Further Reading, Other Developments, and Coming Events (17 November)

Further Reading

  • How the U.S. Military Buys Location Data from Ordinary Apps” By Joseph Cox — Vice’s Motherboard. This article confirms the entirely foreseeable: the Department of Defense and its contractors are obtaining and using personal information from smartphones all over the world. Given this practice is common in United States’ (U.S.) law enforcement agencies, it is little surprise the U.S. military is doing the same. Perhaps the fact the U.S. is doing this has been one of the animating force behind the Trump Administration’s moves against applications from the People’s Republic of China (PRC)?
  • Regulators! Stand Back: Under a Biden administration, Big Tech is set for a field day” By Lizzie O’Shea — The Baffler. This piece argues that a Biden Administration may be little more than a return to the Obama Administration’s favorable view of and largely laissez-faire regulatory approach. At least one expert worries the next administration may do enough on addressing big tech to appear to be doing something but not nearly enough to change the current market and societal dynamics.
  • Cheating-detection companies made millions during the pandemic. Now students are fighting back.” By Drew Harwell — The Washington Post. There are scores of problems with online testing platforms, including weak or easily compromised data security and privacy safeguards. Many students report getting flagged for stretching, looking off-screen, and even needing to go to the restroom. However, the companies in the market are in growth-mode and seem unresponsive to such criticisms.
  • Zuckerberg defends not suspending ex-Trump aide Bannon from Facebook: recording” By Katie Paul — Reuters. On an internal company call, Facebook CEO Mark Zuckerberg defended the platform’s decision not to deactivate former White House advisor Steve Bannon’s account after he “metaphorically” advocated for the beheadings of Federal Bureau of Investigation Director Christopher Wray and National Institute of Allergy and Infectious Diseases (NIAID) Director Anthony Fauci. Zuckerberg also reassured employees that a Biden Administration would not necessarily be entirely adversarial to Facebook.
  • How Trump uses Twitter to distract the media – new research” By Ullrich Ecker, Michael Jetter, and Stephan Lewandowsky — The Conversation. Research backs up the assertion that President Donald Trump has tweeted bizarre non-sequiturs to distract from what he perceived to be negative stories, and it worked because the media reported on the tweets almost every time. Trump is not the only politician or leader using this strategy.
  • Bumble Vulnerabilities Put Facebook Likes, Locations And Pictures Of 95 Million Daters At Risk” By Thomas Brewster — Forbes. Users of the dating app, Bumble, were at risk due to weak security white hacker researchers easily circumvented. Worse still, it took the company months to address and fix these vulnerabilities after being informed.

Other Developments

  • A number of United States (U.S.) election security stakeholders issued a statement, carefully and tactfully refuting the claims of President Donald Trump and other Republicans who have claimed that President-elect Joe Biden won the election only because of massive fraud. These officials declared “[t]he November 3rd election was the most secure in American history” and “[t]here is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.”
    • The officials seemed to flatly contradict Trump and others:
      • While we know there are many unfounded claims and opportunities for misinformation about the process of our elections, we can assure you we have the utmost confidence in the security and integrity of our elections, and you should too.
    • The members of Election Infrastructure Government Coordinating Council (GCC) Executive Committee – Cybersecurity and Infrastructure Security Agency (CISA) Assistant Director Bob Kolasky, U.S. Election Assistance Commission Chair Benjamin Hovland, National Association of Secretaries of State (NASS) President Maggie Toulouse Oliver, National Association of State Election Directors (NASED) President Lori Augino, and Escambia County (Florida) Supervisor of Elections David Stafford – and the members of the Election Infrastructure Sector Coordinating Council (SCC) – Chair Brian Hancock (Unisyn Voting Solutions), Vice Chair Sam Derheimer (Hart InterCivic), Chris Wlaschin (Election Systems & Software), Ericka Haas (Electronic Registration Information Center), and Maria Bianchi (Democracy Works) issued the statement.
  • President Donald Trump signed an executive order that would bar from the United States’ (U.S.) security markets those companies from the People’s Republic of China (PRC) connected to the PRC’s “military-industrial complex.” This order would take effect on 11 January 2021 and seeks, as a matter of national security, to cut off access to U.S. capital for these PRC companies because “the PRC exploits United States investors to finance the development and modernization of its military.” Consequently, Trump declared a national emergency with respect to the PRC’s behavior, which triggers a host of powers at the Administration’s request to deny funds and access to the object of such an order. It remains to be seen whether the Biden Administration will rescind or keep in place this executive order when it takes office ten days after it takes effect. Nevertheless, Trump asserted:
    • that the PRC is increasingly exploiting United States capital to resource and to enable the development and modernization of its military, intelligence, and other security apparatuses, which continues to allow the PRC to directly threaten the United States homeland and United States forces overseas, including by developing and deploying weapons of mass destruction, advanced conventional weapons, and malicious cyber-enabled actions against the United States and its people.
  • Microsoft revealed it has “detected cyberattacks from three nation-state actors targeting seven prominent companies directly involved in researching vaccines and treatments for Covid-19.” Microsoft attributed these attacks to Russian and North Korean hackers and tied the announcement to its participation to the company’s advocacy at the Paris Peace Forum where the United States (U.S.) multinational reiterated its calls for “the world’s leaders to affirm that international law protects health care facilities and to take action to enforce the law.” Microsoft sought to position its cyber efforts among larger diplomatic efforts to define the norms of cyberspace and to bring cyber action into the body of international law. The company asserted:
    • In recent months, we’ve detected cyberattacks from three nation-state actors targeting seven prominent companies directly involved in researching vaccines and treatments for Covid-19. The targets include leading pharmaceutical companies and vaccine researchers in Canada, France, India, South Korea and the United States. The attacks came from Strontium, an actor originating from Russia, and two actors originating from North Korea that we call Zinc and Cerium.
    • Among the targets, the majority are vaccine makers that have Covid-19 vaccines in various stages of clinical trials. One is a clinical research organization involved in trials, and one has developed a Covid-19 test. Multiple organizations targeted have contracts with or investments from government agencies from various democratic countries for Covid-19 related work.
    • Strontium continues to use password spray and brute force login attempts to steal login credentials. These are attacks that aim to break into people’s accounts using thousands or millions of rapid attempts. Zinc has primarily used spear-phishing lures for credential theft, sending messages with fabricated job descriptions pretending to be recruiters. Cerium engaged in spear-phishing email lures using Covid-19 themes while masquerading as World Health Organization representatives. The majority of these attacks were blocked by security protections built into our products. We’ve notified all organizations targeted, and where attacks have been successful, we’ve offered help.
  • The United Kingdom’s (UK) Information Commissioner’s Office (ICO) announced a £1.25 million fine of Ticketmaster UK for failing “to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page” in violation of the General Data Protection Regulation (GDPR). The ICO explained:
    • The breach began in February 2018 when Monzo Bank customers reported fraudulent transactions. The Commonwealth Bank of Australia, Barclaycard, Mastercard and American Express all reported suggestions of fraud to Ticketmaster. But the company failed to identify the problem.
    • In total, it took Ticketmaster nine weeks from being alerted to possible fraud to monitoring the network traffic through its online payment page.
    • The ICO’s investigation found that Ticketmaster’s decision to include the chat-bot, hosted by a third party, on its online payment page allowed an attacker access to customers’ financial details.
    • Although the breach began in February 2018, the penalty only relates to the breach from 25 May 2018, when new rules under the GDPR came into effect. The chat-bot was completely removed from Ticketmaster UK Limited’s website on 23 June 2018.
    • The ICO added:
      • The data breach, which included names, payment card numbers, expiry dates and CVV numbers, potentially affected 9.4million of Ticketmaster’s customers across Europe including 1.5million in the UK.
      • Investigators found that, as a result of the breach, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6,000 cards were replaced by Monzo Bank after it suspected fraudulent use.
      • The ICO found that Ticketmaster failed to:
        • Assess the risks of using a chat-bot on its payment page
        • Identify and implement appropriate security measures to negate the risks
        • Identify the source of suggested fraudulent activity in a timely manner
  • The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation issued an interagency paper titled “Sound Practices to Strengthen Operational Resilience.” The agencies stated the paper “generally describes standards for operational resilience set forth in the agencies’ existing rules and guidance for domestic banking organizations that have average total consolidated assets greater than or equal to (1) $250 billion or (2) $100 billion and have $75 billion or more in average cross-jurisdictional activity, average weighted short-term wholesale funding, average nonbank assets, or average off-balance-sheet exposure.” The agencies explained the paper also:
    • promotes a principles-based approach for effective governance, robust scenario analysis, secure and resilient information systems, and thorough surveillance and reporting.
    • includes an appendix focused on sound practices for managing cyber risk.
    • In the appendix, the agencies stressed they could not “endorse the use of any particular tool,” they did state:
      • To manage cyber risk and assess cybersecurity preparedness of its critical operations, core business lines and other operations, services, and functions firms may choose to use standardized tools that are aligned with common industry standards and best practices. Some of the tools that firms can choose from include the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool, the National Institute of Standards and Technology Cybersecurity Framework (NIST), the Center for Internet Security Critical Security Controls, and the Financial Services Sector Coordinating Council Cybersecurity Profile.
  • A class action was filed in the United Kingdom (UK) against Facebook over the Cambridge Analytica scandal. Facebook You Owe Us announced its legal action “for the illegal use of one million users’ data in the England and Wales.” The campaign claimed:
    • Group legal actions like Facebook You Owe Us will pave the way for consumers in the UK to gain redress and compensation for the persistent mass misuse of personal data by the world’s largest companies.  
    • Facebook has exhibited a pattern of unethical behaviour including allegations of election interference and failing to remove fake news. The Information Commissioners Office noted when issuing a £500,000 fine against Facebook for the Cambridge Analytica data breach that “protection of personal information and personal privacy is of fundamental importance, not only for the rights of individuals, but also as we now know, for the preservation of a strong democracy.” Facebook You Owe Us aims to fight back by holding the company to account for failing to protect Facebook users’ personal data and showing that Facebook is not above the law.  
    • The launch of Facebook You Owe Us follows Google You Owe Us’ victory in the Court of Appeal. The Google You Owe Us case has been appealed by Google and is now scheduled to be heard before the Supreme Court in April 2021. If successful, the case will demonstrate that personal data is of value to individuals and that companies cannot simply take it and profit from it illegally. Both cases are led by James Oldnall at Milberg London LLP, with Richard Lloyd, the former executive director of Which?. 

Coming Events

  • The Senate Homeland Security and Governmental Affairs Committee’s Regulatory Affairs and Federal Management Subcommittee will hold a hearing on how to modernize telework in light of what was learned during the COVID-19 pandemic on 18 November.
  • On 18 November, the Federal Communications Commission (FCC) will hold an open meeting and has released a tentative agenda:
    • Modernizing the 5.9 GHz Band. The Commission will consider a First Report and Order, Further Notice of Proposed Rulemaking, and Order of Proposed Modification that would adopt rules to repurpose 45 megahertz of spectrum in the 5.850-5.895 GHz band for unlicensed operations, retain 30 megahertz of spectrum in the 5.895-5.925 GHz band for the Intelligent Transportation Systems (ITS) service, and require the transition of the ITS radio service standard from Dedicated Short-Range Communications technology to Cellular Vehicle-to-Everything technology. (ET Docket No. 19-138)
    • Further Streamlining of Satellite Regulations. The Commission will consider a Report and Order that would streamline its satellite licensing rules by creating an optional framework for authorizing space stations and blanket-licensed earth stations through a unified license. (IB Docket No. 18-314)
    • Facilitating Next Generation Fixed-Satellite Services in the 17 GHz Band. The Commission will consider a Notice of Proposed Rulemaking that would propose to add a new allocation in the 17.3-17.8 GHz band for Fixed-Satellite Service space-to-Earth downlinks and to adopt associated technical rules. (IB Docket No. 20-330)
    • Expanding the Contribution Base for Accessible Communications Services. The Commission will consider a Notice of Proposed Rulemaking that would propose expansion of the Telecommunications Relay Services (TRS) Fund contribution base for supporting Video Relay Service (VRS) and Internet Protocol Relay Service (IP Relay) to include intrastate telecommunications revenue, as a way of strengthening the funding base for these forms of TRS and making it more equitable without increasing the size of the Fund itself. (CG Docket Nos. 03-123, 10-51, 12-38)
    • Revising Rules for Resolution of Program Carriage Complaints. The Commission will consider a Report and Order that would modify the Commission’s rules governing the resolution of program carriage disputes between video programming vendors and multichannel video programming distributors. (MB Docket Nos. 20-70, 17-105, 11-131)
    • Enforcement Bureau Action. The Commission will consider an enforcement action.
  • On 27 November, The European Data Protection Board “is organising a remote stakeholder workshop on the topic of Legitimate Interest.” The EDPB explained “[p]laces will be allocated on a first come, first served basis, depending on availability.”

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (7 October)

Coming Events

  • The European Union Agency for Cybersecurity (ENISA), Europol’s European Cybercrime Centre (EC3) and the Computer Emergency Response Team for the EU Institutions, Bodies and Agencies (CERT-EU) will hold the 4th annual IoT Security Conference series “to raise awareness on the security challenges facing the Internet of Things (IoT) ecosystem across the European Union:”
    • Artificial Intelligence – 14 October at 15:00 to 16:30 CET
    • Supply Chain for IoT – 21 October at 15:00 to 16:30 CET
  • The Federal Communications Commission (FCC) will hold an open commission meeting on 27 October, and the agency has released a tentative agenda:
    • Restoring Internet Freedom Order Remand – The Commission will consider an Order on Remand that would respond to the remand from the U.S. Court of Appeals for the D.C. Circuit and conclude that the Restoring Internet Freedom Order promotes public safety, facilitates broadband infrastructure deployment, and allows the Commission to continue to provide Lifeline support for broadband Internet access service. (WC Docket Nos. 17-108, 17-287, 11- 42)
    • Establishing a 5G Fund for Rural America – The Commission will consider a Report and Order that would establish the 5G Fund for Rural America to ensure that all Americans have access to the next generation of wireless connectivity. (GN Docket No. 20-32)
    • Increasing Unlicensed Wireless Opportunities in TV White Spaces – The Commission will consider a Report and Order that would increase opportunities for unlicensed white space devices to operate on broadcast television channels 2-35 and expand wireless broadband connectivity in rural and underserved areas. (ET Docket No. 20-36)
    • Streamlining State and Local Approval of Certain Wireless Structure Modifications –
    • The Commission will consider a Report and Order that would further accelerate the deployment of 5G by providing that modifications to existing towers involving limited ground excavation or deployment would be subject to streamlined state and local review pursuant to section 6409(a) of the Spectrum Act of 2012. (WT Docket No. 19-250; RM-11849)
    • Revitalizing AM Radio Service with All-Digital Broadcast Option – The Commission will consider a Report and Order that would authorize AM stations to transition to an all-digital signal on a voluntary basis and would also adopt technical specifications for such stations. (MB Docket Nos. 13-249, 19-311)
    • Expanding Audio Description of Video Content to More TV Markets – The Commission will consider a Report and Order that would expand audio description requirements to 40 additional television markets over the next four years in order to increase the amount of video programming that is accessible to blind and visually impaired Americans. (MB Docket No. 11-43)
    • Modernizing Unbundling and Resale Requirements – The Commission will consider a Report and Order to modernize the Commission’s unbundling and resale regulations, eliminating requirements where they stifle broadband deployment and the transition to next- generation networks, but preserving them where they are still necessary to promote robust intermodal competition. (WC Docket No. 19-308)
    • Enforcement Bureau Action – The Commission will consider an enforcement action.
  • On October 29, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”

