10th Federal IT Scorecard Released

I’m on holiday, so just a short post.

On 3 August, the House Oversight and Reform Committee’s Government Operations Subcommittee held its most recent biannual hearing on how United States government agencies are faring in meeting the metrics as laid out in a few key statutes on information technology (IT) development, security, transparency, and other related areas. However, the subcommittee, for reasons that are not immediately clear, did not release the actual scorecard (aka the FITARA Scorecard), and so I’m posting a version of it released by a trade publication.

As for the substance, you can compare to the last scorecard released in December 2019 and see that things mostly remain the same. I think the incentive structure for federal agencies (and probably companies providing these products and services to the federal government) will need to change further before greater gains are made with the more than $90 billion spent annually in Washington on IT. A big part of the problem is that agencies are still not following the requirements of the “Federal Information Technology Acquisition Reform Act” (FITARA) (P.L. 113-291) regarding the authority of Chief Information Officers (CIO) to manage and acquire IT. These officials should be deciding these matters, and it is not happening in agencies, likely because more CIO authority means less authority elsewhere over significant funding and programs. Hence, good old institutional resistance and warring over turf is part of the problem. There are others, as have been chewed over, and were discussed at the hearing.

Anyway, I just wanted to make the FITARA Scorecard available for those interested but unable to find it.

And, I’ll be back to posting regularly next week.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Michael Schwarzenberger from Pixabay

Big Tech CEOs Appear At Hearing

In a marathon hearing, Democrats make their case on why big tech is engaged in antitrust and anti-competitive practices. Whether this hearing and a future report change anything is an open question.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

On 29 July, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee held its sixth hearing on “Online Platforms and Market Power,” titled “Examining the Dominance of Amazon, Apple, Facebook, and Google.” The hearing, with the heads of Amazon, Apple, Google, and Facebook, lasted more than five hours. Democrats largely focused their questions on the documents and information provided by the companies to make the case each had engaged in practices that are at the least anti-competitive if not illegal under the Sherman and Clayton Antitrust Acts. On the other hand, Republicans largely avoided discussing anti-competitive or antitrust issues except in connection with lines of questioning regarding social media moderation of content that is allegedly biased against conservatives and the People’s Republic of China (PRC).

The subcommittee is expected to issue its report in the near term with possible recommendations on how to amend US law to address the problems turned up during the investigation. However, the Republican-controlled Senate and the White House will likely not be receptive to legislation to update the US’ antitrust or anti-competitive laws. And yet, a Democratic White House and Senate may prove more receptive and able to effect changes in these laws. It remains to be seen whether the US Department of Justice (DOJ) and the Federal Trade Commission (FTC) bring broad cases against these companies for potential violations. Likewise, groups of states are collectively investigating Google and Facebook, and the attorney general of California is looking into Amazon’s business practices. Finally, the European Commission (EC) is also investigating a number of these companies as its new leadership considers the size and power of tech companies a central issue in the European Union.

Subcommittee Chair David Cicilline (D-RI) asserted “[a]lthough these four corporations differ in important and meaningful ways, we have observed common patterns and competition problems over the course of our investigation:

  • First, each platform is a bottleneck for a key channel of distribution. Whether they control access to information or to a marketplace, these platforms have the incentive and ability to exploit this power. They can charge exorbitant fees, impose oppressive contracts, and extract valuable data from the people and businesses that rely on them.
  • Second, each platform uses its control over digital infrastructure to surveil other companies—their growth, business activity, and whether they might pose a competitive threat. Each platform has used this data to protect its power, by either buying, copying, or by cutting off access for any actual or potential rival.
  • Third, these platforms abuse their control over current technologies to extend their power. Whether it’s through self-preferencing, predatory pricing, or requiring users to buy additional products, the dominant platforms have wielded their power in destructive, harmful ways in order to expand.”

Cicilline stated that

  • At today’s hearing we will examine how each of these companies has used this playbook to achieve and maintain dominance—and how their power shapes and affects our daily lives. Why does this matter? Many of the practices used by these companies have harmful economic effects. They discourage entrepreneurship, destroy jobs, hike costs, and degrade quality. Simply put: They have too much power. This power staves off new forms of competition, creativity, and innovation. And while these dominant firms may still produce some new innovative products, their dominance is killing the small businesses, manufacturing, and overall dynamism that are the engines of the American economy.
  • Several of these firms also harvest and abuse people’s data to sell ads for everything from new books to dangerous “miracle” cures. When everyday Americans learn how much of their data is being mined, they can’t run away fast enough. But in many cases, there is no escape from this surveillance because there is no alternative. People are stuck with bad options. Open markets are predicated on the idea that if a company harms people, consumers, workers, and business partners will choose another option. We are here today because that choice is no longer possible.

Cicilline stated “I am confident that addressing the problems we see in these markets will lead to a stronger, more vibrant economy…[b]ecause concentrated economic power also leads to concentrated political power, this investigation also goes to the heart of whether we, as a people, govern ourselves, or whether we let ourselves be governed by private monopolies.”

Subcommittee Ranking Member James Sensenbrenner (R-WI) lauded the technological innovations the four companies have provided Americans that made coping with the COVID-19 pandemic easier. He reiterated that “being big is not inherently bad” and asserted the opposite was true because in the US success should be rewarded. Sensenbrenner said the hearing is designed to help the subcommittee better understand the roles the companies play in the digital marketplace and the effect on consumers and the public at large. He said that data drives the marketplace and those who control the data, in essence, control the marketplace. Sensenbrenner said there are broader questions around data such as who owns it; do they share data with their customers or competitors; what is the fair market value of that data; is there anything monopolistic in acquiring this data; and what are the implications of monetizing data.

Sensenbrenner claimed that since the “tech investigation” began, “we have heard rumblings from many” who say your companies have grown too large. He stated that since the hearing was announced the complaints have gotten even louder. Sensenbrenner said he found these complaints informative, but he did not plan on litigating each complaint today. He asserted antitrust law and the consumer welfare standard have served the US well for over a century and have provided a framework for some of the US’s most successful and innovative companies. Sensenbrenner allowed that as the economy evolves, antitrust law may need updating to meet the needs of the nation and its consumers. He stated his concern that market dominance in this space is ripe for abuse, “particularly when it comes to free speech,” as Facebook, YouTube, and Twitter have become the public space of today as political debate unfolds in real time. Sensenbrenner said that reports that “dissenting views, often conservative views” are targeted or censored are seriously troubling. He stressed that “conservatives are consumers, too” and “they need the protection of antitrust laws.” He argued that the power to shape debate carries tremendous responsibility.

Sensenbrenner said facts should guide the inquiry. He noted the companies are large, successful, and powerful, all of which are fine. He asserted he wanted to leave the hearing with a better picture of how these qualities affect consumers.

Amazon CEO Jeff Bezos claimed

  • The global retail market we compete in is strikingly large and extraordinarily competitive. Amazon accounts for less than 1% of the $25 trillion global retail market and less than 4% of retail in the U.S. Unlike industries that are winner-take-all, there’s room in retail for many winners. For example, more than 80 retailers in the U.S. alone earn over $1 billion in annual revenue.
  • Like any retailer, we know that the success of our store depends entirely on customers’ satisfaction with their experience in our store. Every day, Amazon competes against large, established players like Target, Costco, Kroger, and, of course, Walmart—a company more than twice Amazon’s size. And while we have always focused on producing a great customer experience for retail sales done primarily online, sales initiated online are now an even larger growth area for other stores. Walmart’s online sales grew 74% in the first quarter.
  • And customers are increasingly flocking to services invented by other stores that Amazon still can’t match at the scale of other large companies, like curbside pickup and in-store returns. The COVID-19 pandemic has put a spotlight on these trends, which have been growing for years. In recent months, curbside pickup of online orders has increased over 200%, in part due to COVID-19 concerns. We also face new competition from the likes of Shopify and Instacart—companies that enable traditionally physical stores to put up a full online store almost instantaneously and to deliver products directly to customers in new and innovative ways—and a growing list of omnichannel business models. Like almost every other segment of our economy, technology is used everywhere in retail and has only made retail more competitive, whether online, in physical stores, or in the various combinations of the two that make up most stores today. And we and all other stores are acutely aware that, regardless of how the best features of “online” and “physical” stores are combined, we are all competing for and serving the same customers. The range of retail competitors and related services is constantly changing, and the only real constant in retail is customers’ desire for lower prices, better selection, and convenience.
  • It’s also important to understand that Amazon’s success depends overwhelmingly on the success of the thousands of small and medium-sized businesses that also sell their products in Amazon’s stores. Back in 1999, we took what at the time was the unprecedented step of welcoming third-party sellers into our stores and enabling them to offer their products right alongside our own. Internally, this was extremely controversial, with many disagreeing and some predicting this would be the beginning of a long, losing battle. We didn’t have to invite third-party sellers into the store. We could have kept this valuable real estate for ourselves. But we committed to the idea that over the long term it would increase selection for customers, and that more satisfied customers would be great for both third-party sellers and for Amazon. And that’s what happened.
  • Within a year of adding those sellers, third-party sales accounted for 5% of unit sales, and it quickly became clear that customers loved the convenience of being able to shop for the best products and to see prices from different sellers all in the same store. These small and medium-sized third-party businesses now add significantly more product selection to Amazon’s stores than Amazon’s own retail operation. Third-party sales now account for approximately 60% of physical product sales on Amazon, and those sales are growing faster than Amazon’s own retail sales. We guessed that it wasn’t a zero sum game. And we were right—the whole pie did grow, third-party sellers did very well and are growing fast, and that has been great for customers and for Amazon. There are now 1.7 million small and medium-sized businesses around the world selling in Amazon’s stores. More than 200,000 entrepreneurs worldwide surpassed $100,000 in sales in our stores in 2019. On top of that, we estimate that third-party businesses selling in Amazon’s stores have created over 2.2 million new jobs around the world.

Apple CEO Tim Cook asserted

  • The smartphone market is fiercely competitive, and companies like Samsung, LG, Huawei and Google have built very successful smartphone businesses offering different approaches.
  • Apple does not have a dominant market share in any market where we do business. That is not just true for iPhone; it is true for any product category.
  • What motivates us is the continuous improvement of the user experience, and we focus relentlessly on and invest significantly in new breakthroughs, innovative features and deepening the principles that set us apart.
  • Privacy and security are key examples of this drive. This is true for the iPhone and for every device we make. We build products that, from the ground up, help users protect their fundamental right to the privacy of their personal data. This principle is foundational and touches everything else we do.
  • We created the App Store in 2008 as a feature of the iPhone. Launching with a little more than 500 apps, it was our ambitious attempt to dramatically expand the features and customizability of every user’s device. We wanted to create a safe and trusted place for users to discover apps—and a means of providing a secure and supportive way for developers to develop, test and distribute apps to iPhone users globally.
  • Apple continuously improves, and provides every developer with cutting-edge tools like compilers, programming languages, operating systems, frameworks and more than 150,000 essential software building blocks called APIs. These are not only powerful, but so simple to use that students in elementary schools can and do make apps.
  • The App Store guidelines ensure a high-quality, reliable and secure user experience. They are transparent and applied equally to developers of all sizes and in all categories. They are not set in stone. Rather, they have changed as the world has changed, and we work with developers to apply them fairly.
  • For the vast majority of apps on the App Store, developers keep 100% of the money they make. The only apps that are subject to a commission are those where the developer acquires a customer on an Apple device and where the features or services would be experienced and consumed on an Apple device.
  • Apple’s commissions are comparable to or lower than commissions charged by the majority of our competitors. And they are vastly lower than the 50 to 70 percent that software developers paid to distribute their work before we launched the App Store.
  • In the more than a decade since the App Store debuted, we have never raised the commission or added a single fee. In fact, we have reduced them for subscriptions and exempted additional categories of apps. The App Store evolves with the times, and every change we have made has been in the direction of providing a better experience for our users and a compelling business opportunity for developers.
  • I am here today because scrutiny is reasonable and appropriate. We approach this process with respect and humility. But we make no concession on the facts.

Alphabet CEO Sundar Pichai contended

  • Google operates in highly competitive and dynamic global markets, in which prices are free or falling, and products are constantly improving. Today’s competitive landscape looks nothing like it did 5 years ago, let alone 21 years ago, when Google launched its first product, Google Search.
  • For example, people have more ways to search for information than ever before — and increasingly this is happening outside the context of only a search engine. Often the answer is just a click or an app away: You can ask Alexa a question from your kitchen; read your news on Twitter; ask friends for information via WhatsApp; and get recommendations on Snapchat or Pinterest. When searching for products online, you may be visiting Amazon, eBay, Walmart, or any one of a number of e-commerce providers, where most online shopping queries happen.
  • Similarly, in areas like travel and real estate, Google faces strong competition for search queries from many businesses that are experts in these areas.
  • A competitive digital ad marketplace gives publishers and advertisers, and therefore consumers, an enormous amount of choice. For example, competition in ads — from Twitter, Instagram, Pinterest, Comcast and others — has helped lower online advertising costs by 40% over the last 10 years, with these savings passed down to consumers through lower prices.
  • We also deliberately build platforms that support the innovation of others. Using Android — a product I worked on for many years — thousands of device makers and mobile operators build and sell devices without any licensing fees to us or any requirement to integrate our products. This greatly reduces device prices, and today billions of consumers around the globe are now able to afford cutting-edge smartphones, some for less than $50. And in doing so they are able to access new opportunities — whether it’s sharing a video with friends and family around the world, gaining an education for themselves or their children, or starting a business. Competition also sets higher standards for privacy and security. I’ve always believed that privacy is a universal right and should be available to everyone, and Google is committed to keeping your information safe, treating it responsibly, and putting you in control of what you choose to share. We also never sell user information to third parties. But more must be done to protect users across industries, which is why we’ve long supported the creation of comprehensive federal privacy laws.

