Uncertainty As Deadlines Approach On TikTok and WeChat EOs

It is still not clear how matters will play out with a proposed Oracle/TikTok deal and the ban on WeChat (and possibly TikTok if an acceptable deal cannot be made).

Today, the Trump Administration issued orders barring TikTok and WeChat pursuant to two executive orders, an “Executive Order on Addressing the Threat Posed by TikTok” and an “Executive Order on Addressing the Threat Posed by WeChat,” that bar any transactions with the companies that make, distribute, and operate TikTok and WeChat respectively, the former being much more popular in the United States (U.S.) than the latter. Working in the background is a potential deal between the U.S. company Oracle and ByteDance that may address U.S. concerns about TikTok. On this front, there have been multiple stories from the Trump Administration about the positions of stakeholders on whether Oracle’s proposed role as a “trusted technology partner” will satisfy the national security concerns articulated in the executive order banning the app and the order from the United States government to ByteDance to divest a key part of its platform. Moreover, there is growing pressure from Republicans in Congress to reject the Oracle/TikTok arrangement as it stands.

In his public remarks this week, President Donald Trump seemed underwhelmed by the proposed Oracle/TikTok deal. He said that “[c]onceptually, I can tell you I don’t like [ByteDance maintaining a stake].” Trump stated “[i]f that’s the case, I’m not going to be happy with that.” He added any acceptable deal “has to be 100 percent as far as national security is concerned, and no, I’m not prepared to sign off on anything…[and] I have to see the deal.” On the other hand, Secretary of the Treasury and chair of the Committee on Foreign Investment in the United States (CFIUS) Steven Mnuchin seemed to be taking a different view. He stated “I will just say from our standpoint, we’ll need to make sure that the code is, one, secure, Americans’ data is secure, that the phones are secure and we’ll be looking to have discussions with Oracle over the next few days with our technical teams.” And to this end, the New York Times is reporting that ByteDance has accepted some unspecified changes to the deal in order to address national security concerns, and Reuters is claiming ByteDance has agreed to an initial public offering within a year.

As noted, the U.S. Department of Commerce (Commerce) issued orders effectuating the executive orders, which are set to take effect this weekend. In a press release, Commerce explained:

As of September 20, 2020, the following transactions are prohibited:

  1. Any provision of service to distribute or maintain the WeChat or TikTok mobile applications, constituent code, or application updates through an online mobile application store in the U.S.;
  2. Any provision of services through the WeChat mobile application for the purpose of transferring funds or processing payments within the U.S.

As of September 20, 2020, for WeChat and as of November 12, 2020, for TikTok, the following transactions are prohibited:

  1. Any provision of internet hosting services enabling the functioning or optimization of the mobile application in the U.S.;
  2. Any provision of content delivery network services enabling the functioning or optimization of the mobile application in the U.S.;
  3. Any provision of directly contracted or arranged internet transit or peering services enabling the function or optimization of the mobile application within the U.S.;
  4. Any utilization of the mobile application’s constituent code, functions, or services in the functioning of software or services developed and/or accessible within the U.S.

Commerce added:

Any other prohibitive transaction relating to WeChat or TikTok may be identified at a future date. Should the U.S. Government determine that WeChat’s or TikTok’s illicit behavior is being replicated by another app somehow outside the scope of these executive orders, the President has the authority to consider whether additional orders may be appropriate to address such activities. The President has provided until November 12 for the national security concerns posed by TikTok to be resolved. If they are, the prohibitions in this order may be lifted.

Commerce has submitted notices to be published next week in the Federal Register identifying the transactions that will be illegal regarding TikTok and WeChat:

  • Pursuant to Executive Order 13942, the Secretary of Commerce is publishing the list of prohibited transactions by any person, or with respect to any property, subject to the jurisdiction of the United States, with ByteDance Ltd. (a.k.a. Zìjié Tiàodòng), Beijing, China, or its subsidiaries, including TikTok Inc., in which any such company has any interest, to address the national emergency with respect to the information and communications technology and services supply chain declared in Executive Order 13873, May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain), and particularly to address the threat identified in Executive Order 13942 posed by mobile application TikTok.
  • Pursuant to Executive Order 13943, the Secretary of Commerce is publishing this Identification of Prohibited Transactions related to WeChat by any person, or with respect to any property, subject to the jurisdiction of the United States, with Tencent Holdings Ltd. (a.k.a. Téngxùn Kònggŭ Yŏuxiàn Gōngsī), Shenzhen, China, or any subsidiary of that entity, to address the national emergency with respect to the information and communications technology and services supply chain declared in Executive Order 13873, May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain), and particularly to address the threat identified in Executive Order 13943 posed by mobile application WeChat.

While the TikTok order could be rescinded if a deal with Oracle is approved by the U.S. government, it seems unlikely that the WeChat order will be undone, at least in the short term. Moreover, these orders will undoubtedly be challenged further in court. Last month, TikTok filed suit in United States federal court in Northern California, asking for an injunction to stop enforcement of the EO and a declaration that it is illegal. It is possible the company, along with Tencent, WeChat’s parent, will ask a federal court to stop the Trump Administration from proceeding.

Moreover, there are questions about enforcement, for the Administration cannot reasonably expect people in the U.S. to stop using and delete TikTok and WeChat. There may also be a case to be made on First Amendment grounds that the orders violate rights of free speech and association.

As mentioned, a number of Republicans have come out against the Oracle/TikTok deal. At the beginning of the week, Senator Josh Hawley (R-MO) wrote Mnuchin “calling on CFIUS to reject Oracle’s proposed partnership with ByteDance to obtain control of TikTok’s U.S. operations…[because]…the proposed partnership allows for continued Chinese Communist Party (CCP) control of TikTok, putting American data at risk and violating President Trump’s executive order.” Hawley added:

CFIUS should promptly reject any Oracle-ByteDance collaboration and send the ball back to ByteDance’s court so that the company can come up with a more acceptable solution. ByteDance can still pursue a full sale of TikTok, its code, and its algorithm to a U.S. company, so that the app can be rebuilt from the ground up to remove any trace of CCP influence.

Acting Senate Intelligence Committee Chair Marco Rubio (R-FL), Senate Commerce, Science, and Transportation Committee Chair Roger Wicker (R-MS), and Senators Thom Tillis (R-NC), Rick Scott (R-FL), Dan Sullivan (R-AK), and John Cornyn (R-TX) sent a letter to the President “outlining significant concerns regarding reports that Oracle Corp. confirmed a deal with ByteDance to become a ‘trusted technology provider’ for TikTok’s U.S. operations,” including that the “arrangement could violate the requirements set about in the August 6, 2020 Executive Order on Addressing the Threat Posed by TikTok and would do little to satisfy the range of concerns expressed in that order.”

Senator Ted Cruz (R-TX) also wrote Mnuchin arguing:

The Chinese Communist Party and its expansionist actions represent a threat to the United States, its interests, and its allies. This Administration has correctly recognized this threat and has taken substantial counter-measures in response to protect our national security. I urge you to do the same when reviewing the newly submitted plan of a transaction between the Chinese company ByteDance and Oracle.

So far, Democrats in Congress, and the Biden campaign, have remained silent, apparently willing to let Republicans criticize the proposed deal from the right. The White House may ultimately prove susceptible to criticism and seek a modified deal to allay these concerns. However, these Republican Senators seem to be laying out a case for a much more dramatic transaction, but one that would likely run afoul of new regulations issued by the People’s Republic of China on export controls. Late last month, two PRC agencies changed the PRC’s export control rules for the first time since 2008 to likely have leverage over TikTok’s sale to a U.S. entity. Ostensibly, the changes are “to regulate technology exports, promote scientific and technological progress and economic and technological cooperation, and maintain national economic security,” but the inclusion of “personalised information recommendation service technology based on data analysis” and “artificial intelligence interactive interfaces” likely point to ByteDance’s app, TikTok. In fact, a researcher with the PRC Ministry of Commerce was quoted as asserting “[t]he time to publish the new update of the export control list has been expedited due to the TikTok sale.”

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


Further Reading, Other Developments, and Coming Events (16 September)

Coming Events

  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The House Homeland Security Committee will hold a hearing titled “Worldwide Threats to the Homeland” on 17 September with the following witnesses:
    • Chad Wolf, Department of Homeland Security
    • Christopher Wray, Director, Federal Bureau of Investigation
    • Christopher Miller, Director, National Counterterrorism Center (NCTC)
  • On 17 September, the House Energy and Commerce Committee’s Communications & Technology Subcommittee will hold a hearing titled “Trump FCC: Four Years of Lost Opportunities.”
  • The House Armed Services Committee’s Intelligence and Emerging Threats and Capabilities Subcommittee will hold a hearing titled “Interim Review of the National Security Commission on Artificial Intelligence Effort and Recommendations” on 17 September with these witnesses:
    • Dr. Eric Schmidt, Chairman, National Security Commission on Artificial Intelligence
    • HON Robert Work, Vice Chairman, National Security Commission on Artificial Intelligence
    • HON Mignon Clyburn, Commissioner, National Security Commission on Artificial Intelligence
    • Dr. José-Marie Griffiths, Commissioner, National Security Commission on Artificial Intelligence
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.” The agency has released its agenda and explained:
    • The workshop will also feature four panel discussions that will focus on: case studies on data portability rights in the European Union, India, and California; case studies on financial and health portability regimes; reconciling the benefits and risks of data portability; and the material challenges and solutions to realizing data portability’s potential.
  • The Senate Judiciary Committee’s Intellectual Property Subcommittee will hold a hearing “Examining Threats to American Intellectual Property: Cyber-attacks and Counterfeits During the COVID-19 Pandemic” with these witnesses:
    • Adam Hickey, Deputy Assistant Attorney General, National Security Division, Department of Justice
    • Clyde Wallace, Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation
    • Steve Francis, Assistant Director, HSI Global Trade Investigations Division Director, National Intellectual Property Rights Center, U.S. Immigration and Customs Enforcement, Department of Homeland Security
    • Bryan S. Ware, Assistant Director for Cybersecurity, Cybersecurity and Infrastructure Security Agency, Department of Homeland Security
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled “Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September and has made available its agenda with these items:
    • Facilitating Shared Use in the 3.1-3.55 GHz Band. The Commission will consider a Report and Order that would remove the existing non-federal allocations from the 3.3-3.55 GHz band as an important step toward making 100 megahertz of spectrum in the 3.45-3.55 GHz band available for commercial use, including 5G, throughout the contiguous United States. The Commission will also consider a Further Notice of Proposed Rulemaking that would propose to add a co-primary, non-federal fixed and mobile (except aeronautical mobile) allocation to the 3.45-3.55 GHz band as well as service, technical, and competitive bidding rules for flexible-use licenses in the band. (WT Docket No. 19-348)
    • Expanding Access to and Investment in the 4.9 GHz Band. The Commission will consider a Sixth Report and Order that would expand access to and investment in the 4.9 GHz (4940-4990 MHz) band by providing states the opportunity to lease this spectrum to commercial entities, electric utilities, and others for both public safety and non-public safety purposes. The Commission also will consider a Seventh Further Notice of Proposed Rulemaking that would propose a new set of licensing rules and seek comment on ways to further facilitate access to and investment in the band. (WP Docket No. 07-100)
    • Improving Transparency and Timeliness of Foreign Ownership Review Process. The Commission will consider a Report and Order that would improve the timeliness and transparency of the process by which it seeks the views of Executive Branch agencies on any national security, law enforcement, foreign policy, and trade policy concerns related to certain applications filed with the Commission. (IB Docket No. 16-155)
    • Promoting Caller ID Authentication to Combat Spoofed Robocalls. The Commission will consider a Report and Order that would continue its work to implement the TRACED Act and promote the deployment of caller ID authentication technology to combat spoofed robocalls. (WC Docket No. 17-97)
    • Combating 911 Fee Diversion. The Commission will consider a Notice of Inquiry that would seek comment on ways to dissuade states and territories from diverting fees collected for 911 to other purposes. (PS Docket Nos. 20-291, 09-14)
    • Modernizing Cable Service Change Notifications. The Commission will consider a Report and Order that would modernize requirements for notices cable operators must provide subscribers and local franchising authorities. (MB Docket Nos. 19-347, 17-105)
    • Eliminating Records Requirements for Cable Operator Interests in Video Programming. The Commission will consider a Report and Order that would eliminate the requirement that cable operators maintain records in their online public inspection files regarding the nature and extent of their attributable interests in video programming services. (MB Docket No. 20-35, 17-105)
    • Reforming IP Captioned Telephone Service Rates and Service Standards. The Commission will consider a Report and Order, Order on Reconsideration, and Further Notice of Proposed Rulemaking that would set compensation rates for Internet Protocol Captioned Telephone Service (IP CTS), deny reconsideration of previously set IP CTS compensation rates, and propose service quality and performance measurement standards for captioned telephone services. (CG Docket Nos. 13-24, 03-123)
    • Enforcement Item. The Commission will consider an enforcement action.

