum available for flexible use by the private sector.
    • The “Reliable Emergency Alert Distribution Improvement (READI) Act of 2020” (H.R.6096) amends the Warning, Alert, and Response Network Act to classify emergency alerts from the Federal Emergency Management Agency as a type of alert that commercial mobile service providers may not allow subscribers to block from their devices. The bill also directs the Federal Communications Commission (FCC) to adopt regulations to facilitate coordination with State Emergency Communications Committees in developing and modernizing State Emergency Alert System plans. Finally, the READI Act directs the FCC to examine the feasibility of modernizing the Emergency Alert System by expanding alert distribution to the internet and streaming services.  
  • The same privacy activists that brought the suits that resulted in the striking down of the Safe Harbor and Privacy Shield agreements have filed complaints in Spain and Germany that Apple has violated the European Union’s (EU) e-Privacy Directive and laws in each nation through its use of IDFA (Apple’s Identifier for Advertisers). Because the General Data Protection Regulation (GDPR) is not the grounds for the complaints, each nation could act without needing to consult other EU nations. Moreover, a similar system used by Google is also being investigated for possible violations. The group none of your business (noyb) asserted:
    • IDFA – the cookie in every iPhone user’s pocket. Each iPhone runs on Apple’s iOS operating system. By default, iOS automatically generates a unique “IDFA” (short for Identifier for Advertisers) for each iPhone. Just like a license plate this unique string of numbers and characters allows Apple and other third parties to identify users across applications and even connect online and mobile behaviour (“cross device tracking”).
    • Tracking without user consent. Apple’s operating system creates the IDFA without user’s knowledge or consent. After its creation, Apple and third parties (e.g. applications providers and advertisers) can access the IDFA to track users’ behaviour, elaborate consumption preferences and provide personalised advertising. Such tracking is strictly regulated by the EU “Cookie Law” (Article 5(3) of the e-Privacy Directive) and requires the users’ informed and unambiguous consent.
    • Insufficient “improvement” on third-party access. Recently Apple announced plans for future changes to the IDFA system. These changes seem to restrict the use of the IDFA for third parties (but not for Apple itself). Just like when an app requests access to the camera or microphone, the plans foresee a new dialog that asks the user if an app should be able to access the IDFA. However, the initial storage of the IDFA and Apple’s use of it will still be done without the users’ consent and therefore in breach of EU law. It is unclear when and if these changes will be implemented by the company.
    • No need for EU cooperation. As the complaint is based on Article 5(3) of the e-Privacy Directive and not the GDPR, the Spanish and German authorities can directly fine Apple, without the need for cooperation among EU Data Protection Authorities as under GDPR.
  • The Federal Trade Commission (FTC) Chair made remarks at antitrust conference on how antitrust law should view “an acquisition of a nascent competitive threat by a monopolist when there is reason to think that the state of competition today may not tell the whole story.” Chair Joseph Simons views are timely for a number of reasons, particularly the extent to which large technology firms have sought and bought smaller, newer companies. Obviously, the acquisitions of WhatsApp and Instagram by Facebook and YouTube and AdSense by Google come to mind as the sorts of acquisitions United States (U.S.) regulators approved, possibly without much thought given to what a future market may look like for competition if the larger, dominant company is allowed to proceed. Simons suggested regulators and courts would be wise to give this aspect of antitrust mush more thought, which could theoretically inform the approach the Biden Department of Justice and FTC take. Simons stated:
    • And if firms are looking to the future, then antitrust enforcers should too. We must be willing and able to recognize that harm to competition might not be obvious from looking at the marketplace as it stands. If we confine ourselves to examining a static picture of the market at the moment we investigate a practice or transaction, without regard to the dynamic business realities at work, then we risk forfeiting the benefits of competition that could arise in the future to challenge the dominant firm, even when this future competition is to some extent uncertain.
    • Simons asserted:
      • A merger or acquisition can of course constitute anticompetitive conduct for purposes of Section 2 [of the Sherman Act]
      • From a competition perspective, a monopolist can “squash” a nascent competitor by buying it, not just by targeting it with anticompetitive actions as Microsoft did. In fact, from the monopolist’s perspective, it may be easier and more effective to buy the nascent threat (even if only to keep it out of the hands of others) than to target it with other types of anticompetitive conduct.