Facebook CEO Mark Zuckerberg asserted

  • Our story would not have been possible without U.S. laws that encourage competition and innovation. I believe that strong and consistent competition policy is vital because it ensures that the playing field is level for all. At Facebook, we compete hard, because we’re up against other smart and innovative companies that are determined to win. We know that our future success is not guaranteed, especially in a global tech industry defined by rapid innovation. The history of technology is often the history of failure, and even industry leading tech companies fail if they don’t stay competitive. This is why we’re focused on delivering better services for people and businesses, and competing as vigorously as we can within the rules.
  • Although people around the world use our products, Facebook is a proudly American company. We believe in values — democracy, competition, inclusion and free expression — that the American economy was built on. Many other tech companies share these values, but there’s no guarantee our values will win out. For example, China is building its own version of the internet focused on very different ideas, and they are exporting their vision to other countries. As Congress and other stakeholders consider how antitrust laws support competition in the U.S., I believe it’s important to maintain the core values of openness and fairness that have made America’s digital economy a force for empowerment and opportunity here and around the world.
  • Like many companies, we’ve both built our own products from the ground up, and we’ve moved others forward through mergers and acquisitions. Our acquisitions have helped drive innovation for people who use our own products and services and for the broader startup community. Acquisitions bring together different companies’ complementary strengths. When you acquire a company, you can benefit from their technology and talent, and when you are acquired you get access to resources and people you otherwise might never have been able to tap into.
  • Facebook has made Instagram and WhatsApp successful as part of our family of apps. Instagram and WhatsApp have been able to grow and operate their services using Facebook’s bespoke, lower-cost infrastructure and tackle spam and harmful content with Facebook’s integrity teams and technology.
  • Following its acquisition, Instagram was able to get help stabilizing infrastructure and controlling runaway spam. It also benefited from the ability to plug into Facebook’s self-serve ads system, sales team and existing advertiser relationships to drive monetization, and was able to build products including IG Direct and IG Video that used Facebook’s technology and infrastructure. Before it was acquired, WhatsApp was a paid app with a reputation for secure communications; together we built on that by introducing end-to-end encryption and making it free to use. Since its acquisition, WhatsApp has also been able to develop products such as voice and video calling that were built on Facebook’s technology stack.
  • These benefits came about as a result of our acquisition of those companies, and would not have happened had we not made those acquisitions. We have developed new products for Instagram and WhatsApp, and we have learned from those companies to bring new ideas to Facebook. The end result is better services that provide more value to people and advertisers, which is a core goal of Facebook’s acquisition strategy.


Image by Jorge Guillen from Pixabay

Further Reading, Other Developments, and Coming Events (31 July)


Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 31 July, the House Intelligence Committee will mark up its Intelligence Authorization Act.
  • On 31 July the Select Committee on the Modernization of Congress will hold a business meeting “to consider proposed recommendations.”
  • On 3 August the House Oversight and Reform Committee will hold a hearing on the tenth “Federal Information Technology Acquisition Reform Act” (FITARA) scorecard on federal information technology.
  • On 4 August, the Senate Armed Services Committee will hold a hearing titled “Findings and Recommendations of the Cyberspace Solarium Commission” with these witnesses:
    • Senator Angus S. King, Jr. (I-ME), Co-Chair, Cyberspace Solarium Commission
    • Representative Michael J. Gallagher (R-WI), Co-Chair, Cyberspace Solarium Commission
    • Brigadier General John C. Inglis, ANG (Ret.), Commissioner, Cyberspace Solarium Commission
  • On 6 August, the Federal Communications Commission (FCC) will hold an open meeting to likely consider the following items:
    • C-band Auction Procedures. The Commission will consider a Public Notice that would adopt procedures for the auction of new flexible-use overlay licenses in the 3.7–3.98 GHz band (Auction 107) for 5G, the Internet of Things, and other advanced wireless services. (AU Docket No. 20-25)
    • Radio Duplication Rules. The Commission will consider a Report and Order that would eliminate the radio duplication rule with regard to AM stations and retain the rule for FM stations. (MB Docket Nos. 19-310, 17-105)
    • Common Antenna Siting Rules. The Commission will consider a Report and Order that would eliminate the common antenna siting rules for FM and TV broadcaster applicants and licensees. (MB Docket Nos. 19-282, 17-105)
    • Telecommunications Relay Service. The Commission will consider a Report and Order to repeal certain TRS rules that are no longer needed in light of changes in technology and voice communications services. (CG Docket No. 03-123)
  • The National Institute of Standards and Technology (NIST) will hold the “Exploring Artificial Intelligence (AI) Trustworthiness: Workshop Series Kickoff Webinar,” “a NIST initiative involving private and public sector organizations and individuals in discussions about building blocks for trustworthy AI systems and the associated measurements, methods, standards, and tools to implement those building blocks when developing, using, and testing AI systems” on 6 August.
  • On 18 August, the National Institute of Standards and Technology (NIST) will host the “Bias in AI Workshop, a virtual event to develop a shared understanding of bias in AI, what it is, and how to measure it.”

Other Developments

  • The European Commission (EC) released a report on the status of efforts across the European Union (EU) to implement the EU Toolbox on 5G Cybersecurity, the bloc’s approach to navigating security issues presented by equipment and services offered by companies from the People’s Republic of China such as Huawei. The EC concluded
    • All Member States reported that concrete steps have been taken to implement the Toolbox. Most Member States carried out a gap analysis and launched a process to review and upgrade existing security measures and enforcement mechanisms. Many Member States have already adopted or are well advanced in the preparation of more advanced security measures on 5G cybersecurity.
    • However, work is still ongoing in many Member States on defining the content and scope of the measures and in some cases, political decisions still need to be made in this regard. In addition, even where measures are in progress or being planned, not all Member States have shared detailed information about every measure, due to diverse stages in the national implementation process or for national security reasons. Nevertheless, a number of findings can be formulated based on the analysis presented in this report as regards the implementation of the Toolbox and areas where specific attention is needed in the next phases of the implementation of the Toolbox at national and/or EU level.
  • The United States (US) and Australia released this joint statement after this week’s Australia-United States Ministerial Consultations (AUSMIN), at which the heads of their defense and foreign ministries met in Washington DC. The two countries listed a number of steps and initiatives designed to counter the People’s Republic of China (PRC). Among other developments:
    • The US and Australia signed a classified Statement of Principles on Alliance Defense Cooperation and Force Posture Priorities in the Indo-Pacific.
    • The two nations “plan to continue to counter these threats vigorously, including through collaboration with international partners, and through a new working group between the Department of Foreign Affairs and Trade and the Department of State, which will monitor and respond to disinformation efforts.”
    • The US and Australia “expressed deep concern that the targeting of intellectual property and sensitive business information, including information relating to the development of vaccines and treatments for pandemic response, presents an increasing threat to the global economy, and they committed to holding malicious actors accountable.”
    • The countries “noted the role of 5G network security best practices, such as the Prague Proposals, and expressed their intent to work with like-minded partners to develop end-to-end technical solutions for 5G that use trusted vendors….[and] [a]cknowledging that 5G is only the starting point, the two nations also reaffirm their commitment to lifting the security of critical and emerging technologies that will be vital to our nations’ prosperity.”
    • The US and Australia “welcomed the announcement that Lynas has signed a Phase 1 contract with the U.S. Department of Defense for an engineering and market feasibility study for the design of a heavy rare earth separation facility in the United States” and “the continued development of a U.S.-Australia Critical Minerals Plan of Action to improve the security of critical minerals in the United States and Australia.” 
  • The United Kingdom’s National Cyber Security Centre (NCSC) has issued a report titled “The Cyber Threat to Sports Organisations” “to demystify the cyber threat to sports organisations by highlighting the cyber security issues that affect the sector on a daily basis: business email compromise, digital fraud, and venue security.” The NCSC asserted
    • cyber attacks against sports organisations are very common, with 70% of those surveyed experiencing at least one attack per annum. This is significantly higher than the average across UK business.
    • The primary cyber threat comes from cyber criminals with a financial motive. Criminal attacks typically take advantage of poor implementation of technical controls and normal human traits such as trust and ineffective password policies.
    • There have been a small number of Hostile Nation-state attacks against sports organisations; typically, these attacks have exploited the same vulnerabilities used by criminals.
    • The most common outcome of cyber attacks is unauthorised access to email accounts (Business Email Compromise) leading to fraud. Ransomware is also a significant issue in the sector.
  • Top Republicans on one of the committees with jurisdiction over technology have written Google and Apple regarding their “app store and the policies you have in place to ensure apps are appropriately vetted, particularly those with close ties to China and the Chinese Communist Party (CCP).” House Energy and Commerce Committee Ranking Member Greg Walden (R-OR) and Consumer Protection and Commerce Subcommittee Ranking Member Cathy McMorris Rodgers (R-WA) are asking the companies to respond by 12 August to a series of questions. They asserted
    • As with any crisis, there are those that seek to exploit opportunities for their own malicious intent. We believe that bad actors may be taking advantage of the American people’s trust in your brand, which likely extends to apps available through your store. While we want an open and transparent marketplace that does not limit innovators outside your company, we know there are those that seek to use apps as a means to push through pop-up ads or hijack devices to make it a tool for eavesdropping.
    • The level of permissions that these apps require may include access to camera, microphone, and contacts, as well as functionality to load other malware for bad actors to control a device even after the original app has been removed. This is especially alarming when it comes from companies with direct or indirect links to the CCP.
  • A Washington DC think tank published a report written in part with Representatives Robin Kelly (D-IL) and Will Hurd (R-TX) titled “AI and the Workforce.” The Bipartisan Policy Center explained that “[b]ased on our discussions with stakeholders, we have identified the following key principles:
    • 1. The United States should embrace and take a leadership role in the AI-driven economy by filling the AI talent gap and preparing the rest of the workforce for the jobs of the future. However, in doing so, policymakers should make inclusivity and equal opportunity a priority.
    • 2. Closing the AI talent gap requires a targeted approach to training, recruiting, and retaining skilled workers. This AI talent should ideally have a multi-disciplinary skill set that includes ethics.
    • 3. The AI talent gap is not the only challenge of the AI-driven economy, so the federal government should focus more broadly on the jobs of the future and skills that are complemented by AI technology. Additionally, encouraging workers to develop basic AI and technological literacy can help them better determine how to complement AI systems.
    • 4. The educational system from kindergarten through post-college is not yet designed for the AI-driven economy and should be modernized.
    • 5. The skills that will be in demand in the future will continuously change, so lifelong learning and ways to help displaced and mid-career workers transition into new jobs is critical for the workforce of the future.
    • In September 2018, Kelly and Hurd released a white paper detailing the “lessons learned from the Subcommittee’s oversight and hearings on AI and sets forth recommendations for moving forward.” 
  • The National Cyber Security Centre (NCSC) updated its “Mobile Device Guidance” regarding Windows 10, Android and VPNs. The NCSC stated “[o]ver the next few months, we’ll be bringing our Chrome OS and Ubuntu Linux guidance up to date and into the new format.”
  • Cybersecurity company FireEye released a report on a new type of Russian disinformation campaign where hackers are gaining access to legitimate news sources and planting fake stories that are subsequently amplified on social media.
    • FireEye explained it
      • has tied together several information operations that we assess with moderate confidence comprise part of a broader influence campaign, ongoing since at least March 2017, aligned with Russian security interests. The operations have primarily targeted audiences in Lithuania, Latvia, and Poland with narratives critical of the North Atlantic Treaty Organization’s (NATO) presence in Eastern Europe, occasionally leveraging other themes such as anti-U.S. and COVID-19-related narratives as part of this broader anti-NATO agenda. We have dubbed this campaign “Ghostwriter.”
    • FireEye added
      • Many, though not all, of the incidents we suspect to be part of the Ghostwriter campaign appear to have leveraged website compromises or spoofed email accounts to disseminate fabricated content, including falsified news articles, quotes, correspondence and other documents designed to appear as coming from military officials and political figures in the target countries. This falsified content has been referenced as source material in articles and op-eds authored by at least 14 inauthentic personas posing as locals, journalists, and analysts within those countries.

Further Reading

  • “Rite Aid deployed facial recognition systems in hundreds of U.S. stores” by Jeffrey Dastin – Reuters. A major United States retailer was using facial recognition technology, mostly at stores in poorer, more ethnically diverse areas, and the technology seems connected to a company in the People’s Republic of China. Rite Aid has ceased use of this system, which was implemented to address shoplifting and other crime; guards and other personnel were supposed to act when the system turned up a hit on a person in the store who had committed a crime or made trouble in another location. Given the accuracy of this sort of technology, there were a range of false positives. Additionally, locations in New York City that had similar crime profiles in majority white, affluent areas were much less likely to have this system. The company providing the technology, DeepCam LLC, appears intimately connected to a Chinese firm, Shenzhen Shenmu, that appears funded by a Beijing-run venture capital/investment fund.
  • “Facebook Wins Temporary Halt to EU Antitrust Data Demands” by Stephanie Bodoni – Bloomberg. In a setback for the European Commission’s (EC) investigation, the European Union General Court has temporarily blocked data and document requests in a pair of rulings. The court ruled for Facebook in finding the EC’s request “may unavoidably include personal information” and so “it is important to ensure that confidential treatment of such information is safeguarded, especially when the information does, at first sight, not appear to have any link with the subject matter of the commission’s investigation.” A Facebook attorney claimed the requests were going to net “highly sensitive personal information such as employees’ medical information, personal financial documents, and private information about family members of employees.” The court is expected to issue a final decision on the data requests, which has obvious implications for the EC’s investigation of Facebook.
  • “Google’s Top Search Result? Surprise! It’s Google” by Adrianne Jeffries and Leon Yin – The Markup. Google’s search results have changed tremendously over the last 15 years, from showing the top organic results to now reserving 50% of the page for Google results and products. As a result, a number of online businesses that compete with Google products have withered and some have died. Google denies abusing its market power, but competitors and possibly some regulators think otherwise, possibly foreshadowing future anti-competitive enforcement actions.
  • “Five Eyes alliance could expand in scope to counteract China” by Patrick Wintour – The Guardian. The United States, United Kingdom, Canada, New Zealand, and Australia may expand both the scope of their Five Eyes arrangement and the membership as a means of pushing back on Chinese policies and actions. Japan could possibly join the alliance and perhaps it serves as the basis for a trade agreement to address Beijing.
  • “Huawei to double down on HSBC as legal battle over extradition of Meng Wanzhou intensifies” by Zhou Xin – South China Morning Post. As the daughter of Huawei’s founder continues to be held in Canada facing possible extradition to the United States (US) to be tried on charges of violating US sanctions on Iran, Meng Wanzhou’s lawyers are focusing on the evidence provided by Hong Kong-based bank HSBC to the US Department of Justice as being deficient in a number of ways. The People’s Republic of China is still holding two Canadians incommunicado who were arrested and charged with espionage after Meng was detained in British Columbia.