Other Developments

  • Consumer Reports released a study it did on the “California Consumer Privacy Act” (CCPA) (AB 375), specifically on the Do-Not-Sell right California residents were given under the newly effective privacy statute. For those people (like me) who expected a significant number of businesses to make it hard for people to exercise their rights, this study confirms this suspicion. Consumer Reports noted more than 40% of data brokers had hard to find links or extra, complicated steps for people to tell them not to sell their personal information.
    • In “CCPA: Are Consumers Digital Rights Protected?,” Consumer Reports used this methodology:
    • Consumer Reports’ Digital Lab conducted a mixed methods study to examine whether the new CCPA is working for consumers. This study focused on the Do-Not-Sell (DNS) provision in the CCPA, which gives consumers the right to opt out of the sale of their personal information to third parties through a “clear and conspicuous link” on the company’s homepage.1 As part of the study, 543 California residents made DNS requests to 214 data brokers listed in the California Attorney General’s data broker registry. Participants reported their experiences via survey.
    • Consumer Reports found:
      • Consumers struggled to locate the required links to opt out of the sale of their information. For 42.5% of sites tested, at least one of three testers was unable to find a DNS link. All three testers failed to find a “Do Not Sell” link on 12.6% of sites, and in several other cases one or two of three testers were unable to locate a link.
        • Follow-up research focused on the sites in which all three testers did not find the link revealed that at least 24 companies on the data broker registry do not have the required DNS link on their homepage.
        • All three testers were unable to find the DNS links for five additional companies, though follow-up research revealed that the companies did have DNS links on their homepages. This also raises concerns about compliance, since companies are required to post the link in a “clear and conspicuous” manner.
      • Many data brokers’ opt-out processes are so onerous that they have substantially impaired consumers’ ability to opt out, highlighting serious flaws in the CCPA’s opt-out model.
        • Some DNS processes involved multiple, complicated steps to opt out, including downloading third-party software.
        • Some data brokers asked consumers to submit information or documents that they were reluctant to provide, such as a government ID number, a photo of their government ID, or a selfie.
        • Some data brokers confused consumers by requiring them to accept cookies just to access the site.
        • Consumers were often forced to wade through confusing and intimidating disclosures to opt out.
        • Some consumers spent an hour or more on a request.
        • At least 14% of the time, burdensome or broken DNS processes prevented consumers from exercising their rights under the CCPA.
      • At least one data broker used information provided for a DNS request to add the user to a marketing list, in violation of the CCPA.
      • At least one data broker required the user to set up an account to opt out, in violation of the CCPA.
      • Consumers often didn’t know if their opt-out request was successful. Neither the CCPA nor the CCPA regulations require companies to notify consumers when their request has been honored. About 46% of the time, consumers were left waiting or unsure about the status of their DNS request.
      • About 52% of the time, the tester was “somewhat dissatisfied” or “very dissatisfied” with the opt-out processes.
      • On the other hand, some consumers reported that it was quick and easy to opt out, showing that companies can make it easier for consumers to exercise their rights under the CCPA. About 47% of the time, the tester was “somewhat satisfied” or “very satisfied” with the opt-out process.
    • Consumer Reports recommended:
      • The Attorney General should vigorously enforce the CCPA to address noncompliance.
      • To make it easier to exercise privacy preferences, consumers should have access to browser privacy signals that allow them to opt out of all data sales in one step.
      • The AG should more clearly prohibit dark patterns, which are user interfaces that subvert consumer intent, and design a uniform opt-out button. This will make it easier for consumers to locate the DNS link on individual sites.
      • The AG should require companies to notify consumers when their opt-out requests have been completed, so that consumers can know that their information is no longer being sold.
      • The legislature or AG should clarify the CCPA’s definitions of “sale” and “service provider” to more clearly cover data broker information sharing.
      • Privacy should be protected by default. Rather than place the burden on consumers to exercise privacy rights, the law should require reasonable data minimization, which limits the collection, sharing, retention, and use to what is reasonably necessary to operate the service.
  • Two agencies of the Department of the Treasury have issued guidance regarding the advisability and legality of paying ransomware to individuals or entities under United States (U.S.) sanction at a time when ransomware attacks are on the rise. It bears note that a person or entity in the U.S. may face criminal and civil liability for paying a sanctioned ransomware entity even if they did not know it was sanctioned. One of the agencies reasoned that paying ransoms to such parties is contrary to U.S. national security policy and only encourages more ransomware attacks.
    • The Office of Foreign Assets Control (OFAC) issued an “advisory to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.” OFAC added:
      • Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business. Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations. This advisory describes these sanctions risks and provides information for contacting relevant U.S. government agencies, including OFAC, if there is a reason to believe the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.
    • Financial Crimes Enforcement Network (FinCEN) published its “advisory to alert financial institutions to predominant trends, typologies, and potential indicators of ransomware and associated money laundering activities. This advisory provides information on:
      • (1) the role of financial intermediaries in the processing of ransomware payments;
      • (2) trends and typologies of ransomware and associated payments;
      • (4) reporting and sharing information related to ransomware attacks.
  • The Government Accountability Office (GAO) found uneven implementation at seven federal agencies in meeting the Office of Management and Budget’s (OMB) requirements in using the category management initiative for buying information technology (IT). This report follows in a long line of assessments of how the federal government is not spending its billions of dollars invested in IT to maximum effect. The category management initiative was launched two Administrations ago as a means of driving greater efficiency and savings for the nearly $350 billion the U.S. government spends annually in services and goods, much of which could be bought in large quantities instead of piecemeal by agency as is now the case.
    • The chair and ranking member of the House Oversight Committee and other Members had asked the GAO “to conduct a review of federal efforts to reduce IT contract duplication and/or waste” specifically “to determine the extent to which (1) selected agencies’ efforts to prevent, identify, and reduce duplicative or wasteful IT contracts were consistent with OMB’s category management initiative; and (2) these efforts were informed by spend analyses.” The GAO ended up looking at the Departments of Agriculture (USDA), Defense (DOD), Health and Human Services (HHS), Homeland Security (DHS), Justice (DOJ), State (State), and Veterans Affairs (VA).
    • The GAO found:
      • The seven agencies in our review varied in their implementation of OMB’s category management activities that contribute to identifying, preventing, and reducing duplicative IT contracts. Specifically, most of the agencies fully implemented the two activities to identify a Senior Accountable Official and develop processes and policies for implementing category management efforts, and to engage their workforces in category management training. However, only about half the agencies fully implemented the activities to reduce unaligned IT spending, including increasing the use of Best in Class contract solutions, and share prices paid, terms, and conditions for purchased IT goods and services. Agencies cited several reasons for their varied implementation, including that they were still working to define how to best integrate category management into the agency.
      • Most of the agencies used spend analyses to inform their efforts to identify and reduce duplication, and had developed and implemented strategies to address the identified duplication, which, agency officials reported resulted in millions in actual and anticipated future savings. However, two of these agencies did not make regular use of the spend analyses.
      • Until agencies fully implement the activities in OMB’s category management initiative, and make greater use of spend analyses to inform their efforts to identify and reduce duplicative contracts, they will be at increased risk of wasteful spending. Further, agencies will miss opportunities to identify and realize savings of potentially hundreds of millions of dollars.
  • The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) provided “specific Chinese government and affiliated cyber threat actor tactics, techniques, and procedures (TTPs) and recommended mitigations to the cybersecurity community to assist in the protection of our Nation’s critical infrastructure.” CISA took this action “[i]n light of heightened tensions between the United States and China.”
    • CISA asserted
      • According to open-source reporting, offensive cyber operations attributed to the Chinese government targeted, and continue to target, a variety of industries and organizations in the United States, including healthcare, financial services, defense industrial base, energy, government facilities, chemical, critical manufacturing (including automotive and aerospace), communications, IT, international trade, education, videogaming, faith-based organizations, and law firms.
    • CISA recommends organizations take the following actions:
      • Adopt a state of heightened awareness. Minimize gaps in personnel availability, consistently consume relevant threat intelligence, and update emergency call trees.
      • Increase organizational vigilance. Ensure security personnel monitor key internal security capabilities and can identify anomalous behavior. Flag any known Chinese indicators of compromise (IOCs) and TTPs for immediate response.
      • Confirm reporting processes. Ensure personnel know how and when to report an incident. The well-being of an organization’s workforce and cyber infrastructure depends on awareness of threat activity. Consider reporting incidents to CISA to help serve as part of CISA’s early warning system (see the Contact Information section below).
      • Exercise organizational incident response plans. Ensure personnel are familiar with the key steps they need to take during an incident. Do they have the accesses they need? Do they know the processes? Are various data sources logging as expected? Ensure personnel are positioned to act in a calm and unified manner.
  • The Supreme Court of the United States (SCOTUS) declined to hear a case on an Illinois revenge porn law that the Illinois State Supreme Court upheld, finding it did not impinge on a woman’s First Amendment rights. Bethany Austin was charged with a felony under an Illinois law barring the nonconsensual dissemination of private sexual pictures when she printed and distributed pictures of her ex-fiancé’s lover. Because SCOTUS decided not to hear this case, the Illinois case and others like it remain Constitutional.
    • The Illinois State Supreme Court explained the facts of the case:
      • Defendant (aka Bethany Austin) was engaged to be married to Matthew, after the two had dated for more than seven years. Defendant and Matthew lived together along with her three children. Defendant shared an iCloud account with Matthew, and all data sent to or from Matthew’s iPhone went to their shared iCloud account, which was connected to defendant’s iPad. As a result, all text messages sent by or to Matthew’s iPhone automatically were received on defendant’s iPad. Matthew was aware of this data sharing arrangement but took no action to disable it.
      • While Matthew and defendant were engaged and living together, text messages between Matthew and the victim, who was a neighbor, appeared on defendant’s iPad. Some of the text messages included nude photographs of the victim. Both Matthew and the victim were aware that defendant had received the pictures and text messages on her iPad. Three days later, Matthew and the victim again exchanged several text messages. The victim inquired, “Is this where you don’t want to message [because] of her?” Matthew responded, “no, I’m fine. [S]omeone wants to sit and just keep watching want [sic] I’m doing I really do not care. I don’t know why someone would wanna put themselves through that.” The victim replied by texting, “I don’t either. Soooooo baby ….”
      • Defendant and Matthew cancelled their wedding plans and subsequently broke up. Thereafter, Matthew began telling family and friends that their relationship had ended because defendant was crazy and no longer cooked or did household chores.
      • In response, defendant wrote a letter detailing her version of events. As support, she attached to the letter four of the naked pictures of the victim and copies of the text messages between the victim and Matthew. When Matthew’s cousin received the letter along with the text messages and pictures, he informed Matthew.
      • Upon learning of the letter and its enclosures, Matthew contacted the police. The victim was interviewed during the ensuing investigation and stated that the pictures were private and only intended for Matthew to see. The victim acknowledged that she was aware that Matthew had shared an iCloud account with defendant, but she thought it had been deactivated when she sent him the nude photographs.
    • In her petition for SCOTUS to hear her case, Austin asserted:
      • Petitioner Bethany Austin is being prosecuted under Illinois’ revenge porn law even though she is far from the type of person such laws were intended to punish. These laws proliferated rapidly in recent years because of certain reprehensible practices, such as ex-lovers widely posting images of their former mates to inflict pain for a bad breakup, malicious stalkers seeking to damage an innocent person’s reputation, or extortionists using intimate photos to collect ransom. Austin did none of those things, yet is facing felony charges because she tried to protect her reputation from her former fiancé’s lies about the reason their relationship ended.
      • The Illinois Supreme Court rejected Petitioner’s constitutional challenge to the state revenge porn law only because it ignored well-established First Amendment rules: It subjected the law only to intermediate, rather than strict scrutiny, because it incorrectly classified a statute that applies only to sexual images as content neutral; it applied diminished scrutiny because the speech at issue was deemed not to be a matter of public concern; and it held the law need not require a showing of malicious intent to justify criminal penalties, reasoning that such intent can be inferred from the mere fact that the specified images were shared. Each of these conclusions contradicts First Amendment principles recently articulated by this Court, and also is inconsistent with decisions of various state courts, including the Vermont Supreme Court.
    • Illinois argued in its brief to SCOTUS:
      • The nonconsensual dissemination of private sexual images exposes victims to a wide variety of serious harms that affect nearly every aspect of their lives. The physical, emotional, and economic harms associated with such conduct are well-documented: many victims are exposed to physical violence, stalking, and harassment; suffer from emotional and psychological harm; and face limited professional prospects and lowered income, among other repercussions. To address this growing problem and protect its residents from these harms, Illinois enacted section 11-23.5,720 ILCS 5/11-23.5. Petitioner—who was charged with violating section 11-23.5 after she disseminated nude photos of her fiancé’s paramour without consent—asks this Court to review the Illinois Supreme Court’s decision rejecting her First Amendment challenge.
  • Six U.S. Agency for Global Media (USAGM) whistleblowers have filed a complaint concerning “retaliatory actions” with the Office of the Inspector General (OIG) at the Department of State and the Office of Special Counsel, arguing the newly installed head of USAGM punished them for making complaints through proper channels about his actions. This is the latest development at the agency. the United States Court of Appeals for the District of Columbia enjoined USAGM from “taking any action to remove or replace any officers or directors of the OTF,” pending the outcome of the suit which is being expedited.
  • Additionally, USAGM CEO and Chair of the Board Michael Pack is being accused in two different letters of seeking to compromise the integrity and independence of two organizations he oversees. There have been media accounts of the Trump Administration’s remaking of USAGM in ways critics contend are threatening the mission and effectiveness of the Open Technology Fund (OTF), a U.S. government non-profit designed to help dissidents and endangered populations throughout the world. The head of the OTF has been removed, evoking the ire of Members of Congress, and other changes have been implemented that are counter to the organization’s mission. Likewise, there are allegations that politically-motivated policy changes seek to remake the Voice of America (VOA) into a less independent entity.
  • The whistleblowers claimed in their complaint:
    • Each of the Complainants made protected disclosures –whether in the form of OIG complaints, communications with USAGM leadership, and/or communications with appropriate Congressional committees–regarding their concerns about official actions primarily taken by Michael Pack, who has been serving as the Chief Executive Officer for USAGM since June 4, 2020. The Complainants’ concerns involve allegations that Mr. Pack has engaged in conduct that violates federal law and/or USAGM regulations, and that constitutes an abuse of authority and gross mismanagement. Moreover, each of the Complainants was targeted for retaliatory action by Mr. Pack because of his belief that they held political views opposed to his, which is a violation of the Hatch Act.
    • Each of the Complainants was informed by letter, dated August 12, 2020, that their respective accesses to classified information had been suspended pending further investigation. Moreover, they were all concurrently placed on administrative leave. In each of the letters to the Complainants, USAGM claimed that the Complainants had been improperly granted security clearances, and that the Complainants failed to take remedial actions to address personnel and security concerns prior to permitting other USAGM employees to receive security clearances. In addition, many or all of the Complainants were earlier subject to retaliatory adverse personnel actions in the form of substantial limitations on their ability to carry out their work responsibilities(i.e. a significant change in duties and responsibilities), which limitations were imposed without following appropriate personnel procedures.

Further Reading

  • Big Tech Was Their Enemy, Until Partisanship Fractured the Battle Plans” By Cecilia Kang and David McCabe — The New York Times. There’s a bit of court intrigue in this piece about how Republicans declined to join Democrats in the report on the antirust report released this week, sapping the recommendations on how to address Big Tech of power.
  • Facebook Keeps Data Secret, Letting Conservative Bias Claims Persist” By Bobby Allyn — NPR. Still no evidence of an anti-conservative bias at Facebook, according to experts, and the incomplete data available seem to indicate conservative content may be more favored by users than liberal content. Facebook does not release data that settle the question, however, and there are all sorts of definitional questions that need answers before this issue could be definitely settled. And yet, some food for thought is a significant percentage of sharing a link may be driven by bots and not humans.
  • News Corp. changes its tune on Big Tech” By Sara Fischer — Axios.  After beating the drum for years about the effect of Big Tech on journalism, the parent company of the Wall Street Journal and other media outlets is much more conciliatory these days. It may have something to do with all the cash the Googles and Facebooks of the world are proposing to throw at some media outlets for their content. It remains to be seen how this change in tune will affect the Australian Competition and Consumer Commission’s (ACCC) proposal to ensure that media companies are compensated for articles and content online platforms use. In late July the ACCC released for public consultation a draft of “a mandatory code of conduct to address bargaining power imbalances between Australian news media businesses and digital platforms, specifically Google and Facebook.”
  • Silicon Valley Opens Its Wallet for Joe Biden” By Daniel Oberhaus — WIRED. In what will undoubtedly be adduced as evidence that Silicon Valley is a liberal haven, this article claims according to federal elections data for this election cycle, Alphabet, Amazon, Apple, Facebook, Microsoft, and Oracle employees have contributed $4,787,752 to former Vice President Joe Biden and $239,527 to President Donald Trump. This is only for contributions of $200 and higher, so it is likely these data are not complete.
  • Facebook bans QAnon across its platforms” By Ben Collins and Brandy Zadrozny — NBC News. The social media giant has escalated and will remove all content related to the conspiracy group and theory known as QAnon. However, believers have been adaptable and agile in dropping certain terms and using methods to evade detection. Some experts say Facebook’s actions are too little, too late as these beliefs are widespread and are fueling a significant amount of violence and unrest in the real world.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Katie White from Pixabay

Antitrust Report Released

A far reaching set of recommendations on how the U.S. should remake its antitrust policies to take on Big Tech

The subcommittee of the House Judiciary Committee that has been investigating digital competition for over a year issued its final report and is calling for nothing less than a complete remaking of United States (U.S.) antitrust policy and law. In the view of the subcommittee a handful of technology companies have strangleholds on a number of key markets, and the health of the U.S. economy demands that the companies be broken up and reformed. The four companies the subcommittee focused on are Amazon, Apple, Facebook, and Google, four of the world’s largest companies by market capitalization. Even though the tide has turned against these and other large technology companies that were feted during the Obama Administration, if the response of Republicans on the committee encapsulates the feeling of party members in the Senate, there is no likely path for enactment of many of these proposals even under a Biden Administration unless the filibuster is junked. And even then, tech companies would find many sympathetic moderate and centrist Democrats who could not go along with a wholesale reform of antitrust enforcement.

The House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee started its inquiry over a year ago and held seven hearings, including one this past summer with the CEOs of the four companies. Subcommittee Chair David Cicilline (D-RI) has long made his leanings clear in his opening statements and questions as has the full Committee Chair Jerrold Nadler (D-NY). They agree that these companies are too large and current antitrust enforcement and law are inadequate to the job of addressing dominance of inline markets to rival to trusts from more than 100 years ago.

The Subcommittee found:

  • Over the past decade, the digital economy has become highly concentrated and prone to monopolization. Several markets investigated by the Subcommittee—such as social networking, general online search, and online advertising—are dominated by just one or two firms. The companies investigated by the Subcommittee—Amazon, Apple, Facebook, and Google—have captured control over key channels of distribution and have come to function as gatekeepers. Just a decade into the future, 30% of the world’s gross economic output may lie with these firms, and just a handful of others.
  • In interviews with Subcommittee staff, numerous businesses described how dominant platforms exploit their gatekeeper power to dictate terms and extract concessions that no one would reasonably consent to in a competitive market. Market participants that spoke with Subcommittee staff indicated that their dependence on these gatekeepers to access users and markets requires concessions and demands that carry significant economic harm, but that are “the cost of doing business” given the lack of options.
  • This significant and durable market power is due to several factors, including a high volume of acquisitions by the dominant platforms. Together, the firms investigated by the Subcommittee have acquired hundreds of companies just in the last ten years. In some cases, a dominant firm evidently acquired nascent or potential competitors to neutralize a competitive threat or to maintain and expand the firm’s dominance. In other cases, a dominant firm acquired smaller companies to shut them down or discontinue underlying products entirely—transactions aptly described as “killer acquisitions.”
  • In the overwhelming number of cases, the antitrust agencies did not request additional information and documentary material under their pre-merger review authority in the Clayton Act, to examine whether the proposed acquisition may substantially lessen competition or tend to create a monopoly if allowed to proceed as proposed. For example, of Facebook’s nearly 100 acquisitions, the Federal Trade Commission engaged in an extensive investigation of just one acquisition: Facebook’s purchase of Instagram in 2012.