      • A central issue in potential competition cases is the nature and strength of evidence that the parties will become actual competitors in the future. Some cases have applied Section 7 [of the Clayton Act] narrowly in this context: too narrowly, I think, given that the purpose of Section 7 is to prohibit acquisitions that “may” substantially lessen competition or “tend” to create a monopoly.
    • Simons concluded:
      • But uncertainty has always been a feature of the competitive process, even in markets that appear to be simple or traditional, and dealing with uncertainty is all in a day’s work for an antitrust enforcer. I have referred to the Microsoft case repeatedly today, so, in closing, let me remind everyone that there was some uncertainty about the future in Microsoft as well. The court, in holding that the plaintiff does not and should not bear the burden of “reconstruct[ing] a product’s hypothetical development,” observed that the defendant should appropriately be “made to suffer the uncertain consequences of its own undesirable conduct.” The same holds when the monopolist has simply chosen to acquire the threat.
  • The National Institute of Standards and Technology’s (NIST) National Initiative for Cybersecurity Education (NICE) revised the Workforce Framework for Cybersecurity (NICE Framework) that “improves communications about how to identify, recruit, develop, and retain cybersecurity talent ­ – offering a common, consistent lexicon that categorizes and describes cybersecurity work.” NIST explained:
    • The NICE Framework assists organizations with managing cybersecurity risks by providing a way to discuss the work and learners associated with cybersecurity. These cybersecurity risks are an important input into enterprise risk decisions as described in NIST Interagency Report 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM).
    • NIST stated “[r]evisions to the NICE Framework (NIST Special Publication 800-181) provide:
      • A streamlined set of “building blocks” comprised of Task, Knowledge, and Skill Statements;
      • The introduction of Competencies as a mechanism for organizations to assess learners; and
      • A reference to artifacts, such as Work Roles and Knowledge Skills and Abilities statements, that will live outside of the publication to enable a more fluid update process.
  • A left center think tank published a report on how the United States (U.S.) and likeminded nations can better fight cybercrime. In the report addressed to President-elect Joe Biden and Vice President-elect Kamala Harris, the Third Way presented the results of a “multiyear effort to define concrete steps to improve the government’s ability to tackle the scourge of cybercrime by better identifying unlawful perpetrators and imposing meaningful consequences on them and those behind their actions.” In “A Roadmap to Strengthen US Cyber Enforcement: Where Do We Go From Here?,” the Third Way made a list of detailed recommendations on how the Biden Administration could better fight cybercrime, but in the cover letter to the report, there was a high level summary of these recommendations:
    • In this roadmap, we identify the challenges the US government faces in investigating and prosecuting these crimes and advancing the level of international cooperation necessary to do so. Cyberattackers take great pains to hide their identity, using sophisticated tools that require technical investigative and forensic expertise to attribute the attacks. The attacks are often done at scale, where perpetrators prey on multiple victims across many jurisdictions and countries, requiring coordination across criminal justice agencies. The skills necessary to investigate these crimes are in high demand in the private sector, making it difficult to retain qualified personnel. A number of diplomatic barriers make cross-border cooperation difficult, a challenge exacerbated often by blurred lines line between state and non-state actors in perpetrating these crimes.
    • This roadmap recommends actions that your administration can take to develop a comprehensive strategy to reduce cybercrime and minimize its impact on the American people by identifying the perpetrators and imposing meaningful consequences on them. We propose you make clear at the outset to the American public and global partners that cyber enforcement will be a top priority for your administration. In reinstating a White House cybersecurity position, we have extensive recommendations on how that position should address cybercrime. And, to make policy from an intelligence baseline, we believe you should request a National Intelligence Estimate on the linkages between cybercrime and nation-state cyber actors to understand the scope of the problem.
    • Our law enforcement working group has detailed recommendations to improve and modernize law enforcement’s ability to track and respond to cybercrime. And our global cooperation working group has detailed recommendations on creating a cohesive international cyber engagement strategy; assessing and improving the capacity of foreign partners on cybercrime; and improving the process for cross-border data requests that are critical to solving these crimes. We believe that with these recommendations, you can make substantial strides in bringing cybercriminals to justice and deterring future cybercriminals from victimizing Americans.

Coming Events

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.