Other Developments

  • The United States House of Representatives took up and passed two technology bills on 14 September. One of the bills, “Internet of Things (IoT) Cybersecurity Improvement Act of 2020” (H.R. 1668), was discussed in yesterday’s Technology Policy Update as part of an outlook on Internet of Things (IoT) legislation (see here for analysis). The House passed a revised version by voice vote, but its fate in the Senate may lie with the Senate Homeland Security & Governmental Affairs Committee, whose chair, Senator Ron Johnson (R-WI), has blocked a number of technology bills during his tenure to the chagrin of some House stakeholders. The House also passed the “AI in Government Act of 2019” (H.R. 2575) that would establish an AI Center of Excellence within the General Services Administration that would
    • “(1) advise and promote the efforts of the Federal Government in developing innovative uses of artificial intelligence by the Federal Government to the benefit of the public; and
    • (2) improve cohesion and competency in the use of artificial intelligence.”
    • Also, this bill would direct the Office of Management and Budget (OMB) to “issue a memorandum to the head of each agency that shall—
      • inform the development of artificial intelligence governance approaches by those agencies regarding technologies and applications that—
        • are empowered or enabled by the use of artificial intelligence within that agency; and
        • advance the innovative use of artificial intelligence for the benefit of the public while upholding civil liberties, privacy, and civil rights;
      • consider ways to reduce barriers to the use of artificial intelligence in order to promote innovative application of those technologies for the benefit of the public, while protecting civil liberties, privacy, and civil rights;
      • establish best practices for identifying, assessing, and mitigating any bias on the basis of any classification protected under Federal nondiscrimination laws or other negative unintended consequence stemming from the use of artificial intelligence systems; and
      • provide a template of the required contents of the agency Governance Plans.”
  • The House Energy and Commerce Committee marked up and reported out more than 30 bills last week including:
      • The “Consumer Product Safety Inspection Enhancement Act” (H.R. 8134) that “would amend the Consumer Product Safety Act to enhance the Consumer Product Safety Commission’s (CPSC) ability to identify unsafe consumer products entering the United States, especially e-commerce shipments entering under the de minimis value exemption. Specifically, the bill would require the CPSC to enhance the targeting, surveillance, and screening of consumer products. The bill also would require electronic filing of certificates of compliance for all consumer products entering the United States.
      • The bill directs the CPSC to: 1) examine a sampling of de minimis shipments and shipments coming from China; 2) detail plans and timelines to effectively address targeting and screening of de minimis shipments; 3) establish metrics by which to evaluate the effectiveness of the CPSC’s efforts in this regard; 4) assess projected technology, resources, and staffing necessary; and 5) submit a report to Congress regarding such efforts. The bill further directs the CPSC to hire at least 16 employees every year until staffing needs are met to help identify violative products at ports.
      • The “AI for Consumer Product Safety Act” (H.R. 8128) that “would direct the Consumer Product Safety Commission (CPSC) to establish a pilot program to explore the use of artificial intelligence for at least one of the following purposes: 1) tracking injury trends; 2) identifying consumer product hazards; 3) monitoring the retail marketplace for the sale of recalled consumer products; or 4) identifying unsafe imported consumer products.” The revised bill passed by the committee “changes the title of the bill to the “Consumer Safety Technology Act”, and adds the text based on the Blockchain Innovation Act (H.R. 8153) and the Digital Taxonomy Act (H.R. 2154)…[and] adds sections that direct the Department of Commerce (DOC), in consultation with the Federal Trade Commission (FTC), to conduct a study and submit to Congress a report on the state of blockchain technology in commerce, including its use to reduce fraud and increase security.” The revised bill “would also require the FTC to submit to Congress a report and recommendations on unfair or deceptive acts or practices relating to digital tokens.”
      • The “American Competitiveness Of a More Productive Emerging Tech Economy Act” or the “American COMPETE Act” (H.R. 8132) “directs the DOC and the FTC to study and report to Congress on the state of the artificial intelligence, quantum computing, blockchain, and the new and advanced materials industries in the U.S…[and] would also require the DOC to study and report to Congress on the state of the Internet of Things (IoT) and IoT manufacturing industries as well as the three-dimensional printing industry” involving “among other things: 1) listing industry sectors that develop and use each technology and public-private partnerships focused on promoting the adoption and use of each such technology; 2) establishing a list of federal agencies asserting jurisdiction over such industry sectors; and 3) assessing risks and trends in the marketplace and supply chain of each technology.
      • The bill would direct the DOC to study and report on the effect of unmanned delivery services on U.S. businesses conducting interstate commerce. In addition to these report elements, the bill would require the DOC to examine safety risks and effects on traffic congestion and jobs of unmanned delivery services.
      • Finally, the bill would require the FTC to study and report to Congress on how artificial intelligence may be used to address online harms, including scams directed at senior citizens, disinformation or exploitative content, and content furthering illegal activity.
  • The National Institute of Standards and Technology (NIST) issued NIST Interagency or Internal Report 8272 “Impact Analysis Tool for Interdependent Cyber Supply Chain Risks” designed to help public and private sector entities better address complicated, complex supply chain risks. NIST stated “[t]his publication describes how to use the Cyber Supply Chain Risk Management (C-SCRM) Interdependency Tool that has been developed to help federal agencies identify and assess the potential impact of cybersecurity events in their interconnected supply chains.” NIST explained
    • More organizations are becoming aware of the importance of identifying cybersecurity risks associated with extensive, complicated supply chains. Several solutions have been developed to help manage supply chains; most focus on contract management or compliance. There is a need to provide organizations with a systematic and more usable way to evaluate the potential impacts of cyber supply chain risks relative to an organization’s risk appetite. This is especially important for organizations with complex supply chains and highly interdependent products and suppliers.
    • This publication describes one potential way to visualize and measure these impacts: a Cyber Supply Chain Risk Management (C-SCRM) Interdependency Tool (hereafter “Tool”), which is designed to provide a basic measurement of the potential impact of a cyber supply chain event. The Tool is not intended to measure the risk of an event, where risk is defined as a function of threat, vulnerability, likelihood, and impact. Research conducted by the authors of this publication found that, at the time of publication, existing cybersecurity risk tools and research focused on threats, vulnerabilities, and likelihood, but impact was frequently overlooked. Thus, this Tool is intended to bridge that gap and enable users and tool developers to create a more complete understanding of an organization’s risk by measuring impact in their specific environments.
    • The Tool also provides the user greater visibility over the supply chain and the relative importance of particular projects, products, and suppliers (hereafter referred to as “nodes”) compared to others. This can be determined by examining the metrics that contribute to a node’s importance, such as the amount of access a node has to the acquiring organization’s IT network, physical facilities, and data. By understanding which nodes are the most important in their organization’s supply chain, the user can begin to understand the potential impact a disruption of that node may cause on business operations. The user can then prioritize the completion of risk mitigating actions to reduce the impact a disruption would cause to the organization’s supply chain and overall business.
  • In a blog post, Microsoft released its findings on the escalating threats to political campaigns and figures during the run up to the United States’ (U.S.) election. This warning also served as an advertisement for Microsoft’s security products. But, be that as it may, these findings echo what U.S. security services have been saying for months. Microsoft stated
    • In recent weeks, Microsoft has detected cyberattacks targeting people and organizations involved in the upcoming presidential election, including unsuccessful attacks on people associated with both the Trump and Biden campaigns, as detailed below. We have and will continue to defend our democracy against these attacks through notifications of such activity to impacted customers, security features in our products and services, and legal and technical disruptions. The activity we are announcing today makes clear that foreign activity groups have stepped up their efforts targeting the 2020 election as had been anticipated, and is consistent with what the U.S. government and others have reported. We also report here on attacks against other institutions and enterprises worldwide that reflect similar adversary activity.
    • We have observed that:
      • Strontium, operating from Russia, has attacked more than 200 organizations including political campaigns, advocacy groups, parties and political consultants
      • Zirconium, operating from China, has attacked high-profile individuals associated with the election, including people associated with the Joe Biden for President campaign and prominent leaders in the international affairs community
      • Phosphorus, operating from Iran, has continued to attack the personal accounts of people associated with the Donald J. Trump for President campaign
    • The majority of these attacks were detected and stopped by security tools built into our products. We have directly notified those who were targeted or compromised so they can take action to protect themselves. We are sharing more about the details of these attacks today, and where we’ve named impacted customers, we’re doing so with their support.
    • What we’ve seen is consistent with previous attack patterns that not only target candidates and campaign staffers but also those they consult on key issues. These activities highlight the need for people and organizations involved in the political process to take advantage of free and low-cost security tools to protect themselves as we get closer to election day. At Microsoft, for example, we offer AccountGuard threat monitoring, Microsoft 365 for Campaigns and Election Security Advisors to help secure campaigns and their volunteers. More broadly, these attacks underscore the continued importance of work underway at the United Nations to protect cyberspace and initiatives like the Paris Call for Trust and Security in Cyberspace.
  • The European Data Protection Supervisor (EDPS) has reiterated and expanded upon his calls for caution, prudence, and adherence to European Union (EU) law and principles in the use of artificial intelligence, especially as the EU looks to revamp its approach to AI and data protection. In a blog post, EDPS Wojciech Wiewiórowski stated:
    • The expectations of the increasing use of AI and the related economic advantages for those who control the technologies, as well as its appetite for data, have given rise to fierce competition about technological leadership. In this competition, the EU strives to be a frontrunner while staying true to its own values and ideals.
    • AI comes with its own risks and is not an innocuous, magical tool, which will heal the world harmlessly. For example, the rapid adoption of AI by public administrations in hospitals, utilities and transport services, financial supervisors, and other areas of public interest is considered in the EC White Paper ‘essential’, but we believe that prudency is needed. AI, like any other technology, is a mere tool, and should be designed to serve humankind. Benefits, costs and risks should be considered by anyone adopting a technology, especially by public administrations who process great amounts of personal data.
    • The increase in adoption of AI has not been (yet?) accompanied by a proper assessment of what the impact on individuals and on our society as a whole will likely be. Think especially of live facial recognition (remote biometric identification in the EC White Paper). We support the idea of a moratorium on automated recognition in public spaces of human features in the EU, of faces but also and importantly of gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioural signals.
    • Let’s not rush AI, we have to get it straight so that it is fair and that it serves individuals and society at large.
    • The context in which the consultation for the Data Strategy was conducted gave a prominent place to the role of data in matters of public interest, including combating the virus. This is good and right as the GDPR was crafted so that the processing of personal data should serve humankind. There are existing conditions under which such “processing for the public good” could already take place, and without which the necessary trust of data subjects would not be possible.
    • However, there is a substantial persuasive power in the narratives nudging individuals to ‘volunteer’ their data to address highly moral goals. Concepts such as ‘Data altruism’, or ‘Data donation’ and their added value are not entirely clear and there is a need to better define and lay down their scope, and possible purposes, for instance, in the context of scientific research in the health sector. The fundamental right to the protection of personal data cannot be ‘waived’ by the individual concerned, be it through a ‘donation’ or through a ‘sale’ of personal data. The data controller is fully bound by the personal data rules and principles, such as purpose limitation even when processing data that have been ‘donated’ i.e. when consent to the processing had been given by the individual.

Further Reading

  • “Peter Thiel Met With The Racist Fringe As He Went All In On Trump” By Rosie Gray and Ryan Mac — BuzzFeed News. A fascinating article about one of the technology world’s more interesting figures. As part of his decision to ally himself with Donald Trump when running for president, Peter Thiel also met with avowed white supremacists. However, it appears that the alliance is no longer worthy of his financial assistance or his public support as he supposedly was disturbed about the Administration’s response to the pandemic. However, Palantir, his company, has flourished during the Trump Administration and may be going public right before matters may change under a Biden Administration.
  • “TikTok’s Proposed Deal Seeks to Mollify U.S. and China” By David McCabe, Ana Swanson and Erin Griffith — The New York Times. ByteDance is apparently trying to mollify both Washington and Beijing in bringing Oracle onboard as a “trusted technology partner,” for the arrangement may be acceptable to both nations under their export control and national security regimes. Oracle handling and safeguarding TikTok user data would seem to address the Trump Administration’s concerns, but not selling the company nor permitting Oracle to access its algorithm for making recommendations would seem to appease the People’s Republic of China (PRC). Moreover, United States (U.S.) investors would hold control over TikTok even though PRC investors would maintain their stakes. Such an arrangement may satisfy the Committee on Foreign Investment in the United States (CFIUS), which has ordered ByteDance to sell the app that is an integral part of TikTok. The wild card, as always, is where President Donald Trump ultimately comes out on the deal.
  • “Oracle’s courting of Trump may help it land TikTok’s business and coveted user data” By Jay Greene and Ellen Nakashima — The Washington Post. This piece dives into why Oracle, at first blush, seems like an unlikely suitor to TikTok, but its eroding business position vis-à-vis cloud companies like Amazon explains its desire to diversify. Also, Oracle’s role as a data broker makes all the user data available from TikTok very attractive.
  • “Chinese firm harvests social media posts, data of prominent Americans and military” By Gerry Shih — The Washington Post. Another view on Shenzhen Zhenhua Data Technology, the entity from the People’s Republic of China (PRC) exposed for collecting the personal data of more than 2.4 million westerners, many of whom hold positions of power and influence. This article quotes a number of experts allowed to look at what was leaked of the database who are of the view the PRC has very little in the way of actionable intelligence, at this point. The country is leveraging publicly available big data from a variety of sources and may ultimately make something useful from these data.
  • “‘This is f—ing crazy’: Florida Latinos swamped by wild conspiracy theories” By Sabrina Rodriguez and Marc Caputo — Politico. A number of sources are spreading rumors about former Vice President Joe Biden and the Democrats generally in order to curb support among a key demographic the party will need to carry overwhelmingly to win Florida.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


PRC Response To U.S. Clean Networks

The PRC responds to the U.S.’ Clean Networks with a call for international, multilateral standards

In a speech given by the People’s Republic of China’s (PRC) Foreign Minister Wang Yi, the PRC proposed international, multilateral cooperation in addressing data security around the globe. In doing so, Wang took some obvious shots at recent policies announced by the United States (U.S.) and longer term actions such as surveillance by the National Security Agency (NSA). The PRC floated a “Global Initiative on Data Security” that would, on its face, seem to argue against actions being undertaken by Beijing against the U.S. and some of its allies. For example, this initiative would bar the stealing of “important data,” yet the PRC stands accused of hacking Australia’s Parliament. Nonetheless, the PRC is likely seeking to position itself as more internationalist than the U.S., which under President Donald Trump has become more isolationist and unilateralist in its policies. The PRC is also calling for the rule of law, especially around “security issues,” most likely a reference to the ongoing trade/national security dispute between the two nations playing out largely in their technology sectors.

Wang’s speech came roughly a month after the U.S. Department of State unveiled its Clean Networks program, an initiative aimed at countering the national security risks posed by PRC technology companies, hardware, software, and apps (see here for more analysis.) He even went so far as to condemn unilateral actions by one nation in particular looking to institute a “clean” networks program. Wang framed this program as aiming to blunt the PRC’s competitive advantage by playing on national security fears. The Trump Administration has sought to persuade, cajole, and lean on other nations to forgo use of Huawei equipment and services in building their next generation 5G networks with some success.

And yet, since the Clean Networks program lacks much in the way of apparent enforcement mechanisms, the Department of State’s announcement may have had more to do with optics as the Trump Administration and many of its Republican allies in Congress have pinned the blame for COVID-19 on the PRC and cast the country as the primary threat to the U.S. This has played out as the Trump Administration has been choking off access to advanced semiconductors and chips to PRC firms, banned TikTok and WeChat, and ordered ByteDance to sell musical.ly, the app and platform that served as the fulcrum by which TikTok was launched in the U.S.

Wang asserted the PRC “believes that to effectively address the risks and challenges to data security, the following principles must be observed:

  • First, uphold multilateralism. Pursuing extensive consultation and joint contribution for shared benefits is the right way forward for addressing the deficit in global digital governance. It is important to develop a set of international rules on data security that reflect the will and respect the interests of all countries through broad-based participation. Bent on unilateral acts, a certain country keeps making groundless accusations against others in the name of “clean” network and used security as a pretext to prey on enterprises of other countries who have a competitive edge. Such blatant acts of bullying must be opposed and rejected.
  • Second, balance security and development. Protecting data security is essential for the sound growth of digital economy. Countries have the right to protect data security according to law. That said, they are also duty-bound to provide an open, fair and non-discriminatory environment for all businesses. Protectionism in the digital domain runs counter to the laws of economic development and the trend of globalization. Protectionist practices undermine the right of global consumers to equally access digital services and will eventually hold back the country’s own development.
  • Third, ensure fairness and justice. Protection of digital security should be based on facts and the law. Politicization of security issues, double standards and slandering others violate the basic norms governing international relations, and seriously disrupt and hamper global digital cooperation and development.

Wang continued, “[i]n view of the new issues and challenges emerging in this field, China would like to propose a Global Initiative on Data Security, and looks forward to the active participation of all parties…[and] [l]et me briefly share with you the key points of our Initiative:

  • First, approach data security with an objective and rational attitude, and maintain an open, secure and stable global supply chain.
  • Second, oppose using ICT activities to impair other States’ critical infrastructure or steal important data.
  • Third, take actions to prevent and put an end to activities that infringe upon personal information, oppose abusing ICT to conduct mass surveillance against other States or engage in unauthorized collection of personal information of other States.
  • Fourth, ask companies to respect the laws of host countries, desist from coercing domestic companies into storing data generated and obtained overseas in one’s own territory.
  • Fifth, respect the sovereignty, jurisdiction and governance of data of other States, avoid asking companies or individuals to provide data located in other States without the latter’s permission.
  • Sixth, meet law enforcement needs for overseas data through judicial assistance or other appropriate channels.
  • Seventh, ICT products and services providers should not install backdoors in their products and services to illegally obtain user data.
  • Eighth, ICT companies should not seek illegitimate interests by taking advantage of users’ dependence on their products.

As mentioned in the opening paragraph of this article, the U.S. and many of its allies and partners would argue the PRC has transgressed a number of these proposed rules. However, the Foreign Ministry was very clever in how they drafted and translated these principles, for in the second key principle, the PRC is proposing that no country should use “ICT activities to impair other States’ critical infrastructure.” And yet, two international media outlets reported that the African Union’s (AU) computers were transmitting reams of sensitive data to Shanghai daily between 2012 and 2017. If this claim is true, and the PRC’s government was behind the exfiltration, is it fair to say the AU’s critical infrastructure was impaired? One could argue the infrastructure was not even though there was apparently massive data exfiltration. Likewise, in the third key principle, the PRC appears to be condemning mass surveillance of other states, but just this week a PRC company was accused of compiling the personal information of more than 2.4 million people worldwide, many of them in influential positions like the Prime Ministers of the United Kingdom and Australia. And yet, if this is the extent of the surveillance, it is not of the same magnitude as U.S. surveillance over the better part of the last two decades. Moreover, the PRC is not opposing a country using mass surveillance of its own people as the PRC is regularly accused of doing, especially against its Uighur minority.