Regarding the four companies themselves, the Subcommittee claimed:

  • Facebook
    • Facebook has monopoly power in the market for social networking. Internal communications among the company’s Chief Executive Officer, Mark Zuckerberg, and other senior executives indicate that Facebook acquired its competitive threats to maintain and expand its dominance. For example, a senior executive at the company described its acquisition strategy as a “land grab” to “shore up” Facebook’s position, while Facebook’s CEO said that Facebook “can likely always just buy any competitive startups,” and agreed with one of the company’s senior engineers that Instagram was a threat to Facebook.
    • Facebook’s monopoly power is firmly entrenched and unlikely to be eroded by competitive pressure from new entrants or existing firms. In 2012, the company described its network effects as a “flywheel” in an internal presentation prepared for Facebook at the direction of its Chief Financial Officer. This presentation also said that Facebook’s network effects get “stronger every day.”
  • Google
    • Google has a monopoly in the markets for general online search and search advertising. Google’s dominance is protected by high entry barriers, including its click-and-query data and the extensive default positions that Google has obtained across most of the world’s devices and browsers. A significant number of entities—spanning major public corporations, small businesses, and entrepreneurs—depend on Google for traffic, and no alternate search engine serves as a substitute.
    • Google maintained its monopoly over general search through a series of anticompetitive tactics. These include an aggressive campaign to undermine vertical search providers, which Google viewed as a significant threat. Documents show that Google used its search monopoly to misappropriate content from third parties and to boost Google’s own inferior vertical offerings, while imposing search penalties to demote third-party vertical providers. Since capturing a monopoly over general search, Google has steadily proliferated its search results page with ads and with Google’s own content, while also blurring the distinction between paid ads and organic results. As a result of these tactics, Google appears to be siphoning off traffic from the rest of the web, while entities seeking to reach users must pay Google steadily increasing sums for ads. Numerous market participants analogized Google to a gatekeeper that is extorting users for access to its critical distribution channel, even as its search page shows users less relevant results.
    • A second way Google has maintained its monopoly over general search has been through a series of anticompetitive contracts. After purchasing the Android operating system in 2005, Google used contractual restrictions and exclusivity provisions to extend Google’s search monopoly from desktop to mobile. Documents show that Google required smartphone manufacturers to pre-install and give default status to Google’s own apps, impeding competitors in search as well as in other app markets. As search activity now migrates from mobile to voice, third-party interviews suggest Google is again looking for ways to maintain its monopoly over search access points through a similar set of practices.
  • Amazon
    • Amazon has significant and durable market power in the U.S. online retail market. This conclusion is based on the significant record that Subcommittee staff collected and reviewed, including testimonials from third-party sellers, brand manufacturers, publishers, former employees, and other market participants, as well as Amazon’s internal documents. Although Amazon is frequently described as controlling about 40% of U.S. online retail sales, this market share is likely understated, and estimates of about 50% or higher are more credible.
    • As the dominant marketplace in the United States for online shopping, Amazon’s market power is at its height in its dealings with third-party sellers. The platform has monopoly power over many small- and medium-sized businesses that do not have a viable alternative to Amazon for reaching online consumers. Amazon has 2.3 million active third-party sellers on its marketplace worldwide, and a recent survey estimates that about 37% of them—about 850,000 sellers—rely on Amazon as their sole source of income.
    • Amazon achieved its current dominant position, in part, through acquiring its competitors, including Diapers.com and Zappos. It has also acquired companies that operate in adjacent markets, adding customer data to its stockpile and further shoring up its competitive moats. This strategy has entrenched and expanded Amazon’s market power in e-commerce, as well as in other markets. The company’s control over, and reach across, its many business lines enables it to self-preference and disadvantage competitors in ways that undermine free and fair competition. As a result of Amazon’s dominance, other businesses are frequently beholden to Amazon for their success.
    • Amazon has engaged in extensive anticompetitive conduct in its treatment of third-party sellers. Publicly, Amazon describes third-party sellers as “partners.” But internal documents show that, behind closed doors, the company refers to them as “internal competitors.” Amazon’s dual role as an operator of its marketplace that hosts third-party sellers, and a seller in that same marketplace, creates an inherent conflict of interest. This conflict incentivizes Amazon to exploit its access to competing sellers’ data and information, among other anticompetitive conduct.
  • Apple
    • Apple has significant and durable market power in the mobile operating system market. Apple’s dominance in this market, where it controls the iOS mobile operating system that runs on Apple mobile devices, has enabled it to control all software distribution to iOS devices. As a result, Apple exerts monopoly power in the mobile app store market, controlling access to more than 100 million iPhones and iPads in the U.S.
    • Apple’s mobile ecosystem has produced significant benefits to app developers and consumers. Launched in 2008, the App Store revolutionized software distribution on mobile devices, reducing barriers to entry for app developers and increasing the choices available to consumers. Despite this, Apple leverages its control of iOS and the App Store to create and enforce barriers to competition and discriminate against and exclude rivals while preferencing its own offerings. Apple also uses its power to exploit app developers through misappropriation of competitively sensitive information and to charge app developers supra-competitive prices within the App Store. Apple has maintained its dominance due to the presence of network effects, high barriers to entry, and high switching costs in the mobile operating system market.

The Subcommittee summarized its recommendations:

a. Restoring Competition in the Digital Economy

  • Structural separations and prohibitions of certain dominant platforms from operating in adjacent lines of business;
  • Nondiscrimination requirements, prohibiting dominant platforms from engaging in self- preferencing, and requiring them to offer equal terms for equal products and services;
  • Interoperability and data portability, requiring dominant platforms to make their services compatible with various networks and to make content and information easily portable between them;
  • Presumptive prohibition against future mergers and acquisitions by the dominant platforms;
  • Safe harbor for news publishers in order to safeguard a free and diverse press; and
  • Prohibitions on abuses of superior bargaining power, proscribing dominant platforms from engaging in contracting practices that derive from their dominant market position, and requiring due process protections for individuals and businesses dependent on the dominant platforms.

b. Strengthening the Antitrust Laws

  • Reasserting the anti-monopoly goals of the antitrust laws and their centrality to ensuring a healthy and vibrant democracy;
  • Strengthening Section 7 of the Clayton Act, including through restoring presumptions and bright-line rules, restoring the incipiency standard and protecting nascent competitors, and strengthening the law on vertical mergers;
  • Strengthening Section 2 of the Sherman Act, including by introducing a prohibition on abuse of dominance and clarifying prohibitions on monopoly leveraging, predatory pricing, denial of essential facilities, refusals to deal, tying, and anticompetitive self-preferencing and product design; and
  • Taking additional measures to strengthen overall enforcement, including through overriding problematic precedents in the case law.

c. Reviving Antitrust Enforcement

  • Restoring robust congressional oversight of the antitrust laws and their enforcement;
  • Restoring the federal antitrust agencies to full strength, by triggering civil penalties and other relief for “unfair methods of competition” rules, requiring the Federal Trade Commission to engage in regular data collection on concentration, enhancing public transparency and accountability of the agencies, requiring regular merger retrospectives, codifying stricter prohibitions on the revolving door, and increasing the budgets of the FTC and the Antitrust Division; and
  • Strengthening private enforcement, through eliminating obstacles such as forced arbitration clauses, limits on class action formation, judicially created standards constraining what constitutes an antitrust injury, and unduly high pleading standards.

The Ranking Member on the Antitrust, Commercial, and Administrative Law Subcommittee, Jim Sensenbrenner (R-WI) signaled his agreement with some of the recommendations made in the report but articulated his views:

  • I disagree with the view that there needs to be a wholesale rewrite of our country’s antitrust laws.
  • Congressional review of our antitrust laws in the age of Big Tech was absolutely warranted.  Oversight of the existing legal and regulatory framework is one of the key functions of the committee system, and I applaud Chairman Cicilline on his undertaking of this project in a bipartisan manner. 
  • There actually is a lot that we agree on, including the lack of sufficient scrutiny on past activity by these companies.  For example, the report highlights that Facebook only had one acquisition extensively reviewed by the FTC out of nearly 100.  That lack of enforcement raises significant questions. What becomes clear is that better resources and funding for the enforcement agencies are key to having an effective antitrust framework.
  • Ultimately, I am concerned with several of the recommendations made by the committee.  A ‘Glass-Steagall’ like approach to tech regulation does not benefit consumers and will lead to too much government regulation of a very innovative industry.  Likewise, mandating data interoperability could hamper future innovation by preventing the development of new and better systems.
  • I am also opposed to several of the proposed changes to merger activity.  A presumptive ban on future acquisitions, especially now with economic uncertainty plaguing the world, could hinder potentially fruitful, beneficial business decisions. Also, shifting the burden of proof in merger cases misplaces the obligation upon companies to prove their innocence rather than the government proving their guilt.

In his statement, Ranking Member Jim Jordan (R-OH) again chose to ignore the competition and market dominance issues on which a number of his Republican colleagues agreed with Democrats to again reiterate unproven Republican talking points about alleged conservative bias:

Big tech is out to get conservatives. Unfortunately, the Democrats’ partisan report ignores this fundamental problem and potential solutions and instead advances radical proposals that would refashion antitrust law in the vision of the far left.

On the same day, a small group of committee Republicans released their report on “Big Tech” with their proposed policy and legal solutions. This effort was led by Representative Ken Buck (R-CO), a subcommittee member who participated in the hearings in a bipartisan fashion even praising Cicilline for his evenhanded conduct of the proceedings. However, Buck did indicate he could not agree with some of the directions his Democratic colleagues seem to be heading in response to the evidence. Buck was joined by Representatives Matt Gaetz (R-FL), Doug Collins (R-GA), and Andy Biggs (R-AZ).

They noted:

We write this response to join Chairman Cicilline and the majority staff on certain recommendations, offer modifications to some recommendations, and argue against the wisdom of proceeding on a few recommendations. We also want to point out that the committee’s ongoing efforts should emphasize issues that have been ignored but must be addressed in the future for a truly bipartisan approach to reforming Big Tech’s dominant position in the marketplace. Finally, we want to thank the Chairman for not using this report as an opportunity to push a progressive labor, environmental, or other unrelated policy agenda under the guise of antitrust enforcement. We sincerely appreciate the Chairman’s friendship and dedication to making this process open and accessible to all members.

Buck, Gaetz, Collins, and Biggs added:

The majority staff report offers a comprehensive review of the technology marketplace and accurately depicts the harmful effects of Big Tech’s anticompetitive reign over the digital economy. Many of the factual findings detailed in the report are undeniable. The majority staff accurately portrays how Apple, Amazon, Google, and Facebook have used their monopoly power to act as gatekeepers to the marketplace, undermine potential competition, and pick winners and losers, all while simultaneously cozying up to unfriendly nations like China in order to further expand their global footprint.

In terms of where they agree with Cicilline and the Democrats, they remarked:

  • We agree that antitrust enforcement agencies need additional resources and tools to provide proper oversight. However, these potential changes need not be dramatic to be effective. By reinforcing presumptions that certain behaviors are likely to reduce competition, lowering evidentiary burdens in litigated cases, and emphasizing that anticompetitive effects are not limited to price effects and include innovation competition, quality, output, and consumer choice, Congress can make a meaningful difference.
  • We also agree with a number of the majority’s other legislative recommendations, including proposals to shift the burden of proof for companies pursuing mergers and acquisitions and empowering consumers to take control of their user data through data portability and interoperability standards. Additionally, the report offers recommendations where we believe there is common ground, but the subcommittee should receive expert feedback before pushing forward. Some of these proposals include the majority’s monopoly reforms related to predatory pricing, monopoly leveraging, the Essential Facilities Doctrine, and policies related to the Supreme Court’s recent decision related to two-sided markets in Ohio v. American Express Co.

Buck, Gaetz, Collins, and Biggs spelled out the recommendations made by the majority they could not join:

  • However, the majority also offers policy prescriptions that are non-starters for conservatives. These proposals include eliminating arbitration clauses and further opening companies up to class action lawsuits. Similarly, the majority’s desire to institute Glass- Steagall for America’s tech sector and modeling the majority’s equal terms for equal services recommendation on President Obama’s net neutrality rule will not garner support from Republicans.
  • While we agree in principle with the findings identified in the report, we cannot endorse all of the legislative recommendations offered by the majority. We will work with the Chairman in a bipartisan fashion to help enact the legislative solutions where we can agree. However, we are concerned that sweeping changes could lead to overregulation and carry unintended consequences for the entire economy. We prefer a targeted approach, the scalpel of antitrust, rather than the chainsaw of regulation.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by xresch from Pixabay

Further Reading, Other Developments, and Coming Events (31 August)

Today’s Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 10 September, the General Services Administration (GSA) will have a webinar to discuss implementation of Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) that bars the federal government and its contractors from buying the equipment and services from Huawei, ZTE, and other companies from the People’s Republic of China.
  • The Federal Communications Commission (FCC) will hold a forum on 5G Open Radio Access Networks on 14 September. The FCC asserted
    • Chairman [Ajit] Pai will host experts at the forefront of the development and deployment of open, interoperable, standards-based, virtualized radio access networks to discuss this innovative new approach to 5G network architecture. Open Radio Access Networks offer an alternative to traditional cellular network architecture and could enable a diversity in suppliers, better network security, and lower costs.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.”
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled ““Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delhrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • A group of Democratic Senators wrote the Federal Communications Commission (FCC) “to express our profound frustration that the [agency] has failed to take forceful action to keep households connected during the COVID-19 pandemic.” They asserted that “[a]s millions of American families face unprecedented financial pressures and educational challenges, we urge the FCC to reverse proposed changes to the Lifeline program, take immediate steps to open its assistance to more households, and ensure that its services meet the pressing needs of families during this crisis.”
    • They claimed
      • Since the first weeks of [FCC Chair Ajit Pai’s tenure], the FCC has sought to block new broadband providers’ participation in the Lifeline program, curtail benefits in tribal areas, exclude existing carriers, rollback reforms for registering new carriers, make it harder for new applicants  to subscribe, prevent carriers from offering free in-person distribution of phones, reduce incentives to enroll subscribers, and add more barriers for participating carriers and subscriber. These proposals have been so extreme that they would lead to cutting off carriers serving almost 70% of Lifeline subscribers.
    • They urged Pai “to immediately take the following steps:
      • 1.) Take emergency measures to provide additional financial support to Lifeline providers during the pandemic to temporarily support unlimited mobile data and voice minutes, and notify Congress if additional funding is needed for such changes.
      • 2.) Extend all current FCC waivers on Lifeline usage and subscriber documentation requirements for at least a full year, until August 2021or when we have recovered from the pandemic.
      • 3.) Close the currently outstanding Lifeline proposed rulemakings that would create new obstacles for eligible households and add unwarranted burden on carriers.
      • 4.)Pause the scheduled changes to Lifeline program’s minimum service standards until the Commission studies such impacts on the market in its upcoming 2021 State of Lifeline Marketplace Report, to avoid disruptions to customers’ services.
      • 5.) Restore the monthly subsidy to $9.25 for plans offering voice services for subscribers who value voice over data-heavy plans and pause the planned decrease in contributions for voice support.
      • 6.) Work with states to increase the automated verification of state databases with the National Verifier program by the end of this year.
  • New Zealand’s National Cyber Security Centre (NCSC) released a “General Security Advisory: ongoing campaign of Denial of Service (DoS) attacks affecting New Zealand entities” after four days of DoS attacks against New Zealand’s stock market coming from somewhere offshore. The NCSC recommended best practices the Australian Cyber Security Centre (ACSC) had published. The NCSC stated
    • [It] is aware of an ongoing campaign of DoS attacks affecting New Zealand entities.
    • The campaign has included the targeting of a number of global entities, predominantly in the financial sector. 
    • The NCSC strongly encourages all organisations in this sector to consider the risk to their organisation of DoS and ensure appropriate mitigations are in place.
  • Senator Mark Warner (D-VA) letters to DellAppleHPSamsungGoogleMicrosoftAcer America, and ASUS USA asking the “companies to do what they can to help bridge the “homework gap” – the lack of reliable computer or internet access that prevents school-aged children from being able to do school work from home.” Warner’s letter is in response to the nationwide shortage of lost laptops and tablets facing families as many children will be starting school online this fall. Warner stated:
    • There are a range of actions your company can take, including educational product discounts, the provision of complimentary or donated computers (including for home lending programs many educational institutions operate), and the provision of refurbished or returned products in good working condition for school districts and higher education institutions to distribute to educators and students. While I understand the strains placed on the global supply chain, your prioritization of these matters would greatly assist struggling families at this challenging time.
  • The United States Department of Defense (DOD) updated its list of ““Communist Chinese military companies” operating directly or indirectly in the United States in accordance with the statutory requirement of Section 1237 of the National Defense Authorization Act for Fiscal Year 1999, as amended.” The eleven companies from the People’s Republic of China (PRC) were added to the existing list sent “to Congress in June 2020,” some 20 years after Congress tasked the DOD with this responsibility. This action is most likely in response to a letter sent last year to fulfill this responsibility. Notably, any company on the list could be sanctioned by the President under the same authorities recently used against TikTok and WeChat.
    • In a September 2019 letter to Secretary of Defense Mark Esper, Senate Minority Leader Chuck Schumer (D-NY) and Senator Tom Cotton (R-AR) were joined by Representatives Ruben Gallego (D-AZ) and Mike Gallagher (R-WI) in asking whether the DOD has been updating a list of “those persons operating directly or indirectly in the United States or any of its territories and possessions that are Communist Chinese military companies” as directed by Section 1237 of the FY 1999 NDAA. They noted that China’s Communist Party has adopted a Military-Civilian Fusion strategy “to achieve its national objectives,” including the acquisition of U.S. technology through any means such as espionage, forced technology transfers, and the purchase of or investment in U.S. technology forms. Schumer, Cotton, Gallego, and Gallagher urged the Trump Administration “reexamine all statutory authorities at its disposal to confront the CCP’s strategy of Military-Civilian Fusion, including powers that have laid dormant for years.”
    • Unstated in this letter, however, is that the first part of Section 1237 grants the President authority to “exercise International Emergency Economic Powers Act (IEEPA) authorities (other than authorities relating to importation) without regard to section 202 of the IEEPA (50 U.S.C. 1701) in the case of any commercial activity in the United States by a person that is on the list.” Of IEEPA grants the President sweeping powers to prohibit transactions and block property and property interests for nations and other groups subject to an IEEPA national emergency declaration. Consequently, those companies identified by the DOD on a list per Section 1237 could be blocked and prohibited from doing business with U.S. entities and others and those that do business with such Chinese companies could be subject to enforcement actions by the U.S. government (e.g. the U.S.’s actions against ZTE for doing business with Iran in violation of an IEEPA national emergency).
    • The statute defines a “Communist Chinese military company” as “any person identified in the Defense Intelligence Agency publication numbered VP-1920-271-90, dated September 1990, or PC-1921-57-95, dated October 1995, and any update of those publications for the purposes of this section; and any other person that is owned or controlled by the People’s Liberation Army; and is engaged in providing commercial services, manufacturing, producing, or exporting.” Considering that the terms “owned” and “controlled” are not spelled out in this section, the executive branch may have very wide latitude in deeming a non-Chinese company as owned or controlled and therefore subject to the President’s use of IEEPA powers. Moreover, since the President already has the authority to declare an emergency and then use IEEPA powers, this language would seem to allow the President to bypass any such declaration and immediately use such powers, except those regarding importation, against any Chinese entities identified on this list by the Pentagon.
  • District of Columbia Attorney General Karl Racine (D) filed suit against Instacart alleging the company “violated the District’s Consumer Protection Procedures Act and tax law by: 
    • Charging District consumers millions of dollars in deceptive service fees: Prior to 2016, Instacart’s checkout screen contained an option to tip workers, set as a default 10 percent of the consumer’s subtotal for groceries that users could adjust. In 2016, Instacart swapped the tip option for a service fee, which was also set to a default 10 percent and could be adjusted, and displayed it where the tip option used to be. Consumers paid the service fee believing they were tipping workers. In reality, the service fee was a second charge—on top of a delivery fee—imposed by Instacart to cover delivery costs and operating expenses. Additionally, Instacart failed to clearly disclose that service fees were optional and that consumers could choose not to pay them.
    • Misleading consumers about how service fees contributed to worker pay: When Instacart announced the new service fees, it told consumers that “100% of the variable service amount is used to pay all shoppers more consistently for each and every delivery, not just the last shopper to touch the order.” Instacart also stated that the company collected a service fee because “multiple shoppers may have been involved in a single order” and the “service fee is used to pay this entire set of shoppers.” In fact, the shoppers who fulfilled a consumer’s order were paid the same whether or not a consumer paid the service fee.
    • Failing to pay at hundreds of thousands of dollars in District sales tax: Under District law, Instacart is responsible for collecting sales tax on the delivery services it provides. The entire time Instacart has operated in the District, it has failed to collect sales tax on the service fees and delivery fees it charged users.
  • Two large United States (U.S.) technology companies are facing class actions in the Netherlands and the United Kingdom (UK) that argue the companies’ use of third party cookies in order to sell real time bidding advertising violated the European Union’s General Data Protection Regulation (GDPR) by not obtaining the consent of people before their personal information is collected and processed. The suit against Oracle and Salesforce is being brought by The Privacy Collective, a European non-profit, that could result in damages of more than €10 billion.
  • As part of its lawsuit against Google “for deceptive and unfair practices used to obtain users’ location data, which Google then exploits for its lucrative advertising business,” the Office of the Attorney General of Arizona released emails obtained during the course of discovery that may demonstrate the company’s knowledge that its interface and operating system were trying to frustrate a user’s desire to truly turn off location data.
  • The eHealth Initiative & Foundation (eHI) and the Center for Democracy and Technology (CDT) released A Draft Consumer Privacy Framework for Health Data, “a collaborative effort addressing gaps in legal protections for consumer health data outside of the Health Insurance Portability and Accountability Act’s (HIPAA) coverage.” Feedback is welcome until 25 September.
    • The organizations asserted
      • The standards’ emphasis is on transparency, accountability, and the limitation on health data collection, disclosure, and use. Importantly, the standards:
        • (1) move beyond outdated notice and consent models,
        • (2) cover all health information, and
        • (3) cover all entities that use, disclose or collect consumer health information, regardless of the size or business model of the covered entity.
      • This proposal is not designed to be a replacement for necessary comprehensive data privacy legislation. Given that Congressional action to pass such a law is likely some time away, this effort is designed to build consensus on best practices and to do what we can now, in the interim, to shore up protections for non-HIPAA covered health data.