Further Reading, Other Developments, and Coming Events (30 July)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 30 July, the Senate Commerce, Science, and Transportation Committee’s Security Subcommittee will hold a hearing titled “The China Challenge: Realignment of U.S. Economic Policies to Build Resiliency and Competitiveness” with these witnesses:
    • The Honorable Nazak Nikakhtar, Assistant Secretary for Industry and Analysis, International Trade Administration, U.S. Department of Commerce
    • Dr. Rush Doshi, Director of the Chinese Strategy Initiative, The Brookings Institution
    • Mr. Michael Wessel, Commissioner, U.S. – China Economic and Security Review Commission
  • On 30 July, the House Armed Services Committee’s Intelligence and Emerging Threats and Capabilities Subcommittee will hold a hearing titled “Review of the Recommendations of the Cyberspace Solarium Commission” with these witnesses:
    • Senator Angus King (I-ME), Chairman, Cyberspace Solarium Commission
    • Representative Mike Gallagher (R-WI), Chairman, Cyberspace Solarium Commission
    • The Honorable Patrick Murphy, Commissioner, Cyberspace Solarium Commission
    • Mr. Frank Cilluffo, Commissioner, Cyberspace Solarium Commission
  • On 31 July, the House Intelligence Committee will mark up its Intelligence Authorization Act.
  • On 31 July the Select Committee on the Modernization of Congress will hold a business meeting “to consider proposed recommendations.”
  • On 3 August the House Oversight and Reform Committee will hold a hearing on the tenth “Federal Information Technology Acquisition Reform Act” (FITARA) scorecard on federal information technology.
  • On 4 August, the Senate Armed Services Committee will hold a hearing titled “Findings and Recommendations of the Cyberspace Solarium Commission” with these witnesses:
    • Senator Angus S. King, Jr. (I-ME), Co-Chair, Cyberspace Solarium Commission
    • Representative Michael J. Gallagher (R-WI), Co-Chair, Cyberspace Solarium Commission
    • Brigadier General John C. Inglis, ANG (Ret.), Commissioner, Cyberspace Solarium Commission
  • On 6 August, the Federal Communications Commission (FCC) will hold an open meeting to likely consider the following items:
    • C-band Auction Procedures. The Commission will consider a Public Notice that would adopt procedures for the auction of new flexible-use overlay licenses in the 3.7–3.98 GHz band (Auction 107) for 5G, the Internet of Things, and other advanced wireless services. (AU Docket No. 20-25)
    • Radio Duplication Rules. The Commission will consider a Report and Order that would eliminate the radio duplication rule with regard to AM stations and retain the rule for FM stations. (MB Docket Nos. 19-310, 17-105)
    • Common Antenna Siting Rules. The Commission will consider a Report and Order that would eliminate the common antenna siting rules for FM and TV broadcaster applicants and licensees. (MB Docket Nos. 19-282, 17-105)
    • Telecommunications Relay Service. The Commission will consider a Report and Order to repeal certain TRS rules that are no longer needed in light of changes in technology and voice communications services. (CG Docket No. 03-123)
  • The National Institute of Standards and Technology (NIST) will hold the “Exploring Artificial Intelligence (AI) Trustworthiness: Workshop Series Kickoff Webinar,” “a NIST initiative involving private and public sector organizations and individuals in discussions about building blocks for trustworthy AI systems and the associated measurements, methods, standards, and tools to implement those building blocks when developing, using, and testing AI systems” on 6 August.
  • On 18 August, the National Institute of Standards and Technology (NIST) will host the “Bias in AI Workshop, a virtual event to develop a shared understanding of bias in AI, what it is, and how to measure it.”

Other Developments

  • Senate Armed Services Committee Chair James Inhofe (R-OK) has publicly placed a hold on the re-nomination of a Federal Communications Commission member over the agency’s April decision to permit Ligado to proceed with its plan “to deploy a low-power terrestrial nationwide network in the 1526-1536 MHz, 1627.5-1637.5 MHz, and 1646.5-1656.5 MHz bands that will primarily support Internet of Things (IoT) services.” This is the latest step Inhofe and allies on Capitol Hill and in the Trump Administration have taken to press the FCC. In the recently passed “National Defense Authorization Act (NDAA) for Fiscal Year 2021” (S.4049) there is language requiring “the Secretary of Defense to enter into an agreement with the National Academies of Science, Engineering, and Medicine to conduct an independent technical review of the Order and Authorization adopted by the FCC on April 19, 2020 (FCC 20–48). The independent technical review would include a comparison of the two different approaches used for evaluation of potential harmful interference. The provision also would require the National Academies of Science, Engineering, and Medicine to submit a report on the independent technical review.” This provision may make it into the final FY 2021 NDAA, which would stop Ligado from proceeding before the conclusion of the study.
  • Senator Josh Hawley (R-MO) has released yet another bill amending 47 USC 230 (aka Section 230), the “Behavioral Advertising Decisions Are Downgrading Services (BAD ADS) Act,” that would “remove Section 230 immunity from Big Tech companies that display manipulative, behavioral ads or provide data to be used for them.” Considering that targeted advertising forms a significant part of the revenue stream for such companies, this seems to be of a piece with other bills of Hawley’s and others to pressure social media platforms. Hawley noted he “has been a leading critic of Section 230’s protection of Big Tech firms and recently called for Twitter to lose immunity if it chooses to editorialize on political speech.”
  • The United States National Counterintelligence and Security Center (US NCSC) issued a statement on election security on the 100th day before the 2020 Presidential Election. US NCSC Director William Evanina described the risks facing the US heading into November but did not detail US efforts to address and counter the efforts of foreign nations to influence and disrupt Presidential and Congressional elections this fall. The US NCSC explained it is working with other federal agencies and stakeholders, however.
    • US NCSC Director William Evanina explained the purpose of the press release is to “share insights with the American public about foreign threats to our election and offer steps to citizens across the country to build resilience and help mitigate these threats…[and] to update Americans on the evolving election threat landscape, while also safeguarding our intelligence sources and methods.” Evanina noted “Office of the Director of National Intelligence (ODNI) has been providing robust intelligence-based briefings on election security to the presidential campaigns, political committees, and Congressional audiences.” Including the assertion “[i]n leading these classified briefings, I have worked to ensure fidelity, accountability, consistency and transparency with these stakeholders and presented the most timely and accurate information we have to offer” may be Evanina’s way of pushing back on concerns that the White House has placed people loyal to the President at the top of some IC entities who may lack independence. Top Democrats
    • The US NCSC head asserted “[e]lection security remains a top priority for the Intelligence Community and we are committed in our support to the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), given their leadership roles in this area.”
    • Evanina claimed “[a]t this time, we’re primarily concerned with China, Russia and Iran — although other nation states and non-state actors could also do harm to our electoral process….[and] [o]ur insights and judgments will evolve as the election season progresses:
      • China is expanding its influence efforts to shape the policy environment in the United States, pressure political figures it views as opposed to China’s interests, and counter criticism of China. Beijing recognizes its efforts might affect the presidential race.
      • Russia’s persistent objective is to weaken the United States and diminish our global role. Using a range of efforts, including internet trolls and other proxies, Russia continues to spread disinformation in the U.S. that is designed to undermine confidence in our democratic process and denigrate what it sees as an anti-Russia “establishment” in America.
      • Iran seeks to undermine U.S. democratic institutions and divide the country in advance of the elections. Iran’s efforts center around online influence, such as spreading disinformation on social media and recirculating anti-U.S. content.
    • Speaker of the House Nancy Pelosi (D-CA), Senate Minority Leader Chuck Schumer (D-NY), House Intelligence Committee Chair Adam Schiff (D-CA), and Senate Intelligence Committee Ranking Member Mark Warner (D-VA) released their response to the NCSC statement:
      • The statement just released by NCSC Director William Evanina does not go nearly far enough in arming the American people with the knowledge they need about how foreign powers are seeking to influence our political process. The statement gives a false sense of equivalence to the actions of foreign adversaries by listing three countries of unequal intent, motivation and capability together. The statement, moreover, fails to fully delineate the goal, nature, scope and capacity to influence our election, information the American people must have as we go into November. To say without more, for example, that Russia seeks to ‘denigrate what it sees as an anti-Russia ‘establishment’ in America’ is so generic as to be almost meaningless. The statement omits much on a subject of immense importance.
      • “In our letter two weeks ago, we called on the FBI to provide a defensive briefing to the entire Congress about specific threats related to a concerted foreign disinformation campaign, and this is more important than ever.  But a far more concrete and specific statement needs to be made to the American people, consistent with the need to protect sources and methods.  We can trust the American people with knowing what to do with the information they receive and making those decisions for themselves. But they cannot do so if they are kept in the dark about what our adversaries are doing, and how they are doing it.  When it comes to American elections, Americans must decide.”
    • Senate Majority Leader Mitch McConnell (R-KY) and Senate Intelligence Committee Chair Marco Rubio (R-FL) issued their own statement:
      • We are disappointed by the statement from Senator Schumer, Senator Warner, Speaker Pelosi, and Representative Schiff about Bill Evanina, the Director of the National Counterintelligence and Security Center. Evanina is a career law enforcement and intelligence professional with extensive experience in counterintelligence. His reputation as a straight-shooter immune from politics is well-deserved. It is for this reason that Evanina received overwhelming support from the Senate when he was confirmed to be Director of the NCSC and again when the Administration tapped him to lead the nation’s efforts to protect the 2020 elections from foreign interference.
      • We believe the statement baselessly impugns his character and politicizes intelligence matters. Their manufactured complaint undercuts Director Evanina’s nonpartisan public outreach to increase Americans’ awareness of foreign influence campaigns right at the beginning of his efforts.
      • Prior to their public statements, Director Evanina had previewed his efforts and already offered to provide another round of briefings to the Congress on the threat and steps the US government has taken over the last three and a half years to combat it. We believe the threat is real, and is more complex than many partisans may wish to admit. We welcome these briefings, and hope our colleagues will listen to the career professionals who have been given this mission.
      • We will not discuss classified information in public, but we are confident that while the threat remains, we are far better prepared than four years ago. The intelligence community, law enforcement, election officials, and others involved in securing our elections are far better postured, and Congress dramatically better informed, than any of us were in 2016—and our Democrat colleagues know it.
  • The Australian Cyber Security Centre (ACSC) and the Digital Transformation Agency (DTA) issued “new Cloud Security Guidance co-designed with industry to support the secure adoption of cloud services across government and industry.” The agencies stated this new release “will guide organisations including government, Cloud Service Providers (CSP), and Information Security Registered Assessors Program (IRAP) assessors on how to perform a comprehensive assessment of a cloud service provider and its cloud services, so a risk-informed decision can be made about its suitability to handle an organisation’s data.” ACSC and DTA added “The Cloud Security Guidance is supported by forthcoming updates to the Australian Government Information Security Manual (ISM), the Attorney-General’s Protective Security Policy Framework (PSPF), and the DTA’s Secure Cloud Strategy.”
  • The National Institute of Standards and Technology (NIST) studied how well facial recognition technology and services could identify people wearing masks and, to no great surprise, the results were not good with respect to accuracy. In qualifying its results, NIST stressed that the facial recognition technologies were not calibrated for masks. In its Interagency Report NISTIR 8311, NIST found
    • Algorithm accuracy with masked faces declined substantially across the board. Using unmasked images, the most accurate algorithms fail to authenticate a person about 0.3% of the time. Masked images raised even these top algorithms’ failure rate to about 5%, while many otherwise competent algorithms failed between 20% to 50% of the time.
    • Masked images more frequently caused algorithms to be unable to process a face, technically termed “failure to enroll or template” (FTE). Face recognition algorithms typically work by measuring a face’s features — their size and distance from one another, for example — and then comparing these measurements to those from another photo. An FTE means the algorithm could not extract a face’s features well enough to make an effective comparison in the first place.
    • The more of the nose a mask covers, the lower the algorithm’s accuracy. The study explored three levels of nose coverage — low, medium and high — finding that accuracy degrades with greater nose coverage.
    • While false negatives increased, false positives remained stable or modestly declined. Errors in face recognition can take the form of either a “false negative,” where the algorithm fails to match two photos of the same person, or a “false positive,” where it incorrectly indicates a match between photos of two different people. The modest decline in false positive rates show that occlusion with masks does not undermine this aspect of security.
    • The shape and color of a mask matters. Algorithm error rates were generally lower with round masks. Black masks also degraded algorithm performance in comparison to surgical blue ones, though because of time and resource constraints the team was not able to test the effect of color completely.
    • NIST explained this report
      • is the first of a series of reports on the performance of face recognition algorithms on faces occluded by protective face masks [2] commonly worn to reduce inhalation of viruses or other contaminants. This study is being run under the Ongoing Face Recognition Vendor Test (FRVT) executed by the National Institute of Standards and Technology (NIST). This report documents accuracy of algorithms to recognize persons wearing face masks. The results in this report apply to algorithms provided to NIST before the COVID-19 pandemic, which were developed without expectation that NIST would execute them on masked face images.
  • The United States National Science Foundation (NSF) and the Office of Science and Technology Policy (OSTP) inside the White House announced the establishment of the Quantum Leap Challenges Institutes program and “$75 million for three new institutes designed to have a tangible impact in solving” problems associated with quantum information science and engineering. NSF added “Quantum Leap Challenge Institutes also form the centerpiece of NSF’s Quantum Leap, an ongoing, agency-wide effort to enable quantum systems research and development.” NSF and OSTP named the following institutes:
    • NSF Quantum Leap Challenge Institute for Present and Future Quantum Computing. Today’s quantum computing prototypes are rudimentary, error-prone, and small-scale. This institute, led by the University of California, Berkeley, plans to learn from these to design advanced, large-scale quantum computers, develop efficient algorithms for current and future quantum computing platforms, and ultimately demonstrate that quantum computers outperform even the best conceivable classical computers.
  • The United States Department of Energy (DOE) published its “Blueprint for the Quantum Internet” “that lays out a blueprint strategy for the development of a national quantum internet, bringing the United States to the forefront of the global quantum race and ushering in a new era of communications” and held an event to roll out the new document and approach. The Blueprint is part of the Administration’s effort to implement the “National Quantum Initiative Act” (P.L. 115-368), a bill “[t]o provide for a coordinated Federal program to accelerate quantum research and development for the economic and national security of the United States.” Under Secretary of Energy for Science Paul Dabbar explained in a blog post that “[t]he Blueprint lays out four priority research opportunities to make this happen:
    • Providing the foundational building blocks for Quantum Internet;
    • Integrating Quantum networking devices;
    • Creating repeating, switching, and routing technologies for Quantum entanglement;
    • Enabling error correction of Quantum networking functions.
  • The European Commission (EC) is requesting feedback until 10 September on its impact assessment for future European Union legislation on artificial intelligence (AI). The EC explained “the overall policy objective is to ensure the development and uptake of lawful and trustworthy AI across the Single Market through the creation of an ecosystem of trust.” Earlier this year, as part of its Digital Strategy, the EC released a white paper, “On Artificial Intelligence – A European approach to excellence and trust,” in which the Commission articulates its support for “a regulatory and investment oriented approach with the twin objective of promoting the uptake of AI and of addressing the risks associated with certain uses of this new technology.” The EC stated that “[t]he purpose of this White Paper is to set out policy options on how to achieve these objectives…[but] does not address the development and use of AI for military purposes.”