Further Reading, Other Developments, and Coming Events (14 September)

Coming Events

  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The House Homeland Security Committee will hold a hearing titled “Worldwide Threats to the Homeland” on 17 September with the following witnesses:
    • Chad Wolf, Department of Homeland Security
    • Christopher Wray, Director, Federal Bureau of Investigation
    • Christopher Miller, Director, National Counterterrorism Center (NCTC)
  • On 17 September, the House Energy and Commerce Committee’s Communications & Technology Subcommittee will hold a hearing titled “Trump FCC: Four Years of Lost Opportunities.”
  • The House Armed Services Committee’s Intelligence and Emerging Threats and Capabilities Subcommittee will hold a hearing titled “Interim Review of the National Security Commission on Artificial Intelligence Effort and Recommendations” with these witnesses:
    • Dr. Eric Schmidt, Chairman, National Security Commission on Artificial Intelligence
    • HON Robert Work, Vice Chairman, National Security Commission on Artificial Intelligence
    • HON Mignon Clyburn, Commissioner, National Security Commission on Artificial Intelligence
    • Dr. José-Marie Griffiths, Commissioner, National Security Commission on Artificial Intelligence
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.” The agency has released its agenda and explained:
    • The workshop will also feature four panel discussions that will focus on: case studies on data portability rights in the European Union, India, and California; case studies on financial and health portability regimes; reconciling the benefits and risks of data portability; and the material challenges and solutions to realizing data portability’s potential.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled “Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September and has made available its agenda with these items:
    • Facilitating Shared Use in the 3.1-3.55 GHz Band. The Commission will consider a Report and Order that would remove the existing non-federal allocations from the 3.3-3.55 GHz band as an important step toward making 100 megahertz of spectrum in the 3.45-3.55 GHz band available for commercial use, including 5G, throughout the contiguous United States. The Commission will also consider a Further Notice of Proposed Rulemaking that would propose to add a co-primary, non-federal fixed and mobile (except aeronautical mobile) allocation to the 3.45-3.55 GHz band as well as service, technical, and competitive bidding rules for flexible-use licenses in the band. (WT Docket No. 19-348)
    • Expanding Access to and Investment in the 4.9 GHz Band. The Commission will consider a Sixth Report and Order that would expand access to and investment in the 4.9 GHz (4940-4990 MHz) band by providing states the opportunity to lease this spectrum to commercial entities, electric utilities, and others for both public safety and non-public safety purposes. The Commission also will consider a Seventh Further Notice of Proposed Rulemaking that would propose a new set of licensing rules and seek comment on ways to further facilitate access to and investment in the band. (WP Docket No. 07-100)
    • Improving Transparency and Timeliness of Foreign Ownership Review Process. The Commission will consider a Report and Order that would improve the timeliness and transparency of the process by which it seeks the views of Executive Branch agencies on any national security, law enforcement, foreign policy, and trade policy concerns related to certain applications filed with the Commission. (IB Docket No. 16-155)
    • Promoting Caller ID Authentication to Combat Spoofed Robocalls. The Commission will consider a Report and Order that would continue its work to implement the TRACED Act and promote the deployment of caller ID authentication technology to combat spoofed robocalls. (WC Docket No. 17-97)
    • Combating 911 Fee Diversion. The Commission will consider a Notice of Inquiry that would seek comment on ways to dissuade states and territories from diverting fees collected for 911 to other purposes. (PS Docket Nos. 20-291, 09-14)
    • Modernizing Cable Service Change Notifications. The Commission will consider a Report and Order that would modernize requirements for notices cable operators must provide subscribers and local franchising authorities. (MB Docket Nos. 19-347, 17-105)
    • Eliminating Records Requirements for Cable Operator Interests in Video Programming. The Commission will consider a Report and Order that would eliminate the requirement that cable operators maintain records in their online public inspection files regarding the nature and extent of their attributable interests in video programming services. (MB Docket No. 20-35, 17-105)
    • Reforming IP Captioned Telephone Service Rates and Service Standards. The Commission will consider a Report and Order, Order on Reconsideration, and Further Notice of Proposed Rulemaking that would set compensation rates for Internet Protocol Captioned Telephone Service (IP CTS), deny reconsideration of previously set IP CTS compensation rates, and propose service quality and performance measurement standards for captioned telephone services. (CG Docket Nos. 13-24, 03-123)
    • Enforcement Item. The Commission will consider an enforcement action.

Other Developments

  • After Ireland’s Data Protection Commission (DPC) directed Facebook to stop transferring the personal data of European Union citizens to the United States (U.S.), the company filed suit in Ireland’s court to stop enforcement of the order and succeeded in staying the matter until the court rules on the merits of the challenge. Earlier this summer, the Court of Justice for the European Union (CJEU) struck down the adequacy decision for the agreement between the European Union (EU) and United States (U.S.) that had provided the easiest means to transfer the personal data of EU citizens to the U.S. for processing under the General Data Protection Regulation (GDPR) (i.e. the EU-U.S. Privacy Shield). In the case known as Schrems II, the CJEU also cast doubt on whether standard contractual clauses (SCC) used to transfer personal data to the U.S. would pass muster given the grounds for finding the Privacy Shield inadequate: the U.S.’s surveillance regime and lack of meaningful redress for EU citizens. Consequently, it has appeared as if data protection authorities throughout the EU would need to revisit SCCs for transfers to the U.S., and it appears the DPC was looking to stop Facebook from using its SCC. Facebook is apparently arguing in its suit that it will suffer “extremely significant adverse effects” if the DPC’s decision is implemented.
  • In a related development, the European Data Protection Board (EDPB) has established “a taskforce to look into complaints filed in the aftermath of the CJEU Schrems II judgement.” The EDPB noted the 101 identical complaints “lodged with EEA Data Protection Authorities against several controllers in the European Economic Area (EEA) member states regarding their use of Google/Facebook services which involve the transfer of personal data.” The Board added “[s]pecifically the complainants, represented by the NGO NOYB, claim that Google/Facebook transfer personal data to the U.S. relying on the EU-U.S. Privacy Shield or Standard Contractual Clauses and that according to the recent CJEU judgment in case C-311/18 the controller is unable to ensure an adequate protection of the complainants’ personal data.” The EDPB claimed “[t]he taskforce will analyse the matter and ensure a close cooperation among the members of the Board…[and] [t]his taskforce will prepare recommendations to assist controllers and processors with their duty to identify and implement appropriate supplementary measures to ensure adequate protection when transferring data to third countries.” EDPB Chair Andrea Jelinek cautioned “the implications of the judgment are wide-ranging, and the contexts of data transfers to third countries very diverse…[and] [t]herefore, there cannot be a one-size-fits-all, quick fix solution.” She added “[e]ach organisation will need to evaluate its own data processing operations and transfers and take appropriate measures.”
  • An Australian court ruled against Facebook in its efforts to dismiss a suit brought against the company for its role in retaining and providing personal data to Cambridge Analytica. A Federal Court of Australia dismissed Facebook’s filings to reverse a previous ruling that allowed the Office of the Australian Information Commissioner (OAIC) to sue Facebook’s United States and Irish entities.
    • In March, the OAIC filed suit in federal court in Australia, alleging the two companies transgressed the privacy rights of 311,127 Australians under Australia’s Privacy Act. The two companies could face liability as high as $1.7 million ASD per violation.
    • In its November 2018 report to Parliament titled “Investigation into the use of data analytics in political campaigns”, the ICO explained
      • One key strand of our investigation involved allegations that an app, ultimately referred to as ‘thisisyourdigitallife’, was developed by Dr Aleksandr Kogan and his company Global Science Research (GSR) in order to harvest the data of up to 87 million global Facebook users, including one million in the UK. Some of this data was then used by Cambridge Analytica, to target voters during the 2016 US Presidential campaign process.
    • In its July 2018 report titled “Democracy disrupted? Personal information and political influence,” the ICO explained
      • The online targeted advertising model used by Facebook is very complex, and we believe a high level of transparency in relation to political advertising is vital. This is a classic big-data scenario: understanding what data is going into the system; how users’ actions on Facebook are determining what interest groups they are placed in; and then the rules that are fed into any dynamic algorithms that enable organisations to target individuals with specific adverts and messaging.
      • Our investigation found significant fair-processing concerns both in terms of the information available to users about the sources of the data that are being used to determine what adverts they see and the nature of the profiling taking place. There were further concerns about the availability and transparency of the controls offered to users over what ads and messages they receive. The controls were difficult to find and were not intuitive to the user if they wanted to control the political advertising they received. Whilst users were informed that their data would be used for commercial advertising, it was not clear that political advertising would take place on the platform.
      • The ICO also found that despite a significant amount of privacy information and controls being made available, overall they did not effectively inform the users about the likely uses of their personal information. In particular, more explicit information should have been made available at the first layer of the privacy policy. The user tools available to block or remove ads were also complex and not clearly available to users from the core pages they would be accessing. The controls were also limited in relation to political advertising.
  • The Australian Competition & Consumer Commission (ACCC) announced it “will be examining the experiences of Australian consumers, developers, suppliers and others in a new report scrutinising mobile app stores” according to the agency’s press release. The ACCC’s inquiry comes at the same time regulators in the United States and the European Union are investigating the companies for their app store practices, which could lead to enforcement actions. The ACCC is also looking to institute a code that would require Google and Facebook to pay Australian media outlets for content used on their platforms. The ACCC stated that “[i]ssues to be examined include the use and sharing of data by apps, the extent of competition between Google and Apple’s app stores, and whether more pricing transparency is needed in Australia’s mobile apps market.” The ACCC added:
    • Consumers are invited to share their experiences with buying and using apps through a short survey. The ACCC has also released an issues paper seeking views and feedback from app developers and suppliers.
    • In the issues paper, the ACCC explained “[p]otential outcomes” could be:
      • findings regarding structural, competitive or behavioural issues affecting the supply of apps
      • increased information about competition, pricing and other practices in the supply of apps and on app marketplaces
      • ACCC action to address any conduct that raises concerns under the Competition and Consumer Act 2010, and
      • recommendations to the Government for legislative reform to address systemic issues.
  • The Government Accountability Office (GAO) found an agency has implemented spotty, incomplete privacy measures in using facial recognition technology (FRT) at ports of entry.
    • The House Homeland Security and Senate Homeland Security and Governmental Affairs Committees asked the GAO
      • to review United States (U.S.) Customs and Border Protection (CBP) and Transportation Security Administration’s (TSA) facial recognition technology capabilities for traveler identity verification. This report addresses (1) the status of CBP’s testing and deployment of facial recognition technology at ports of entry, (2) the extent to which CBP’s use of facial recognition technology has incorporated privacy principles consistent with applicable laws and policies, (3) the extent to which CBP has assessed the accuracy and performance of its facial recognition capabilities at ports of entry, and (4) the status of TSA’s testing of facial recognition capabilities and the extent to which TSA’s facial recognition pilot tests incorporated privacy principles.
    • The GAO noted:
      • Most recently, in 2017, we reported that CBP had made progress in testing biometric exit capabilities, including facial recognition technology, but challenges continued to affect CBP’s efforts to develop and implement a biometric exit system, such as differences in the logistics and infrastructure among ports of entry. As we previously reported, CBP had tested various biometric technologies in different locations to determine which type of technology could be deployed on a large scale without disrupting legitimate travel and trade, while still meeting its mandate to implement a biometric entry-exit system. Based on the results of its testing, CBP concluded that facial recognition technology was the most operationally feasible and traveler-friendly option for a comprehensive biometric solution. Since then, CBP has prioritized testing and deploying facial recognition technology at airports (referred to as air exit), with seaports and land ports of entry to follow. These tests and deployments are part of CBP’s Biometric Entry-Exit Program.
      • As part of TSA’s mission to protect the nation’s transportation systems and to ensure freedom of movement for people and commerce, TSA has been exploring facial recognition technology for identity verification at airport checkpoints. Since 2017, TSA has conducted a series of pilot tests—some in partnership with CBP—to assess the feasibility of using facial recognition technology to automate traveler identity verification at airport security checkpoints. In April 2018, TSA signed a policy memorandum with CBP on the development and implementation of facial recognition capabilities at airports.
    • The GAO made recommendations to CBP:
      • The Commissioner of CBP should ensure that the Biometric Entry-Exit Program’s privacy notices contain complete and current information, including all of the locations where facial recognition is used and how travelers can request to opt out as appropriate. (Recommendation 1)
      • The Commissioner of CBP should ensure that the Biometric Entry-Exit Program’s privacy signage is consistently available at all locations where CBP is using facial recognition. (Recommendation 2)
      • The Commissioner of CBP should direct the Biometric Entry-Exit Program to develop and implement a plan to conduct privacy audits of its commercial partners’, contractors’, and vendors’ use of personally identifiable information. (Recommendation 3)
      • The Commissioner of CBP should develop and implement a plan to ensure that the biometric air exit capability meets its established photo capture requirement. (Recommendation 4)
      • The Commissioner of CBP should develop a process by which Biometric Entry-Exit program officials are alerted when the performance of air exit facial recognition falls below established thresholds. (Recommendation 5)
  • The United States (U.S.) Agency for Global Media (USAGM) is being sued by an entity it funds and oversees because
    • Previously, the United States Court of Appeals for the District of Columbia enjoined USAGM from “taking any action to remove or replace any officers or directors of the OTF,” pending the outcome of the suit which is being expedited.
    • Additionally, USAGM CEO and Chair of the Board Michael Pack is being accused in two different letters of seeking to compromise the integrity and independence of two organizations he oversees. There have been media accounts of the Trump Administration’s remaking of USAGM in ways critics contend are threatening the mission and effectiveness of the Open Technology Fund (OTF), a U.S. government non-profit designed to help dissidents and endangered populations throughout the world. The head of the OTF has been removed, evoking the ire of Members of Congress, and other changes have been implemented that are counter to the organization’s mission. Likewise, there are allegations that politically-motivated policy changes seek to remake the Voice of America (VOA) into a less independent entity.
      • In a letter to Pack, OTF argued that a number of recent actions Pack has undertaken have violated “firewall protections” in the organization’s grant agreement. They further argue that Pack is conflicted and should turn over the investigation to the United States (U.S.) Department of State’s Office of the Inspector General (OIG). OTF alleged the following:
        • 1. Attempts to compromise and undermine OTF’s independence: USAGM has repeatedly attempted to undermine OTF’s independence over the past several months.
        • 2. Attempts to compromise and undermine integrity: USAGM has also attempted to undermine the integrity of OTF by publicly making numerous false and misleading claims about OTF to the internet freedom community, the general public, and even to Congress.
        • 3. Attempts to compromise and undermine security: USAGM has attempted to undermine the security of OTF, our staff, and our project partners - many of whom operate in highly sensitive environments - by
          • 1) attempting to gain unauthorized and unsupervised access to our office space and
          • 2) by requesting vast amounts of sensitive information and documentation with no apparent grant-related purpose, and no regard for the security of that information and documentation
        • 4. Attempts to compromise and undermine privacy: Closely related to USAGM’s attempts to undermine OTF’s security, USAGM has also attempted to undermine the privacy of OTF’s staff and partners by requesting that OTF provide Personally Identifiable Information (PII) without a clearly articulated grant-related purpose, and with no guarantee that the PII will be handled in a secure manner.
        • 5. Attempts to compromise and undermine effectiveness: USAGM’s actions have undermined the effectiveness of OTF by:
          • 1) freezing and subsequently withholding $19,181,791 in congressionally appropriated funding from OTF, forcing OTF to issue stop-work orders to 49 of our 60 internet freedom projects;
          • 2) providing unjustified, duplicative, overbroad, and unduly burdensome requests for information and documentation, without any clear grant-related purpose, and with clearly unreasonable deadlines;
          • 3) attempting to divert and redirect funding obligated by USAGM to OTF in an effort to duplicate OTF’s work; and
          • 4) threatening to terminate OTF’s Grant Agreement.
    • OTF asserted
      • These actions individually serve to seriously undermine OTF’s organizational and programmatic effectiveness. In their combined aggregate they threaten to dismantle OTF’s basic ability to effectively carry out its congressionally mandated mission to the detriment of USAGM and the cause of internet freedom globally
    • A group of VOA journalists wrote the entity’s acting director, asserting that Pack’s actions risk crippling programs and projects for some countries that are considered national security priorities.” They added:
      • He has ordered the firing of contract journalists, with no valid reason, by cancelling their visas, forcing them back to home countries where the lives of some of them may be in jeopardy. Now the purge appears to be expanding to include U.S. permanent residents and even U.S. citizens, with Mr. Pack recklessly expressing that being a journalist is “a great cover for a spy.”
  • The Cyberspace Solarium Commission (CSC) issued its latest white paper to address a continuing problem for the United States’ government: how to attract or train a sufficient cyber workforce when private sector salaries are generally better. In “Growing A Stronger Federal Cyber Workforce,” the CSC claimed “Currently more than one in three public-sector cyber jobs sits open…[and] [f]illing these roles has been a persistent and intractable problem over the past decade, in large part due to a lack of coordination and leadership.” The CSC averred “[i]n the context of this pervasive challenge, the fundamental purpose of this paper is to outline the elements required for a coherent strategy that enables substantive and coordinated investment in cyber workforce development and calls for a sustained investment in that strategy.” The CSC then proceeds to lay out “five elements to guide development of a federal cyber workforce strategy:”
    • Organize: Federal departments and agencies must have flexible tools for organizing and managing their workforce that can adapt to each organization’s individual mission while also providing coherence across the entirety of the federal government. To appropriately organize the federal cyber workforce, the CSC recommends properly identifying and utilizing cyber-specific occupational classifications to allow more tailored workforce policies, building a federal cyber service to provide clear and agile hiring authorities and other personnel management tools, and establishing coordination structures to provide clear leadership for federal workforce development efforts.
    • Recruit: Federal leaders must focus on the programs that make public service an attractive prospect to talented individuals. In many ways, the federal government’s greatest tool for recruitment is the mission and unique learning opportunities inherent in federal work. To capitalize on these advantages, the government should invest in existing programs such as CyberCorps: Scholarship for Service and the Centers of Academic Excellence, while also working to mitigate recruitment barriers that stem from the personnel security clearance process.
    • Develop: The federal government, like all cyber employers, cannot expect every new employee to have hands-on experience, a four-year degree, and a list of industry certifications. Rather, the federal government will be stronger if it draws from a broad array of educational backgrounds and creates opportunities for employees to gain knowledge and experience as they work. This effort will call for many innovative approaches, among which the Commission particularly recommends apprenticeship programs and upskilling opportunities to support cyber employee development.
    • Retain: Federal leaders should take a nuanced view of retention, recognizing that enabling talent to move flexibly between the public and private sectors enables a stronger cyber workforce overall. However, federal employers can take steps to encourage their employees to increase the time they spend in public service. Improving pay flexibility is a major consideration, but continuing the development of career pathways and providing interesting career development opportunities like rotational and exchange programs also can be critical. Of particular note, federal employers can increase retention of underrepresented groups through the removal of inequities and barriers to advancement in the workplace.
    • Stimulate growth: The federal government cannot simply recruit a larger share of the existing national talent pool. Rather, leaders must take steps to grow the talent pool itself in order to increase the numbers of those available for federal jobs. To promote growth of the talent pool nationwide, the federal government must first coordinate government efforts working toward this goal. Executive branch and congressional leaders should also invest in measures to promote diversity across the national workforce and incentivize research to provide a greater empirical understanding of cyber workforce dynamics. Finally, federal leaders must work to increase the military cyber workforce, which has a significant impact on the national cyber workforce because it serves as both a source and an employer of cyber talent.