Further Reading

  • Big Oil Faded. Will Big Tech?” By Shira Ovide – The New York Times. This piece suggests that the so-called Big Tech companies may someday wane as many energy companies like Exxon are currently doing. The interesting point is made that a company or field’s preeminence can rapidly disappear and it can seem dominant until it is not. And this frequently happens for reasons that do not seem apparent or related. Ironically, Exxon essentially got pushed out of the Dow Jones Industrial Average because Apple had to split its stock because of its surging valuation. Another tech company, Salesforce, will replace Exxon.
  • Apple wants to stop advertisers from following you around the web. Facebook has other ideas.” By Peter Kafka – Recode. Apple will extend a feature from Safari to its next iOS for iPhones where users will soon be asked whether they want to allow apps to track them across the web and other apps in order to deliver them targeted, personalized advertising. To no great surprise, it is being assumed many users will say no, diminishing a prime mode by which companies reap data and show people advertisements that are intimately tied to what they read and watch online. Consequently, advertisers will be less willing to spend dollars on more general ads and income will be depressed for the two major players in this market: Facebook and Google. Facebook has already declared it will not use Apple’s device identifier unique to every iPhone or Apple Watch, meaning users downloading the Facebook app will not get the choice of whether to say no to the companies tracking them. It is not clear how well this workaround will mitigate the projected loss in ad revenue for Facebook, but it does represent the latest chapter in the fight between the two companies. Facebook has lined up with Epic Games, maker of Fortnite, in its suit against Apple regarding App Store policies. It is very likely Apple sees this change to iOS 14 as a means of burnishing its reputation as being more concerned about its users privacy than competitors in Silicon Valley, which it can afford to be considering it does not earn most of its revenue the same way Facebook does, and curry favor in Washington and Brussels where it is facing antitrust scrutiny.
  • Want a Free Amazon Halo Wearable? Just Hand Over Your Data to This Major Insurance Company” By Emily Mullin – OneZero. Amazon has teamed with insurer John Hancock to offer a wearable health and fitness tracker that will be used to collect personal data on wearers that is designed to nudge them into better behaviors and better health. This is not the first such pairing, and it raises a host of policy issues, for healthier people would be poised to reap benefits not available to less healthy people. Some insurers are offering modest amounts of cash or gift cards for exercising regularly or other benefits that would not go to less healthy people. These sorts of programs are similar to employee health and wellness programs that were enshrined in the “Patient Protection and Affordable Care Act” that studies have suggested do not work very well. Additionally, companies like Amazon and John Hancock will be collecting and processing all sorts of very sensitive personal information, making them likely targets of hacking operations. Also, there are privacy implications, for these wearable devices will likely allow companies to know the most intimate details of wearers’ lives.
  • TikTok Deal Is Complicated by New Rules From China Over Tech Exports” By Paul Mozur, Raymond Zhong and David McCabe – The New York Times; “TikTok Is Said to Wrestle With Two Competing Offers” By Mike Isaac – The New York Times; “China’s new tech export restrictions further cloud US TikTok sale and raise the risk of protectionism” By Coco Feng, Tracy Qu and Amanda Lee– South China Morning Post; “China puts drones and laser tech on restricted export list after US tightens rules” By Sidney Leng – South China Morning Post; “TikTok Chief Executive Kevin Mayer Resigns” By Mike Isaac – The New York Times.In a surprise announcement from two agencies late last week, the People’s Republic of China changed its export control rules for the first time since 2008 to likely have leverage over TikTok’s sale to a United States (U.S.) entity. Ostensibly, the changes are “to regulate technology exports, promote scientific and technological progress and economic and technological cooperation, and maintain national economic security,” but the inclusion of “personalised information recommendation service technology based on data analysis” and “artificial intelligence interactive interfaces” likely point to ByteDance’s app, TikTok. In fact a researcher with the PRC Ministry of Commerce was quoted as asserting “[t]he time to publish the new update of the export control list has been expedited due to the TikTok sale.” Moreover, the PRC’s timeline for deciding on whether an export license is needed is the same as the Trump Administration’s second executive order directing ByteDance to divest TikTok. Incidentally, these changes are probably in response to tighten of U.S. export controls against the PRC, which could set off retaliatory moves. In any event, Beijing will now have to approve any sale of TikTok operations in the U.S. Also, Walmart has apparently joined forces with Microsoft in preparing a bid on TikTok in competition with Oracle which threw its proverbal hat into the ring last week. And, new TikTok CEO Kevin Mayer stepped down in a surprise move citing ByteDance’s changed circumstances.
  • Trump aides interviewing replacement for embattled FTC chair” By Leah Nylen, Betsy Woodruff Swan, John Hendel and Daniel Lippman – Politico. The Trump Administration may be trying to force out Federal Trade Commission Chair Joe Simons or merely interviewing replacements if he steps down next year should President Donald Trump still be in the White House next year. Given the reports that Simons has resisted pressure from the White House to comply with the executive order on Section 230 by investigating social media platforms, Simons has likely not won any new fans at 1600 Pennsylvania Avenue. Having said that, removing an FTC Commissioner is much harder than other top positions in the U.S. government, and the FTC is designed to be insulated from political pressure. However, Commissioners are politicians, too, and carefully gauge the direction the wind is blowing. That being said, Simons has also sent out signals he will step down next year and return to private practice, so the interviewing of possible successors may be entirely normal in an Administration that usually does not operate normally.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Gordon Johnson from Pixabay

Further Reading, Other Developments, and Coming Events (21 August)

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.” By 21 August, the FTC “is seeking comment on a range of issues including:
    • How are companies currently implementing data portability? What are the different contexts in which data portability has been implemented?
    • What have been the benefits and costs of data portability? What are the benefits and costs of achieving data portability through regulation?
    • To what extent has data portability increased or decreased competition?
    • Are there research studies, surveys, or other information on the impact of data portability on consumer autonomy and trust?
    • Does data portability work better in some contexts than others (e.g., banking, health, social media)? Does it work better for particular types of information over others (e.g., information the consumer provides to the business vs. all information the business has about the consumer, information about the consumer alone vs. information that implicates others such as photos of multiple people, comment threads)?
    • Who should be responsible for the security of personal data in transit between businesses? Should there be data security standards for transmitting personal data between businesses? Who should develop these standards?
    • How do companies verify the identity of the requesting consumer before transmitting their information to another company?
    • How can interoperability among services best be achieved? What are the costs of interoperability? Who should be responsible for achieving interoperability?
    • What lessons and best practices can be learned from the implementation of the data portability requirements in the GDPR and CCPA? Has the implementation of these requirements affected competition and, if so, in what ways?”
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • The National Institute of Standards and Technology (NIST) published for input Four Principles of Explainable Artificial Intelligence (Draft NISTIR 8312) in which the authors stated:
    • We introduce four principles for explainable artificial intelligence (AI) that comprise the fundamental properties for explainable AI systems. They were developed to encompass the multidisciplinary nature of explainable AI, including the fields of computer science,  engineering, and psychology. Because one size fits all explanations do not exist, different users will require different types of explanations. We present five categories of explanation and summarize theories of explainable AI. We give an overview of the algorithms in the field that cover the major classes of explainable algorithms. As a baseline comparison, we assess how well explanations provided by people follow our four principles. This assessment provides insights to the challenges of designing explainable AI systems.
    • NIST said “our four principles of explainable AI are:
      • Explanation: Systems deliver accompanying evidence or reason(s) for all outputs.
      • Meaningful: Systems provide explanations that are understandable to individual users.
      • Explanation Accuracy: The explanation correctly reflects the system’s process for generating the output.
      • Knowledge Limits: The system only operates under conditions for which it was designed or when the system reaches a sufficient confidence in its output.
    • A year ago, NIST published “U.S. LEADERSHIP IN AI: A Plan for Federal Engagement in Developing Technical Standards and Related Tools” as required by Executive Order (EO) 13859, Maintaining American Leadership in Artificial Intelligence in response to an August 10, 2019 due date. 
      • NIST explained that “[t]here are a number of cross-sector (horizontal) and sector-specific (vertical) AI standards available now and many others are being developed by numerous standards developing organizations (SDOs)…[and] [s]ome areas, such as communications, have well-established and regularly maintained standards in widespread use, often originally developed for other technologies. Other aspects, such as trustworthiness, are only now being considered.” NIST explained that its AI plan “identifies the following nine areas of focus for AI standards: 
        • Concepts and terminology
        • Data and knowledge 
        • Human interactions 
        • Metrics
        • Networking
        • Performance testing and reporting methodology
        • Safety
        • Risk management
        • Trustworthiness
      • NIST asserting that “[i]n deciding which standards efforts merit strong Federal government involvement, U.S. government agencies should prioritize AI standards efforts that are:
        • Consensus-based, where decision-making is based upon clearly established terms or agreements that are understood by all involved parties, and decisions are reached on general agreement.
        • Inclusive and accessible, to encourage input reflecting diverse and balanced communities of users, developers, vendors, and experts. Stakeholders should include representatives from diverse technical disciplines as well as experts and practioners from non-traditional disciplines of special importance to AI such as ethicists, economists, legal professionals, and policy makers: essentially, accommodating all desiring a “seat at the table.”
        • Multi-path, developed through traditional and novel standards-setting approaches and organizations that best meet the needs of developers and users in the marketplace as well as society at large.
        • Open and transparent, operating in a manner that: provides opportunity for participation by all directly- and materially- affected; has well-established and readily accessible operating rules, procedures, and policies that provide certainty about decision making processes; allows timely feedback for further consideration of the standard; and ensures prompt availability of the standard upon adoption.
        • Result in globally relevant and non-discriminatory standards, where standards avoid becoming non-tariff trade barriers or locking in particular technologies or products.
  • Consumer Watchdog has sued Zoom Video Communications “for making false and deceptive representations to consumers about its data security practices in violation of the District of Columbia Consumer Protection Procedures Act (CPPA).” The advocacy organization asserted
    • To distinguish itself from competitors and attract new customers, Zoom began advertising and touting its use of a strong security feature called “end-to-end encryption” to protect communications on its platform, meaning that the only people who can access the communicated data are the sender and the intended recipient. Using end-to-end encryption prevents unwanted third parties—including the company that owns the platform (in this case, Zoom)—from accessing communications, messages, and data transmitted by users.
    • Unfortunately, Zoom’s claims that communications on its platform were end-to-end encrypted were false. Zoom only used the phrase “end-to-end encryption” as a marketing device to lull consumers and businesses into a false sense of security.
    • The reality is that Zoom is, and has always been, capable of intercepting and accessing any and all of the data that users transmit on its platform—the very opposite of end-to-end encryption. Nonetheless, Zoom relied on its end-to-end encryption claim to attract customers and to build itself into a publicly traded company with a valuation of more than $70 billion.
    • Consumer Watchdog is seeking the greater of treble damages or $1,500 per violation along with other relief
    • Zoom is being sued in a number of other cases, including two class action suits in United States courts in Northern California (#1 and #2).
  • The United States (U.S.) Government Accountability Office (GAO) decided the Trump Administration violated the order of succession at the U.S. Department of Homeland Security by naming the Customs and Border Protection (CBP) Commissioner of Kevin McAleenan the acting Secretary after former Secretary Kirstjen Nielsen resigned early in 2019. The agency’s existing order of succession made clear that Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher Krebs was next in line to lead DHS. The GAO added “[a]s such, the subsequent appointments of Under Secretary for Strategy, Policy, and Plans, Chad Wolf and Principal Deputy Director of U.S. Citizenship and Immigration Services (USCIS) Ken Cuccinelli were also improper because they relied on an amended designation made by Mr. McAleenan.”
    • However, GAO is punting the question of what the implications of its findings are:
      • In this decision we do not review the consequences of Mr. McAleenan’s service as Acting Secretary, other than the consequences of the November delegation, nor do we review the consequences of Messers. Wolf and Cuccinelli service as Acting Secretary and Senior Official Performing the Duties of Deputy Secretary respectively.
      • We are referring the question as to who should be serving as the Acting Secretary and the Senior Official Performing the Duties of Deputy Secretary to the DHS Office of Inspector General for its review.
      • We also refer to the Inspector General the question of consequences of actions taken by these officials, including consideration of whether actions taken by these officials may be ratified by the Acting Secretary and Senior Official Performing the Duties of Deputy Secretary as designated in the April Delegation.
    • The GAO also denied DHS’s request to rescind this opinion because “DHS has not shown that our decision contains either material errors of fact or law, nor has DHS provided information not previously considered that warrants reversal or modification of the decision.”
    • The chairs of the House Homeland Security and Oversight and Reform Committees had requested the GAO legal opinion and claimed in their press release the opinion “conclude[es] that President Donald Trump’s appointments to senior leadership positions at the Department of Homeland Security were illegal and circumvented both the Federal Vacancy Reform Act and the Homeland Security Act.”
  • Top Democrats on the House Energy and Commerce Committee wrote the members of the Facebook Oversight Board expressing their concern the body “does not have the power it needs to change Facebook’s harmful policies.” Chair Frank Pallone, Jr. (D-NJ), Communications and Technology Subcommittee Chair Mike Doyle (D-PA) and Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky (D-IL) “encouraged the newly appointed members to exert pressure on Facebook to listen to and act upon their policy recommendations, something that is not currently included in the Board Members’ overall responsibilities.” They asserted:
    • The Committee leaders believe Facebook is intentionally amplifying divisive and conspiratorial content because such content attracts more customer usage and, with it, advertising revenue. Pallone, Doyle and Schakowsky were also troubled by recent reports that Facebook had an opportunity to retune its systems responsible for the amplification of this content, but chose not to. 
    • The three Committee leaders wrote that the public interest should be the Oversight Board’s priority and that it should not be influenced by the profit motives of Facebook executives. Pallone, Doyle and Schakowsky also requested the board members answer a series of questions in the coming weeks.
  • The United States (U.S.) Government Accountability Office (GAO) examined how well the United States Department of Homeland Security and selected federal agencies are implementing a cybersecurity program designed to give the government better oversight and control of their networks. In auditing the Continuous Diagnostics and Mitigation (CDM), the GAO found limited success and ongoing, systemic roadblocks preventing increased levels of security. DHS has estimated the program will cost $10.9 billion over ten years.
    • The GAO concluded
      • Selected agencies reported that the CDM program had helped improve their awareness of hardware on their networks. However, although the program has been in existence for several years, these agencies had only implemented the foundational capability for managing hardware to a limited extent, including not associating hardware devices with FISMA systems. In addition, while most agencies implemented requirements for managing software, all of them inconsistently implemented requirements for managing configuration settings. Moreover, poor data quality resulting from these implementation shortcomings diminished the usefulness of agency dashboards to support security-related decision making. Until agencies fully and effectively implement CDM program capabilities, including the foundational capability of managing hardware on their networks, agency and federal dashboards will not accurately reflect agencies’ security posture. Part of the reason that agencies have not fully implemented key CDM requirements is that DHS had not ensured integrators had addressed shortcomings with integrators’ CDM solutions for managing hardware and vulnerabilities. Although DHS has taken various actions to address challenges identified by agencies, without further assistance from DHS in helping agencies overcome implementation shortcomings, the program—costing billions of dollars— will likely not fully achieve expected benefits.
    • The chairs and ranking members of the Senate Homeland Security & Governmental Affairs and House Homeland Security Committees, the chair of the House Oversight and Reform Committee, and other Members requested that the GAO study and report on this issue.
  • Google and the Australian Competition and Consumer Commission (ACCC) have exchanged public letters, fighting over the latter’s proposal to ensure that media companies are compensated for articles and content the former uses.
    • In an Open Letter to Australians, Google claimed:
      • A proposed law, the News Media Bargaining Code, would force us to provide you with a dramatically worse Google Search and YouTube, could lead to your data being handed over to big news businesses, and would put the free services you use at risk in Australia.
      • You’ve always relied on Google Search and YouTube to show you what’s most relevant and helpful to you. We could no longer guarantee that under this law. The law would force us to give an unfair advantage to one group of businesses – news media businesses – over everyone else who has a website, YouTube channel or small business. News media businesses alone would be given information that would help them artificially inflate their ranking over everyone else, even when someone else provides a better result. We’ve always treated all website owners fairly when it comes to information we share about ranking. The proposed changes are not fair and they mean that Google Search results and YouTube will be worse for you.
      • You trust us with your data and our job is to keep it safe. Under this law, Google has to tell news media businesses “how they can gain access” to data about your use of our products. There’s no way of knowing if any data handed over would be protected, or how it might be used by news media businesses.
      • We deeply believe in the importance of news to society. We partner closely with Australian news media businesses — we already pay them millions of dollars and send them billions of free clicks every year. We’ve offered to pay more to license content. But rather than encouraging these types of partnerships, the law is set up to give big media companies special treatment and to encourage them to make enormous and unreasonable demands that would put our free services at risk.
    • In its response, the ACCC asserted:
      • The open letter published by Google today contains misinformation about the draft news media bargaining code which the ACCC would like to address. 
      • Google will not be required to charge Australians for the use of its free services such as Google Search and YouTube, unless it chooses to do so.
      • Google will not be required to share any additional user data with Australian news businesses unless it chooses to do so.
      • The draft code will allow Australian news businesses to negotiate for fair payment for their journalists’ work that is included on Google services.
      • This will address a significant bargaining power imbalance between Australian news media businesses and Google and Facebook.
    • Late last month, the ACCC released for public consultation a draft of “a mandatory code of conduct to address bargaining power imbalances between Australian news media businesses and digital platforms, specifically Google and Facebook.” The government in Canberra had asked the ACCC to draft this code earlier this year after talks broke down between the Australian Treasury and the companies.
    • The ACCC explained
      • The code would commence following the introduction and passage of relevant legislation in the Australian Parliament. The ACCC released an exposure draft of this legislation on 31 July 2020, with consultation on the draft due to conclude on 28 August 2020. Final legislation is expected to be introduced to Parliament shortly after conclusion of this consultation process.
    • This is not the ACCC’s first interaction with the companies. Late last year, the ACCC announced a legal action against Google “alleging they engaged in misleading conduct and made false or misleading representations to consumers about the personal location data Google collects, keeps and uses” according to the agency’s press release. In its initial filing, the ACCC is claiming that Google mislead and deceived the public in contravention of the Australian Competition Law and Android users were harmed because those that switched off Location Services were unaware that their location information was still be collected and used by Google for it was not readily apparent that Web & App Activity also needed to be switched off.
    • A year ago, the ACCC released its final report in its “Digital Platforms Inquiry” that “proposes specific recommendations aimed at addressing some of the actual and potential negative impacts of digital platforms in the media and advertising markets, and also more broadly on consumers.”
  • The United States Coast Guard is asking for information on “the introduction and development of automated and autonomous commercial vessels and vessel technologies subject to U.S. jurisdiction, on U.S. flagged commercial vessels, and in U.S. port facilities.” The Coast Guard is particularly interested in the “barriers to the development of autonomous vessels.” The agency stated
    • On February 11, 2019, the President issued Executive Order (E.O.) 13859, “Maintaining American Leadership in Artificial Intelligence.”The executive order announced the policy of the United States Government to sustain and enhance the scientific, technological, and economic leadership position of the United States in artificial intelligence (AI) research and development and deployment through a coordinated Federal Government strategy. Automation is a broad category that may or may not incorporate many forms of technology, one of which is AI. This request for information (RFI) will support the Coast Guard’s efforts to accomplish its mission consistent with the policies and strategies articulated in E.O. 13859. Input received from this RFI will allow the Coast Guard to better understand, among other things, the intersection between AI and automated or autonomous technologies aboard commercial vessels, and to better fulfill its mission of ensuring our Nation’s maritime safety, security, and stewardship.