Further Reading

  • “Google Takes Aim at Amazon. Again.” – The New York Times. For the fifth time in the last decade, Google will try to take on Amazon, in part, because the latter’s dominance in online retailing is threatening the former’s dominance in online advertising. Google is offering a suite of inducements for retailers to use its platform, Google Shopping. One wonders if Google gains traction whether Amazon would point to the competition as proof it is not engaged in anti-competitive practices to regulators.
  • “Twitter’s security woes included broad access to user accounts” – Ad Age. This piece details the years-long tension inside the social media giant between strengthening internal security and developing features to make more money. Not surprisingly, the latter consideration almost always trumped the former, a situation exacerbated by Twitter’s growing use of third-party contractors to handle back end functions, including security. Apparently, many contractors would spy on celebrities’ accounts, sometimes using workarounds to defeat Twitter’s security. Even though this article claims it was only contractors, one wonders if some Twitter employees were doing the same. Whatever the case, Twitter’s board has been warned about weak security for years and opted against heeding this advice, a factor that likely allowed the platform to get hacked a few weeks ago. Worse still, the incentives do not seem aligned to drive better security in the future.
  • “We’re in the middle of the COVID-19 crisis. Big Tech is already preparing for the next one.” – Protocol. For people who think large technology companies have not had a prominent enough role during the current pandemic, this news will be reassuring. The Consumer Technology Association (CTA), a non-profit organized under Section 501(c)(6) of United States’ tax laws, has commenced with a “Public Health Tech Initiative” “[t]o ensure an effective public sector response to future pandemics like COVID-19.” This group “will explore and create recommendations for the use of technology in dealing with and recovering from future public health emergencies.”
  • “Car Companies Want to Monitor Your Every Move With Emotion-Detecting AI” – Vice’s Motherboard. A number of companies are selling auto manufacturers on a suite of technology that could record everything that happens in your car, including facial analysis algorithms, for a variety of purposes with financial motives such as behavioral advertising, setting insurance rates, and others. The United States does not have any laws that directly regulate such practices whereas the European Union does, suggesting such technology would be deployed less in Europe.
  • “Russian Intelligence Agencies Push Disinformation on Pandemic” – The New York Times. United States (US) intelligence agencies declassified and shared intelligence with journalists purporting to show how Russian Federation intelligence agencies have adapted their techniques in their nonstop disinformation campaign against the US, the North Atlantic Treaty Organization, and others. As Facebook, Twitter, and others have grown adept at locating and removing content from obvious Russian outlets like RT and Sputnik, Russian agencies are utilizing more subtle techniques, aiming at the same goal of undermining confidence among Americans and elsewhere in the government.

Trump Administration Asks FCC To Act on Social Media EO

NTIA is asking the FCC to interpret Section 230 in a way that would reduce the liability protection of social media companies with the goal of pressuring these companies to reduce moderation of conservative viewpoints.

The Trump Administration has proceeded with a step in implementing its executive order (EO) to regulate social media platforms for alleged violations of freedom of speech through a clarification of 47 USC 230 (aka Section 230). At issue is the liability shield companies like Twitter, Facebook, and others enjoy in federal law to most claims for content posted by third parties that the Trump Administration is arguing has been misconstrued both from Congress’ original intent and the plain language of the 1996 law. Moreover, the Trump Administration and many Republicans claim some of these companies are actively censoring conservative viewpoints unfairly and in violation of Section 230 and imply First Amendment rights are being violated, too. Many on the left are also unhappy with how Section 230 seems to be insulating large technology companies from legal responsibility to take down what they see as violent and extremist content, especially white supremacist material and untrue claims. The EO that set this proceeding into motion had been rumored for more than a year, possibly as leverage over Twitter and Facebook so they would not moderate conservative content. Lending credence to this view is the fact that the EO was hurriedly issued after Twitter fact checked two of President Donald Trump’s untrue claims about mail voting.

Following the directive in the EO, on 27 July, the Department of Commerce’s National Telecommunications and Information Administration (NTIA) filed a petition with the Federal Communications Commission (FCC), asking the agency to start a rulemaking to clarify alleged ambiguities in 47 USC 230 regarding the limits of the liability shield for the content others post online versus the liability protection for “good faith” moderation by the platform itself.

The NTIA asserted “[t]he FCC should use its authorities to clarify ambiguities in section 230 so as to make its interpretation appropriate to the current internet marketplace and provide clearer guidance to courts, platforms, and users…[and] urges the FCC to promulgate rules addressing the following points:

  1. Clarify the relationship between subsections (c)(1) and (c)(2), lest they be read and applied in a manner that renders (c)(2) superfluous as some courts appear to be doing.
  2. Specify that Section 230(c)(1) has no application to any interactive computer service’s decision, agreement, or action to restrict access to or availability of material provided by another information content provider or to bar any information content provider from using an interactive computer service.
  3. Provide clearer guidance to courts, platforms, and users, on what content falls within (c)(2) immunity, particularly section 230(c)(2)’s “otherwise objectionable” language and its requirement that all removals be done in “good faith.”
  4. Specify that “responsible, in whole or in part, for the creation or development of information” in the definition of “information content provider,” 47 U.S.C. § 230(f)(3), includes editorial decisions that modify or alter content, including but not limited to substantively contributing to, commenting upon, editorializing about, or presenting with a discernible viewpoint content provided by another information content provider.
  5. Mandate disclosure for internet transparency similar to that required of other internet companies, such as broadband service providers.

NTIA argued that

  • Section 230(c)(1) has a specific focus: it prohibits “treating” “interactive computer services,” i.e., internet platforms, such as Twitter or Facebook, as “publishers.” But, this provision only concerns “information” provided by third parties, i.e., “another internet content provider” and does not cover a platform’s own content or editorial decisions.
  • Section (c)(2) also has a specific focus: it eliminates liability for interactive computer services that act in good faith “to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable.”

The FCC has discretion in whether it will accede to the NTIA’s petition that it conduct this rulemaking. If the agency determines action is justified by the petition, it could either start a notice and comment rulemaking with a proposed rule being released for comment or it could merely issue a final rule. If the FCC decides the NTIA’s petition does not require agency action, it must notify the NTIA why it is rejecting its petition.

It is possible the FCC will prove receptive to the NTIA petition and start a rulemaking that may or may not conclude before the election or a potential Biden Administration in January. The agency will need to process and analyze the likely voluminous comments and arguments that will be submitted under FCC rules on the NTIA’s petition. It may also be the case that the agency is privately not receptive to the Trump Administration’s arguments and slow walks the process. The agency could sidestep this petition in a number of ways. First, its regulations provide “[p]etitions which are moot, premature, repetitive, frivolous, or which plainly do not warrant consideration by the Commission may be denied or dismissed without prejudice to the petitioner.” Second, the agency may be able to argue with justification it is working through the numerous comments and legal ramifications. Thirdly, there is at least one lawsuit pending to enjoin action on the EO that the agency could use as justification for not immediately acting.

Executive Order 13925, “Preventing Online Censorship,” was issued in late May. After Twitter factchecked two of his Tweets regarding false claims made about mail voting in California in response to the COVID-19 pandemic, Trump signed the long rumored EO seen by many as a means of cowing social media platforms. Given that the First Amendment to the United States Constitution guarantees freedom of speech in relation to government action, it is not clear how Twitter would be considered a government agency and therefore subject to the First Amendment.

Twitter’s first factchecking of Trump’s tweeting occurred when he made false claims about California’s plan to mail ballots to registered voters, and not, as the President claimed, to all residents of California. On 26 May, Trump tweeted across two Tweets:

There is NO WAY (ZERO!) that Mail-In Ballots will be anything less than substantially fraudulent. Mail boxes will be robbed, ballots will be forged & even illegally printed out & fraudulently signed. The Governor of California is sending Ballots to millions of people, anyone….. ….living in the state, no matter who they are or how they got there, will get one. That will be followed up with professionals telling all of these people, many of whom have never even thought of voting before, how, and for whom, to vote. This will be a Rigged Election. No way!

On 27 May, Twitter added “a label to two @realDonaldTrump Tweets about California’s vote-by-mail plans as part of our efforts to enforce our civic integrity policy. We believe those Tweets could confuse voters about what they need to do to receive a ballot and participate in the election process.”

In the day after Twitter added this label, word began to leak from the White House that a long rumored executive order regarding Section 230 of the Communications Decency Act was being prepared for the president’s signature. And, late in the day on 28 May, after a day of reporting on the EO by media, Trump did indeed sign the “Executive Order on Preventing Online Censorship,” which asserted

Section 230 was not intended to allow a handful of companies to grow into titans controlling vital avenues for our national discourse under the guise of promoting open forums for debate, and then to provide those behemoths blanket immunity when they use their power to censor content and silence viewpoints that they dislike.  When an interactive computer service provider removes or restricts access to content and its actions do not meet the criteria of subparagraph (c)(2)(A), it is engaged in editorial conduct.  It is the policy of the United States that such a provider should properly lose the limited liability shield of subparagraph (c)(2)(A) and be exposed to liability like any traditional editor and publisher that is not an online provider.

Consequently, the EO directs that “all executive departments and agencies should ensure that their application of section 230(c) properly reflects the narrow purpose of the section and take all appropriate actions in this regard.”

In addition to tasking the NTIA to file a petition with the FCC, the EO directed other agencies to act. Elsewhere in the EO, it is provided that the head of each federal agency must review their online spending and then report to the Office of Management and Budget (OMB). The Department of Justice would then “review the viewpoint-based speech restrictions imposed by each online platform identified in the [reports submitted to OMB] and assess whether any online platforms are problematic vehicles for government speech due to viewpoint discrimination, deception to consumers, or other bad practices.”

The Federal Trade Commission (FTC) must consider whether online platforms are violating Section 5 of the FTC Act barring unfair or deceptive practices, which “may include practices by entities covered by section 230 that restrict speech in ways that do not align with those entities’ public representations about those practices.”

Of course, the House’s FY 2021 Financial Services and General Government Appropriations Act (H.R. 7668) has a provision that would bar either the FTC or FCC from taking certain actions related to the EO. It is very unlikely Senate Republicans, some of whom have publicly supported this Executive Order, will allow this language into the final bill funding the agencies.

EDPB Issues FAQs On Privacy Shield Decision

While the EDPB does not provide absolute answers on how US entities looking to transfer EU personal data should proceed, the agencies provide their best thinking on what the path forward looks like.

On 24 July, the European Data Protection Board (EDPB) addressed, in part, the implications of the recent decision that struck down the European Union-United States Privacy Shield, an agreement that had allowed US companies to transfer and process the personal data of EU citizens. The EDPB fully endorsed the view that the United States’ (US) surveillance regime, notably Section 702 of the “Foreign Intelligence Surveillance Act” (FISA) and Executive Order (EO) 12333, makes most transfers to the US illegal except perhaps if entities holding and using the data take extra steps to protect it. The EDPB references another means that allows for transfers to possibly continue but that generally requires informed and explicit consent from each and every EU person involved. Finally, the EDPB does not address whether the European Commission (EC) and the US are able to execute a third agreement that would be legal under EU law.

The EDPB, which is comprised of the European Union’s (EU) data protection authorities (DPAs), has formally adopted a document spelling out its view on whether data transfers under Privacy Shield to the US are still legal and how companies should proceed in using standard contractual clauses (SCCs) and Binding Corporate Rules (BCR), two alternative means of transferring data aside from Privacy Shield. The EDPB’s views suggest the DPAs and supervisory authorities (SA) in each EU nation are going to need to work on a case-by-case basis regarding the latter two means, for the EDPB stressed these are to be evaluated individually. Given recent criticism of how nations are funding and resourcing their DPAs, there may be capacity issues in managing this new work alongside existing enforcement and investigation matters. Moreover, the EDPB discusses use of the exceptions available in Article 49 of the General Data Privacy Regulation (GDPR), stressing that most such transfers are to be occasional.

In last week’s decision, the Court of Justice of the European Union (CJEU) invalidated the European Commission’s adequacy decision on the EU-US Privacy Shield, thus throwing into question all transfers of personal data from the EU into the US that relied on this means. The CJEU was more circumspect in ruling on the use of standard contractual clauses (SCC), another way to legally transfer personal data out of the EU in compliance with the bloc’s law. The court seems to suggest there may be cases in which the use of SCCs may be inadequate given a country’s inadequate protections of the data of EU residents, especially with respect to national security and law enforcement surveillance. The EDPB issued a statement when the decision was made supporting the CJEU but has now adopted a more detailed explanation of its views on the implications of the decision for data controllers, data processors, other nations, EU DPAs and SAs.

In “Frequently Asked Questions (FAQ) on the judgment of the CJEU in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems,” the EDPB explains its current thinking on the decision, much of which is built on existing guidance and interpretation of the GDPR. The EDPB explained that the FAQ “aims at presenting answers to some frequently asked questions received by SAs and will be developed and complemented along with further analysis, as the EDPB continues to examine and assess the judgment of the CJEU.”

Here are notable excerpts:

  • Is there any grace period during which I can keep on transferring data to the U.S. without assessing my legal basis for the transfer? No, the Court has invalidated the Privacy Shield Decision without maintaining its effects, because the U.S. law assessed by the Court does not provide an essentially equivalent level of protection to the EU. This assessment has to be taken into account for any transfer to the U.S.
  • I was transferring data to a U.S. data importer adherent to the Privacy Shield, what should I do now? Transfers on the basis of this legal framework are illegal. Should you wish to keep on transferring data to the U.S., you would need to check whether you can do so under the conditions laid down below.
  • I am using SCCs with a data importer in the U.S., what should I do? The Court found that U.S. law (i.e., Section 702 FISA and EO 12333) does not ensure an essentially equivalent level of protection. Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee. If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However, if you are intending to keep transferring data despite this conclusion, you must notify your competent SA.
  • I am using Binding Corporate Rules (“BCRs”) with an entity in the U.S., what should I do? Given the judgment of the Court, which invalidated the Privacy Shield because of the degree of interference created by the law of the U.S. with the fundamental rights of persons whose data are transferred to that third country, and the fact that the Privacy Shield was also designed to bring guarantees to data transferred with other tools such as BCRs, the Court’s assessment applies as well in the context of BCRs, since U.S. law will also have primacy over this tool.
  • Whether or not you can transfer personal data on the basis of BCRs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. These supplementary measures along with BCRs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee. If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However if you are intending to keep transferring data despite this conclusion, you must notify your competent SA.
  • Can I rely on one of the derogations of Article 49 GDPR to transfer data to the U.S.? It is still possible to transfer data from the EEA to the U.S. on the basis of derogations foreseen in Article 49 GDPR provided the conditions set forth in this Article apply. The EDPB refers to its guidelines on this provision. In particular, it should be recalled that when transfers are based on the consent of the data subject, it should be:
    • explicit,
    • specific for the particular data transfer or set of transfers (meaning that the data exporter must make sure to obtain specific consent before the transfer is put in place even if this occurs after the collection of the data has been made), and
    • informed, particularly as to the possible risks of the transfer (meaning the data subject should also be informed of the specific risks resulting from the fact that their data will be transferred to a country that does not provide adequate protection and that no adequate safeguards aimed at providing protection for the data are being implemented).
  • With regard to transfers necessary for the performance of a contract between the data subject and the controller, it should be borne in mind that personal data may only be transferred when the transfer is occasional. It would have to be established on a case-by-case basis whether data transfers would be determined as “occasional” or “non-occasional”. In any case, this derogation can only be relied upon when the transfer is objectively necessary for the performance of the contract.
  • In relation to transfers necessary for important reasons of public interest (which must be recognized in EU or Member States’ law), the EDPB recalls that the essential requirement for the applicability of this derogation is the finding of an important public interest and not the nature of the organisation, and that although this derogation is not limited to data transfers that are “occasional”, this does not mean that data transfers on the basis of the important public interest derogation can take place on a large scale and in a systematic manner. Rather, the general principle needs to be respected according to which the derogations as set out in Article 49 GDPR should not become “the rule” in practice, but need to be restricted to specific situations and each data exporter needs to ensure that the transfer meets the strict necessity test.