Further Reading

  • “Oracle reportedly wins deal for TikTok’s US operations as ‘trusted tech partner’” By Tom Warren and Nick Statt – The Verge. ByteDance chose Oracle over Microsoft but not for buying its operations in the United States (U.S.), Australia, Canada, and New Zealand. Now, Oracle is proposing to be TikTok’s trusted technology partner, which seems to be hosting TikTok’s operations in the U.S. and managing its data as a means of allaying the concerns of the U.S. government about access by the People’s Republic of China (PRC).
  • “Why Do Voting Machines Break on Election Day?” By Adrianne Jeffries – The Markup. This piece seeks to debunk the hype by explaining that most voting issues are minor and easily fixed, which may well be a welcome message in the United States (U.S.) given the lies and fretting about the security and accuracy of the coming election. Nonetheless, the mechanical and systemic problems encountered by some Americans do speak to the need to update voting laws and standards. Among other problems are the high barriers to entry for firms making and selling voting machines.
  • “Twitter steps up its fight against election misinformation” By Elizabeth Dwoskin – The Washington Post. Twitter and Google announced policy changes like Facebook did last week to help tamp down untrue claims and lies about voting and elections in the United States. Twitter will take a number of different approaches to handling lies and untrue assertions. If past is prologue, President Donald Trump may soon look to test the limits of this policy as he did shortly after Facebook announced its policy changes. Google will adjust searches on election day to place respected, fact-oriented organizations at the top of search results.
  • “China’s ‘hybrid war’: Beijing’s mass surveillance of Australia and the world for secrets and scandal” By Andrew Probyn and Matthew Doran – ABC News; “Zhenhua Data leak: personal details of millions around world gathered by China tech company” By Daniel Hurst in Canberra, Lily Kuo in Beijing and Charlotte Graham-McLay in Wellington – The Guardian. A massive database leaked to an American shows the breadth and range of information collected by a company in the People’s Republic of China (PRC) alleged to be working with the country’s military and security services. Zhenhua Data is denying any wrongdoing or anything untoward, but the database contains information on 2.4 million people, most of whom live in western nations in positions of influence and power such as British and Australian Prime Ministers Boris Johnson and Scott Morrison. Academics claim this sort of compilation of information from public and private sources is unprecedented and would allow the PRC to run a range of influence operations.
  • “Europe Feels Squeeze as Tech Competition Heats Up Between U.S. and China” By Steven Erlanger and Adam Satariano – The New York Times. Structural challenges in the European Union (EU) and a lack of large technology companies have left the EU in a delicate position. It seeks to be the world’s de facto regulator but is having trouble keeping up with the United States and the People’s Republic of China, the two dominant nations in technology.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


Further Reading, Other Developments, and Coming Events (8 September)

Here is today’s Further Reading, Other Developments, and Coming Events.

Coming Events

  • The United States-China Economic and Security Review Commission will hold a hearing on 9 September on “U.S.-China Relations in 2020: Enduring Problems and Emerging Challenges” to “evaluate key developments in China’s economy, military capabilities, and foreign relations, during 2020.”
  • On 10 September, the General Services Administration (GSA) will have a webinar to discuss implementation of Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) that bars the federal government and its contractors from buying the equipment and services from Huawei, ZTE, and other companies from the People’s Republic of China.
  • The Federal Communications Commission (FCC) will hold a forum on 5G Open Radio Access Networks on 14 September. The FCC asserted
    • Chairman [Ajit] Pai will host experts at the forefront of the development and deployment of open, interoperable, standards-based, virtualized radio access networks to discuss this innovative new approach to 5G network architecture. Open Radio Access Networks offer an alternative to traditional cellular network architecture and could enable a diversity in suppliers, better network security, and lower costs.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.”
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled “Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • The National Institute of Standards and Technology (NIST) announced a 15 and 16 September webinar to discuss its Draft Outline of Cybersecurity Profile for the Responsible Use of Positioning, Navigation, and Timing (PNT) Services. NIST stated it “seeks insight and feedback on this Annotated Outline to improve the PNT cybersecurity profile, which is scheduled for publication in February 2021…[and] [a]reas needing more input include feedback on the description of systems that use PNT services and the set of standards, guidelines, and practices addressing systems that use PNT services.” NIST explained that “[t]hrough the Profile development process, NIST will engage the public and private sectors on multiple occasions to include a request for information, participation in workshops, solicitation of feedback on this annotated outline, and public review and comment on the draft Profile.” The agency added “[t]he Profile development process is iterative and, in the end state, will identify and promote the responsible use of PNT services from a cybersecurity point of view.”
    • In June, NIST released a request for information (RFI) “about public and private sector use of positioning, navigation, and timing (PNT) services, and standards, practices, and technologies used to manage cybersecurity risks, to systems, networks, and assets dependent on PNT services.” This RFI is being undertaken per direction in a February executive order (EO) to serve as the foundation for the Trump Administration’s efforts to lessen the reliance of United States’ (U.S.) critical infrastructure on current PNT systems and services. Specifically, the EO seeks to build U.S. capacity to meet and overcome potential disruption or manipulation of the PNT systems and services used by virtually every key sector of the public and private sectors of the U.S.
    • NIST explained “Executive Order 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing Services, was issued on February 12, 2020 and seeks to protect the national and economic security of the United States from disruptions to PNT services that are vital to the functioning of technology and infrastructure, including the electrical power grid, communications infrastructure and mobile devices, all modes of transportation, precision agriculture, weather forecasting, and emergency response.” The EO directed NIST “to develop and make available, to at least the appropriate agencies and private sector users, PNT profiles.” NIST said “[r]esponses to this RFI will inform NIST’s development of a PNT profile, using the NIST Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework), that will enable the public and private sectors to identify systems, networks, and assets dependent on PNT services; identify appropriate PNT services; detect the disruption and manipulation of PNT services; and manage the associated cybersecurity risks to the systems, networks, and assets dependent on PNT services.”
    • The EO defines the crucial term this RFI uses: “PNT profile” means a description of the responsible use of PNT services—aligned to standards, guidelines, and sector-specific requirements—selected for a particular system to address the potential disruption or manipulation of PNT services.
    • In April, the Department of Homeland Security (DHS) released a report, “Report on Positioning, Navigation, and Timing (PNT) Backup and Complementary Capabilities to the Global Positioning System (GPS),” required by Section 1618 of the “2017 National Defense Authorization Act (NDAA)” (P.L. 114–328), that was due in December 2017. DHS offered “recommendations to address the nation’s PNT requirements and backup or complementary capability gaps.”
  • Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) has reversed itself and decided that the Swiss-U.S. Privacy Shield does not provide adequate protection for Swiss citizens whose data is transferred for processing into the United States (U.S.). However, it does not appear that there will be any practical effect as of yet. The FDPIC determined that the agreement “does not provide an adequate level of protection for data transfer from Switzerland to the US pursuant to the Federal Act on Data Protection (FADP).” This decision comes two months after the Court of Justice of the European Union (CJEU) struck down the European Union-U.S. Privacy Shield. The FDPIC noted this determination followed “his annual assessment of the Swiss-US Privacy Shield regime and recent rulings on data protection by the CJEU.” The FDPIC also issued a policy paper explaining the determination. The FDPIC added
    • As a result of this assessment, which is based on Swiss law, the FDPIC has deleted the reference to ‘adequate data protection under certain conditions’ for the US in the FDPIC’s list of countries. Since the FDPIC’s assessment has no influence on the continued existence of the Privacy Shield regime, and those concerned can invoke the regime as long as it is not revoked by the US, the comments on the Privacy Shield in the list of countries will be retained in an adapted form.
  • The United States Department of Defense (DOD) released its statutorily required annual report on the People’s Republic of China (PRC) that documented the rising power of the nation, especially with respect to cybersecurity and information warfare. The Pentagon noted
    • 2020 marks an important year for the People’s Liberation Army (PLA) as it works to achieve important modernization milestones ahead of the Chinese Communist Party’s (CCP) broader goal to transform China into a “moderately prosperous society” by the CCP’s centenary in 2021. As the United States continues to respond to the growing strategic challenges posed by the PRC, 2020 offers a unique opportunity to assess both the continuity and changes that have taken place in the PRC’s strategy and armed forces over the past two decades.
    • Regarding Cyberwarfare, the DOD asserted
      • The development of cyberwarfare capabilities is consistent with PLA writings, which identify Information Operations (IO) – comprising cyber, electronic, and psychological warfare – as integral to achieving information superiority and as an effective means for countering a stronger foe. China has publicly identified cyberspace as a critical domain for national security and declared its intent to expedite the development of its cyber forces.
      • The PRC presents a significant, persistent cyber espionage and attack threat to military and critical infrastructure systems. China seeks to create disruptive and destructive effects—from denial-of-service attacks to physical disruptions of critical infrastructure—to shape decision-making and disrupt military operations in the initial stages of a conflict by targeting and exploiting perceived weaknesses of militarily superior adversaries. China is improving its cyberattack capabilities and has the ability to launch cyberattacks—such as disruption of a natural gas pipeline for days to weeks—in the United States.
      • PLA writings note the effectiveness of IO and cyberwarfare in recent conflicts and advocate targeting C2 and logistics networks to affect an adversary’s ability to operate during the early stages of conflict. Authoritative PLA sources call for the coordinated employment of space, cyber, and EW as strategic weapons to “paralyze the enemy’s operational system of systems” and “sabotage the enemy’s war command system of systems” early in a conflict. Increasingly, the PLA considers cyber capabilities a critical component in its overall integrated strategic deterrence posture, alongside space and nuclear deterrence. PLA studies discuss using warning or demonstration strikes—strikes against select military, political, and economic targets with clear “awing effects”—as part of deterrence. Accordingly, the PLA probably seeks to use its cyberwarfare capabilities to collect data for intelligence and cyberattack purposes; to constrain an adversary’s actions by targeting network-based logistics, C2, communications, commercial activities, and civilian and defense critical infrastructure; or, to serve as a force-multiplier when coupled with kinetic attacks during armed conflict.
      • The PLA’s ongoing structural reforms may further change how the PLA organizes and commands IO, particularly as the Strategic Support Force (SSF) evolves over time. By consolidating cyber and other IO-related elements, the SSF likely is generating synergies by combining national-level cyber reconnaissance, attack, and defense capabilities in its organization.
    • The DOD also noted the PLA’s emphasis on intelligentized warfare:
      • The PLA sees emerging technologies as driving a shift to “intelligentized” warfare from today’s “informatized” way of war. PLA strategists broadly describe intelligentized warfare as the operationalization of artificial intelligence (AI) and its enabling technologies, such as cloud computing, big data analytics, quantum information, and unmanned systems, for military applications. These technologies, according to PRC leaders—including Chairman Xi Jinping—represent a “Revolution in Military Affairs” for which China must undertake a whole-of-government approach to secure critical economic and military advantages against advanced militaries.
  • The United States’ (U.S.) Citizenship and Immigration Services (USCIS) of the Department of Homeland Security (DHS) is proposing a rule “to amend DHS regulations concerning the use and collection of biometrics in the enforcement and administration of immigration laws by USCIS, U.S. Customs and Border Protection (CBP), and U.S. Immigration and Customs Enforcement (ICE).”
    • USCIS further explained:
    • First, DHS proposes that any applicant, petitioner, sponsor, beneficiary, or individual filing or associated with an immigration benefit or request, including United States citizens, must appear for biometrics collection without regard to age unless DHS waives or exempts the biometrics requirement.
    • Second, DHS proposes to authorize biometric collection, without regard to age, upon arrest of an alien for purposes of processing, care, custody, and initiation of removal proceedings.
    • Third, DHS proposes to define the term biometrics.
    • Fourth, this rule proposes to increase the biometric modalities that DHS collects, to include iris image, palm print, and voice print.
    • Fifth, this rule proposes that DHS may require, request, or accept DNA test results, which include a partial DNA profile, to prove the existence of a claimed genetic relationship and that DHS may use and store DNA test results for the relevant adjudications or to perform any other functions necessary for administering and enforcing immigration and naturalization laws.
    • Sixth, this rule would modify how VAWA and T nonimmigrant petitioners demonstrate good moral character, as well as remove the presumption of good moral character for those under the age of 14. 
    • Lastly, DHS proposes to further clarify the purposes for which biometrics are collected from individuals filing immigration applications or petitions, to include criminal history and national security background checks; identity enrollment, verification, and management; secure document production, and to administer and enforce immigration and naturalization laws.