Further Reading

  • ‘Boring and awkward’: students voice concern as colleges plan to reopen – through Minecraft” By Kari Paul – The Guardian. A handful of universities in the United States (U.S.) are offering students access to customized Minecraft, an online game that allows players to build worlds. The aim seems to be to allow students to socialize online in replicas on their campuses. The students interviewed for this story seemed underwhelmed by the effort, however.
  • When regulators fail to rein in Big Tech, some turn to antitrust litigation” – By Reed Albergotti and Jay Greene – The Washington Post. This article places Epic Games suit against Apple and Google into the larger context of companies availing themselves of the right to sue themselves under antitrust laws in the United States. However, for a number of reasons, these suits have not often succeeded, and one legal commentator opined that judges tend to see these actions as sour grapes. However, revelations turned up during discovery can lead antitrust regulators to jump into proceedings, giving the suit additional heft.
  • What Can America Learn from Europe About Regulating Big Tech?” By Nick Romeo – The New Yorker.  A former Member of the European Parliament, Marietje Schaake, from the Netherlands is now a professor at Stanford and is trying to offer a new path on regulating big tech that would rein in the excesses and externalities while allowing new technologies and competition to flourish. The question is whether there is a wide enough appetite for her vision in the European Union let alone the United States.
  • Facebook employees internally question policy after India content controversy – sources, memos” By Aditya Kalra and Munsif Vengattil – Reuters. The tech giant is also facing an employee revolt in the world’s largest democracy. Much like in the United States and elsewhere, employees are pressing leadership to explain why they are seemingly not applying the platform’s rules on false and harmful material to hateful speech by leaders. In this case, it was posts by a member of the ruling Bharatiya Janata Party (BJP) calling Indian Muslims traitors. And, in much the same way accusations have been leveled at a top Facebook lobbyist in Washington who has allegedly interceded on behalf of Republicans and far right interests on questionable material, a lobbyist in New Delhi has done the same the BJB.
  • List of 2020 election meddlers includes Cuba, Saudi Arabia and North Korea, US intelligence official says” By Shannon Vavra – cyberscoop. At a virtual event this week, National Counterintelligence and Security Center (NCSC) Director William Evanina claimed that even more nations are trying to disrupt the United States election this fall, including Cuba, Saudi Arabia, and North Korea. Evanina cautioned anyone lest they think the capabilities of these nations rise to the level of the Russian Federation, People’s Republic of China, and Iran. Earleir this month, Evanina issued an update to his late July statement “100 Days Until Election 2020” through “sharing additional information with the public on the intentions and activities of our adversaries with respect to the 2020 election…[that] is being released for the purpose of better informing Americans so they can play a critical role in safeguarding our election.” Evanina offered more in the way of detail on the three nations identified as those being most active in and capable of interfering in the November election: the Russian Federation, the PRC, and Iran. This additional detail may well have been provided given the pressure Democrats in Congress to do just this. Members like Speaker of the House Nancy Pelosi (D-CA) argued that Evanina was not giving an accurate picture of the actions by foreign nations to influence the outcome and perception of the 2020 election. Republicans in Congress pushed back, claiming Democrats were seeking to politicize the classified briefings given by the Intelligence Community (IC).

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Silentpilot from Pixabay

Further Reading, Other Developments, and Coming Events (19 August)

Coming Events

  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.” By 21 August, the FTC “is seeking comment on a range of issues including:
    • How are companies currently implementing data portability? What are the different contexts in which data portability has been implemented?
    • What have been the benefits and costs of data portability? What are the benefits and costs of achieving data portability through regulation?
    • To what extent has data portability increased or decreased competition?
    • Are there research studies, surveys, or other information on the impact of data portability on consumer autonomy and trust?
    • Does data portability work better in some contexts than others (e.g., banking, health, social media)? Does it work better for particular types of information over others (e.g., information the consumer provides to the business vs. all information the business has about the consumer, information about the consumer alone vs. information that implicates others such as photos of multiple people, comment threads)?
    • Who should be responsible for the security of personal data in transit between businesses? Should there be data security standards for transmitting personal data between businesses? Who should develop these standards?
    • How do companies verify the identity of the requesting consumer before transmitting their information to another company?
    • How can interoperability among services best be achieved? What are the costs of interoperability? Who should be responsible for achieving interoperability?
    • What lessons and best practices can be learned from the implementation of the data portability requirements in the GDPR and CCPA? Has the implementation of these requirements affected competition and, if so, in what ways?”
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • The United States (U.S.) Department of Commerce tightened its chokehold on Huawei’s access to United States’ semiconductors and chipsets vital to its equipment and services. This rule follows a May rule that significantly closed off Huawei’s access to the point that many analysts are projecting the People’s Republic of China company will run out of these crucial technologies sometime next year without a suitable substitute, meaning the company may not be able to sell its smartphone and other leading products. In its press release, the department asserted the new rule “further restricts Huawei from obtaining foreign made chips developed or produced from U.S. software or technology to the same degree as comparable U.S. chips.”
    • Secretary of Commerce Wilbur Ross argued “Huawei and its foreign affiliates have extended their efforts to obtain advanced semiconductors developed or produced from U.S. software and technology in order to fulfill the policy objectives of the Chinese Communist Party.” He contended “[a]s we have restricted its access to U.S. technology, Huawei and its affiliates have worked through third parties to harness U.S. technology in a manner that undermines U.S. national security and foreign policy interests…[and] his multi-pronged action demonstrates our continuing commitment to impede Huawei’s ability to do so.”
    • The Department of Commerce’s Bureau of Industry and Security (BIS) stated in the final rule that it is “making three sets of changes to controls for Huawei and its listed non-U.S. affiliates under the Export Administration Regulations (EAR):
      • First, BIS is adding additional non-U.S. affiliates of Huawei to the Entity List because they also pose a significant risk of involvement in activities contrary to the national security or foreign policy interests of the United States.
      • Second, this rule removes a temporary general license for Huawei and its non-U.S. affiliates and replaces those provisions with a more limited authorization that will better protect U.S. national security and foreign policy interests.
      • Third, in response to public comments, this final rule amends General Prohibition Three, also known as the foreign-produced direct product rule, to revise the control over certain foreign-produced items recently implemented by BIS.”
    • BIS claimed “[t]hese revisions promote U.S. national security by limiting access to, and use of, U.S. technology to design and produce items outside the United States by entities that pose a significant risk of involvement in activities contrary to the national security or foreign policy interests of the United States.”
    • One technology analyst claimed “[t]he U.S. moves represent a significant tightening of restrictions over Huawei’s ability to procure semiconductors…[and] [t]hat puts into significant jeopardy its ability to continue manufacturing smartphones and base stations, which are its core products.”
  • The Office of Management and Budget (OMB) and the Office of Science and Technology Policy (OSTP) have released their annual guidance to United States department and agencies to direct their budget requests for FY 2022 with respect to research and development (R&D). OMB explained:
  • For FY2022, the five R&D budgetary priorities in this memorandum ensure that America remains at the global forefront of science and technology (S&T) discovery and innovation. The Industries of the Future (IotF) -artificial intelligence (AI), quantum information sciences (QIS), advanced communication networks/5G, advanced manufacturing, and biotechnology-remain the Administration’s top R&D priority. This includes fulfilling President Trump’s commitment to double non-defense AI and QIS funding by FY2022:
    • American Public Health Security and Innovation
    • American Leadership in the Industries of the Future and Related Technologies
    • American Security
    • American Energy and Environmental Leadership
    • American Space Leadership
  • In light of the significant health and economic disruption caused by the COVID-19 pandemic, the FY2022 memorandum includes a new R&D priority aimed at American Public Health Security and Innovation. This priority brings under a single, comprehensive umbrella biomedical and biotechnology R&D aimed at responding to the pandemic and ensuring the U.S. S&T enterprise is maximally prepared for any health-related threats.
  • Lastly, this memorandum also describes/our high-priority crosscutting actions. These actions include research and related strategies that underpin the five R&D priorities and ensure departments and agencies deliver maximum return on investment to the American people:
    • Build the S&T Workforce of the Future
    • Optimize Research Environments and Results
    • Facilitate Multisector Partnerships and Technology Transfer
    • Leverage the Power of Data
  • Despite the Trump Administration touting its R&D priorities and achievements, the non-partisan Congressional Research Service noted
    • President Trump’s budget request for FY2021 includes approximately $142.2 billion for research and development (R&D) for FY 2021, $13.8 billion (8.8%) below the FY2020 enacted level of $156.0 billion. In constant FY 2020 dollars, the President’s FY 2021 R&D request would result in a decrease of $16.6 billion (10.6%) from the FY 2020 level.
  • Two key chairs of subcommittees of the Senate Commerce, Science, and Transportation Committee are pressing the Federal Trade Commission (FTC) to investigate TikTok’s data collection and processing practices. This Committee has primary jurisdiction over the FTC in the Senate and is a key stakeholder on data and privacy issues.
    • In their letter, Consumer Protection Subcommittee Chair Jerry Moran (R-KS) and Communications, Technology, Innovation Chair John Thune (R-SD) explained they are “are seeking specific answers from the FTC related to allegations from a Wall Street Journal article that described TikTok’s undisclosed collection and transmission of unique persistent identifiers from millions of U.S. consumers until November 2019…[that] also described questionable activity by the company as it relates to the transparency of these data collection activities, and the letter seeks clarity on these practices.”
    • Moran and Thune asserted “there are allegations that TikTok discretely collected media access control (MAC) addresses, commonly used for advertisement targeting purposes, through Google Android’s operating system under an “unusual layer of encryption” through November 2019.” They said “[g]iven these reports and their potential relevancy to the “Executive Order on Addressing the Threat Posed by TikTok,” we urge the Federal Trade Commission (FTC) to investigate the company’s consumer data collection and processing practices as they relate to these accusations and other possible harmful activities posed to consumers.”
    • If the FTC were to investigate, find wrongdoing, and seek civil fines against TikTok, the next owner may be left to pay as the White House’s order to ByteDance to sell the company within three months will almost certainly be consummated before any FTC action is completed.
  • Massachusetts Attorney General Maura Healey (D) has established a “Data Privacy and Security Division within her office to protect consumers from the surge of threats to the privacy and security of their data in an ever-changing digital economy.” Healey has been one of the United States’ more active attorneys general on data privacy and technology issues, including her suit and settlement with Equifax for its massive data breach.
    • Her office explained:
      • The Data Privacy and Security Division investigates online threats and the unfair or deceptive collection, use, and disclosure of consumers’ personal data through digital technologies. The Division aims to empower consumers in the digital economy, ensure that companies are protecting consumers’ personal data from breach, protect equal and open access to the internet, and protect consumers from data-driven technologies that unlawfully deny them fair access to socioeconomic opportunities. The Division embodies AG Healey’s commitment to continue and grow on this critical work and ensure that data-driven technologies operate lawfully for the benefit of all consumers.
  • A California appeals court ruled that Amazon can be held liable for defective products their parties sell on its website. The appellate court reversed the trial court which held Amazon could not be liable.
    • The appeals court recited the facts of the case:
      • Plaintiff Angela Bolger bought a replacement laptop computer battery on Amazon, the popular online shopping website operated by defendant Amazon.com, LLC. The Amazon listing for the battery identified the seller as “E-Life, ”a fictitious name used on Amazon by Lenoge Technology (HK) Ltd. (Lenoge). Amazon charged Bolger for the purchase, retrieved the laptop battery from its location in an Amazon warehouse, prepared the battery for shipment in Amazon-branded packaging, and sent it to Bolger. Bolger alleges the battery exploded several months later, and she suffered severe burns as a result.
      • Bolger sued Amazon and several other defendants, including Lenoge. She alleged causes of action for strict products liability, negligent products liability, breach of implied warranty, breach of express warranty, and “negligence/negligent undertaking.”
    • The appeals court continued:
      • Amazon moved for summary judgment. It primarily argued that the doctrine of strict products liability, as well as any similar tort theory, did not apply to it because it did not distribute, manufacture, or sell the product in question. It claimed its website was an “online marketplace” and E-Life (Lenoge) was the product seller, not Amazon. The trial court agreed, granted Amazon’s motion, and entered judgment accordingly.
      • Bolger appeals. She argues that Amazon is strictly liable for defective products offered on its website by third-party sellers like Lenoge. In the circumstances of this case, we agree.
  • The National Institute of Standards and Technology (NIST) issued Special Publication 800-207, “Zero Trust Architecture,” that posits a different conceptual model for an organization’s cybersecurity than perimeter security. NIST claimed:
    • Zero trust security models assume that an attacker is present in the environment and that an enterprise-owned environment is no different—or no more trustworthy—than any nonenterprise-owned environment. In this new paradigm, an enterprise must assume no implicit trust and continually analyze and evaluate the risks to its assets and business functions and then enact protections to mitigate these risks. In zero trust, these protections usually involve minimizing access to resources (such as data and compute resources and applications/services) to only those subjects and assets identified as needing access as well as continually authenticating and authorizing the identity and security posture of each access request.
    • A zero trust architecture (ZTA) is an enterprise cybersecurity architecture that is based on zero trust principles and designed to prevent data breaches and limit internal lateral movement. This publication discusses ZTA, its logical components, possible deployment scenarios, and threats. It also presents a general road map for organizations wishing to migrate to a zero trust design approach and discusses relevant federal policies that may impact or influence a zero trust architecture.
    • ZT is not a single architecture but a set of guiding principles for workflow, system design and operations that can be used to improve the security posture of any classification or sensitivity level [FIPS199]. Transitioning to ZTA is a journey concerning how an organization evaluates risk in its mission and cannot simply be accomplished with a wholesale replacement of technology. That said, many organizations already have elements of a ZTA in their enterprise infrastructure today. Organizations should seek to incrementally implement zero trust principles, process changes, and technology solutions that protect their data assets and business functions by use case. Most enterprise infrastructures will operate in a hybrid zero trust/perimeter-based mode while continuing to invest in IT modernization initiatives and improve organization business processes.
  • The United Kingdom’s Government Communications Headquarters’ (GCHQ) National Cyber Security Centre (NCSC) released “Cyber insurance guidance” “for organisations of all sizes who are considering purchasing cyber insurance…not intended to be a comprehensive cyber insurance buyers guide, but instead focuses on the cyber security aspects of cyber insurance.” The NCSC stated “[i]f you are considering cyber insurance, these questions can be used to frame your discussions…[and] [t]his guidance focuses on standalone cyber insurance policies, but many of these questions may be relevant to cyber insurance where it is included in other policies.”

Further Reading

  • I downloaded Covidwise, America’s first Bluetooth exposure-notification app. You should, too.” By Geoffrey Fowler – The Washington Post. The paper’s technology columnist blesses the Apple/Google Bluetooth exposure app and claims it protects privacy. One person on Twitter pointed out the Android version will not work unless location services are turned on, which is contrary to the claims made by Google and Apple, an issue the New York Times investigated last month. A number of European nations have pressed Google to remove this feature, and a Google spokesperson claimed the Android Bluetooth tracing capability did not use location services, begging the question why the prompt appears. Moreover, one of the apps Fowler names has had its own privacy issues as detailed by The Washington Post in May. As it turns out Care19, a contact tracing app developed when the governor of North Dakota asked a friend who had designed a app for football fans to meet up, is violating its own privacy policy according to Jumbo, the maker of privacy software. Apparently, Care19 shares location and personal data with FourSquare when used on iPhones. Both Apple and state officials are at a loss to explain how this went unnoticed when the app was scrubbed for technical and privacy problems before being rolled out.
  • Truss leads China hawks trying to derail TikTok’s London HQ plan” By Dan Sabbagh – The Guardian. ByteDance’s plan to establish a headquarters in London is now under attack by members of the ruling Conservative party for the company’s alleged role in persecuting the Uighur minority in Xinjiang. ByteDance has been eager to move to London and also eager to avoid the treatment that another tech company from the People’s Republic of China has gotten in the United Kingdom (UK): Huawei. Nonetheless, this decision may turn political as the government’s reversal on Huawei and 5G did. Incidentally, if Microsoft does buy part of TikTok, it would be buying operations in four of the five Five Eyes nations but not the UK.
  • Human Rights Commission warns government over ‘dangerous’ use of AI” By Fergus Hunter – The Sydney Morning Herald. A cautionary tale regarding the use of artificial intelligence and algorithms in government decision-making. While this article nominally pertains to Australia’s Human Rights Commission advice to the country’s government, it is based, in large part, on a scandal in which an automated process illegally collected $721 million AUD from welfare beneficiaries. In the view of the Human Rights Commission, decision-making by humans is still preferable and more accurate than automated means.
  • The Attack That Broke Twitter Is Hitting Dozens of Companies” By Andy Greenberg – WIRED. In the never-ending permutations of hacking, the past has become the present because the Twitter hackers use phone calls to talk their way into gaining access to a number of high-profile accounts (aka phone spear phishing.) Other companies are suffering the same onslaught, proving the axiom that people may be the weakest link in cybersecurity. However, the phone calls are based on exacting research and preparation as hackers scour the internet for information on their targets and the companies themselves. A similar hack was reportedly executed by the Democratic People’s Republic of Korea (DPRK) against Israeli defense firms.
  • Miami Police Used Facial Recognition Technology in Protester’s Arrest” By Connie Fossi and Phil Prazan – NBC Miami. The Miami Police Department used Clearview AI to identify a protestor that allegedly injured an officer but did not divulge this fact to the accused or her attorney. The department’s policy on facial recognition technology bars officers from making arrests solely on the basis of identification through such a system. Given the error rates many facial recognition systems have experienced with identifying minorities and the use of masks during the pandemic, which further decreases accuracy, it is quite likely people will be wrongfully accused and convicted using this technology.
  • Big Tech’s Domination of Business Reaches New Heights” By Peter Eavis and Steve Lohr – The New York Times. Big tech has gotten larger, more powerful, and more indispensable in the United States (U.S.) during the pandemic, and one needs to go back to the railroads in the late 19th Century to find comparable companies. It is an open question whether their size and influence will change much no matter who is president of the U.S. next year.
  • License plate tracking for police set to go nationwide” By Alfred Ng – c/net. A de facto national license plate reader may soon be activated in the United States (U.S.). Flock Safety unveiled the “Total Analytics Law Officers Network,” (TALON) that will link its systems of cameras in more than 700 cities, allowing police departments to track cars across multiple jurisdictions. As the U.S. has no national laws regulating the use of this and other similar technologies, private companies may set policy for the country in the short term.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (13 August)

Here are Further Reading, Other Developments, and Coming Events:

Coming Events

  • On 18 August, the National Institute of Standards and Technology (NIST) will host the “Bias in AI Workshop, a virtual event to develop a shared understanding of bias in AI, what it is, and how to measure it.”
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.