Further Reading, Other Developments, and Coming Events (28 July)

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 28 July, the House Rules Committee will consider the rule for and amendments to the H.R. 7617—Department of Defense Appropriations Act, 2021 [Defense, Commerce, Justice, Science, Energy and Water Development, Financial Services and General Government, Homeland Security, Labor, Health and Human Services, Education, Transportation, Housing, and Urban Development Appropriations Act, 2021].
  • On 28 July, the Senate Commerce, Science, and Transportation Committee’s Communications, Technology, Innovation, and the Internet Subcommittee will hold a hearing titled “The PACT Act and Section 230: The Impact of the Law that Helped Create the Internet and an Examination of Proposed Reforms for Today’s Online World.”
  • On 28 July the House Science, Space, and Technology Committee’s Investigations and Oversight and Research and Technology Subcommittees will hold a joint virtual hearing titled “The Role of Technology in Countering Trafficking in Persons” with these witnesses:
    • Ms. Anjana Rajan, Chief Technology Officer, Polaris
    • Mr. Matthew Daggett, Technical Staff, Humanitarian Assistance and Disaster Relief Systems Group, Lincoln Laboratory, Massachusetts Institute of Technology
    • Ms. Emily Kennedy, President and Co-Founder, Marinus Analytics
  • On 29 July, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold its sixth hearing on “Online Platforms and Market Power” titled “Examining the Dominance of Amazon, Apple, Facebook, and Google” that will reportedly have the heads of the four companies as witnesses.
  • On 30 July the House Oversight and Reform Committee will hold a hearing on the tenth “Federal Information Technology Acquisition Reform Act” (FITARA) scorecard on federal information technology.
  • On 30 July, the Senate Commerce, Science, and Transportation Committee’s Security Subcommittee will hold a hearing titled “The China Challenge: Realignment of U.S. Economic Policies to Build Resiliency and Competitiveness” with these witnesses:
    • The Honorable Nazak Nikakhtar, Assistant Secretary for Industry and Analysis, International Trade Administration, U.S. Department of Commerce
    • Dr. Rush Doshi, Director of the Chinese Strategy Initiative, The Brookings Institution
    • Mr. Michael Wessel, Commissioner, U.S. – China Economic and Security Review Commission
  • On 4 August, the Senate Armed Services Committee will hold a hearing titled “Findings and Recommendations of the Cyberspace Solarium Commission” with these witnesses:
    • Senator Angus S. King, Jr. (I-ME), Co-Chair, Cyberspace Solarium Commission
    • Representative Michael J. Gallagher (R-WI), Co-Chair, Cyberspace Solarium Commission
    • Brigadier General John C. Inglis, ANG (Ret.), Commissioner, Cyberspace Solarium Commission
  • On 6 August, the Federal Communications Commission (FCC) will hold an open meeting to likely consider the following items:
    • C-band Auction Procedures. The Commission will consider a Public Notice that would adopt procedures for the auction of new flexible-use overlay licenses in the 3.7–3.98 GHz band (Auction 107) for 5G, the Internet of Things, and other advanced wireless services. (AU Docket No. 20-25)
    • Radio Duplication Rules. The Commission will consider a Report and Order that would eliminate the radio duplication rule with regard to AM stations and retain the rule for FM stations. (MB Docket Nos. 19-310, 17-105)
    • Common Antenna Siting Rules. The Commission will consider a Report and Order that would eliminate the common antenna siting rules for FM and TV broadcaster applicants and licensees. (MB Docket Nos. 19-282, 17-105)
    • Telecommunications Relay Service. The Commission will consider a Report and Order to repeal certain TRS rules that are no longer needed in light of changes in technology and voice communications services. (CG Docket No. 03-123)

Other Developments

  • The United States’ (US) Office of Management and Budget (OMB), an agency within the Executive Office of the President, has issued a memorandum in the same vein as other Trump Administration initiatives to increase the US government’s buying of goods and services produced domestically. Noting that 40% of the funds provided by Congress through annual legislation will be spent between 1 July and 30 September (roughly $200 billion), OMB urged federal agencies “to keep the following considerations in mind to support timely awards and maximize return on investment from each taxpayer dollar” among others:
    • Take full advantage of acquisition flexibilities and innovative tools. This week, the President’s Management Agenda unveiled a new cross-agency priority goal (CAP Goal) on “frictionless acquisition.” This CAP Goal creates a management platform to leverage modern buying strategies that have been shown to achieve just-in-time delivery with improved customer satisfaction and enable access to a broader and more innovative suite of companies and solutions. Agencies can review the resources on acquisition innovation and opportunities for collaboration by going to the frictionless CAP Goal on performance.gov.
      • The Goal Statement of this new CAP is “The Federal Government will deliver commercial items at the same speed as the market place & manage customers’ delivery expectations for acquisitions of non-commercial items by breaking down barriers to entry using modern business practices and technologies” as explained in a detailed presentation on frictionless acquisition released this month.
    • Use the resources of category management. As part of the ongoing transformation of federal acquisition, procurement involving common needs has been organized around categories of spending led by market experts who share business intelligence and help agencies avoid duplicative contracting work. This business structure has saved taxpayers more than $27 billion since FY 2016 and made it much easier for buyers to make rapid, well-informed decisions on how best to acquire IT hardware, security, consulting services and many other every day needs that account for more than half of all contract spending. To stay current with market trends and available federal solutions, agencies should bookmark the category management dashboards on the acquisition gateway at https://hallways.cap.gsa.gov/app/#/.
    • Buy American. E.O. 13881 strengthens the general preference for American-made goods and, for the first time in 65 years, increases the percentage of U.S. manufactured content that must be in a product to qualify for the preference, including a very high standard for iron and steel. Agencies are encouraged to work with the Federal Acquisition Regulatory Council (FAR Council) to consider early implementation, as appropriate, while the rulemaking process proceeds.
    • In a related memorandum issued earlier this month, OMB asserted
      • Under the President’s Management Agenda and the leadership of OMB’s Office of Federal Procurement Policy (OFPP), the Administration has elevated the importance of acquisition innovation and category management as key pillars of a modernized procurement system. These pillars are proving to be critical assets in the face of market conditions that require heightened agility and the ongoing need for physical distancing as communities take steps to reopen. We are seeing smart use of existing contract vehicles and resources, supported by our category management market experts, such as for cleaning and disinfection, information technology related to telework and healthcare, and enhanced entry screening services. We are also seeing growing examples of agencies leveraging innovative business practices, such as virtual acquisitions, that save time and enable acquisitions to continue where they might otherwise have been stopped.
      • OMB went on to detail best practices and examples in how agencies have adapted their procurement authority to the pandemic commensurate with ongoing Administration priorities such as category management.
  • Senator Amy Klobuchar (D-MN) and some of her Democratic colleagues wrote Attorney General William Barr “to raise serious concerns regarding Google LLC’s (Google) proposed acquisition of Fitbit, Inc. (Fitbit)”. They stated
    • We are aware that the Antitrust Division of the Department of Justice is investigating this transaction and has issued a Second Request to gather additional information about the acquisition’s potential effects on competition. Amid reports that Google is offering modest, short-term concessions to overseas enforcers to avoid a full-scale investigation of the transaction in Europe, we write to urge the Division to continue with its efforts to conduct a thorough and comprehensive review of this proposed merger and to take any and all enforcement action warranted by the law and the evidence.
    • This letter comes at a time when the Department of Justice is considering Google’s potential antitrust practices and whether to file suit. The European Commission is also investigating the Google acquisition of FitBit.
    • Klobuchar is the Ranking Member of the Senate Judiciary Committee’s Antitrust, Competition Policy and Consumer Rights Subcommittee and was joined on the letter by Senators Richard Blumenthal (D-CT), Cory Booker (D-NJ), Mazie K. Hirono (D-HI), Sherrod Brown (D-OH), Mark Warner (D-VA), and Elizabeth Warren (D-MA).
  • Facebook and members of a class action and their attorneys have reached a second settlement in a suit brought under Illinois’ “Biometric Information Privacy Act” after a first settlement was rejected by the judge overseeing Patel, et al. v. Facebook, Inc. In January, the plaintiffs and Facebook agreed on a $550 million settlement to resolve claims the social media giant used and stored people’s images contrary to the Illinois ban on such practices absent explicit consent. Facebook faced liability of up to $5000 per person affected and more than $40 billion in total potential liability. However, the judge thought the settlement was too low considering the Illinois legislature expressed its intention that violations would be punished more on the order of $1000 per person. Now, the parties have added $100 million, arriving at a $650 million settlement the judge will still need to bless.
  • Secretary of State Mike Pompeo made a speech at the Ronald Reagan Library “to make clear that the threats to Americans that President Trump’s China policy aims to address are clear and our strategy for securing those freedoms established.” Pompeo’s speech is the fourth in a series of Trump Administration officials making the Administration’s case against the People’s Republic of China (PRC), in some cases conflating PRC’s vying with the United States worldwide with the COVID-19 pandemic, suggesting the PRC is responsible for the course of the virus in the US and not Trump Administration policy.
  • The Department of Defense’s National Security Agency (NSA) and Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) “released an advisory for critical infrastructure Operational Technology (OT) and Industrial Controls Systems (ICS) assets to be aware of current threats we observe, prioritize assessing their cybersecurity defenses and take appropriate action to secure their systems.” The agencies asserted “[d]ue to the increase in adversary capabilities and activities, the criticality to U.S. national security and way of life, and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to harm to US interests or retaliate for perceived US aggression.”
  • The Secretary of Defense released a memorandum for Department of Defense (DOD) regarding “poor Proper Operations Security (OPSEC) practices within DOD in the past have resulted in the unauthorized disclosure or “leaks” of controlled unclassified information (CUI), including information to be safeguarded under the CUI category for OPSEC, as well as classified national security information (together referred to here as “non-public information”).” Secretary of Defense Mark Esper asserted “[o]ngoing reviews reveal a culture of insufficient OPSEC practices and habits within the DOD” and stated “[m]y goal, through an OPSEC campaign, is to change that culture across DOD by reminding DOD personnel.”
  • The United Kingdom’s Information Commissioner’s Office (ICO) published its annual report for 2019-2020, “covering what the Information Commissioner has called a “transformative period” for privacy and data protection and broader information rights.” The ICO offered these highlights:
    • Supporting and protecting the public and organisations
      • The Age Appropriate Design Code, introduced by the Data Protection Act 2018, was published in January. When it comes into full effect, it will help steer businesses to comply with current information rights legislation.
      • We intervened in the High Court case on the use of facial recognition technology by the South Wales Police as part of our work to ensure that the use of this technology does not infringe people’s rights.  As a response to the judgement, we issued the first Commissioner’s Opinion.
      • Our new freedom of information strategy was launched which sets out how we work to create a culture of openness in public authorities.  It also commits us to making the case for reform of the access to information law as set out previously in our Outsourcing Oversight report.
      • In figures:
        • We received 38,514 data protection complaints.
        • We closed 39,860 data protection cases (up from 34,684 in 2018/19).
        • We received 6,367 freedom of information complaint cases.
    • Enforcement
      • We took regulatory action 236 times in response to breaches of the legislation that we regulate. That included 54 information notices, eight assessment notices, seven enforcement notices, four cautions, eight prosecutions and 15 fines.  
      • Over 2,100 investigations were conducted.
    • Innovation
      • Through our successful regulatory sandbox service, we have worked with a number of innovative organisations of all sizes to explore new data uses in a safe way while helping to ensure their customers’ privacy.
      • We also received additional resources from the government’s regulators innovation fund to set up a hub with other regulators to streamline and reduce burdens on businesses and public services using data.
      • In January, we launched our consultation on an AI framework to allow the auditing and assessment of the risk associated with AI applications and how to ensure their use is transparent, fair and accountable.
    • International
      • On a global scale, we continue to chair the Global Privacy Assembly, driving forward the development of the assembly into an international network that can have an impact on key data protection issues across the year. This helps to protect UK citizen’s personal data as it crosses borders and helps UK businesses operating internationally.
      • Due to the period covered by the report it does not reflect the impact of COVID-19 although, acknowledging the pandemic, Ms Denham said: “The digital evolution of the past decade has accelerated at a dizzying speed in the past few months. Digital services are now central to how so many of us work, entertain ourselves and talk to friends and family.”

Further Reading

  • “The Twitter Hacks Have to Stop” – The Atlantic. Bruce Schneier makes the case that the United States and other western democracies must step in and regulate vital platforms like Twitter for security and size given the central role they play in most societies. Letting these companies implement their own security without oversight or transparency has led to a situation where the accounts of world leaders or government agencies are vulnerable to hacks and misinformation. Schneier thinks the size and dominance of Twitter, Facebook, etc. is a major part of this problem that must also be addressed.
  • “US and Australia set to launch campaign to counter disinformation” – Sydney Morning Herald. Two of the Five Eyes allies met in Washington on 27 July for their annual Australia-U.S. Ministerial Consultations (AUSMIN) and part of their planning on how to counter the People’s Republic of China (PRC) is working together on an effort to address the PRC’s disinformation campaigns. The already close relationship between Washington and Canberra has deepened as tensions between the United States (US) and PRC continue to escalate. However, the US and Australia are framing this initiative as aiming to counter all disinformation in the Indo-Pacific region, suggesting other nations may be waging disinformation campaigns of concern, including the Russian Federation and the Democratic People’s Republic of Korea.
  • “Russia’s GRU Hackers Hit US Government and Energy Targets” – WIRED. Starting in December 2018, APT28 (aka Fancy Bear), a Russian hacking group, targeted and penetrated a number of United States (US) entities, including federal and state governments, educational institutions, and energy companies. APT28 is closely associated with Glavnoye razvedyvatel’noye upravleniye (GRU), the Main Directorate of the General Staff of the Armed Forces of the Russian Federation and is the entity behind the takedowns of Ukraine’s electrical grid in 2015 and 2016 among other high profile hacks and attacks. The timing of these attacks, sometimes executed as phishing attacks, is interesting for it comes after US Cyber Command and possibly the Central Intelligence Agency (CIA) took down Russia’s Internet Research Agency and took other actions designed to deter Russian interference in the 2019 mid-term elections in November 2018.
  • “‘Hurting People At Scale’ – Facebook’s Employees Reckon With The Social Network They’ve Built” – BuzzFeed News. This article documents the dissent and turmoil inside the company about content moderation, which some see the social media giant doing dismally. Some employees and ex-employees are taking issue with how CEO Mark Zuckerberg and his leadership are acting or not to take down extreme and violent content.
  • “Big Tech Funds a Think Tank Pushing for Fewer Rules. For Big Tech.” – The New York Times. The Global Antitrust Institute at George Mason University’s Antonin Scalia Law School has been pushing for less regulation of antitrust statutes and regulations, especially in “educating” antitrust officials at conferences. It has also been financially supported by large technology companies which benefit from these policies and has not been transparent about its funding or the extent to which these companies’ positions on antitrust inform its efforts and output. A similar New York Times investigation into other Washington DC think tanks exposed the transactional nature of some of these institutions, donors, and positions.