Further Reading

  • “State aid helps China tech leaders shrug off US sanctions” By Kenji Kawase – Nikkei Asian Review. A number of companies placed on the United States’ no-trade list have received generous subsidies from their government in Beijing. The People’s Republic of China (PRC) sees the health of a number of these companies as vital to its long-term development and is willing to prop them up. Some companies have received multiples of their net profit to keep them afloat.
  • “Facebook Says Trump’s Misleading Post About Mail-In Voting Is OK. Employees Say It’s Not.” By Craig Silverman and Ryan Mac – BuzzFeed News. There is more internal dissension at Facebook even after the company’s announcement it would not accept political advertising the last week of the election and correct misinformation about voting. Within hours of this policy change, President Donald Trump encouraged voters to possibly vote twice, which many Facebook employees saw as a violation of the new policy. The company disagreed and appended a claim from a bipartisan think tank study finding that mail-in voting is largely fraud free.
  • “Why Facebook’s Blocking of New Political Ads May Fall Short” By Davey Alba and Sheera Frenkel – The New York Times. This piece explains in detail why Facebook’s new policy to combat political misinformation is likely to fall quite short of addressing the problem.
  • “Student arrested for cyberattack against Miami schools used ‘easy to prevent’ program” By Colleen Wright and David Ovalle – Miami Herald. The United States’ fourth largest school district fell victim to a distributed denial of service attack launched by a 16-year-old student using tools more than a decade old downloaded from the internet. This unnamed hacker foiled the Miami-Dade school district’s first three days of online classes, raising questions about the cybersecurity of the school system if such an old attack succeeded so easily and how safe the personal information of students is in this school system and others around the country.
  • “Trump and allies ratchet up disinformation efforts in late stage of campaign” By Ashley Parker – The Washington Post. It has been apparent for some that President Donald Trump and a number of his Republican allies are intentionally or recklessly spreading false information to try to help his campaign cover ground against frontrunner former Vice President Joe Biden. The goal is to so muddy the waters that the average person will neither be able to discern the truth of a claim nor be concerned about doing so. This approach is the very same Russia’s leader Vladimir Putin has successfully executed in pushing his country into a post-truth world. Experts are warning that a continuation of this trend in the United States (U.S.) could wreak potentially irreparable harm.


Further Reading, Other Developments, and Coming Events (7 September)

Here is today’s Further Reading, Other Developments, and Coming Events.

Coming Events

  • The United States-China Economic and Security Review Commission will hold a hearing on 9 September on “U.S.-China Relations in 2020: Enduring Problems and Emerging Challenges” to “evaluate key developments in China’s economy, military capabilities, and foreign relations, during 2020.”
  • On 10 September, the General Services Administration (GSA) will have a webinar to discuss implementation of Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) that bars the federal government and its contractors from buying the equipment and services from Huawei, ZTE, and other companies from the People’s Republic of China.
  • The Federal Communications Commission (FCC) will hold a forum on 5G Open Radio Access Networks on 14 September. The FCC asserted
    • Chairman [Ajit] Pai will host experts at the forefront of the development and deployment of open, interoperable, standards-based, virtualized radio access networks to discuss this innovative new approach to 5G network architecture. Open Radio Access Networks offer an alternative to traditional cellular network architecture and could enable a diversity in suppliers, better network security, and lower costs.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.”
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled “Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • A federal appeals court found that the National Security Agency (NSA) exceeded its lawful remit in operating the bulk metadata collection program that former contractor Edward Snowden exposed. Even though the United States Court of Appeals for the Ninth Circuit did not reverse the convictions of four Somalis convicted of providing assistance to terrorists, the court did find the telephony metadata program exceeded Congress’ authorization provided in the Foreign Intelligence Surveillance Act (FISA). The court also suggested, without deciding the question, that the NSA may have violated the Fourth Amendment’s ban on unreasonable searches. The NSA closed the program in 2015 and had a great deal of difficulty with a successor program authorized the same year that was also shut down in 2018. However, the Trump Administration has asked for a reauthorization of the most recent version even though it has admitted it has no plans to restart the program in the immediate future.
  • The top Democrats on five House and Senate committees wrote the new Director of National Intelligence (DNI) calling on him to continue briefing committees of jurisdiction on intelligence regarding election interference. Reportedly, DNI John Ratcliffe wrote these committees in late August, stating his office would still provide Congress written briefings but would no longer conduct in-person briefings because of alleged leaking by Democrats. However, the chair of the Senate Intelligence Committee claimed his committee would still be briefed in person.
    • In an interview, Ratcliffe explained his rationale for ending in-person briefings:
      • I reiterated to Congress, look, I’m going to keep you fully and currently informed, as required by the law. But I also said, we’re not going to do a repeat of what happened a month ago, when I did more than what was required, at the request of Congress, to brief not just the Oversight Committees, but every member of Congress. And yet, within minutes of that — one of those briefings ending, a number of members of Congress went to a number of different publications and leaked classified information, again, for political purposes, to create a narrative that simply isn’t true, that somehow Russia is a greater national security threat than China.
    • Senate Rules Committee Ranking Member Amy Klobuchar (D-MN), House Administration Committee Chair Zoe Lofgren (D-CA), Senate Judiciary Committee Ranking Member Dianne Feinstein (D-CA), House Judiciary Committee Chair Jerrold Nadler (D-NY), and House Homeland Security Committee Chair Bennie Thompson (D-MS) expressed “serious alarm regarding your decision to stop providing in-person election security briefings to Congress, and to insist that you immediately reschedule these critical briefings ahead of the November general election.” They added
      • The important dialogue that comes from a briefing cannot be understated, as you’re well aware. This is why the Intelligence Community (IC) has for decades arranged for senior members of every administration to have intelligence briefers who provide regular, often daily, briefings, rather than simply sending written products to review. Intelligence memos are not a substitute for full congressional briefings. It is also unacceptable to fully brief only one Committee on matters related to federal elections.
      • As Members of the House and Senate with jurisdiction over federal elections, we call on you to immediately resume in-person briefings. We also remind you that the ODNI does not own the intelligence it collects on behalf of the American people, it is a custodian of the information. In addition to the power to establish and fund the ODNI, Congress has the power to compel information from it.
    • In his statement, acting Senate Intelligence Committee Chair Marco Rubio (R-FL) asserted
      • Intelligence agencies have a legal obligation to keep Congress informed of their activities. And Members of Congress have a legal obligation to not divulge classified information. In my short time as Acting Chair of the Senate Select Committee on Intelligence, I have witnessed firsthand how this delicate balance has been destroyed.
      • Divulging access to classified information in order to employ it as a political weapon is not only an abuse, it is a serious federal crime with potentially severe consequences on our national security. This situation we now face is due, in no small part, to the willingness of some to commit federal crimes for the purpose of advancing their electoral aims.
      • Yet, this grotesque criminal misconduct does not release the Intelligence Community from fulfilling its legal requirements to respond to Congressional oversight committees and to keep Members of Congress fully informed of relevant information on a timely basis. I have spoken to Director Ratcliffe who stated unequivocally that he will continue to fulfill these obligations. In particular, he made explicitly clear that the Senate Select Committee on Intelligence will continue receiving briefings on all oversight topics, including election matters. 
    • In early August, National Counterintelligence and Security Center (NCSC) Director William Evanina issued an update to his late July statement “100 Days Until Election 2020” through “sharing additional information with the public on the intentions and activities of our adversaries with respect to the 2020 election…[that] is being released for the purpose of better informing Americans so they can play a critical role in safeguarding our election.” Evanina offered more in the way of detail on the three nations identified as those being most active in and capable of interfering in the November election: the Russian Federation, the People’s Republic of China (PRC), and Iran. This additional detail may well have been provided given the pressure from Democrats in Congress to do just this. Members like Speaker of the House Nancy Pelosi (D-CA) argued that Evanina was not giving an accurate picture of the actions by foreign nations to influence the outcome and perception of the 2020 election. Republicans in Congress pushed back, claiming Democrats were seeking to politicize the classified briefings given by the Intelligence Community (IC).
    • In a statement, Pelosi and House Intelligence Committee Chair Adam Schiff (D-CA) expressed gratitude for the additional detail but took issue with the statement for implying through its structure that the risks each nation presents are equal. It would seem to make sense that Pelosi and Schiff are arguing that the Russian Federation is the biggest threat in light of its history in successfully spreading disinformation and misinformation in 2016 to benefit then candidate Donald Trump and harm former Secretary of State Hillary Clinton. This assertion would also serve to rebut the notion that the PRC is the top threat given its placement as the first nation mentioned and Trump Administration rhetoric to this effect.
  • The Federal Acquisition Security Council (FASC) has released an interim regulation that took effect upon being published, but the body will be accepting comments on a still-to-be drafted final regulation. This entire effort is aimed at helping the United States government identify and remove risky and untrustworthy information technology from its systems. However, the FASC is some nine months late in issuing this rule, suggesting that some of the same troubles that have slowed other Trump Administration efforts to secure the federal government’s information and communications technology supply chain delayed this rule. Other efforts have been slowed by industry stakeholder pushback because a number of American multinationals have supply chains in the People’s Republic of China (PRC) and have resisted efforts to decrease sourcing from that country. This rulemaking was required by the “Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act” (SECURE Technology Act) (P.L. 115-390). The council has one year to fashion and release a final rule.
    • FASC explained that the interim final rule “implement[s] the requirements of the laws that govern the operation of the FASC, the sharing of supply chain risk information, and the exercise of its authorities to recommend issuance of removal and exclusion orders to address supply chain security risks…[and] [w]ritten comments must be received on or before November 2, 2020.”
    • FASC stated
      • Information and communications technology and services (ICTS) are essential to the proper functioning of U.S. government information systems. The U.S. government’s efforts to evaluate threats to and vulnerabilities in ICTS supply chains have historically been undertaken by individual or small groups of agencies to address specific supply chain security risks. Because of the scale of supply chain risks faced by government agencies, and the need for better coordination among a broader group of agencies, there was an organized effort within the executive branch to support Congressional efforts in 2018 to pass new legislation to improve executive branch coordination, supply chain information sharing, and actions to address supply chain risks.
    • FASC explained the interim rule is divided into three parts:
      • Subpart A explains the scope of this IFR, provides definitions for relevant terms, and establishes the membership of the FASC. Subpart B establishes the role of the FASC’s Information Sharing Agency (ISA). DHS, acting primarily through the Cybersecurity and Infrastructure Security Agency, will serve as the ISA. The ISA will standardize processes and procedures for submission and dissemination of supply chain information, and will facilitate the operations of a Supply Chain Risk Management (SCRM) Task Force under the FASC. This FASC Task Force (hereafter referred to as “Task Force”) will be comprised of designated technical experts that will assist the FASC in implementing its information sharing, risk analysis, and risk assessment functions. Subpart B also prescribes mandatory and voluntary information sharing criteria and associated information protection requirements. Subpart C provides the criteria and procedures by which the FASC will evaluate supply chain risk from sources and covered articles and recommend issuance of orders requiring removal of covered articles from executive agency information systems (removal orders) and orders excluding sources or covered articles from future procurements (exclusion orders). Subpart C also provides the process for issuance of removal orders and exclusion orders and agency requests for waivers from such orders.
    • The FASC noted it was required to select “an appropriate executive agency—the FASC’s Information Sharing Agency (ISA)—to perform the administrative information sharing functions on behalf of the FASC,” and it has chosen the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
  • The Federal Communications Commission (FCC) released “the results of its efforts to identify use of Huawei and ZTE equipment and services in U.S. telecommunications networks that receive support from the federal Universal Service Fund.” The FCC initiated this proceeding with its 2019 Supply Chain Order, 85 FR 230, and then Congress came behind the agency and enacted the “Secure and Trusted Communications Networks Act of 2019” (Secure Networks Act) (P.L. 116-124), which authorized in law much of what the FCC was doing. However, this statute did not appropriate any funds for the FCC to implement the identification and removal of Huawei and ZTE equipment from U.S. telecommunications networks. It is possible Congress could provide these funds in an annual appropriations bill for the coming fiscal year.
    • The FCC stated
      • Based on data Commission staff collected through the information collection, all filers report it could cost an estimated $1.837 billion to remove and replace Huawei and ZTE equipment in their networks. Of that total, filers that appear to initially qualify for reimbursement under the Secure and Trusted Communications Network Act of 2019 report it could require approximately $1.618 billion to remove and replace such equipment. Other providers of advanced communications service may not have participated in the information collection and yet still be eligible for reimbursement under the terms of that Act.
  • Australia’s government has released “a voluntary Code of Practice to improve the security of the Internet of Things (IoT),” “a first step in the Australian Government’s approach to improve the security of IoT devices in Australia.” These standards are optional but may foretell future mandatory requirements. The Department of Home Affairs and the Australian Signals Directorate’s Australian Cyber Security Centre developed the Code and explained:
    • This Code of Practice is a voluntary set of measures the Australian Government recommends for industry as the minimum standard for IoT devices. The Code of Practice will also help raise awareness of security safeguards associated with IoT devices, build greater consumer confidence in IoT technology and allow Australia to reap the benefits of greater IoT adoption.
    • The Code of Practice is designed for an industry audience and comprises 13 principles. The Australian Government recommends industry prioritise the top three principles because action on default passwords, vulnerability disclosure and security updates will bring the largest security benefits in the short term.
    • In acknowledgement of the global nature of this issue, the Code of Practice aligns with and builds upon guidance provided by the United Kingdom and is consistent with other international standards. The principles will help inform domestic and international manufacturers about the security features expected of devices available in Australia.
  • The Office of the Privacy Commissioner of Canada (OPC) issued “Privacy guidance for manufacturers of Internet of Things devices” intended to provide “practical information to help ensure that your business practices and the devices you make are privacy protective and compliant with the Personal Information Protection and Electronic Documents Act (PIPEDA).” The OPC cautioned “[i]f your IoT device is collecting, using or disclosing personal data in the course of commercial activity, then you are subject to PIPEDA and must follow the principles set out in Schedule 1 of PIPEDA…[and] [t]hese principles…are rooted in international data protection standards and reflect the Canadian Standards Association’s Model Privacy Code for the Protection of Personal Information.” OPC offered this checklist:
    • What you must do to fulfill your responsibilities under PIPEDA:
      • Be accountable by instituting practices that protect the personal information under the control of your organization
      • Before collecting personal information, identify the purposes for its collection
      • Obtain informed and meaningful consent from the individual whose personal information is collected, used or disclosed
      • Design your devices to limit collection to that which is necessary to fulfil their stated purposes
      • Use and disclose personal information only for the purpose for which it was collected
      • Ensure that personal information is as accurate, up-to-date and complete as is necessary for the purposes for which it is to be used, especially when making a decision about individuals or when sharing it with others
      • Ensure the personal information you are accountable for is appropriately safeguarded
      • Inform individuals about your policies and practices for information management
      • Give individuals the ability to access and correct their information
      • Provide recourse to individuals by developing complaint procedures
      • Limit what you collect, use, share and retain about your customers, including children
      • Protect personal information through technological safeguards such as encryption and password protection
    • What you should do to supplement your responsibilities under the law:
      • Create device specific privacy policies to improve the transparency of your information practices. For example, include a list of every sensor a device possesses in your policy’s section on disclosures and state the minimum length of time these devices will receive security updates
      • Consider periodically notifying users when the device is collecting data and give consumers greater control to limit the collection.
      • Perform privacy and security risk assessments that help identify and mitigate risks associated with the device and your personal information handling practices
      • Design your devices to have consumers use strong and unique passwords
      • Provide consumers with user-friendly options to permanently delete information you hold about them and inform them of how to do so
      • Ensure that the end user can patch or update the firmware on the device
  • The United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), the Federal Bureau of Investigation (FBI) and U.S. Cyber Command (USCYBERCOM) published a joint technical alert “about an ongoing automated teller machine (ATM) cash-out scheme by North Korean government cyber actors – referred to by the U.S. government as ‘FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks.’” The agencies asserted
    • [The Democratic People’s Republic of Korea’s (DPRK)] intelligence apparatus controls a hacking team dedicated to robbing banks through remote internet access. To differentiate methods from other North Korean malicious cyber activity, the U.S. Government refers to this team as BeagleBoyz, who represent a subset of HIDDEN COBRA activity. The BeagleBoyz overlap to varying degrees with groups tracked by the cybersecurity industry as Lazarus, Advanced Persistent Threat 38 (APT38), Bluenoroff, and Stardust Chollima and are responsible for the FASTCash ATM cash outs reported in October 2018, fraudulent abuse of compromised bank-operated SWIFT system endpoints since at least 2015, and lucrative cryptocurrency thefts. This illicit behavior has been identified by the United Nations (UN) DPRK Panel of Experts as evasion of UN Security Council resolutions, as it generates substantial revenue for North Korea. North Korea can use these funds for its UN-prohibited nuclear weapons and ballistic missile programs. Additionally, this activity poses significant operational risk to the Financial Services sector and erodes the integrity of the financial system.
  • In a short statement released late on a Friday heading into the Labor Day three-day weekend, the Department of Defense (DOD) signaled the end of “its comprehensive re-evaluation of the Joint Enterprise Defense Infrastructure (JEDI) Cloud proposals and determined that Microsoft’s proposal continues to represent the best value to the Government.” Microsoft bested Amazon for the contract in late 2019, but the latter’s court challenge alleged bias against the company as evidenced by comments from President Donald Trump. This case is ongoing, and Amazon will almost certainly challenge this award, too. In a blog posting, Amazon declared “we will not back down in the face of targeted political cronyism or illusory corrective actions, and we will continue pursuing a fair, objective, and impartial review.” The DOD explained that the potentially $10 billion contract “will make a full range of cloud computing services available to the DOD.” The Pentagon conceded that “[w]hile contract performance will not begin immediately due to the Preliminary Injunction Order issued by the Court of Federal Claims on February 13, 2020, DOD is eager to begin delivering this capability to our men and women in uniform.”