Other Developments

  • Senate Intelligence Committee Acting Chair Marco Rubio (R-FL) and Vice Chairman Mark Warner (D-VA) released a statement indicating the committee had voted to adopt the fifth and final volume of its investigation of the Russian Federation’s interference in the 2016 election. The committee had submitted the report to the Intelligence Community for vetting and have received the report with edits and redactions. The report could be released sometime over the next few weeks.  Rubio and Warner stated “the Senate Intelligence Committee voted to adopt the classified version of the final volume of the Committee’s bipartisan Russia investigation. In the coming days, the Committee will work to incorporate any additional views, as well as work with the Intelligence Community to formalize a properly redacted, declassified, publicly releasable version of the Volume 5 report.” The Senate Intelligence Committee’s has released four previous reports:
  • The National Institute of Standards and Technology (NIST) is accepting comments until 11 September on draft Special Publication 800-53B, “Control Baselines for Information Systems and Organizations,” a guidance document that will serve a key role in the United States government’s efforts to secure and protect the networks and systems it operates and those run by federal contractors. NIST explained:
    • This publication establishes security and privacy control baselines for federal information systems and organizations and provides tailoring guidance for those baselines. The use of the security control baselines is mandatory, in accordance with OMB Circular A-130 [OMB A-130] and the provisions of the Federal Information Security Modernization Act4 [FISMA], which requires the implementation of a set of minimum controls to protect federal information and  information systems. Whereas use of the privacy control baseline is not mandated by law or [OMB A-130], SP 800-53B, along with other supporting NIST publications, is designed to help organizations identify the security and privacy controls needed to manage risk and satisfy the security and privacy requirements in FISMA, the Privacy Act of 1974 [PRIVACT], selected OMB policies (e.g., [OMB A-130]), and designated Federal Information Processing Standards (FIPS), among others
  • The United States Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released an “Election Vulnerability Reporting Guide
    to provide “election administrators with a step-by-step guide, list of resources, and a template for establishing a successful vulnerability disclosure program to address possible vulnerabilities in their state and local election systems…[and] [t]he six steps include:
    • Step 1: Identify Systems Where You Would Accept Security Testing, and those Off-Limits
    • Step 2: Draft an Easy-to-Read Vulnerability Disclosure Policy (See Appendix III)
    • Step 3: Establish a Way to Receive Reports/Conduct Follow-On Communication
    • Step 4: Assign Someone to Thank and Communicate with Researchers
    • Step 5: Assign Someone to Vet and Fix the Vulnerabilities
    • Step 6: Consider Sharing Information with Other Affected Parties
  • The United Kingdom’s Information Commissioner’s Office (ICO) has issued “Guidance on AI and data protection” that “clarifies how you can assess the risks to rights and freedoms that AI can pose from a data protection perspective; and the appropriate measures you can implement to mitigate them.” The ICO explained “[w]hile data protection and ‘AI ethics’ overlap, this guidance does not provide generic ethical or design principles for your use of AI.” The ICO stated “[i]t corresponds to data protection principles, and is structured as follows:
    • part one addresses accountability and governance in AI, including data protection impact assessments (DPIAs);
    • part two covers fair, lawful and transparent processing, including lawful bases, assessing and improving AI system performance, and mitigating potential discrimination;
    • part three addresses data minimisation and security; and
    • part four covers compliance with individual rights, including rights related to automated decision-making.
  •  20 state attorneys general wrote Facebook Chief Executive Officer Mark Zuckerberg and Chief Operating Officer Sheryl Sandberg “to request  that  you  take  additional  steps  to prevent   Facebook   from   being used   to   spread   disinformation   and   hate   and   to   facilitate discrimination.” They also asked “that you take more steps to provide redress for users who fall victim to intimidation and harassment, including violence and digital abuse.” The attorneys general said that “[b]ased on our collective experience, we believe that Facebook should take additional actions including the following steps—many of which are highlighted in Facebook’s recent Civil Rights Audit—to strengthen its commitment to civil rights and fighting disinformation and discrimination:
    • Aggressively enforce Facebook policies against hate speech and organized hate organizations: Although Facebook has developed policies against hate speech and organizations that peddle it, we remain concerned that Facebook’s policies on Dangerous Individuals and Organizations, including but not limited to its policies on white nationalist and white supremacist content, are not enforced quickly and comprehensively enough. Content that violates Facebook’s own policies too often escapes removal just because it comes as coded language, rather than specific magic words. And even where Facebook takes steps to address a particular violation, it often fails to proactively address the follow-on actions by replacement or splinter groups that quickly emerge.
    • Allow public, third-party audits of hate content and enforcement: To gauge the ongoing progress of Facebook’s enforcement efforts, independent experts should be permitted access to the data necessary to conduct regular, transparent third-party audits of hate and hate-related misinformation on the platform, including any information made available to the Global Oversight Board. As part of this effort, Facebook should capture data on the prevalence of different forms of hate content on the platform, whether or not covered by Facebook’s own community standards, thus allowing the public to determine whether enforcement of anti-hate policies differs based on the type of hate content at issue.
    • Commit to an ongoing, independent analysis of Facebook’s content population scheme and the prompt development of best practices guidance: By funneling users toward particular types of content, Facebook’s content population scheme, including its algorithms, can push users into extremist online communities that feature divisive and inflammatory messages, often directed at particular groups. Although Facebook has conducted research and considered programs to reduce this risk, there is still no mandatory guidance for coders and other teams involved in content population. Facebook should commit to an ongoing, independent analysis of its content population scheme, including its algorithms, and also continuously implement mandatory protocols as best practices are identified to curb bias and prevent recommendations of hate content and groups.
    • Expand policies limiting inflammatory advertisements that vilify minority groups: Although Facebook currently prohibits ads that claim that certain people, because of their membership in a protected group, pose a threat to the physical safety of communities or the nation, its policies still allow attacks that characterize such groups as threats to national culture or values. The current prohibition should be expanded to include such ads.
  • New Zealand’s Ministry of Statistics “launched the Algorithm Charter for Aotearoa New Zealand” that “signals that [the nation’s agencies] are committed to being consistent, transparent and accountable in their use of algorithms.”
    • The Ministry explained “[t]he Algorithm Charter is part of a wider ecosystem and works together with existing tools, networks and research, including:
      • Principles for the Safe and Effective Use of Data and Analytics (Privacy Commissioner and Government Chief Data Steward, 2018)
      • Government Use of Artificial Intelligence in New Zealand (New Zealand Law Foundation and Otago University, 2019)
      • Trustworthy AI in Aotearoa – AI Principles (AI Forum New Zealand, 2020)
      • Open Government Partnership, an international agreement to increase transparency.
      • Data Protection and Use Policy (Social Wellbeing Agency, 2020)
      • Privacy, Human Rights and Ethics Framework (Ministry of Social Development).
  • The European Union (EU) imposed its first cyber sanctions under its Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities (aka the cyber diplomacy toolbox) against six hackers and three entities from the Russian Federation, the People’s Republic of China (PRC) and the Democratic People’s Republic of Korea for attacks against the against the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands, the malware attacks known as Petya and WannaCry, and Operation Cloud Hopper. The EU’s cyber sanctions follow sanctions the United States has placed on a number of people and entities from the same nations and also indictments the U.S. Department of Justice has announced over the years. The sanctions are part of the effort to levy costs on nations and actors that conduct cyber attacks. The EU explained:
    • The attempted cyber-attack was aimed at hacking into the Wi-Fi network of the OPCW, which, if successful, would have compromised the security of the network and the OPCW’s ongoing investigatory work. The Netherlands Defence Intelligence and Security Service (DISS) (Militaire Inlichtingen- en Veiligheidsdienst – MIVD) disrupted the attempted cyber-attack, thereby preventing serious damage to the OPCW.
    • “WannaCry” disrupted information systems around the world by targeting information systems with ransomware and blocking access to data. It affected information systems of companies in the Union, including information systems relating to services necessary for the maintenance of essential services and economic activities within Member States.
    • “NotPetya” or “EternalPetya” rendered data inaccessible in a number of companies in the Union, wider Europe and worldwide, by targeting computers with ransomware and blocking access to data, resulting amongst others in significant economic loss. The cyber-attack on a Ukrainian power grid resulted in parts of it being switched off during winter.
    • “Operation Cloud Hopper” has targeted information systems of multinational companies in six continents, including companies located in the Union, and gained unauthorised access to commercially sensitive data, resulting in significant economic loss.
  • The United States’ Federal Communications Commission (FCC) is asking for comments on the Department of Commerce’s the National Telecommunications and Information Administration’s (NTIA) petition asking the agency to start a rulemaking to clarify alleged ambiguities in 47 USC 230 regarding the limits of the liability shield for the content others post online versus the liability protection for “good faith” moderation by the platform itself. The NTIA was acting per direction in an executive order allegedly aiming to correct online censorship. Executive Order 13925, “Preventing Online Censorship” was issued in late May after Twitter factchecked two of President Donald Trump’s Tweets regarding false claims made about mail voting in California in response to the COVID-19 pandemic. Comments are due by 2 September.
  • The Australian Competition & Consumer Commission (ACCC) released for public consultation a draft of “a mandatory code of conduct to address bargaining power imbalances between Australian news media businesses and digital platforms, specifically Google and Facebook.” The government in Canberra had asked the ACCC to draft this code earlier this year after talks broke down between the Australian Treasury
    • The ACCC explained
      • The code would commence following the introduction and passage of relevant legislation in the Australian Parliament. The ACCC released an exposure draft of this legislation on 31 July 2020, with consultation on the draft due to conclude on 28 August 2020. Final legislation is expected to be introduced to Parliament shortly after conclusion of this consultation process.
    • This is not the ACCC’s first interaction with the companies. Late last year, the ACCC announced a legal action against Google “alleging they engaged in misleading conduct and made false or misleading representations to consumers about the personal location data Google collects, keeps and uses” according to the agency’s press release. In its initial filing, the ACCC is claiming that Google mislead and deceived the public in contravention of the Australian Competition Law and Android users were harmed because those that switched off Location Services were unaware that their location information was still be collected and used by Google for it was not readily apparent that Web & App Activity also needed to be switched off.
    • A year ago, the ACCC released its final report in its “Digital Platforms Inquiry” that “proposes specific recommendations aimed at addressing some of the actual and potential negative impacts of digital platforms in the media and advertising markets, and also more broadly on consumers.”
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued “released core guidance documentation for the Trusted Internet Connections (TIC) program, developed to assist agencies in protecting modern information technology architectures and services.” CISA explained “In accordance with the Office of Management and Budget (OMB) Memorandum (M) 19-26: Update to the TIC Initiative, TIC 3.0 expands on the original initiative to drive security standards and leverage advances in technology to secure a wide spectrum of agency network architectures.” Specifically, CISA released three core guidance documents:
    • Program Guidebook (Volume 1) – Outlines the modernized TIC program and includes its historical context
    • Reference Architecture (Volume 2) – Defines the concepts of the program to guide and constrain the diverse implementations of the security capabilities
  • Senators Ron Wyden (D-OR), Bill Cassidy (R-LA) and ten other Members wrote the Federal Trade Commission (FTC) urging the agency “to investigate widespread privacy violations by companies in the advertising technology (adtech) industry that are selling private data about millions of Americans, collected without their knowledge or consent from their phones, computers, and smart TVs.” They asked the FTC “to use its authority to conduct broad industry probes under Section 6(b) of the FTC Act to determine whether adtech companies and their data broker partners have violated federal laws prohibiting unfair and deceptive business practices.” They argued “[t]he FTC should not proceed with its review of the Children’s Online Privacy Protection Act (COPPA) Rule before it has completed this investigation.”
  •  “100 U.S. women lawmakers and current and former legislators from around the world,” including Speaker of the House Nancy Pelosi (D-CA), sent a letter to Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg urging the company “to take decisive action to protect women from rampant and increasing online attacks on their platform that have caused many women to avoid or abandon careers in politics and public service.” They noted “[j]ust a few days ago, a manipulated and widely shared video that depicted Speaker Pelosi slurring her speech was once again circulating on major social media platforms, gaining countless views before TikTok, Twitter, and YouTube all removed the footage…[and] [t]he video remains on Facebook and is labeled “partly false,” continuing to gain millions of views.” The current and former legislators “called on Facebook to enforce existing rules, including:
    • Quick removal of posts that threaten candidates with physical violence, sexual violence or death, and that glorify, incite or praise violence against women; disable the relevant accounts, and refer offenders to law enforcement.
    • Eliminate malicious hate speech targeting women, including violent, objectifying or dehumanizing speech, statements of inferiority, and derogatory sexual terms;
    • Remove accounts that repeatedly violate terms of service by threatening, harassing or doxing or that use false identities to attack women leaders and candidates; and
    • Remove manipulated images or videos misrepresenting women public figures.
  • The United States’ Departments of Commerce and Homeland Security released an update “highlighting more than 50 activities led by industry and government that demonstrate progress in the drive to counter botnet threats.” in May 2018, the agencies submitted “A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats” that identified a number of steps and prompted a follow on “A Road Map Toward Resilience Against Botnets” released in November 2018.
  • United States (U.S.) Secretary of Commerce Wilbur Ross and European Commissioner for Justice Didier Reynders released a joint statement explaining that “[t]he U.S. Department of Commerce and the European Commission have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the July 16 judgment of the Court of Justice of the European Union in the Schrems II case.”
    • Maximillian Schrems filed a complaint against Facebook with Ireland’s Data Protection Commission (DPC) in 2013, alleging that the company’s transfer of his personal data violated his rights under European Union law because of the mass U.S. surveillance revealed by former National Security Agency (NSA) contractor Edward Snowden. Ultimately, this case resulted in a 2015 Court of Justice of the European Union (CJEU) ruling that invalidated the Safe Harbor agreement under which the personal data of EU residents was transferred to the US by commercial concerns. The EU and US executed a follow on agreement, the EU-U.S. Privacy Shield, that was designed to address some of the problems the CJEU turned up, and the U.S. passed a law, the “Judicial Redress Act of 2015” (P.L. 114-126), to provide EU citizens a way to exercise their EU rights in US courts via the “Privacy Act of 1974.”
    • However, Schrems continued and soon sought to challenge the legality of the European Commission’s signing off on the Privacy Shield agreement, the adequacy decision issued in 2016, and also the use of standard contractual clauses (SCC) by companies for the transfer of personal data to the US. The CJEU struck down the adequacy decision, throwing into doubt many entities’ transfers out of the EU into the U.S. but upheld SCCs in a way that suggested EU data protection authorities (DPA) may need to review all such agreements to ensure they comply with EU law.
  • The European Commission (EC) announced an “an in-depth investigation to assess the proposed acquisition of Fitbit by Google under the EU Merger Regulation.” The EC voiced its concern “that the proposed transaction would further entrench Google’s market position in the online advertising markets by increasing the already vast amount of data that Google could use for personalisation of the ads it serves and displays.” The EC detailed its “preliminary competition concerns:
    • Following its first phase investigation, the Commission has concerns about the impact of the transaction on the supply of online search and display advertising services (the sale of advertising space on, respectively, the result page of an internet search engine or other internet pages), as well as on the supply of ”ad tech” services (analytics and digital tools used to facilitate the programmatic sale and purchase of digital advertising). By acquiring Fitbit, Google would acquire (i) the database maintained by Fitbit about its users’ health and fitness; and (ii) the technology to develop a database similar to Fitbit’s one.
    • The data collected via wrist-worn wearable devices appears, at this stage of the Commission’s review of the transaction, to be an important advantage in the online advertising markets. By increasing the data advantage of Google in the personalisation of the ads it serves via its search engine and displays on other internet pages, it would be more difficult for rivals to match Google’s online advertising services. Thus, the transaction would raise barriers to entry and expansion for Google’s competitors for these services, to the ultimate detriment of advertisers and publishers that would face higher prices and have less choice.
    • At this stage of the investigation, the Commission considers that Google:
      • is dominant in the supply of online search advertising services in the EEA countries (with the exception of Portugal for which market shares are not available);
      • holds a strong market position in the supply of online display advertising services at least in Austria, Belgium, Bulgaria, Croatia, Denmark, France, Germany, Greece, Hungary, Ireland, Italy, Netherlands, Norway, Poland, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom, in particular in relation to off-social networks display ads;
      • holds a strong market position in the supply of ad tech services in the EEA.
    • The Commission will now carry out an in-depth investigation into the effects of the transaction to determine whether its initial competition concerns regarding the online advertising markets are confirmed.
    • In addition, the Commission will also further examine:
      • the effects of the combination of Fitbit’s and Google’s databases and capabilities in the digital healthcare sector, which is still at a nascent stage in Europe; and
      • whether Google would have the ability and incentive to degrade the interoperability of rivals’ wearables with Google’s Android operating system for smartphones once it owns Fitbit.
    • In February after the deal had been announced, the European Data Protection Board (EDPB) made clear it position that Google and Fitbit will need to scrupulously observe the General Data Protection Regulation’s privacy and data security requirements if the body is sign off on the proposed $2.2 billion acquisition. Moreover, at present Google has not informed European Union (EU) regulators of the proposed deal. The deal comes at a time when both EU and U.S. regulators are already investigating Google for alleged antitrust and anticompetitive practices, and the EDPB’s opinion could carry weight in this process.
  • The United States’ (U.S.) Department of Homeland Security released a Privacy Impact Assessment for the U.S. Border Patrol (USPB) Digital Forensics Programs that details how it may conduct searches of electronic devices at the U.S. border and ports of entry. DHS explained
    • As part of USBP’s law enforcement duties, USBP may search and extract information from electronic devices, including: laptop computers; thumb drives; compact disks; digital versatile disks (DVDs); mobile phones; subscriber identity module (SIM) cards; digital cameras; vehicles; and other devices capable of storing electronic information.
    • Last year, a U.S. District Court held that U.S. Customs and Border Protection (CPB) and U.S. Immigration and Customs Enforcement’s (ICE) current practices for searches of smartphones and computers at the U.S. border are unconstitutional and the agency must have reasonable suspicion before conducting such a search. However, the Court declined the plaintiffs’ request that the information taken off of their devices be expunged by the agencies. This ruling follows a Department of Homeland Security Office of the Inspector General (OIG) report that found CPB “did not always conduct searches of electronic devices at U.S. ports of entry according to its Standard Operating Procedures” and asserted that “[t]hese deficiencies in supervision, guidance, and equipment management, combined with a lack of performance measures, limit [CPB’s] ability to detect and deter illegal activities related to terrorism; national security; human, drug, and bulk cash smuggling; and child pornography.”
    • In terms of a legal backdrop, the United States Supreme Court has found that searches and seizures of electronic devices at borders and airports are subject to lesser legal standards than those conducted elsewhere in the U.S. under most circumstances. Generally, the government’s interest in securing the border against the flow of contraband and people not allowed to enter allow considerable leeway to the warrant requirements for many other types of searches. However, in recent years two federal appeals courts (the Fourth and Ninth Circuits) have held that searches of electronic devices require suspicion on the part of government agents while another appeals court (the Eleventh Circuit) held differently. Consequently, there is not a uniform legal standard for these searches.
  • The Inter-American Development Bank (IDB) and the Organization of Americans States (OAS) released their second assessment of cybersecurity across Latin America and the Caribbean that used the Cybersecurity Capacity Maturity Model for Nations (CMM) developed at University of Oxford’s Global Cyber Security Capacity Centre (GSCC). The IDB and OAS explained:
    • When the first edition of the report “Cybersecurity: Are We Ready in Latin America and the Caribbean?” was released in March 2016, the IDB and the OAS aimed to provide the countries of Latin America and the Caribbean (LAC) not only with a picture of the state of cybersecurity but also guidance about the next steps that should be pursued to strengthen national cybersecurity capacities. This was the first study of its kind, presenting the state of cybersecurity with a comprehensive vision and covering all LAC countries.
    • The great challenges of cybersecurity, like those of the internet itself, are of a global nature. Therefore, it is undeniable that the countries of LAC must continue to foster greater cooperation among themselves, while involving all relevant actors, as well as establishing a mechanism for monitoring, analysis, and impact assessment related to cybersecurity both nationally and regionally. More data in relation to cybersecurity would allow for the introduction of a culture of cyberrisk management that needs to be extended both in the public and private sectors. Countries must be prepared to adapt quickly to the dynamic environment around us and make decisions based on a constantly changing threat landscape. Our member states may manage these risks by understanding the impact on and the likelihood of cyberthreats to their citizens, organizations, and national critical infrastructure. Moving to the next level of maturity will require a comprehensive and sustainable cybersecurity policy, supported by the country’s political agenda, with allocation of  financial resources and qualified human capital to carry it out.
    • The COVID-19 pandemic will pass, but events that will require intensive use of digital technologies so that the world can carry on will continue happening. The challenge of protecting our digital space will, therefore, continue to grow. It is the hope of the IDB and the OAS that this edition of the report will help LAC countries to have a better understanding of their current state of cybersecurity capacity and be useful in the design of the policy initiatives that will lead them to increase their level of cyberresilience.
  • The European Data Protection Supervisor (EDPS) issued an opinion on “the European Commission’s action plan for a comprehensive Union policy on preventing money laundering and terrorism financing (C(2020)2800 final), published on 7 May 2020.” The EDPS asserted:
    • While  the  EDPS acknowledges the  importance  of  the  fight  against money  laundering  and terrorism financing as an objective of general interest, we call for the legislation to strike a balance between the interference with the fundamental rights of privacy and personal data protection and  the measures that  are  necessary  to  effectively  achieve  the  general  interest goals on anti-money  laundering  and  countering the  financing  of terrorism (AML/CFT) (the principle of proportionality).
    • The EDPS recommends that the Commission monitors the effective implementation of the existing  AML/CFT  framework while ensuring that the  GDPR  and  the  data  protection framework are respected and complied with. This is particularly relevant for the works on the interconnection of central bank account mechanisms and beneficial ownership registers that should be largely inspired by the principles of data minimisation, accuracy and privacy-by-design and by default.  