PRC Legislation and Report

The chair and ranking member of a Senate committee mark out their perspectives on how the US should change its foreign policy to address the PRC.

Before the Senate Foreign Relations Committee held its hearing on competition between the United States (US) and the People’s Republic of China (PRC), committee Republicans and the top Democrat articulated their views on how the US should respond to the PRC’s rise in the form of legislation for the former and a report for the latter. There is agreement that the PRC’s actions pose problems for the US in a variety of ways, but there are significant differences in the proposed policy solutions to the PRC. A significant constraint that should be acknowledged is the set of Constitutional limits on how far Congress can direct or influence the powers of the President to conduct foreign policy. Consequently, these Members direct the executive branch to report on certain ideal actions, which can create pressure on Administration officials to comply so long as there is no conflict with current Administration policy.

Chair Jim Risch (R-ID), East Asia, The Pacific, and International Cybersecurity Policy Subcommittee Chair Cory Gardner (R-CO), Near East, South Asia, Central Asia, and Counterterrorism Subcommittee Chair Mitt Romney (R-UT), and Multilateral International Development, Multilateral Institutions, and International Economic, Energy, and Environmental Policy Subcommittee Chair Todd Young (R-IN) introduced the “Strengthening Trade, Regional Alliances, Technology, and Economic and Geopolitical Initiatives Concerning China Act” (STRATEGIC Act) (S.4272), a comprehensive package of policy and funding changes the US should make to counter the rise of the PRC, some of which necessarily pertains to technology issues.

In their press release, Risch, Gardner, Romney, and Young highlighted “[k]ey provisions:”

  • Tackle China’s economic practices that distort global markets and hurt U.S. businesses, especially intellectual property (IP) theft and mass government subsidization and sponsorship of Chinese companies.
  • Confront tech competition by increasing technology collaboration with allies and partners.
  • Safeguard institutions from malign and undue PRC influence.
  • Strengthen U.S. posture in the Indo-Pacific to protect its interests, allies, and partners.
  • Prioritize cooperation over conflict when possible on areas such as arms control, North Korea, and the environment, if the PRC demonstrates good faith and transparency.

The STRATEGIC Act would, among other things, do the following:

  • Not later than 1 year after the date of the enactment of this Act, and not less frequently than annually thereafter, the Secretary of State, in coordination with the Secretary of Commerce, the United States Trade Representative, and the Director of National Intelligence, shall create a list (referred to in this section as the ‘‘intellectual property violators list’’), which identifies all centrally administered, state-owned enterprises:
    • a significant act or series of acts of intellectual property theft that subjected a United States economic sector or particular company incorporated in the United States to harm; or
    • an act or government policy of involuntary or coerced technology transfer of intellectual property ultimately owned by a company incorporated in the United States.
  • Not later than 1 year after the date of the enactment of this Act, and annually thereafter, the Secretary of State, in coordination with the United States Trade Representative and the Secretary of Commerce, shall publish an unclassified report in the Federal Register that comprehensively identifies and measures—
    • subsidies provided by the Government of the PRC to enterprises in the PRC in contravention of agreed trade and other rules; and
    • discriminatory treatment favoring enterprises in the PRC over foreign market participants.
  • The President, acting through the Secretary of Commerce, and in consultation with the Secretary of State and any other individuals the President determines should be consulted, shall issue regulations requiring United States entities with at least $100,000,000 of assets or other investment in the PRC to submit a semiannual report regarding the impact of the corporate social credit system on the ability of such United States companies to conduct business or otherwise operate in the PRC.
  • Not later than 180 days after the date of the enactment of this Act, and annually thereafter for the following 5 years, the Secretary of State, in consultation with the Director of National Intelligence and the Secretary of the Treasury, shall submit an unclassified report to the appropriate congressional committees that describes the risks posed to the United States by the presence in United States capital markets of companies incorporated in the PRC.
  • The Secretary of State, in coordination with the heads of other participating executive branch agencies, shall establish and develop a program to facilitate and encourage regular dialogues between United States Government regulatory and technical agencies and their counterpart organizations in allied and partner countries, both bilaterally and in relevant multilateral institutions and organizations
  • The Secretary of State, in coordination with the Secretary of Commerce, is authorized to establish a program to facilitate the contracting by United States embassies for the professional services of qualified experts, on a reimbursable fee for service basis, to assist interested United States persons and business entities with supply chain management issues related to the PRC
  • The President, acting through the Secretary of State, should undertake regular efforts to coordinate with other members of the coalition…to establish and advocate for norms, standards, and regulations to ensure that the development and application of new and emerging technologies uphold the goals of shared prosperity, security, and commitment to human rights, including through engagement in international organizations and standards-setting bodies
  • The President shall establish an interagency working group to provide assistance and technical expertise to enhance the representation and leadership of the United States at international bodies that set standards for equipment, systems, software, and virtually-defined networks that support 5th and future generations mobile telecommunications systems and infrastructure, such as the International Telecommunication Union and the 3rd Generation Partnership Project; and work with allies, partners, and the private sector to increase productive engagement.
  • The President may issue a finding that a country constitutes a significant threat to the national security of the United States and should be designated a ‘country of national security concern’
  • Ban Senate confirmed Department of State officials from representing countries of national security concern and ban the confirmation by the Senate for Department of State nominees who have represented such nations.
  • The Secretary of State shall establish, within the Bureau of International Organization Affairs of the Department of State, the Office of Integrity in the United Nations System
  • Not later than 180 days after the date of the enactment of this Act, the Secretary of State, in consultation with the Secretary of Agriculture, the Administrator of the United States Agency for International Development, the Director of the United States Fish and Wildlife Service, the Administrator of the National Oceanic and Atmospheric Administration, and the heads of other relevant Federal agencies, as appropriate, shall develop a strategy for cooperation with the PRC to combat wildlife and related trafficking

Also, before the Senate Foreign Relations Committee’s hearing on the People’s Republic of China, Ranking Member Bob Menendez (D-NJ) released a report, “The New Big Brother: China and Digital Authoritarianism,” a year-long “effort to provide a holistic study of the threats posed to the United States, our allies, and the international community” by “digital authoritarianism” defined as “[t]he use of information and communications technology (ICT) products and services to surveil, repress, and manipulate domestic and foreign populations.” Menendez offers targeted proposals so the US can push back on the digital authoritarianism of the PRC and other nations such as the Russian Federation. Some of these ideas could get folded into the STRATEGIC Act or similar legislation in order to garner Democratic support for a Republican bill.

Menendez explained the problem:

  • The growth and development of the digital domain worldwide has fundamentally changed how individuals, companies, and nations interact, work, and communicate – and with it the structure of global governance. Digitally-enabled technologies ranging from the Internet to mobile communications to emerging technologies, such as artificial intelligence, are accelerating the transmittal and receiving of information, enabling greater trade interactions and economic development, securing communications for our military and our allies, and aiding in the development of even newer, more capable technologies, amongst many other benefits. The United States has not only played a primary role in developing these new technologies, but it has worked to ensure the digital domain operates with openness, stability, reliability, interoperability, security, and respect for human rights.
  • These principles are under threat from authoritarian regimes, however, which see the advent of new technologies in a far more sinister light: as a means of surveilling and controlling populations, stifling the free flow of information, ensuring the survival of their governments, and as tools for malign influence campaigns worldwide. While multiple authoritarian governments have begun to utilize the digital domain in this manner, the People’s Republic of China is at the forefront of developing and expanding a new, different, and deeply troubling governance model for the digital domain: digital authoritarianism.
  • The rise of this new and worrying model of digital authoritarianism holds the potential to fundamentally alter the character of the digital domain.

In the cover letter to the report, Menendez asserted:

The report’s comprehensive analysis of China’s digital authoritarianism describes how the People’s Republic of China is successfully developing and implementing its malign governance model internally and, increasingly, making inroads with other countries to also embrace its new digital doctrine. It further illustrates how the expansion of digital authoritarianism in China and abroad has drastic consequences for U.S. and allied security interests, the promotion of human rights, and the future stability of cyberspace. Consequently, the report calls for a series of both Congressional and Executive actions designed to counter China’s efforts to expand its model of digital authoritarianism; to strengthen U.S. technological innovation; and, to reinvigorate our diplomatic endeavors around the globe on digital issues.

In a separate document, Menendez pulled out the key findings and recommendations made by staff:

Key Findings

  • China’s efforts to advance and proliferate its information and communications technology (ICT) hardware and systems, both in China and overseas, represent not only a desire to continually expand its economy, but also a push to establish, expand, internationalize, and institutionalize a model for digital governance that this report describes as “digital authoritarianism.”
  • If left unchecked, China, not the U.S. and our allies, will write the rules of the digital domain, opening the doors for digital authoritarianism to govern the Internet and associated technologies.
  • To CCP leadership, the digital domain is a space that must be controlled by the Party. As such, development of new digitally enabled technologies must operate in line with Party principles. Without such control, CCP leaders fear these technologies could weaken the CCP’s hold over its citizens.
  • By building out so much of the digital infrastructure in the developing world, China could end up dominating a large portion of the global communications market, positioning it to potentially pressure other governments or conduct espionage.
  • At the United Nations, China has played a counterproductive role in efforts to build consensus on a free and fair future of cyberspace. China’s behavior echoes its consistent undermining of UN efforts that could highlight its own poor human rights record.
  • The Administration’s current policy is insufficient to combat China’s digital authoritarianism, and its alienation of allies has further stunted the United States’ ability to influence other countries away from China’s digital authoritarianism model.
  • The surveillance system in Xinjiang has aided in the detention of possibly more than 2 million Uyghurs, ethnic Kazakhs, and members of other Muslim groups in Xinjiang, according to the U.S. State Department. In Xinjiang, Chinese government and police authorities retain what amounts to near absolute control of the entire ICT domain, and, through that control, have been able to repress and subjugate Uyghurs and other ethnic minorities in the region.
  • Foreign technology platforms are restricted from operating in China, allowing Chinese platforms that offer similar services to thrive and expand into new markets. Thanks to this market inefficiency, China now retains some of the most valuable Internet companies in the world by market capitalization, including Alibaba, Tencent, and Baidu.
  • The United States currently does not have a domestic 5G supplier for the equipment that makes up the Radio Access Network (RAN) for 5G. Instead, countries seeking viable alternatives to Chinese 5G RAN infrastructure rely on companies such as Swedish company Ericsson, South Korea-based Samsung, or Finnish firm Nokia to build out core components of their layer of the 5G infrastructure.
  • The United States could find a future advantage by leading on mmWave technologies, since 1) this band is the spectrum where ultra-fast innovations may arise and 2) a fully actualized 5G network will see devices seamlessly utilize and transition between both the sub-6 and mmWave bands.

Recommendations

  • It is critical that the United States government stimulate technological innovation in the United States by increasing government research and development funding, adopting a more extensive industrial policy, developing and attracting superior talent to the United States’ technology sector, strengthening bilateral and multilateral technology initiatives with like-minded allies and partners, and ensuring a competitive advantage for domestic companies in overseas markets.
  • Create an Industry Consortium on 5G: Congress should create a consortium comprised of leading U.S. telecommunications and technology companies that would be mandated to create the American 5G telecommunications alternative, exploring both cost-effective hardware and software solutions.
  • Establish a Digital Rights Promotion Fund: Congress should establish and authorize a Digital Rights Promotion Fund, which will provide grants and investments directly to entities that support the promotion of a free, secure, stable, and open digital domain and fight against the authoritarian use of information and communications technologies. The fund will provide these groups, especially those existing in countries experiencing undue surveillance or other forms of digital authoritarianism, the resources needed to better push back against the spread of digital authoritarianism. Groups able to receive money would include:
    • Local activist organizations promoting a free digital domain and working to counter oppressive surveillance regimes in countries where digital authoritarianism is apparent or on the rise.
    • Nonprofit organizations that advocate for the adoption of international governance standards for the digital domain based on openness, transparency, and the rule of law, including the protection of human rights.
    • Think tanks and other institutional bodies that provide scholarship and policy recommendations for best paths forward to protect against the rise of authoritarian surveillance.
  • Establish a Cyber Service Academy: Through legislative action, Congress should establish a new federal service academy similar to our other military service academies, with the specific aim of developing the future of our technology force. In addition to providing students a four year undergraduate education, the academy shall prepare students to become future military leaders in key digital and emerging technology fields, including robotics, artificial intelligence (AI), and cybersecurity.
  • Build a Coalition of Likeminded Allies on Critical Technology Issues: The President should lead an international effort, in coordination with our allies and partners, to counter Chinese efforts to develop and proliferate digital domain products, technologies, and services that are not predicated on free, democratic values.
  • Establish and Empower New Cyber Leadership within the State Department: Congress should pass the Cyber Diplomacy Act of 2019, or similar legislation, that establishes a new office or bureau of cyber issues at the State Department, which shall report to the Under Secretary for Political Affairs.