Further Reading

  • “Race for Coronavirus Vaccine Pits Spy Against Spy” By Julian E. Barnes and Michael Venutolo-Mantovani – The New York Times. Reportedly, hackers from the People’s Republic of China (PRC), Russian Federation, and the Islamic Republic of Iran have widened their list of targets to include research universities in the United States (U.S.) working on COVID-19 vaccine research. Officials quoted in the piece explain the likely motivations as being knowing what the U.S. is up to considering their research capabilities are not as good, “checking” their own research against the U.S., and possibly even prestige if they can leverage the intelligence gained into a viable vaccine more quickly than the U.S. or other western nations. Perhaps there is an even more basic motivation: they want a vaccine as fast as possible and are willing to steal one to save their citizens. Nonetheless, this article follows the announcements during the summer by Five Eyes security services that the three nations were targeting pharmaceutical companies and seems to be of a piece with them. The article only hints at the possibility that the U.S. and its allies may be doing exactly the same to those nations to monitor their efforts as well. One final interesting strand: Russia seems to be gearing up for a major influence campaign to widen the split in U.S. society about the proper response to COVID-19 by sowing doubt about vaccinations generally.
  • “Forget TikTok. China’s Powerhouse App Is WeChat, and Its Power Is Sweeping.” By Paul Mozur – The New York Times. This article delves deeply into WeChat, the do-all app most people inside and from the People’s Republic of China (PRC) have on their phone. It is a combination of WhatsApp, Amazon, Apple Pay, Facebook, and other functionality that has become indispensable to those living in the PRC. One person who lived in Canada and returned wishes she could dispense with the app that has become central to Beijing’s efforts to censor and control its people. The PRC employs algorithms and human monitoring to ensure nothing critical of the government is posted or disseminated. One user in North America was shocked to learn, when talking to others, that the app’s depiction of Donald Trump as being deeply respected by everyone in the United States (U.S.) was wrong. A few of the experts quoted expressed doubt that banning the app in the U.S. will change much.
  • “U.S. considers cutting trade with China’s biggest semiconductor manufacturer” By Jeanne Whalen – The Washington Post; “Trump administration weighs blacklisting China’s chipmaker SMIC” by Idrees Ali, Alexandra Alper, and Karen Freifeld – Reuters. The People’s Republic of China’s (PRC) biggest semiconductor maker may be added to the United States’ (U.S.) no-trade list soon in what may be another move to further cut Huawei’s access to crucial western technology. Ostensibly, the Semiconductor Manufacturing International Corp. (SMIC) is being accused of having ties that are too close with the PRC’s military. However, the company rejected this allegation in its statement: “The company manufactures semiconductors and provides services solely for civilian and commercial end-users and end-uses. We have no relationship with the Chinese military.” A different PRC chip maker was added to the list in 2018: Fujian Jinhua Integrated Circuit Co.
  • “Pasco’s sheriff created a futuristic program to stop crime before it happens. It monitors and harasses families across the county.” By Kathleen McGrory and Neil Bedi – Tampa Bay Times. Even though most of the truly alarming aspects of this sheriff’s office are human based, the notion that using technology and intelligence methods will allow someone to predict crime is dystopian and disconcerting. What this sheriff’s department has done to mostly minors guilty of at most petty misdemeanors should give anyone pause about employing technology to predict crime and criminals.
  • “DHS, FBI rebut reports about hacked voter data on Russian forum” By Tim Starks – Politico. The United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) rebutted claims made by journalist Julia Ioffe that Michigan voter data were in the hands of Russian hackers. However, statements by CISA, the FBI, and the state of Michigan explained there has been no hack, and that these data may have been obtained through a Freedom of Information Act request.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


Further Reading, Other Developments, and Coming Events (4 September)

Here is today’s Further Reading, Other Developments, and Coming Events.

Coming Events

  • The United States-China Economic and Security Review Commission will hold a hearing on 9 September on “U.S.-China Relations in 2020: Enduring Problems and Emerging Challenges” to “evaluate key developments in China’s economy, military capabilities, and foreign relations, during 2020.”
  • On 10 September, the General Services Administration (GSA) will have a webinar to discuss implementation of Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) that bars the federal government and its contractors from buying the equipment and services from Huawei, ZTE, and other companies from the People’s Republic of China.
  • The Federal Communications Commission (FCC) will hold a forum on 5G Open Radio Access Networks on 14 September. The FCC asserted
    • Chairman [Ajit] Pai will host experts at the forefront of the development and deployment of open, interoperable, standards-based, virtualized radio access networks to discuss this innovative new approach to 5G network architecture. Open Radio Access Networks offer an alternative to traditional cellular network architecture and could enable a diversity in suppliers, better network security, and lower costs.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.”
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled “Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • The United States (U.S.) Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Election Assistance Commission (EAC) “released the Election Risk Profile Tool, a user-friendly assessment tool to equip election officials and federal agencies in prioritizing and managing cybersecurity risks to the Election Infrastructure Subsector.” The agencies stated “[t]he new tool is designed to help state and local election officials understand the range of risks they face and how to prioritize mitigation efforts…[and] also addresses areas of greatest risk, ensures technical cybersecurity assessments and services are meeting critical needs, and provides a sound analytic foundation for managing election security risk with partners at the federal, state and local level.”
    • CISA and the EAC explained that the Election Risk Profile Tool:
      • Is a user-friendly assessment tool for state and local election officials to develop a high-level risk profile across a jurisdiction’s specific infrastructure components;
      • Provides election officials a method to gain insights into their cybersecurity risk and prioritize mitigations;
      • Accepts inputs of a jurisdiction’s specific election infrastructure configuration; and
      • Outputs a tailored risk profile for jurisdictions, which identifies specific areas of highest risk and recommends associated mitigation measures that the jurisdiction could implement to address the risk areas.
  • The cybersecurity agencies of the Five Eyes nations have released a Joint Cybersecurity Advisory: Technical Approaches to Uncovering and Remediating Malicious Activity that “highlights technical approaches to uncovering malicious activity and includes mitigation steps according to best practices.” The agencies asserted “[t]he purpose of this report is to enhance incident response among partners and network administrators along with serving as a playbook for incident investigation.”
    • The Australian Cyber Security Centre, Canada’s Communications Security Establishment, the United States’ Cybersecurity and Infrastructure Security Agency, the United Kingdom’s National Cyber Security Centre, and New Zealand’s National Cyber Security Centre and Computer Emergency Response Team summarized the key takeaways from the Joint Advisory:
      • When addressing potential incidents and applying best practice incident response procedures:
        • First, collect and remove for further analysis:
          • Relevant artifacts,
          • Logs, and
          • Data.
        • Next, implement mitigation steps that avoid tipping off the adversary that their presence in the network has been discovered.
        • Finally, consider soliciting incident response support from a third-party IT security organization to:
          • Provide subject matter expertise and technical support to the incident response,
          • Ensure that the actor is eradicated from the network, and
          • Avoid residual issues that could result in follow-up compromises once the incident is closed.
  • The United States’ (U.S.) Department of Justice (DOJ) and Federal Trade Commission (FTC) signed an Antitrust Cooperation Framework with their counterpart agencies from Australia, Canada, New Zealand, and the United Kingdom. The Multilateral Mutual Assistance and Cooperation Framework for Competition Authorities (Framework) “aims to strengthen cooperation between the signatories, and provides the basis for a series of bilateral agreements among them focused on investigative assistance, including sharing confidential information and cross-border evidence gathering.” Given that a number of large technology companies are under investigation in the U.S., the European Union (EU) and elsewhere, signaling a shift in how technology multinationals are being viewed, this agreement may enable cross-border efforts to collectively address alleged abuses. However, the Framework “is not intended to be legally binding and does not give rise to legal rights or obligations under domestic or international law.” The Framework provides:
    • Recognising that the Participants can benefit by sharing their experience in developing, applying, and enforcing Competition Laws and competition policies, the Participants intend to cooperate and provide assistance, including by:
      • a) exchanging information on the development of competition issues, policies and laws;
      • b) exchanging experience on competition advocacy and outreach, including to consumers, industry, and government;
      • c) developing agency capacity and effectiveness by providing advice or training in areas of mutual interest, including through the exchange of officials and through experience-sharing events;
      • d) sharing best practices by exchanging information and experiences on matters of mutual interest, including enforcement methods and priorities; and
      • e) collaborating on projects of mutual interest, including via establishing working groups to consider specific issues.
  • Dynasplint Systems alerted the United States Department of Health and Human Services (HHS) that it suffered a breach affecting more than 100,000 people earlier this year. HHS’ Office of Civil Rights (OCR) is investigating possible violations of Health Insurance Portability and Accountability Act regulations regarding the safeguarding of patients’ health information. If Dynasplint failed to properly secure patient information or its systems, OCR could levy a multimillion-dollar fine given the size of the breach. For example, in late July, OCR fined a company over $1 million for the theft of an unencrypted laptop that exposed the personal information of a little more than 20,000 people.
    • Dynasplint, a Maryland manufacturer of range of motion splints, explained:
      • On June 4, 2020, the investigation determined that certain information was accessed without authorization during the incident.
      • The information may have included names, addresses, dates of birth, Social Security numbers, and medical information.
      • Dynasplint Systems reported this matter to the FBI and will provide whatever cooperation is necessary to hold perpetrators accountable.
  • The California Legislature has sent two bills to Governor Gavin Newsom (D) that would change how technology is regulated in the state, including one that would alter the “California Consumer Privacy Act” (AB 375) (CCPA) if the “California Privacy Rights Act” (CPRA) (Ballot Initiative 24) is not enacted by voters in the November election. The two bills are:
    • AB 1138 would amend the recently effective “Parent’s Accountability and Child Protection Act” and would bar those under the age of 13 from opening a social media account unless the platform got explicit consent from their parents. Moreover, “[t]he bill would deem a business to have actual knowledge of a consumer’s age if it willfully disregards the consumer’s age.”
    •  AB 1281 would extend the carveout for employers to comply with the CCPA from 1 January 2021 to 1 January 2022. The CCPA “exempts from its provisions certain information collected by a business about a natural person in the course of the natural person acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor, as specified…[and also] exempts from specified provisions personal information reflecting a written or verbal communication or a transaction between the business and the consumer, if the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from that company, partnership, sole proprietorship, nonprofit, or government agency.” AB 1281 “shall become operative only” if the CPRA is not approved by voters.
  • Senators Shelley Moore Capito (R-WV), Amy Klobuchar (D-MN) and Jerry Moran (R-KS) have written “a letter to Federal Trade Commission (FTC) Chairman Joseph Simons urging the FTC to take action to address the troubling data collection and sharing practices of the mobile application (app) Premom” and “to request information on the steps that the FTC plans to take to address this issue.” They asserted:
    • A recent investigation from the International Digital Accountability Council (IDAC) indicated that Premom may have engaged in deceptive consumer data collection and processing, and that there may be material differences between Premom’s stated privacy policies and its actual data-sharing practices. Most troubling, the investigation found that Premom shared its users’ data without their consent.
    • Moore Capito, Klobuchar, and Moran stated “[i]n light of these concerning reports, and given the critical role that the FTC plays in enforcing federal laws that protect consumer privacy and data under Section 5 of the Federal Trade Commission Act and other sector specific laws, we respectfully ask that you respond to the following questions:
      • 1. Does the FTC treat persistent identifiers, such as the non-resettable device hardware identifiers discussed in the IDAC report, as personally identifiable information in relation to its general consumer data security and privacy enforcement authorities under Section 5 of the FTC Act?  
      • 2. Is the FTC currently investigating or does it plan to investigate Premom’s consumer data collection, transmission, and processing conduct described in the IDAC report to determine if the company has engaged in deceptive practices?
      • 3. Does the FTC plan to take any steps to educate users of the Premom app that the app may still be sharing their personal data without their permission if they have not updated the app? If not, does the FTC plan to require Premom to conduct such outreach?
      • 4. Please describe any unique or practically uncommon uses of encryption by the involved third-party companies receiving information from Premom that could be functionally interpreted to obfuscate oversight of the involved data transmissions.
      • 5. How can the FTC use its Section 5 authority to ensure that mobile apps are not deceiving consumers about their data collection and sharing practices and to preempt future potentially deceptive practices like those Premom may have engaged in?