Further Reading

  • China already has your data. Trump’s TikTok and WeChat bans can’t stop that.” By Aynne Kokas – The Washington Post. This article persuasively makes the case that even if a ban on TikTok and WeChat were to work, and there are substantive questions as to how a ban would given how widely the former has been downloaded, the People’s Republic of China (PRC) is almost certainly acquiring massive reams of data on Americans through a variety of apps, platforms, and games. For example, Tencent, owner of WeChat, has a 40% stake in Epic Games that has Fortnite, a massively popular multiplayer game (if you have never heard of it, ask one of the children in your family). Moreover, a recent change to PRC law mandates that companies operating in the PRC must share their data bases for cybersecurity reviews, which may be an opportunity aside from hacking and exfiltrating United States entities, to access data. In summation, if the Trump Administration is serious about stopping the flow of data from the U.S. to the PRC, these executive orders will do very little.
  • Big Tech Makes Inroads With the Biden Campaign” by David McCabe and Kenneth P. Vogel – The New York Times. Most likely long before former Vice President Joe Biden clinched the Democratic nomination, advisers volunteered to help plot out his policy positions, a process that intensified this year. Of course, this includes technology policy, and many of those volunteering for the campaign’s Innovation Policy Committee have worked or are working for large technology companies directly or as consultants or lobbyists. This piece details some of these people and their relationships and how the Biden campaign is managing possible conflicts of interest. Naturally, those on the left wing of the Democratic Party calling for tighter antitrust, competition, and privacy regulation are concerned that Biden might be pulled away from these positions despite his public statements arguing that the United States government needs to get tougher with some practices.
  • A Bible Burning, a Russian News Agency and a Story Too Good to Check Out” By Matthew Rosenberg and Julian E. Barnes – The New York Times. The Russian Federation seems to be using a new tactic with some success for sowing discord in the United States that is the information equivalent of throwing fuel onto a fire. In this case, a fake story manufactured by a Russian outlet was seized on by some prominent Republicans, in part, because it fits their preferred world view of protestors. In this instance, a Russian outlet created a fake story amplifying an actual event that went viral. We will likely see more of this, and it is not confined to fake stories intended to appeal to the right. The same is happening with content meant for the left wing in the United States.
  • Facebook cracks down on political content disguised as local news” by Sara Fischer – Axios. As part of its continuing effort to crack down on violations of its policies, Facebook will no longer allow groups with a political viewpoint to masquerade as news. The company and outside experts have identified a range of instances where groups propagating a viewpoint, as opposed to reporting, have used a Facebook exemption by pretending to be local news outlets.
  • QAnon groups have millions of members on Facebook, documents show” By Ari Sen and Brandy Zadrozny – NBC News. It appears as if some Facebooks are leaking the results of an internal investigation that identified more than 1 million users who are part of QAnon groups. Most likely these employees want the company to take a stronger stance on the conspiracy group QAnon like the company has with COVID-19 lies and misinformation.
  • And, since Senator Kamala Harris (D-CA) was named former Vice President Joe Biden’s (D-DE) vice presidential pick, this article has become even more relevant than when I highlighted it in late July: “New Emails Reveal Warm Relationship Between Kamala Harris And Big Tech” – HuffPost. Obtained via an Freedom of Information request, new email from Senator Kamala Harris’ (D-CA) tenure as her state’s attorney general suggest she was willing to overlook the role Facebook, Google, and others played and still play in one of her signature issues: revenge porn. This article makes the case Harris came down hard on a scammer running a revenge porn site but did not press the tech giants with any vigor to take down such material from their platforms. Consequently, the case is made if Harris is former Vice President Joe Biden’s vice presidential candidate, this would signal a go easy approach on large companies even though many Democrats have been calling to break up these companies and vigorously enforce antitrust laws. Harris has largely not engaged on tech issues during her tenure in the Senate. To be fair, many of these companies are headquartered in California and pump billions of dollars into the state’s economy annually, putting Harris in a tricky position politically. Of course, such pieces should be taken with a grain of salt since it may have been suggested or planted by one of Harris’ rivals for the vice president nomination or someone looking to settle a score.
  • Unwanted Truths: Inside Trump’s Battles With U.S. Intelligence Agencies” by Robert Draper – The New York Times. A deeply sourced article on the outright antipathy between President Donald Trump and Intelligence Community officials, particularly over the issue of how deeply Russia interfered in the election in 2016. A number of former officials have been fired or forced out because they refused to knuckle under to the White House’s desire to soften or massage conclusions of Russia’s past and current actions to undermine the 2020 election in order to favor Trump.
  • Huawei says it’s running out of chips for its smartphones because of US sanctions” By Kim Lyons – The Verge and “Huawei: Smartphone chips running out under US sanctions” by Joe McDonald – The Associated Press. United States (U.S.) sanctions have started biting the Chinese technology company Huawei, which announced it will likely run out of processor chips for its smartphones. U.S. sanctions bar any company from selling high technology items like processors to Huawei, and this capability is not independently available in the People’s Republic of China (PRC) at present.
  • Targeting WeChat, Trump Takes Aim at China’s Bridge to the World” By Paul Mozur and Raymond Zhong – The New York Times. This piece explains WeChat, the app, the Trump Administration is trying to ban in the United States (U.S.) without any warning. It is like a combination of Facebook, WhatsApp, news app, and payment platform and is used by more than 1.2 billion people.
  • This Tool Could Protect Your Photos From Facial Recognition” By Kashmir Hill – The New York Times. Researchers at the University of Chicago have found a method of subtly altering photos of people that appears to foil most facial recognition technologies. However, a number of experts interviewed said it is too late to stop companies like AI Clearview.
  • I Tried to Live Without the Tech Giants. It Was Impossible.” By Kashmir Hill – The New York Times. This New York Times reporter tried living without the products of large technology companies, which involved some fairly obvious challenges and some that were not so obvious. Of course, it was hard for her to skip Facebook, Instagram, and the like, but cutting out Google and Amazon proved hardest and basically impossible because of the latter’s cloud presence and the former’s web presence. The fact that some of the companies cannot be avoided if one wants to be online likely lends weight to those making the case these companies are anti-competitive.
  • To Head Off Regulators, Google Makes Certain Words Taboo” by Adrianne Jeffries – The Markup. Apparently, in what is a standard practice at large companies, employees at Google were coached to avoid using certain terms or phrases that antitrust regulators would take notice of such as: “market,” “barriers to entry,” and “network effects.” The Markup obtained a 16 August 2019 document titled “Five Rules of Thumb For Written Communications” that starts by asserting “[w]ords matter…[e]specially in antitrust laws” and goes on to advise Google’s employees:
    • We’re out to help users, not hurt competitors.
    • Our users should always be free to switch, and we don’t lock anyone in.
    • We’ve got lots of competitors, so don’t assume we control or dominate any market.
    • Don’t try and define a market or estimate our market share.
    • Assume every document you generate, including email, will be seen by regulators.
  • Facebook Fired An Employee Who Collected Evidence Of Right-Wing Pages Getting Preferential Treatment” By Craig Silverman and Ryan Mac – BuzzFeed News. A Facebook engineer was fired after adducing proof in an internal communications system that the social media platform is more willing to change false and negative ratings to claims made by conservative outlets and personalities than any other viewpoint. If this is true, it would be opposite to the narrative spun by the Trump Administration and many Republicans in Congress. Moreover, Facebook’s incentives would seem to align with giving conservatives more preferential treatment because many of these websites advertise on Facebook, the company probably does not want to get crosswise with the Administration, sensational posts and content drive engagement which increases user numbers that allows for higher ad rates, and it wants to appear fair and impartial.
  • How Pro-Trump Forces Work the Refs in Silicon Valley” By Ben Smith – The New York Times. This piece traces the nearly four decade old effort of Republicans to sway mainstream media and now Silicon Valley to its viewpoint.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo credit: Gerd Altmann on Pixabay

Further Reading and Other Developments (20 June)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Other Developments

  • The House Financial Services Committee’s National Security, International Development, and Monetary Policy Subcommittee held a virtual hearing titled “Cybercriminals and Fraudsters: How Bad Actors Are Exploiting the Financial System During the COVID-19 Pandemic.”
  • The Senate Appropriations Committee’s Financial Services and General Government Subcommittee held a hearing titled “Oversight of FCC Spectrum Auctions Program.”
  • The Commerce, Science, and Transportation Committee held a hearing on a number of nominations, including a re-nomination of Federal Communications Commission Commissioner Michael O’Reilly for another full term.
  • The Department of Commerce’s Industry and Security Bureau released an interim final rule to amend “the Export Administration Regulations (EAR) to authorize the release of certain technology to Huawei and its affiliates on the Entity List without a license if such release is made for the purpose of contributing to the revision or development of a “standard” in a “standards organization.” The Department added in its press release “The rule returns U.S. industry to the status quo ante, from an Entity List perspective, with respect to disclosures of such technology to Huawei and its affiliates in legitimate standards development contexts only, and not for commercial purposes. Disclosures for commercial purposes remain “subject to the EAR” and are still subject to recordkeeping and all other applicable EAR requirements.” Comments are due on 17 August 2020.
  • The National Transportation Safety Board (NTSB) released its “Safety Recommendation Report” that “called for a change in air cargo shipping requirements for some types of lithium-ion batteries” following its investigation “into the shipment of lithium-ion batteries that ignited while in transport on a delivery truck in Canada.” The NTSB recommended that the Pipeline and Hazardous Materials Safety Administration:
    • Propose to the International Civil Aviation Organization to remove its special provision A88 from its Technical Instructions for the Safe Transport of Dangerous Goods by Air allowing special permits for low-production or prototype lithium-ion cells or batteries shipped by airplane and eliminate any exceptions to the testing of United Nations Manual of Tests and Criteria, Part III, Sub-section 38.3 requirements for all lithium-ion batteries before transport by air.( A-20-31)
    • Once the International Civil Aviation Organization removes special provision A88 from the Technical Instructions for the Safe Transport of Dangerous Goods by Air, remove the exemption from United Nations Manual of Tests and Criteria, Part III, Sub-section 38.3 testing from Title 49 Code of Federal Regulations 173.185(e) for low-production or prototype lithium-ion batteries, when transported by air. (A-20-32)
  • The Carnegie Endowment for International Peace’s Partnership for Countering Influence Operations (PCIO) released “The Challenges of Countering Influence Operations” with these “Key Takeaways:”
    • Influence operations defy easy categorization. Influence operations often fail to fit neatly into boxes outlined by individual policies or legislation. They are run in a complex environment where actors overlap, borders are easily crossed and blurred, and motives are mixed—making enforcement challenging. In this case study, actors share highly politicized online content but also appear to benefit financially from their actions, making it difficult to ascertain whether their motives are primarily political, commercial, or both.
    • Relevant policies by social media platforms tend to be a patchwork of community standards that apply to individual activities of an influence campaign, not the operation as a whole. Policies published by social media companies often focus on individual components of influence operations. This approach attempts to neatly categorize and distinguish actors (foreign versus domestic), motives (political influence and profit), activities (including misrepresentation, fraud, and spamming behavior), and content (such as misinformation, hate speech, and abuse). This piecemeal approach to enforcement raises questions about whether officials within social media platforms fully understand how influence operations work and how such campaigns are more than the individual behaviors that compose them.
    • Social media networks have more opportunities to counter influence operations through their platform policies than governments do with existing legislation. Social media companies have implemented various policies to govern how their platforms are used, providing opportunities for combating influence operations. They also have greater access to information about how their platforms are used and have domain-specific expertise that allows them to create more tailored solutions. Fewer avenues exist for countering such influence operations using government-led legal mechanisms. This is not only because of the relative paucity of laws that govern online activity but also because law enforcement requires attribution before they can act, and such attribution can be difficult to ascertain in these cases. This means that governments have generally done little to help private industry actors determine what kinds of influence operations are unacceptable and should be combated. In the absence of such guidance, industry actors are de facto drawing those lines for society. Governments could do more to help guide industry players as they determine the boundaries of acceptable behavior by participating in multi-stakeholder efforts—some of which have been set up by think tanks and nonprofits—and by considering legal approaches that emphasize transparency rather than criminalization.
    • The influence operations uncovered by media scrutiny are not always as easy to counter as those writing about them might hope. Savvy influence operators understand how to evade existing rules, so that their activities and content do not breach known policies or legislation. Media coverage that showcases examples of influence operations seldom explains whether and how these operators violate existing platform policies or legislation. This is a problem because distasteful influence operations do not always overtly violate existing policies or laws—raising questions about where the lines are (and should be) between what is tolerable and what is not, and, moreover, who should be determining those lines. Even when existing policies clearly do apply, these questions persist. Stakeholders should more clearly assess what constitutes problematic behavior before rushing to demand enforcement.
  • A number of privacy and civil liberties groups released “principles to protect the civil rights and privacy of all persons, especially those populations who are at high risk for the virus and communities of color, when considering the deployment of technological measures in response to the COVID-19 crisis.” These groups also sent these principles in letters to both the House and the Senate.
  • The Technology Coalition, formed 15 years ago “when industry leaders came together to fight online child sexual exploitation and abuse (CSEA),” announced “Project Protect: A plan to combat online child sexual abuse – a renewed investment and ongoing commitment to our work seeking to prevent and eradicate online CSEA” with these elements:
    • Execute a Strategic “Five Pillar” Plan to reinforce the cross-industry approach to combating CSEA, putting in place the structure, membership models, and staffing needed to support the Technology Coalition’s long term objectives.
    • Establish a multi-million dollar Research and Innovation Fund to build crucial technological tools needed to more effectively prevent and work to eradicate CSEA.
    • Commit to publishing an Annual Progress Report on industry efforts to combat CSEA.
    • Create an annual Forum for CSEA experts bringing together industry, governments, and civil society to share best practices and drive collective action.
  • Amnesty International’s Security Lab named Bahrain, Kuwait and Norway as having “some of the most invasive COVID-19 contact tracing apps around the world, putting the privacy and security of hundreds of thousands of people at risk.”
  • The Knight Foundation and Gallup released “Free Expression, Harmful Speech, and Censorship in a Digital World,” “a study to gauge Americans’ opinions on [social media companies, the internet, and the role of government], delving specifically into two potential paths forward — amending Section 230 of the Communications Decency Act, which largely shields internet companies from legal liability for content shared on their sites, and the relatively new notion of content oversight boards” with these topline findings:
    • Americans prefer social media apps and sites to be places of open expression.
    • Even as Americans voice a preference for open expression, there are several forms of online content that many say should be restricted or never allowed
    • Many Americans have personally been targeted by harmful online behavior.
    • Americans are somewhat divided on Section 230 of the Communications Decency Act, which largely shields major internet companies from liability for content posted on their websites and apps by third parties.
    • A majority of Americans do not trust social media companies to make the right decisions about what content appears on their sites or apps.
    • Despite misgivings about major internet companies making the right decisions related to harmful online content, Americans are more likely to favor the companies, rather than government, setting policies to regulate such content
    • Americans’ opinions of content oversight boards are largely favorable, tending to prefer them to social media companies or the government to make decisions about what can and cannot appear on social media websites and apps. 
    • Americans’ favorability toward content oversight boards increases when they know more about them.
    • The most important content oversight board attributes for Americans are transparency and diversity, followed closely by independence — i.e., who appoints board members. Less valuable is the board’s ability to compel social media companies to enact its decisions or guidelines.
    • Americans’ trust in a social media company will not automatically increase solely because the company adopts a content oversight board. Rather, trust can be gained based on the board’s features relating to its independence, transparency, diversity and ability to enforce decisions.
  • Graphika released a report titled “Exposing Secondary Infektion: Forgeries, interference, and attacks on Kremlin critics across six years and 300 sites and platforms,” “a long-running Russian information operation, encompassing multiple campaigns on social media run by a central entity, which was already active in 2014 and that was still running in early 2020.”
  • The University of Toronto’s Citizen Lab and Amnesty International released a report on “nine Indian lawyers, activists, and journalists….targeted in 2019 in a coordinated malware campaign” with “NetWire, a commercially available spyware.”