Further Reading, Other Developments, and Coming Events (24 July)

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 27 July, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold its sixth hearing on “Online Platforms and Market Power” titled “Examining the Dominance of Amazon, Apple, Facebook, and Google” that will reportedly have the heads of the four companies as witnesses.
  • On 28 July, the Senate Commerce, Science, and Transportation Committee’s Communications, Technology, Innovation, and the Internet Subcommittee will hold a hearing titled “The PACT Act and Section 230: The Impact of the Law that Helped Create the Internet and an Examination of Proposed Reforms for Today’s Online World.”
  • On 28 July the House Science, Space, and Technology Committee’s Investigations and Oversight and Research and Technology Subcommittees will hold a joint virtual hearing titled “The Role of Technology in Countering Trafficking in Persons” with these witnesses:
    • Ms. Anjana Rajan, Chief Technology Officer, Polaris
    • Mr. Matthew Daggett, Technical Staff, Humanitarian Assistance and Disaster Relief Systems Group, Lincoln Laboratory, Massachusetts Institute of Technology
    • Ms. Emily Kennedy, President and Co-Founder, Marinus Analytics
  • On 28 July, the House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, & Innovation Subcommittee will hold a hearing titled “Secure, Safe, and Auditable: Protecting the Integrity of the 2020 Elections” with these witnesses:
    • Mr. David Levine, Elections Integrity Fellow, Alliance for Securing Democracy, German Marshall Fund of the United States
    • Ms. Sylvia Albert, Director of Voting and Elections, Common Cause
    • Ms. Amber McReynolds, Chief Executive Officer, National Vote at Home Institute
    • Mr. John Gilligan, President and Chief Executive Officer, Center for Internet Security, Inc.
  • On 30 July the House Oversight and Reform Committee will hold a hearing on the tenth “Federal Information Technology Acquisition Reform Act” (FITARA) scorecard on federal information technology.
  • On 30 July, the Senate Commerce, Science, and Transportation Committee’s Security Subcommittee will hold a hearing titled “The China Challenge: Realignment of U.S. Economic Policies to Build Resiliency and Competitiveness” with these witnesses:
    • The Honorable Nazak Nikakhtar, Assistant Secretary for Industry and Analysis, International Trade Administration, U.S. Department of Commerce
    • Dr. Rush Doshi, Director of the Chinese Strategy Initiative, The Brookings Institution
    • Mr. Michael Wessel, Commissioner, U.S. – China Economic and Security Review Commission
  • On 4 August, the Senate Armed Services Committee will hold a hearing titled “Findings and Recommendations of the Cyberspace Solarium Commission” with these witnesses:
    • Senator Angus S. King, Jr. (I-ME), Co-Chair, Cyberspace Solarium Commission
    • Representative Michael J. Gallagher (R-WI), Co-Chair, Cyberspace Solarium Commission
    • Brigadier General John C. Inglis, ANG (Ret.), Commissioner, Cyberspace Solarium Commission
  • On 6 August, the Federal Communications Commission (FCC) will hold an open meeting to likely consider the following items:
    • C-band Auction Procedures. The Commission will consider a Public Notice that would adopt procedures for the auction of new flexible-use overlay licenses in the 3.7–3.98 GHz band (Auction 107) for 5G, the Internet of Things, and other advanced wireless services. (AU Docket No. 20-25)
    • Radio Duplication Rules. The Commission will consider a Report and Order that would eliminate the radio duplication rule with regard to AM stations and retain the rule for FM stations. (MB Docket Nos. 19-310, 17-105)
    • Common Antenna Siting Rules. The Commission will consider a Report and Order that would eliminate the common antenna siting rules for FM and TV broadcaster applicants and licensees. (MB Docket Nos. 19-282, 17-105)
    • Telecommunications Relay Service. The Commission will consider a Report and Order to repeal certain TRS rules that are no longer needed in light of changes in technology and voice communications services. (CG Docket No. 03-123)

Other Developments

  • Slack filed an antitrust complaint with the European Commission (EC) against Microsoft alleging that the latter’s tying Microsoft Teams to Microsoft Office is a move designed to push the former out of the market. A Slack vice president said in a statement “Slack threatens Microsoft’s hold on business email, the cornerstone of Office, which means Slack threatens Microsoft’s lock on enterprise software.” While the filing of a complaint does not mean the EC will necessarily investigate, under its new leadership the EC has signaled in a number of ways its intent to address the size of some technology companies and the effect on competition.
  • The National Institute of Standards and Technology (NIST) has issued for comment the 2nd Draft of NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM). NIST claimed this guidance document “promotes greater understanding of the relationship between cybersecurity risk management and ERM, and the benefits of integrating those approaches…[and] contains the same main concepts as the initial public draft, but their presentation has been revised to clarify the concepts and address other comments from the public.” Comments are due by 21 August 2020.
  • The United States National Security Commission on Artificial Intelligence (NSCAI) published its Second Quarter Recommendations, a compilation of policy proposals made this quarter. NSCAI said it is still on track to release its final recommendations in March 2021. The NSCAI asserted:
    • The recommendations are not a comprehensive follow-up to the interim report or first quarter memorandum. They do not cover all areas that will be included in the final report. This memo spells out recommendations that can inform ongoing deliberations tied to policy, budget, and legislative calendars. But it also introduces recommendations designed to build a new framework for pivoting national security for the artificial intelligence (AI) era.
    • The NSCAI stated it “has focused its analysis and recommendations on six areas:
    • Advancing the Department of Defense’s internal AI research and development capabilities. The Department of Defense (DOD) must make reforms to the management of its research and development (R&D) ecosystem to enable the speed and agility needed to harness the potential of AI and other emerging technologies. To equip the R&D enterprise, the NSCAI recommends creating an AI software repository; improving agency- wide authorized use and sharing of software, components, and infrastructure; creating an AI data catalog; and expanding funding authorities to support DOD laboratories. DOD must also strengthen AI Test and Evaluation, Verification and Validation capabilities by developing an AI testing framework, creating tools to stand up new AI testbeds, and using partnered laboratories to test market and market-ready AI solutions. To optimize the transition from technological breakthroughs to application in the field, Congress and DOD need to reimagine how science and technology programs are budgeted to allow for agile development, and adopt the model of multi- stakeholder and multi-disciplinary development teams. Furthermore, DoD should encourage labs to collaborate by building open innovation models and a R&D database.
    • Accelerating AI applications for national security and defense. DOD must have enduring means to identify, prioritize, and resource the AI-enabled applications necessary to fight and win. To meet this challenge, the NSCAI recommends that DOD produce a classified Technology Annex to the National Defense Strategy that outlines a clear plan for pursuing disruptive technologies that address specific operational challenges. We also recommend establishing mechanisms for tactical experimentation, including by integrating AI-enabled technologies into exercises and wargames, to ensure technical capabilities meet mission and operator needs. On the business side, DOD should develop a list of core administrative functions most amenable to AI solutions and incentivize the adoption of commercially available AI tools.
    • Bridging the technology talent gap in government. The United States government must fundamentally re-imagine the way it recruits and builds a digital workforce. The Commission envisions a government-wide effort to build its digital talent base through a multi-prong approach, including: 1) the establishment of a National Reserve Digital Corps that will bring private sector talent into public service part-time; 2) the expansion of technology scholarship for service programs; and, 3) the creation of a national digital service academy for growing federal technology talent from the ground up.
    • Protecting AI advantages for national security through the discriminate use of export controls and investment screening. The United States must protect the national security sensitive elements of AI and other critical emerging technologies from foreign competitors, while ensuring that such efforts do not undercut U.S. investment and innovation. The Commission proposes that the President issue an Executive Order that outlines four principles to inform U.S. technology protection policies for export controls and investment screening, enhance the capacity of U.S. regulatory agencies in analyzing emerging technologies, and expedite the implementation of recent export control and investment screening reform legislation. Additionally, the Commission recommends prioritizing the application of export controls to hardware over other areas of AI-related technology. In practice, this requires working with key allies to control the supply of specific semiconductor manufacturing equipment critical to AI while simultaneously revitalizing the U.S. semiconductor industry and building the technology protection regulatory capacity of like-minded partners. Finally, the Commission recommends focusing the Committee on Foreign Investment in the United States (CFIUS) on preventing the transfer of technologies that create national security risks. This includes a legislative proposal granting the Department of the Treasury the authority to propose regulations for notice and public comment to mandate CFIUS filings for investments into AI and other sensitive technologies from China, Russia and other countries of special concern. The Commission’s recommendations would also exempt trusted allies and create fast tracks for vetted investors.
    • Reorienting the Department of State for great power competition in the digital age. Competitive diplomacy in AI and emerging technology arenas is a strategic imperative in an era of great power competition. Department of State personnel must have the organization, knowledge, and resources to advocate for American interests at the intersection of technology, security, economic interests, and democratic values. To strengthen the link between great power competition strategy, organization, foreign policy planning, and AI, the Department of State should create a Strategic Innovation and Technology Council as a dedicated forum for senior leaders to coordinate strategy and a Bureau of Cyberspace Security and Emerging Technology, which the Department has already proposed, to serve as a focal point and champion for security challenges associated with emerging technologies. To strengthen the integration of emerging technology and diplomacy, the Department of State should also enhance its presence and expertise in major tech hubs and expand training on AI and emerging technology for personnel at all levels across professional areas. Congress should conduct hearings to assess the Department’s posture and progress in reorienting to address emerging technology competition.
    • Creating a framework for the ethical and responsible development and fielding of AI. Agencies need practical guidance for implementing commonly agreed upon AI principles, and a more comprehensive strategy to develop and field AI ethically and responsibly. The NSCAI proposes a “Key Considerations” paradigm for agencies to implement that will help translate broad principles into concrete actions.
  • The Danish Defence Intelligence Service’s Centre for Cyber Security (CFCS) released its fifth annual assessment of the cyber threat against Denmark and concluded:
    • The cyber threat poses a serious threat to Denmark. Cyber attacks mainly carry economic and political consequences.
    • Hackers have tried to take advantage of the COVID-19 pandemic. This constitutes a new element in the general threat landscape.
    • The threat from cyber crime is VERY HIGH. No one is exempt from the threat. There is a growing threat from targeted ransomware attacks against Danish public authorities and private companies.
    • The threat from cyber espionage is VERY HIGH. The threat is especially directed against public authorities dealing with foreign and security policy issues as well as private companies whose knowledge is of interest to foreign states.
    • The threat from destructive cyber attacks is LOW. It is less likely that foreign states will launch destructive cyber attacks against Denmark. Private companies and public authorities operating in conflict-ridden regions are at a greater risk from this threat.
    • The threat from cyber activism is LOW. Globally, the number of cyber activism attacks has dropped in recent years, and cyber activists rarely focus on Danish public authorities and private companies.
    • The threat from cyber terrorism is NONE. Serious cyber attacks aimed at creating effects similar to those of conventional terrorism presuppose a level of technical expertise and organizational resources that militant extremists, at present, do not possess. Also, the intention remains limited.
    • The technological development, including the development of artificial intelligence and quantum computing, creates new cyber security possibilities and challenges.

Further Reading

  • “Accuse, Evict, Repeat: Why Punishing China and Russia for Cyberattacks Fails” – The New York Times. This piece points out that the United States (US) government is largely using 19th Century responses to address 21st Century conduct by expelling diplomats, imposing sanctions, and indicting hackers. Even a greater use of offensive cyber operations does not seem to be deterring the US’s adversaries. It may turn out that the US and other nations will need to focus more on defensive measures and securing their valuable data and information.
  • “New police powers to be broad enough to target Facebook” – Sydney Morning Herald. On the heels of a 2018 law that some argue will allow the government in Canberra to order companies to decrypt users’ communications, Australia is considering the enactment of new legislation because of concern among the nation’s security services about end-to-end encryption and dark browsing. In particular, Facebook’s proposed changes to secure its networks are seen as fertile ground for criminals, especially those seeking to prey on children sexually.
  • “The U.S. has a stronger hand in its tech battle with China than many suspect” – The Washington Post. A national security writer makes the case that the cries that the Chinese are coming may prove as overblown as similar claims made about the Japanese during the 1980s and the Russians during the Cold War. The Trump Administration has used some levers that may appear to impede the People’s Republic of China’s attempt to displace the United States. In all, this writer is calling for more balance in viewing the PRC and some of the challenges it poses.
  • “Facebook is taking a hard look at racial bias in its algorithms” – Recode. After a civil rights audit that was critical of Facebook, the company is assembling and deploying teams to try to deal with the biases in its algorithms on Facebook and Instagram. Critics doubt the efforts will turn out well because economic incentives are aligned against rooting out such biases and because of the lack of diversity at the company.
  • “Does TikTok Really Pose a Risk to US National Security?” – WIRED. This article asserts TikTok is probably no riskier than other social media apps even with the possibility that the People’s Republic of China (PRC) may have access to user data.
  • “France won’t ban Huawei, but encouraging 5G telcos to avoid it: report” – Reuters. Unlike the United States, the United Kingdom, and others, France will not outright ban Huawei from its 5G networks but will instead encourage its telecommunications companies to use European manufacturers. Some companies already have Huawei equipment on their networks and may receive authorization to use the company’s equipment for up to five more years. However, France is not planning on extending authorizations past that deadline, which will function as a de facto sunset. In contrast, authorizations for Ericsson or Nokia equipment were provided for eight years. The head of France’s cybersecurity agency stressed that France was not seeking to move against the People’s Republic of China (PRC) but is responding to security concerns.


US Indictments Handed Down Against PRC Hackers

Two PRC nationals were indicted for hacking to help their country’s security services and for financial gain in a wide-ranging complaint. The charges come during a time when the DOJ and other US agencies are accusing the PRC of a range of actions that threaten the US and its allies.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

The United States (US) Department of Justice (DOJ) made public two grand jury indictments of nationals of the People’s Republic of China (PRC) who allegedly led long term penetrations and hacking of a range of US public and private sector entities. The DOJ is claiming these hackers both worked closely with PRC government agencies in executing the hacks and sought to benefit financially from these activities. The indictments are the most recent development in the US-PRC dispute that continues to grow seemingly by the day. While it is very unlikely the US will ever succeed in extraditing or apprehending these hackers, many cybersecurity and national security experts see value in “naming and shaming” and filing charges as a means of shaping public opinion and rallying allies and like-minded nations against nations engaged in cyber attacks and hacking.

According to the materials released by the DOJ, these two PRC hackers were detected on the networks of the Department of Energy’s Hanford Site, which is engaged in cleanup from the production of plutonium during the Cold War. This suggests the hackers succeeded in penetrating these networks and possibly others at the Department of Energy. However, the DOJ stressed these hackers’ work in trying to access and exfiltrate information related to COVID-19 research, which echoes the claim made in a May unclassified public service announcement issued by the Federal Bureau of Investigation (FBI) and CISA that named the PRC as a nation waging a cyber campaign against U.S. COVID-19 researchers. It is possible these indictments and that claim are related. Moreover, the DOJ stressed the information these hackers stole from defense contractors and possibly universities involved with defense activities. Incidentally, if the claims are true, it would lend more weight to the Trump Administration’s previously made claims that the PRC is again violating the 2015 agreement struck to stop the “cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”

In the indictment against LI Xiaoyu (李啸宇) and DONG Jiazhi (董家志), the DOJ claimed:

LI and DONG, former classmates at an electrical engineering college in Chengdu, China, used their technical training to hack the computer networks of a wide range of victims, such as companies engaged in high tech manufacturing; civil, industrial, and medical device engineering; business, educational, and gaming software development; solar energy; and pharmaceuticals. More recently, they researched vulnerabilities in the networks of biotech and other firms publicly known for work on COVID-19 vaccines, treatments, and testing technology. Their victim companies were located all over the world, including among other places the United States, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, South Korea, Spain, Sweden, and the United Kingdom.