Further Reading

  • “Justice Dept. Plans to File Antitrust Charges Against Google in Coming Weeks” By Katie Benner and Cecilia Kang – The New York Times; “The Justice Department could file a lawsuit against Google this month, overriding skepticism from its own top lawyers” By Tony Romm – The Washington Post; “There’s a partisan schism over the timing of a Google antitrust lawsuit” By Timothy B. Lee – Ars Technica. The New York Times explains in its deeply sourced article that United States Department of Justice (DOJ) attorneys want more time to build a better case against Google, but that Attorney General William Barr is pressing for the filing of a suit as early as the end of this month in order for the Trump Administration to show voters it is taking on big tech. Additionally, a case against a tech company would help shore up the President’s right flank as he and other prominent conservatives continue to insist in the absence of evidence that technology companies are biased against the right. The team of DOJ attorneys has shrunk from 40 to about 20 as numerous lawyers asked off the case once it was clear what the Attorney General wanted. These articles also shed light on the split between Republican and Democratic state attorneys general in the case they have been working on, with the former accusing the latter of stalling for time in the hopes a Biden DOJ will be harsher on the company and the latter accusing the former of trying to file a narrow case while Donald Trump is still President that would impair efforts to address the range of Google’s alleged antitrust abuses.
  • “Facebook Moves to Limit Election Chaos in November” By Mike Isaac – The New York Times. The social network giant unveiled measures to fight misinformation the week before the United States election and afterwards should people try to make factually inaccurate claims about the results. Notably, political advertisements will be banned a week before the 3 November election, but this seems like pretty weak tea considering it will be business as usual until late October. Even though the company frames these moves as “additional steps we’re taking to help secure the integrity of the U.S. elections by encouraging voting, connecting people to authoritative information, and reducing the risks of post-election confusion,” the effect of misinformation, disinformation, and lies that proliferate on Facebook will have likely already taken root by late October. It is possible the company still wants the advertising revenue it would forgo if it immediately banned political advertising. Another proposed change is to provide accurate information about voting generally and COVID-19 and voting. In fact, the platform corrected a post of President Donald Trump’s that expressed doubts about mail-in voting.
  • “Washington firm ran fake Facebook accounts in Venezuela, Bolivia and Mexico, report finds” By Craig Timberg and Elizabeth Dwoskin – The Washington Post. In tandem with taking down fake content posted by the Internet Research Agency, Facebook also removed accounts traced back to a Washington, D.C. public relations firm, CLS Strategies, that was running multiple accounts to support the government in Bolivia and the opposition party in Venezuela, both of which are right wing. Using information provided by Facebook, Stanford University’s Internet Observatory released a report stating that “Facebook removed a network of 55 Facebook accounts, 42 Pages and 36 Instagram accounts attributed to the US-based strategic communications firm CLS Strategies for engaging in coordinated inauthentic behavior (CIB).” Stanford asserted these key takeaways:
    • 11 Facebook pages related to Bolivia mainly supported Bolivia’s Interim President Jeanine Áñez and disparaged Bolivia’s former president Evo Morales. All had similar creation dates and manager location settings.
    • Venezuela-focused assets supported and promoted Venezuelan opposition leaders but changed in tone in 2020, reflecting factional divides in the opposition and a turn away from Juan Guaidó.
    • In addition to fake accounts, removed Facebook accounts include six profiles that match the names and photos of CLS Strategies employees listed publicly on their website and appear to be their real accounts.
    • CLS Strategies has a disclosed contract with the Bolivian government to provide strategic communications counsel for Bolivia’s 2020 elections and to strengthen democracy and human rights in Bolivia.
    • Coordinated inauthentic behavior reports from Facebook and Twitter have increasingly included assets linked to marketing and PR firms originating and acting around the world. The firms’ actions violate the platforms’ terms by operating internationally and failing to identify their origins and motivations to users.
    • In its release on the issue, Facebook explained:
      • In August, we removed three networks of accounts, Pages and Groups. Two of them — from Russia and the US — targeted people outside of their country, and another from Pakistan focused on both domestic audiences in Pakistan and also in India. We have shared information about our findings with law enforcement, policymakers and industry partners.
  • “Belarusian Officials Shut Down Internet With Technology Made by U.S. Firm” By Ryan Gallagher – Bloomberg. A United States firm, Sandvine, sold deep packet inspection technology to the government in Belarus through a Russian intermediary. The technology was ostensibly to be used by the government to fend off dangers to the nation’s networks but was instead deployed to shut down numerous social media and news sites on the internet the day of the election. However, Belarusian activists quickly determined how to use workarounds, launching the current unrest that threatens to topple the regime. The same company’s technology has been used elsewhere in the world to cut off access to the internet as detailed by the University of Toronto’s Citizen Lab in 2018.
  • “Canada has effectively moved to block China’s Huawei from 5G, but can’t say so” – Reuters. In a move reminiscent of how the People’s Republic of China (PRC) tanked Qualcomm’s proposed purchase of NXP Semiconductors in 2018, Canada has effectively barred Huawei from its 5G networks by not deciding, which eventually sent a signal to its telecommunications companies to use Ericsson and Nokia instead. This way, there is no public announcement or policy statement the PRC can object to, and the country toes the line with its other Five Eyes partners that have banned Huawei in varying degrees. Additionally, given that two Canadian nationals are being held because Huawei Chief Financial Officer Meng Wanzhou is being detained in Canada awaiting extradition to the United States to face criminal charges, Ottawa needs to manage its relations with the PRC gingerly.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


Further Reading, Other Developments, and Coming Events (2 September)

Here is today’s Further Reading, Other Developments, and Coming Events

Coming Events

  • The United States-China Economic and Security Review Commission will hold a hearing on 9 September on “U.S.-China Relations in 2020: Enduring Problems and Emerging Challenges” to “evaluate key developments in China’s economy, military capabilities, and foreign relations, during 2020.”
  • On 10 September, the General Services Administration (GSA) will have a webinar to discuss implementation of Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) that bars the federal government and its contractors from buying the equipment and services from Huawei, ZTE, and other companies from the People’s Republic of China.
  • The Federal Communications Commission (FCC) will hold a forum on 5G Open Radio Access Networks on 14 September. The FCC asserted:
    • Chairman [Ajit] Pai will host experts at the forefront of the development and deployment of open, interoperable, standards-based, virtualized radio access networks to discuss this innovative new approach to 5G network architecture. Open Radio Access Networks offer an alternative to traditional cellular network architecture and could enable a diversity in suppliers, better network security, and lower costs.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.”
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled “Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • The Department of Commerce’s Bureau of Industry and Security (BIS) released for comment an advance notice of proposed rulemaking to implement a provision from a 2018 rewrite of the United States (U.S.) export control of certain technology, namely “foundational technology” in this case. The Export Control Reform Act (ECRA) (P.L. 115-232) required the Department of Commerce to establish “a regular, ongoing interagency process to identify emerging and foundational technologies,” and Commerce began the process with an advance notice of proposed rulemaking to identify only emerging technologies in November 2018. Yet the agency has not followed up with draft regulations on managing the export control process for emerging technologies. BIS explained:
    • Pursuant to the Export Control Reform Act of 2018, BIS and its interagency partners are engaged in a process to identify emerging and foundational technologies that are essential to the national security of the United States. Foundational technologies essential to the national security are those that may warrant stricter controls if a present or potential application or capability of that technology poses a national security threat to the United States. In order to determine if technologies are foundational, BIS will evaluate specific items, including items currently subject only to anti-terrorism (AT) controls on the CCL or those designated as EAR99.
    • Under ECRA, emerging and foundational technologies are those technologies that are essential to the national security of the United States and are not critical technologies described in Section 721(a)(6)(A)(i)-(v) of the Defense Production Act of 1950, as amended (DPA).
    • Section 1758 of ECRA requires that foundational technologies be identified, and that BIS establish appropriate controls for that technology under the EAR. At a minimum, such controls would apply to countries subject to an embargo, including an arms embargo, imposed by the United States.
    • ECRA also requires that the interagency process is to take into account:
      • The development of foundational technologies in foreign countries;
      • The effect export controls may have on the development of such technologies in the United States; and
      • The effectiveness of export controls imposed pursuant to ECRA on limiting the proliferation of foundational technologies to foreign countries.
  • The Privacy Commissioner of Canada Daniel Therrien responded to an inquiry from Members of Parliament “about the privacy implications of the federal government’s COVID-19 exposure notification application (COVID Alert) and the ArriveCAN application.” The Office of the Privacy Commissioner of Canada (OPC) explained:
    • Our review of the COVID Alert application highlighted serious weaknesses with our current federal privacy legislation. In this case, the government took the position that its privacy laws do not apply in light of its assertion that personal information is not collected by the application. Further, while the design of the application is good, and that the government has agreed to be subject to an independent review, the government was not bound to make these commitments. The government chose to respect the principles put forth in our guidance documents because public trust is vital to the application’s success. However, without robust laws, other programs and applications could be introduced in the future that are not so privacy-sensitive.
  • The Department of Commerce’s Bureau of Industry and Security (BIS) “added 24 Chinese companies to the Entity List for their role in helping the Chinese military construct and militarize the internationally condemned artificial islands in the South China Sea,” including a number of technology companies. BIS explained:
    • The Entity List is a tool utilized by BIS to restrict the export, re-export, and transfer (in-country) of items subject to the Export Administration Regulations (EAR) to persons (individuals, organizations, companies) reasonably believed to be involved, or to pose a significant risk of becoming involved, in activities contrary to the national security or foreign policy interests of the United States.
    • Additionally, in a related action, “the Department of State will begin imposing visa restrictions on People’s Republic of China (PRC) individuals responsible for, or complicit in, either the large-scale reclamation, construction, or militarization of disputed outposts in the South China Sea, or the PRC’s use of coercion against Southeast Asian claimants to inhibit their access to offshore resources.” The Department of State stated that “[t]hese individuals will now be inadmissible into the United States, and their immediate family members may be subject to these visa restrictions as well.”
  • The Trump Administration announced “more than $1 billion in awards for the establishment of 12 new AI and QIS research and development (R&D) institutes nationwide,” a substantial portion of which Congress would need to appropriate in future years. The White House claimed the National Science Foundation’s (NSF) Artificial Intelligence (AI) Research Institutes and the Department of Energy’s (DOE) quantum information science (QIS) Research Centers “will serve as national R&D hubs for these critical industries of the future, spurring innovation, supporting regional economic growth, and training our next generation workforce.”
  • The Trump Administration explained:
    • The National Science Foundation and additional Federal partners are awarding $140 million over five years to a total of seven NSF-led AI Research Institutes. These collaborative research and education institutes will focus on a range of AI R&D areas, such as machine-learning, synthetic manufacturing, precision agriculture, and forecasting prediction. Research will take place at universities around the country, including the University of Oklahoma at Norman, the University of Texas at Austin, the University of Colorado at Boulder, the University of Illinois at Urbana-Champaign, the University of California at Davis, and the Massachusetts Institute of Technology.
    • NSF anticipates making additional AI Research Institute awards in the coming years, with more than $300 million in total awards, including contributions from partner agencies, expected by next summer. Overall, NSF invests more than $500 million in artificial intelligence activities annually and is the largest Federal driver of nondefense AI R&D.
    • To establish the QIS Research Centers, DOE is announcing up to $625 million over five years to five centers that will be led by DOE National Laboratory teams at Argonne, Brookhaven, Fermi, Oak Ridge, and Lawrence Berkeley National Laboratories. Each QIS Center will incorporate a collaborative research team spanning multiple institutions as well as scientific and engineering disciplines. The private sector and academia will be providing another $300 million in contributions for the centers.

Further Reading

  • “Facebook takes down Russian operation that recruited U.S. journalists, amid rising concerns about election misinformation” By Elizabeth Dwoskin and Craig Timberg – The Washington Post; “Russians Again Targeting Americans With Disinformation, Facebook and Twitter Say” By Sheera Frenkel and Julian E. Barnes; “Russian internet trolls hired U.S. journalists to push their news website, Facebook says” By Kevin Collier and Ken Dilanian – NBC News. In what is more evidence that the Russian Federation’s tactics have changed even though its goals have not, Facebook and Twitter announced the takedown of content written by Americans for a fake news source created and run by the Internet Research Agency. The purported online publication, Peace Data, has posted a number of articles aimed at turning far left voters off to the Biden-Harris campaign. In a sign of evolution, however, they hired freelance American journalists to write content that was then amplified elsewhere on the internet. A very curious aspect of this incident is why the FBI merely tipped off Facebook and Twitter instead of taking a more vigorous approach to addressing efforts to again create distrust and chaos in a U.S. election. One of the articles claims the FBI does not respond to state-sponsored influence operations as they may not be against U.S. law.
  • “Big Tech Embraces New Cold War Nationalism” By JS Tan – Foreign Policy. This piece argues that Silicon Valley’s worldview and strategies have changed now in large part because of the rise of companies from the People’s Republic of China (PRC) like Huawei, TikTok, Tencent, and Alibaba. Now companies like Facebook and Google are discarding their internationalist, neoliberal approach and have aligned themselves with the United States (U.S.) government for a variety of reasons, including an inability to compete fairly inside the PRC. However, Silicon Valley and Washington’s interests on the PRC may be aligned, but in a number of other, very significant ways, especially with the current government, there are considerable differences.
  • “Amazon Is Spying on Its Workers in Closed Facebook Groups, Internal Reports Show” By Lauren Kaori Gurley and Joseph Cox – Vice. Another article about the online giant’s distaste for unions and labor organizing activity. In this piece, we learn that Amazon is monitoring public posts by Amazon Flex drivers and possibly even penetrating closed or private groups on platforms like Facebook and then reportedly extensively inside the company on The other day, Vice broke a story about Amazon posting two positions for intelligence analysts to help the company track labor organizing. The company took down the positions after the story was posted.


Further Reading, Other Developments, and Coming Events (31 August)