Further Reading

  • The Economy Is Reeling. The Tech Giants Spy Opportunity.” – The New York Times. All of the large technology companies are continuing the same pace of acquisition and product roll outs as last year. Critics fear that companies’ expansion through buying new businesses, technologies, and platforms will further cement their dominance of the United States (US) and world economies. Moreover, these companies have also been rolling out new services to compete with upstarts (e.g. Google’s meeting service to try to grab market share from Zoom.) It remains to be seen whether antitrust and anti-competitive actions in the US, European Union and elsewhere will stop or even reverse the continued growth of Google, Apple, Amazon, and others.
  • Amazon’s Ring has 29 new police agreements since the killing of George Floyd” – Protocol. In spite of its pledge to hold off on selling its facial recognition technology to police departments for a year, Amazon has continued to sign up local law enforcement for participation in partnerships using its Ring and Neighbors technology platforms. These systems make available to police footage from the camera/doorbell system Amazon is marketing as a security must have. Critics of the system and how Amazon operates it argue it has already disproportionately affected African Americans and other minorities in gentrifying areas and offers a workaround to warrant requirements for officers would not need to go to court to obtain this footage since private parties are not bound by the Fourth Amendment like government agencies.
  • Big Tech’s Pandemic Power Grab” – The Atlantic. This article foresees government regulation of large technology companies in the United States (US) that solidifies their preeminence, in large part, because these companies have been partnering with and working for the US government. And, in making this bargain, these companies are using every lever and all the leverage at their disposal to strike the type of bargain they want. There may be pushback against this impulse to grow, but it is worth keeping in mind that the trustbusting era in the US may have divided up corporate giants like Standard Oil but their progeny are still very powerful (e.g. Exxon Mobil.)
  • New York lawmakers want to outlaw geofence warrants as protests grow” – Protocol. A bill introduced in April to address the law enforcement practice of requesting geofencing data from technology companies receives renewed scrutiny in the New York State legislature in the midst of protests against racism and police violence in the United States. The article cites a Google filing in a Virginia lawsuit alleging “Between 2017 and 2018, Google saw a 1,500% increase in geofence requests…[and] [b]etween 2018 and 2019, that figure shot up another 500%.” Technology companies with troves of data on where people are at virtually every hour of the day are treading carefully as critics of geofence requests and warrants are pushing to ban law enforcement agencies from using these data.
  • Australian leader says unnamed state increasing cyberattacks” – Associated Press. Australia’s Prime Minister Scott Morrison told reporters “Australian organizations are currently being targeted by a sophisticated state-based cyber actor.” He contended “[t]his activity is targeting Australian organizations across a range of sectors, including all levels of government, industry, political organizations, education, health, essential service providers and operators of other critical infrastructure.” In concert with Morrison’s statement, the Australian Cyber Security Centre (ACSC) and the Department of Home Affairs issued an advisory describing “the tactics, techniques and procedures (TTPs) identified during the ACSC’s investigation of a cyber campaign targeting Australian networks.” Some experts are saying it must be the People’s Republic of China (PRC), especially after Canberra named the PRC as the entity that hacked into Parliament.
  • Eric Schmidt: Huawei has engaged in unacceptable practices” – BBC News. The former Google head claims the People’s Republic of China (PRC) has accessed Huawei’s routers to exfiltrate information. Schmidt conceded that Huawei’s products are superior to other offerings on the market, which poses a challenge for networks and nations. He also flagged the research and development budgets Huawei and other PRC companies have that eclipse other multinationals.
  • French Court Strikes Down Most of Online Hate Speech Law” – The New York Times. A French court struck down the core of President Emmanuel Macron’s new statute to police offensive online speech, finding two provisions would impinge freedom of expression. Macron’s party has vowed to take another run at such legislation.
  • Europe threatens digital taxes without global deal, after U.S. quits talks” – Reuters. After the United States withdrew from Organisation for Economic Cooperation and Development (OECD) talks on digital taxes, prompting promises from the European Union to proceed with such taxes.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading (8 November)

  • I Accidentally Uncovered a Nationwide Scam on Airbnb” – Vice. A writer discovered through experience about a scam many on the short-term rental site, Airbnb, have experienced: a last-minute cancellation leading to a much inferior property and an interminable process for lodging complaints and obtaining a refund. Airbnb seems lax about enforcing its own policies against deceptive properties, and the incentive structure is weighted against renters leaving candid reviews.
  • An Unidentified Government Spied On Dissidents In India Using A WhatsApp Exploit” – BuzzFeed News. Israel’s NSO Group’s spyware may have been used by India’s ruling Bharatiya Janata Party (BJP) to surveil judges, activists, academics, journalists, and politicians by exploiting a weakness in WhatsApp, a messaging application used by more than 400 million Indians. This is, of course, not the first time the NSO Group has been linked to spyware, and in this case, the spyware, Pegasus, was inserted on phones through a call made using WhatApp to the victim’s phone they did not even need to answer. India’s Home Ministry has denied any connection and calls the reports “attempts to malign the government of India,” and the NSO Group seemed to claim that any such uses of its technology are contrary to their intended uses.
  • Police want faster data from the US, but Australia’s encryption laws could scuttle the deal” – ABC (Australia). As the U.S. and Australia negotiate a CLOUD Act agreement that would provide each country with a legal process to obtain information on citizens from technology companies as part of a law enforcement investigation, concerns and reservations are being raised in both countries about the powers of the Australian government under the “Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018” that allows it to direct technology companies to provide assistance in decrypting user information without any judicial review.
  • Missouri Official Admits to Tracking Women’s Periods” – The Cut. Health & Senior Services Director Dr. Randall Williams admitted during a hearing that his office maintained a spreadsheet with women’s menstrual cycles drawn from medical information the state had access to. He further admitted the database was used to track “failed abortions” as a means of investigating abortion and reproductive services clinics.
  • Russia Tests New Disinformation Tactics in Africa to Expand Influence” – The New York Times. Facebook and Stanford’s Internet Observatory revealed vast, new evolved Russian disinformation efforts being deployed in Africa with the goal of bringing successful tactics to the U.S. for next year’s election. For now, these tactics seem to boost Russian interests in the region and call into question American and French actions. The volume of both disinformation creation and distribution have increased several times compared to the 2016 U.S. election. These efforts have been tied to Yevgeny Prigozhin, the Russian oligarch who runs the Internet Research Agency and is a close ally of Vladimir Putin.
  • Gaggle Knows Everything About Teens And Kids In School” – BuzzFeed News and “School apps track students from classroom to bathroom, and parents are struggling to keep up” – The Washington Post. Two articles on the technology that many public schools are employing to track kids in the physical and digital worlds, begging many questions about the long term effect on children, their privacy, their rights, and their lives.
  • A Chinese hacking group breached a telecom to monitor targets’ texts, phone metadata” – cyberscoop. APT41 compromised a telecommunications company in a strategic competitor of China’s and surveilled a range of people. The Chinese hackers infected devices using SMS.
  • Banks are using their Washington clout to stomp on the tech industry” – Politico. As if the tech industry isn’t having enough trouble in Washington, the lobbies representing the banks and other financial services entities have worked to block cryptocurrencies and tech’s entry into any sector of banking and finance and found willing allies on Capitol Hill.

House Judiciary Continues Anti-Competitive Investigation Into Big Tech

Last week, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee held its third hearing into the market power of online platforms which focused on “The Role of Data and Privacy in Competition” as part of its “investigation into competition in digital markets.”

Chair Jerrod Nadler (D-NY) stated that digital technologies have provided Americans with a remarkable array of services. He noted it has never been easier to post news and information, share content, and communicate with loved ones, all at a moment’s notice. Nadler asserted that as with technological revolutions of the past, this transformation has upended the balance of power across the economy. He contended that it is important for Congress to study and understand how these imbalances are affecting Americans, what are causing these asymmetries of power, and whether these new and growing inequalities are compatible with our democratic values. Nadler remarked that the committee’s ongoing oversight of digital markets is a key part of this process. He said the hearing would examine how the use of data is contributing to the growing inequalities of power and how this affects competition. He said that as previous hearings have shown, a growing share of commerce and communications is controlled by a small number of companies. Nadler asserted that because these platforms are, in essence, large intermediaries, they are perfectly positioned to closely track each transaction and communication that passes through their channels. He stated that while intermediaries have long collected information on the economic activity that flows through their platforms, the large firms of the digital economy have unprecedented ability to track and surveil users across the internet. Nadler stated that this data collection includes information not only about a person’s shopping and reading habits but also about the time they wake up and go to sleep, their precise location each hour of the day, and the content of their most private communications. He said that because several of these platforms derive the vast majority of their revenue from digital advertising, these firms also have an incentive to collect as much information as possible so that they can target consumers with precision. Nadler said that these troves of information can be used by companies in even more nefarious ways to discriminate on the user’s race, gender, income, or otherwise to intrude on personal privacy. He explained that in light of these trends there are two questions he would like answered at the hearing:

  • First, how are digital technologies and the constant data collection they enable affecting competition and is there something unique about digital markets that enables firms to acquire and maintain market power in novel ways. Nadler said that in digital markets maximizing data collection can provide a significant competitive advantage because a large and constantly growing set of user data allows firms to both improve existing products and services and to expand into new lines of business often with a competitive edge. Nadler said that frequently the companies with the most dominant are those that have captured the most data from as many sources as possible. He said scholars have described this as leading to winner take all markets with the first company to establish a competitive lead wins the market crushing any potential competition. Nadler asserted that competitors in digital markets have a strong incentive to collect as much information as possible as quickly as possible as part of a long-term strategy to compete in the marketplace and to achieve market dominance, which raises serious questions about whether it is desirable to have data be the key dimension along which companies are looking to compete.
  • Second, how does data collection increase the ways that dominant companies can abuse their market power. Does the collection and use of data enable new forms of conduct that lawmakers and regulators recognize as anti-competitive. For example, platforms that serve as intermediaries for commerce have critical insight into their rivals’ business models, a dynamic that raises significant competition concerns.

Antitrust, Commercial, and Administrative Law Subcommittee Ranking Member James Sensenbrenner (R-WI) said the hearing would focus on the roles that data play in privacy and competition and the ways the data of online consumers can be better protected. He said that data is in many ways the lifeblood of the internet, and numerous issues are swirling around the use of this data. Sensenbrenner said these include allegations that platforms that accumulate a large amount of data can function as barriers to entry for new platforms. He added that platforms holding large data bases can leverage that data to compete unfairly with third party competitors that are dependent upon their platforms. Sensenbrenner noted that incumbent platforms have pursued mergers with emerging competitors in order to kill off competition for data acquisition and market share. He stated his hope that the hearing could separate fact from fiction regarding these allegations. Sensenbrenner reiterated his view that antitrust laws do not exist to punish success but rather to foster it. He cautioned antitrust regulators and Congress from extending antitrust laws in ways that punish success, suppressing innovation, and ultimately limiting consumer welfare. He added that these principles also apply to data privacy, and if Congress is going to legislate on this issue, it must get it right. Sensenbrenner said his views do not exist in a vacuum as many American and European governments have already acted, including the European Union with its General Data Protection Regulation (GDPR) and California with its California Consumer Privacy Act (CCPA). Sensenbrenner claimed that while well-intentioned, the GDPR is already producing substantial collateral damage to consumer well-being, innovation, and the health of the digital economy. He claimed it is likely the CCPA will have the same effect. He asserted that these results are avoidable, and the U.S. must put in place a better method of protecting consumer privacy online.

Antitrust, Commercial, and Administrative Law Subcommittee Chair David Cicilline (D-RI) noted that the committee launched a historic, bipartisan investigation into the state of the digital marketplace in June. He said the purpose of the investigation is to document anti-competitive behavior online, to determine whether the dominant firms are engaging in anti-competitive conduct, and to assess whether current anti-trust laws and enforcement levels are sufficient to address these problems. Cicilline stated that the committee has held a series of hearings, briefings, and Member roundtables to start this top-to-bottom review. He stated that the committee has requested documents and materials relevant to the investigation from the four dominant platforms. Cicilline explained that the committee received tens of thousands of pages of materials this week and will receive more in the weeks ahead. He added that hearings and roundtables would continue to ensure the goals of the investigation are met. Cicilline said this series of hearings are essential to the committee in executing its constitutional duties to ensure that anti-trust laws are working. He stressed that Congress and not the courts, agencies, or private companies, enacted the anti-trust laws, and Congress must be the body to determine whether current laws are keeping up with digital markets. Cicilline said the hearing was an opportunity for the committee to better understand a key component of digital markets: the role of data and privacy. He highlighted the international reports on competition in digital markets published on this issue that have noted that data is at the heart of the issue. Cicilline quoted the Australian Competition and Consumer Commission’s “exhaustive” report which asserted that the “breadth and depth of user data collected by the incumbent digital platforms provides them with a strong competitive advantage creating barriers to rivals entering and expanding in relevant markets and allowing the incumbent digital platforms to expand into adjacent markets.” He said the United Kingdom’s Digital Competition Expert Panel similarly reported that large troves of data when combined with network effects may tip markets in favor of a single dominant platform, killing off competition. Cicilline referenced a University of Chicago report that cites the importance of access to data as a key factor in whether venture capital firms will invest in startups as those with less data receive less funding. He noted this has real consequences for firms that get locked out of the market and never get to offer new and innovative services. Cicilline also said there is broad agreement among anti-trust experts that data can be abused for anti-competitive purposes, and in some cases these tactics have created innovation “kill-zones” around dominant firms. Cicilline noted the hearing also provides the opportunity to examine the role of privacy in anti-trust and competition online. He asserted that while many services are billed as free, it is well known that consumers pay in the form of two valuable commodities: their personal data and their attention. Cicilline added that the prevalence of data usage and sharing techniques can indicate the lack of competition in markets. He contended that in a strong, competitive market, digital platforms would have strong incentives to deliver strong privacy standards, but in anti-competitive markets no such incentives exist. Cicilline claimed that competition and privacy are not mutually exclusive and that they can and must be made to work in concert as the committee considers how to restore the internet to its full promise.

Federal Trade Commission (FTC) Commissioner Rohit Chopra stated “As the Committee continues its investigation, it will be important for members of Congress to evaluate evidence with several things in mind, including:

(1) Data has certain economic features that are unique and unlike other assets.

(2) Most online services are not actually “free.” While consumers and businesses are not paying with dollars, they are paying with data.

(3) Competition is not a click away. Today’s tech titans are wholly integrated throughout the digital world, such that people and businesses cannot avoid them.

Chopra noted that “Last year, the FTC convened a series of hearings examining a range of competition and consumer protection issues in digital markets……FTC staff has outlined next steps for these hearings, including policy outputs and deliverables.” Chopra said that “I hope that the Commission will pursue work based on Section 6(b) of the Federal Trade Commission Act, which allows the agency to conduct industrywide investigations and studies and making its findings available to the public.” He stated that “Given its authority to prohibit unfair methods of competition and unfair or deceptive trade practices, the FTC is uniquely positioned to tackle the concerns associated with digital platforms.” Chopra stated that “The twin goals of competition and consumer protection are inextricably linked.”

Harvard Kennedy School Professor of the Practice of Economic Policy Dr. Jason Furman stated that he “recently chaired the Digital Competition Expert Panel for the UK government that produced a report titled Unlocking Digital Competition” and is “currently advising the UK as they move forward with a key set of recommendations from this report, including the establishment of a Digital Markets Unit to act as a pro-competition regulator.” Furman made “four points:

(1) The major digital platforms are highly concentrated and, absent policy changes, this concentration will likely persist with detrimental consequences for consumers.

(2) More robust competition policy can benefit consumers by helping to lower prices, improve quality, expand choices, and accelerate innovation. These improvements would likely include greater privacy protections given that these are valued by consumers. However, itis not clear that competition will be sufficient to adequately address privacy and several other digital issues.

(3) More robust merger enforcement should be part of the solution to expanding competition, including better technical capacity on the part of regulators, more forward-looking merger enforcement that is focused on potential competition and innovation, and legal changes to clarify these processes for the courts.

(4) A regulatory approach that is oriented towards increasing competition by establishing and enforcing a code of conduct, promoting systems with open standards and data mobility, and supporting data openness is essential. This is because more robust merger enforcement is too late to prevent the harms from previous mergers and antitrust enforcement can take too long in a fast moving market.

American Enterprise Institute Visiting Scholar Dr. Roslyn Layton stated that “Congress is right to focus on competition in the tech sector, but it won’t achieve this with from third rate platforms mandate by government fiat.” She claimed that “Instead Congress should hasten the next technological revolution which will supplant the current incumbents.” Layton stated that “This can be done through policy that supports investments and incentives for next-generation technologies and removes the market barriers to entrepreneurship, innovation, and enterprise.” She asserted that “Here the focus should be on fast-tracking 5G, the internet of things, artificial intelligence, blockchain, and security technologies.” Layton stated that “In summary rational privacy legislation could consist of

(1) framework that protects Americans’ Constitutional rights and freedoms for speech and commerce;

(2) strengthened authority and budget for the FTC to develop risk-based privacy standards for the online economy (this would also include budget for more economists and technologists at the agency);

(3) safe harbors that allow companies to migrate their operations to those standards,

(4) investments and incentives for the development of privacy-enhancing technologies, and

(5) consumer education and competency training.