The DOJ further claimed:

  • The Defendants stole hundreds of millions of dollars’ worth of trade secrets, intellectual property, and other valuable business information. At least once, they returned to a victim from which they had stolen valuable source code to attempt an extortion – threatening to publish on the internet, and thereby destroy the value of, the victim’s intellectual property unless a ransom was paid.
  • LI and DONG did not just hack for themselves. While in some instances they were stealing business and other information for their own profit, in others they were stealing information of obvious interest to the PRC Government’s Ministry of State Security (MSS). LI and DONG worked with, and were assisted by, and operated with the acquiescence of the MSS, including MSS Officer 1, known to the Grand Jury, who was assigned to the Guangdong regional division of the MSS (the Guangdong State Security Department, GSSD).
  • When stealing information of interest to the MSS, LI and DONG in most instances obtained data through computer fraud against corporations and research institutions. For example, from victims including defense contractors in the U.S. and abroad, LI and DONG stole information regarding military satellite programs; military wireless networks and communications systems; high powered microwave and laser systems; a counter-chemical weapons system; and ship-to-helicopter integration systems.

The DOJ added in its statement on the case:

According to the indictment, to gain initial access to victim networks, the defendants primarily exploited publicly known software vulnerabilities in popular web server software, web application development suites, and software collaboration programs.  In some cases, those vulnerabilities were newly announced, meaning that many users would not have installed patches to correct the vulnerability.  The defendants also targeted insecure default configurations in common applications.  The defendants used their initial unauthorized access to place malicious web shell programs (e.g., the “China Chopper” web shell) and credential-stealing software on victim networks, which allowed them to remotely execute commands on victim computers.

The DOJ has filed the following charges and will seek these penalties per the agency’s press release:

  • The indictment charges the defendants with conspiring to steal trade secrets from at least eight known victims, which consisted of technology designs, manufacturing processes, test mechanisms and results, source code, and pharmaceutical chemical structures.  Such information would give competitors a market edge by providing insight into proprietary business plans and savings on research and development costs in creating competing products.
  • The defendants are each charged with one count of conspiracy to commit computer fraud, which carries a maximum sentence of five years in prison; one count of conspiracy to commit theft of trade secrets, which carries a maximum sentence of ten years in prison; one count of conspiracy to commit wire fraud, which carries a maximum sentence of 20 years in prison; one count of unauthorized access of a computer, which carries a maximum sentence of five years in prison; and seven counts of aggravated identity theft, which each carries a mandatory sentence of two non-consecutive years in prison.

The indictments come a few days after US Attorney General William Barr and Assistant Attorney General for National Security John Demers made remarks at separate events that cast the activities of the PRC as existential threats to the US and western democracy. Their remarks continued the Trump Administration’s rhetoric, echoed by many Republicans in Congress, warning of the dangers posed by the PRC and sometimes explicitly or implicitly blaming the nation for the COVID-19 virus as a means of shifting the focus from the Trump Administration’s response that has left the US with higher infection and death rates per capita than any comparable nation. For example, earlier today, in London, in describing his talks with British Foreign Secretary Dominic Raab, Secretary of State Mike Pompeo contended:

We of course began with the challenge presented by the Chinese Communist Party and the COVID-19 virus that originated in Wuhan, China.  On behalf of the American people I want to extend my condolences to the British people from your losses from this preventable pandemic.  The CCP’s exploitation of this disaster to further its own interests has been disgraceful.

Earlier this month, Federal Bureau of Investigation (FBI) Director Christopher Wray delivered a speech at a conservative think tank that continued the Trump Administration’s focus on the PRC that followed the late June speech by National Security Advisor Robert O’Brien at the occasion of the announcement that Taiwan Semiconductor Manufacturing Corporation (TSMC) would build a plant in Arizona. In mid-June at the Copenhagen Democracy Summit Pompeo urged European leaders to work together to address the malign intentions and actions of the PRC that also threaten Europe. And, tomorrow Pompeo will “deliver a speech on Communist China and the future of the free world” at the Richard Nixon Presidential Library in Yorba Linda, California.

In his remarks, Barr compared the US’s situation to the challenges the “free enterprise system” faced at the end of the 1960s within the US and from the former Soviet Union and called on private sector companies to stand together against the economic hegemony Beijing is seeking to enforce in part by coopting these companies and their technology. He lauded the refusal of some large tech companies to cooperate with the PRC’s change in national security law in Hong Kong and urged US firms doing business in the PRC to diversify supply chains and rare earth supplies in order to blunt growing Chinese dominance. Barr called for greater cooperation between the public and private sectors in the name of protecting the US and fending off the PRC.

Barr claimed:

  • The PRC is now engaged in an economic blitzkrieg—an aggressive, orchestrated, whole-of-government (indeed, whole-of-society) campaign to seize the commanding heights of the global economy and to surpass the United States as the world’s preeminent superpower.  A centerpiece of this effort is the Communist Party’s “Made in China 2025” initiative, a plan for PRC domination of high-tech industries like robotics, advanced information technology, aviation, and electric vehicles.  Backed by hundreds of billions of dollars in subsidies, this initiative poses a real threat to U.S. technological leadership.  Despite World Trade Organization rules prohibiting quotas for domestic output, “Made in China 2025” sets targets for domestic market share (sometimes as high as 70 percent) in core components and basic materials for industries such as robotics and telecommunications.  It is clear that the PRC seeks not merely to join the ranks of other advanced industrial economies, but to replace them altogether.
  • “Made in China 2025” is the latest iteration of the PRC’s state-led, mercantilist economic model.  For American companies in the global marketplace, free and fair competition with China has long been a fantasy.  To tilt the playing field to its advantage, China’s communist government has perfected a wide array of predatory and often unlawful tactics: currency manipulation, tariffs, quotas, state-led strategic investment and acquisitions, theft and forced transfer of intellectual property, state subsidies, dumping, cyberattacks, and espionage.  About 80% of all federal economic espionage prosecutions have alleged conduct that would benefit the Chinese state, and about 60% of all trade secret theft cases have had a nexus to China.

Barr added:

Just as consequential, however, are the PRC’s plans to dominate the world’s digital infrastructure through its “Digital Silk Road” initiative.  I have previously spoken at length about the grave risks of allowing the world’s most powerful dictatorship to build the next generation of global telecommunications networks, known as 5G.  Perhaps less widely known are the PRC’s efforts to surpass the United States in other cutting-edge fields like artificial intelligence.  Through innovations such as machine learning and big data, artificial intelligence allows machines to mimic human functions, such as recognizing faces, interpreting spoken words, driving vehicles, and playing games of skill such as chess or the even more complex Chinese strategy game Go.  AI long ago outmatched the world’s chess grandmasters.  But the PRC’s interest in AI accelerated in 2016, when AlphaGo, a program developed by a subsidiary of Google, beat the world champion Go player at a match in South Korea.  The following year, Beijing unveiled its “Next Generation Artificial Intelligence Plan,” a blueprint for leading the world in AI by 2030.  Whichever nation emerges as the global leader in AI will be best positioned to unlock not only its considerable economic potential, but a range of military applications, such as the use of computer vision to gather intelligence.

The PRC’s drive for technological supremacy is complemented by its plan to monopolize rare earth materials, which play a vital role in industries such as consumer electronics, electric vehicles, medical devices, and military hardware.  According to the Congressional Research Service, from the 1960s to the 1980s, the United States led the world in rare earth production. “Since then, production has shifted almost entirely to China,” in large part due to lower labor costs and lighter environmental regulation.

The United States is now dangerously dependent on the PRC for these materials.  Overall, China is America’s top supplier, accounting for about 80 percent of our imports.  The risks of dependence are real.  In 2010, for example, Beijing cut exports of rare earth materials to Japan after an incident involving disputed islands in the East China Sea.  The PRC could do the same to us.

As China’s progress in these critical sectors illustrates, the PRC’s predatory economic policies are succeeding.  For a hundred years, America was the world’s largest manufacturer — allowing us to serve as the world’s “arsenal of democracy.”  China overtook the United States in manufacturing output in 2010.  The PRC is now the world’s “arsenal of dictatorship.”

American companies must understand the stakes.  The Chinese Communist Party thinks in terms of decades and centuries, while we tend to focus on the next quarterly earnings report.  But if Disney and other American corporations continue to bow to Beijing, they risk undermining both their own future competitiveness and prosperity, as well as the classical liberal order that has allowed them to thrive.

Barr asserted:

  • During the Cold War, Lewis Powell — later Justice Powell — sent an important memorandum to the U.S. Chamber of Commerce.  He noted that the free enterprise system was under unprecedented attack, and urged American companies to do more to preserve it.  “[T]he time has come,” he said, “indeed, it is long overdue—for the wisdom, ingenuity and resources of American business to be marshaled against those who would destroy it.”
  • So too today.  The American people are more attuned than ever to the threat that the Chinese Communist Party poses not only to our way of life, but to our very lives and livelihoods.  And they will increasingly call out corporate appeasement.
  • If individual companies are afraid to make a stand, there is strength in numbers.  As Justice Powell wrote: “Strength lies in organization, in careful long-range planning and implementation, in consistency of action over an indefinite period of years, in the scale of financing available only through joint effort, and in the political power available only through united action and national organizations.” 
  • Despite years of acquiescence to communist authorities in China, American tech companies may finally be finding their courage through collective action.  Following the recent imposition of the PRC’s draconian national security law in Hong Kong, many big tech companies, including Facebook, Google, Twitter, Zoom, and LinkedIn, reportedly announced that they would temporarily suspend compliance with governmental requests for user data.  True to form, communist officials have threatened imprisonment for noncompliant company employees.  We will see if these companies hold firm.  I hope they do.  If they stand together, they will provide a worthy example for other American companies in resisting the Chinese Communist Party’s corrupt and dictatorial rule.
  • The CCP has launched an orchestrated campaign, across all of its many tentacles in Chinese government and society, to exploit the openness of our institutions in order to destroy them.  To secure a world of freedom and prosperity for our children and grandchildren, the free world will need its own version of the whole-of-society approach, in which the public and private sectors maintain their essential separation but work together collaboratively to resist domination and to win the contest for the commanding heights of the global economy.  America has done that before.  If we rekindle our love and devotion for our country and each other, I am confident that we—the American people, American government, and American business together—can do it again.  Our freedom depends on it. 

In his speech, Assistant Attorney General for National Security John Demers walked through the DOJ’s efforts in “working with our interagency partners to protect against adversaries that would exploit our country’s open investment climate to harm our national security interests,” most likely a reference to the PRC that echoes Barr’s claim Beijing is taking advantage of the US. Demers discussed recent statutory and regulatory changes in the Committee on Foreign Investment in the United States process, the newly established Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (aka Team Telecom), and the DOJ’s National Security Division’s recently restructured and expanded Foreign Investment Review Section (FIRS) that is charged with crafting and overseeing agreements with companies seeking US government assent to deals involving significant foreign investment. Demers talked in generalities in explaining the Trump Administration’s approach as it pertains to the DOJ except when he referenced a Team Telecom recommendation to revoke the licenses to operate in the US of a PRC telecommunications company.

Demers explained:

  • Looking at the numbers, only very few of the transactions we review are blocked.  That does not necessarily mean the others pose no national security risk; rather, for most transactions that involve national security risk, we are successful in working with companies to craft mitigation measures that enable us to resolve the risk without resort to barring the transaction.  Our ability to negotiate mitigation agreements with parties and then monitor compliance is often overlooked in public discussions of foreign investment review, but that part of our program is absolutely crucial.  For that reason, today I would like to focus on the “back end” or “compliance tail” of our reviewed transactions, and to provide what I hope are some helpful insights into our compliance priorities and how those priorities can inform your own approach to mitigation and compliance.
  • One of the major activities of DOJ’s National Security Division is working with our interagency partners to protect against adversaries that would exploit our country’s open investment climate to harm our national security interests.  This conference is devoted to that aspect of our work, and offers an opportunity to engage with the private sector about the threats we face, the steps taken to address those threats.
  • What I would like to discuss with you today is one specific element of our Division’s foreign investment review work, which is our increasing focus on compliance and enforcement.

Demers stated:

the Department of Justice’s mitigation activities related to foreign investment arise chiefly in the context of two interagency groups: (1) the Committee on Foreign Investment in the United States; and (2) the newly minted Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector.  This new committee was established this past spring by Executive Order, and formalized the process known for years as Team Telecom, but unfortunately burdened it with the nearly unpronounceable acronym of CAFPUSTSS (pronounced caf-PUSS-tiss).  Here, for ease of our conversation, I will set aside this tongue twisting acronym and instead continue to refer to the committee as Team Telecom.

Demers added:

  • In both of these interagency groups, the Department of Justice and our interagency partners can usually resolve national security and law enforcement risks by negotiating mitigation measures with the transaction parties.  Those measures can range from the relatively straightforward, such as routine notice requirements to the very complex – for example, imposing certain governance restrictions.  Once memorialized in a written agreement, we monitor compliance to ensure our identified concerns remain mitigated.
  • Since 2012, the number of mitigation agreements monitored by the Department of Justice has nearly doubled, and this upward trend shows no signs of abating.  Without effective mitigation monitoring by both the government and the parties themselves, the number of reviewed transactions able to clear CFIUS and Team Telecom would be far fewer.  For this reason, robust and effective compliance programs are in the mutual interest of both government and industry.

Finally, Demers remarked:

I would like to make brief mention of recent enforcement activities regarding the U.S. subsidiary of China Telecom, which is a Chinese state-owned entity.  As you may be aware from our April 2020 recommendation to the FCC, the Executive Branch agencies identified substantial and unacceptable national security and law enforcement risks associated with China Telecom’s operations, which is why we recommended that the FCC revoke its licenses.  That recommendation was based on several factors, but many of them relate to the company’s failure to comply with a 2007 mitigation agreement.  Other factors include the company’s inaccurate statements concerning the storage of U.S. records and its cybersecurity policies.  The company’s operations also provided opportunities for P.R.C. state actors to engage in malicious cyber activity enabling economic espionage and disruption and misrouting of U.S. communications.  And, it followed logically that additional mitigation terms would give us no comfort with a party we cannot trust to follow them.  The Foreign Investment Review Section identified those compliance issues through its mitigation monitoring program.  As a result, the Executive Branch agencies concluded that the national security and law enforcement risks associated with China Telecom’s international Section 214 authorizations could not be mitigated by additional mitigation terms.