Today’s Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 10 September, the General Services Administration (GSA) will have a webinar to discuss implementation of Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) that bars the federal government and its contractors from buying the equipment and services from Huawei, ZTE, and other companies from the People’s Republic of China.
  • The Federal Communications Commission (FCC) will hold a forum on 5G Open Radio Access Networks on 14 September. The FCC asserted:
    • Chairman [Ajit] Pai will host experts at the forefront of the development and deployment of open, interoperable, standards-based, virtualized radio access networks to discuss this innovative new approach to 5G network architecture. Open Radio Access Networks offer an alternative to traditional cellular network architecture and could enable a diversity in suppliers, better network security, and lower costs.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.”
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled “Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • A group of Democratic Senators wrote the Federal Communications Commission (FCC) “to express our profound frustration that the [agency] has failed to take forceful action to keep households connected during the COVID-19 pandemic.” They asserted that “[a]s millions of American families face unprecedented financial pressures and educational challenges, we urge the FCC to reverse proposed changes to the Lifeline program, take immediate steps to open its assistance to more households, and ensure that its services meet the pressing needs of families during this crisis.”
    • They claimed
      • Since the first weeks of [FCC Chair Ajit Pai’s tenure], the FCC has sought to block new broadband providers’ participation in the Lifeline program, curtail benefits in tribal areas, exclude existing carriers, rollback reforms for registering new carriers, make it harder for new applicants  to subscribe, prevent carriers from offering free in-person distribution of phones, reduce incentives to enroll subscribers, and add more barriers for participating carriers and subscriber. These proposals have been so extreme that they would lead to cutting off carriers serving almost 70% of Lifeline subscribers.
    • They urged Pai “to immediately take the following steps:
      • 1.) Take emergency measures to provide additional financial support to Lifeline providers during the pandemic to temporarily support unlimited mobile data and voice minutes, and notify Congress if additional funding is needed for such changes.
      • 2.) Extend all current FCC waivers on Lifeline usage and subscriber documentation requirements for at least a full year, until August 2021 or when we have recovered from the pandemic.
      • 3.) Close the currently outstanding Lifeline proposed rulemakings that would create new obstacles for eligible households and add unwarranted burden on carriers.
      • 4.) Pause the scheduled changes to Lifeline program’s minimum service standards until the Commission studies such impacts on the market in its upcoming 2021 State of Lifeline Marketplace Report, to avoid disruptions to customers’ services.
      • 5.) Restore the monthly subsidy to $9.25 for plans offering voice services for subscribers who value voice over data-heavy plans and pause the planned decrease in contributions for voice support.
      • 6.) Work with states to increase the automated verification of state databases with the National Verifier program by the end of this year.
  • New Zealand’s National Cyber Security Centre (NCSC) released a “General Security Advisory: ongoing campaign of Denial of Service (DoS) attacks affecting New Zealand entities” after four days of DoS attacks against New Zealand’s stock market coming from somewhere offshore. The NCSC recommended best practices the Australian Cyber Security Centre (ACSC) had published. The NCSC stated
    • [It] is aware of an ongoing campaign of DoS attacks affecting New Zealand entities.
    • The campaign has included the targeting of a number of global entities, predominantly in the financial sector. 
    • The NCSC strongly encourages all organisations in this sector to consider the risk to their organisation of DoS and ensure appropriate mitigations are in place.
  • Senator Mark Warner (D-VA) sent letters to Dell, Apple, HP, Samsung, Google, Microsoft, Acer America, and ASUS USA asking the “companies to do what they can to help bridge the ‘homework gap’ – the lack of reliable computer or internet access that prevents school-aged children from being able to do school work from home.” Warner’s letter is in response to the nationwide shortage of lost laptops and tablets facing families as many children will be starting school online this fall. Warner stated:
    • There are a range of actions your company can take, including educational product discounts, the provision of complimentary or donated computers (including for home lending programs many educational institutions operate), and the provision of refurbished or returned products in good working condition for school districts and higher education institutions to distribute to educators and students. While I understand the strains placed on the global supply chain, your prioritization of these matters would greatly assist struggling families at this challenging time.
  • The United States Department of Defense (DOD) updated its list of “‘Communist Chinese military companies’ operating directly or indirectly in the United States in accordance with the statutory requirement of Section 1237 of the National Defense Authorization Act for Fiscal Year 1999, as amended.” The eleven companies from the People’s Republic of China (PRC) were added to the existing list sent “to Congress in June 2020,” some 20 years after Congress tasked the DOD with this responsibility. This action is most likely in response to a letter sent last year to fulfill this responsibility. Notably, any company on the list could be sanctioned by the President under the same authorities recently used against TikTok and WeChat.
    • In a September 2019 letter to Secretary of Defense Mark Esper, Senate Minority Leader Chuck Schumer (D-NY) and Senator Tom Cotton (R-AR) were joined by Representatives Ruben Gallego (D-AZ) and Mike Gallagher (R-WI) in asking whether the DOD has been updating a list of “those persons operating directly or indirectly in the United States or any of its territories and possessions that are Communist Chinese military companies” as directed by Section 1237 of the FY 1999 NDAA. They noted that China’s Communist Party has adopted a Military-Civilian Fusion strategy “to achieve its national objectives,” including the acquisition of U.S. technology through any means such as espionage, forced technology transfers, and the purchase of or investment in U.S. technology firms. Schumer, Cotton, Gallego, and Gallagher urged the Trump Administration to “reexamine all statutory authorities at its disposal to confront the CCP’s strategy of Military-Civilian Fusion, including powers that have laid dormant for years.”
    • Unstated in this letter, however, is that the first part of Section 1237 grants the President authority to “exercise International Emergency Economic Powers Act (IEEPA) authorities (other than authorities relating to importation) without regard to section 202 of the IEEPA (50 U.S.C. 1701) in the case of any commercial activity in the United States by a person that is on the list.” IEEPA grants the President sweeping powers to prohibit transactions and block property and property interests for nations and other groups subject to an IEEPA national emergency declaration. Consequently, those companies identified by the DOD on a list per Section 1237 could be blocked and prohibited from doing business with U.S. entities and others, and those that do business with such Chinese companies could be subject to enforcement actions by the U.S. government (e.g. the U.S.’s actions against ZTE for doing business with Iran in violation of an IEEPA national emergency).
    • The statute defines a “Communist Chinese military company” as “any person identified in the Defense Intelligence Agency publication numbered VP-1920-271-90, dated September 1990, or PC-1921-57-95, dated October 1995, and any update of those publications for the purposes of this section; and any other person that is owned or controlled by the People’s Liberation Army; and is engaged in providing commercial services, manufacturing, producing, or exporting.” Considering that the terms “owned” and “controlled” are not spelled out in this section, the executive branch may have very wide latitude in deeming a non-Chinese company as owned or controlled and therefore subject to the President’s use of IEEPA powers. Moreover, since the President already has the authority to declare an emergency and then use IEEPA powers, this language would seem to allow the President to bypass any such declaration and immediately use such powers, except those regarding importation, against any Chinese entities identified on this list by the Pentagon.
  • District of Columbia Attorney General Karl Racine (D) filed suit against Instacart alleging the company “violated the District’s Consumer Protection Procedures Act and tax law by: 
    • Charging District consumers millions of dollars in deceptive service fees: Prior to 2016, Instacart’s checkout screen contained an option to tip workers, set as a default 10 percent of the consumer’s subtotal for groceries that users could adjust. In 2016, Instacart swapped the tip option for a service fee, which was also set to a default 10 percent and could be adjusted, and displayed it where the tip option used to be. Consumers paid the service fee believing they were tipping workers. In reality, the service fee was a second charge—on top of a delivery fee—imposed by Instacart to cover delivery costs and operating expenses. Additionally, Instacart failed to clearly disclose that service fees were optional and that consumers could choose not to pay them.
    • Misleading consumers about how service fees contributed to worker pay: When Instacart announced the new service fees, it told consumers that “100% of the variable service amount is used to pay all shoppers more consistently for each and every delivery, not just the last shopper to touch the order.” Instacart also stated that the company collected a service fee because “multiple shoppers may have been involved in a single order” and the “service fee is used to pay this entire set of shoppers.” In fact, the shoppers who fulfilled a consumer’s order were paid the same whether or not a consumer paid the service fee.
    • Failing to pay at hundreds of thousands of dollars in District sales tax: Under District law, Instacart is responsible for collecting sales tax on the delivery services it provides. The entire time Instacart has operated in the District, it has failed to collect sales tax on the service fees and delivery fees it charged users.
  • Two large United States (U.S.) technology companies are facing class actions in the Netherlands and the United Kingdom (UK) that argue the companies’ use of third party cookies in order to sell real time bidding advertising violated the European Union’s General Data Protection Regulation (GDPR) by not obtaining the consent of people before their personal information is collected and processed. The suit against Oracle and Salesforce is being brought by The Privacy Collective, a European non-profit, and could result in damages of more than €10 billion.
  • As part of its lawsuit against Google “for deceptive and unfair practices used to obtain users’ location data, which Google then exploits for its lucrative advertising business,” the Office of the Attorney General of Arizona released emails obtained during the course of discovery that may demonstrate the company’s knowledge that its interface and operating system were trying to frustrate a user’s desire to truly turn off location data.
  • The eHealth Initiative & Foundation (eHI) and the Center for Democracy and Technology (CDT) released A Draft Consumer Privacy Framework for Health Data, “a collaborative effort addressing gaps in legal protections for consumer health data outside of the Health Insurance Portability and Accountability Act’s (HIPAA) coverage.” Feedback is welcome until 25 September.
    • The organizations asserted
      • The standards’ emphasis is on transparency, accountability, and the limitation on health data collection, disclosure, and use. Importantly, the standards:
        • (1) move beyond outdated notice and consent models,
        • (2) cover all health information, and
        • (3) cover all entities that use, disclose or collect consumer health information, regardless of the size or business model of the covered entity.
      • This proposal is not designed to be a replacement for necessary comprehensive data privacy legislation. Given that Congressional action to pass such a law is likely some time away, this effort is designed to build consensus on best practices and to do what we can now, in the interim, to shore up protections for non-HIPAA covered health data.

Further Reading

  • “Big Oil Faded. Will Big Tech?” By Shira Ovide – The New York Times. This piece suggests that the so-called Big Tech companies may someday wane as many energy companies like Exxon are currently doing. The interesting point is made that a company or field’s preeminence can rapidly disappear and it can seem dominant until it is not. And this frequently happens for reasons that do not seem apparent or related. Ironically, Exxon essentially got pushed out of the Dow Jones Industrial Average because Apple had to split its stock because of its surging valuation. Another tech company, Salesforce, will replace Exxon.
  • “Apple wants to stop advertisers from following you around the web. Facebook has other ideas.” By Peter Kafka – Recode. Apple will extend a feature from Safari to its next iOS for iPhones where users will soon be asked whether they want to allow apps to track them across the web and other apps in order to deliver them targeted, personalized advertising. To no great surprise, it is being assumed many users will say no, diminishing a prime mode by which companies reap data and show people advertisements that are intimately tied to what they read and watch online. Consequently, advertisers will be less willing to spend dollars on more general ads and income will be depressed for the two major players in this market: Facebook and Google. Facebook has already declared it will not use Apple’s device identifier unique to every iPhone or Apple Watch, meaning users downloading the Facebook app will not get the choice of whether to say no to the companies tracking them. It is not clear how well this workaround will mitigate the projected loss in ad revenue for Facebook, but it does represent the latest chapter in the fight between the two companies. Facebook has lined up with Epic Games, maker of Fortnite, in its suit against Apple regarding App Store policies. It is very likely Apple sees this change to iOS 14 as a means of burnishing its reputation as being more concerned about its users’ privacy than competitors in Silicon Valley, which it can afford to be considering it does not earn most of its revenue the same way Facebook does, and of currying favor in Washington and Brussels where it is facing antitrust scrutiny.
  • “Want a Free Amazon Halo Wearable? Just Hand Over Your Data to This Major Insurance Company” By Emily Mullin – OneZero. Amazon has teamed with insurer John Hancock to offer a wearable health and fitness tracker that will be used to collect personal data on wearers that is designed to nudge them into better behaviors and better health. This is not the first such pairing, and it raises a host of policy issues, for healthier people would be poised to reap benefits not available to less healthy people. Some insurers are offering modest amounts of cash or gift cards for exercising regularly or other benefits that would not go to less healthy people. These sorts of programs are similar to employee health and wellness programs that were enshrined in the “Patient Protection and Affordable Care Act” that studies have suggested do not work very well. Additionally, companies like Amazon and John Hancock will be collecting and processing all sorts of very sensitive personal information, making them likely targets of hacking operations. Also, there are privacy implications, for these wearable devices will likely allow companies to know the most intimate details of wearers’ lives.
  • “TikTok Deal Is Complicated by New Rules From China Over Tech Exports” By Paul Mozur, Raymond Zhong and David McCabe – The New York Times; “TikTok Is Said to Wrestle With Two Competing Offers” By Mike Isaac – The New York Times; “China’s new tech export restrictions further cloud US TikTok sale and raise the risk of protectionism” By Coco Feng, Tracy Qu and Amanda Lee – South China Morning Post; “China puts drones and laser tech on restricted export list after US tightens rules” By Sidney Leng – South China Morning Post; “TikTok Chief Executive Kevin Mayer Resigns” By Mike Isaac – The New York Times. In a surprise announcement from two agencies late last week, the People’s Republic of China changed its export control rules for the first time since 2008 to likely have leverage over TikTok’s sale to a United States (U.S.) entity. Ostensibly, the changes are “to regulate technology exports, promote scientific and technological progress and economic and technological cooperation, and maintain national economic security,” but the inclusion of “personalised information recommendation service technology based on data analysis” and “artificial intelligence interactive interfaces” likely point to ByteDance’s app, TikTok. In fact a researcher with the PRC Ministry of Commerce was quoted as asserting “[t]he time to publish the new update of the export control list has been expedited due to the TikTok sale.” Moreover, the PRC’s timeline for deciding on whether an export license is needed is the same as the Trump Administration’s second executive order directing ByteDance to divest TikTok. Incidentally, these changes are probably in response to the tightening of U.S. export controls against the PRC, which could set off retaliatory moves. In any event, Beijing will now have to approve any sale of TikTok operations in the U.S.
Also, Walmart has apparently joined forces with Microsoft in preparing a bid on TikTok in competition with Oracle, which threw its proverbial hat into the ring last week. And, new TikTok CEO Kevin Mayer stepped down in a surprise move citing ByteDance’s changed circumstances.
  • “Trump aides interviewing replacement for embattled FTC chair” By Leah Nylen, Betsy Woodruff Swan, John Hendel and Daniel Lippman – Politico. The Trump Administration may be trying to force out Federal Trade Commission Chair Joe Simons or merely interviewing replacements if he steps down next year should President Donald Trump still be in the White House next year. Given the reports that Simons has resisted pressure from the White House to comply with the executive order on Section 230 by investigating social media platforms, Simons has likely not won any new fans at 1600 Pennsylvania Avenue. Having said that, removing an FTC Commissioner is much harder than other top positions in the U.S. government, and the FTC is designed to be insulated from political pressure. However, Commissioners are politicians, too, and carefully gauge the direction the wind is blowing. That being said, Simons has also sent out signals he will step down next year and return to private practice, so the interviewing of possible successors may be entirely normal in an Administration that usually does not operate normally.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


TikTok Sues Trump Administration

TikTok files a longshot lawsuit that may soon be moot if the company’s operations in the U.S. are sold.     

No one in the White House or Administration should be terribly surprised that TikTok decided to sue over the 6 August “Executive Order on Addressing the Threat Posed by TikTok.” The company is alleging the President and his Administration exceeded the bounds of authority granted by Congress and violated the company’s rights under the United States (U.S.) Constitution. The company wants a court to stop the Trump Administration from moving forward with implementing the executive order (EO) and for the court to deem the EO unconstitutional and illegal. It is possible the court rules on whether it will enjoin the Trump Administration in the short term, but it will likely take much more time to decide on the substance of the case. In any event, this suit could soon be moot if ByteDance sells off its U.S. operations of TikTok to a U.S. company, for the EO would likely be rescinded in such a case.

The EO bars all transactions between U.S. entities and people, starting 45 days after issuance of the EO, with TikTok and their subsidiaries. Specifically, “to the extent permitted under applicable law: any transaction [is prohibited] by any person, or with respect to any property, subject to the jurisdiction of the United States, with [ByteDance], or its subsidiaries, in which any such company has any interest…” The Trump Administration claimed:

TikTok, a video-sharing mobile application owned by the Chinese company ByteDance Ltd., has reportedly been downloaded over 175 million times in the United States and over one billion times globally.  TikTok automatically captures vast swaths of information from its users, including Internet and other network activity information such as location data and browsing and search histories.  This data collection threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information — potentially allowing China to track the locations of Federal employees and contractors, build dossiers of personal information for blackmail, and conduct corporate espionage.

In the suit filed in United States federal court in Northern California, TikTok is asking for an injunction to stop enforcement of the EO and a declaration that it is illegal. The company specifically asserts:

The executive order and, necessarily, any implementing regulations are unlawful and unconstitutional for a number of independent reasons:

  • By banning TikTok with no notice or opportunity to be heard (whether before or after the fact), the executive order violates the due process protections of the Fifth Amendment.
  • The order is ultra vires because it is not based on a bona fide national emergency and authorizes the prohibition of activities that have not been found to pose “an unusual and extraordinary threat.”
  • The order is ultra vires because its prohibitions sweep broadly to prohibit any transactions with ByteDance, although the purported threat justifying the order is limited to TikTok, just one of ByteDance’s businesses.
  • The order is ultra vires because it restricts personal communications and the transmission of informational materials, in direct violation of International Emergency Economic Powers Act (IEEPA).
  • IEEPA lacks any intelligible principle to guide or constrain the President’s action and thereby violates the non-delegation doctrine, as the President’s overbroad and unjustified claim of authority in this matter confirms.
  • By demanding that Plaintiffs make a payment to the U.S. Treasury as a condition for the sale of TikTok, the President has taken Plaintiffs’ property without compensation in violation of the Fifth Amendment.
  • By preventing TikTok Inc. from operating in the United States the executive order violates TikTok Inc.’s First Amendment rights in its code, an expressive means of communication.

In a press release, TikTok contended

To be clear, we far prefer constructive dialogue over litigation. But with the [EO] threatening to bring a ban on our US operations – eliminating the creation of 10,000 American jobs and irreparably harming the millions of Americans who turn to this app for entertainment, connection, and legitimate livelihoods that are vital especially during the pandemic – we simply have no choice.

It bears note that suits against a President’s use of IEEPA have rarely succeeded, notably on many of the same grounds TikTok is using. Courts have rejected claims that a President’s use of these powers violates the Fifth and First Amendments and the non-delegation doctrine.

Additionally, a TikTok employee has filed suit against the Trump Administration, making some of the same arguments against the EO, but contending further

Given the severe civil and criminal penalties in place for violating the Executive Order, and the overbroad nature of its language, it is obvious that TikTok and its employees, as well as other companies involved in the process of distributing wages and salaries to U.S. employees, such as ADP, banks, and credit companies, would not dare to engage in any activity that might be construed as a violation. The broad language of the order necessarily will create a chilling effect for any person or entity that has contracted with or that does business with TikTok.

Of course, there is litigation pending against TikTok for alleged violations, including one case before the same court in Northern California. A college student filed suit, arguing:

Unknown to its users, however, is that TikTok also includes Chinese surveillance software. TikTok clandestinely has vacuumed up and transferred to servers in China vast quantities of private and personally-identifiable user data that can be employed to identify, profile and track the location and activities of users in the United States now and in the future. TikTok also has surreptitiously taken user content, such as draft videos never intended for publication, without user knowledge or consent. In short, TikTok’s lighthearted fun comes at a heavy cost. Meanwhile, TikTok unjustly profits from its secret harvesting of private and personally-identifiable user data by, among other things, using such data to derive vast targeted-advertising revenues and profits. Its conduct violates statutory, Constitutional, and common law privacy, data, and consumer protections.

The plaintiff asserted TikTok violated the following U.S. and California laws and common law legal doctrines:

  • Computer Fraud and Abuse Act, 18 U.S.C. § 1030
  • California Comprehensive Data Access and Fraud Act, Cal. Pen. C. § 502
  • Right to Privacy – California Constitution
  • Intrusion upon Seclusion
  • California Unfair Competition Law, Bus. & Prof. C. §§ 17200 et seq.
  • California False Advertising Law, Bus. & Prof. C. §§ 17500 et seq.
  • Negligence
  • Restitution / Unjust Enrichment
