Further Reading, Other Developments, and Coming Events (3 February 2021)

Further Reading

  • What We Learned From Apple’s New Privacy Labels” By Brian X. Chen — The New York Times. Another look at the App Store privacy labels Apple has rolled out and how confusing they can be. It can be confusing to compare the privacy and data usage afforded by a developer such that its often like comparing apples and oranges.
  • The U.S. Spent $2.2 Million on a Cybersecurity System That Wasn’t Implemented — and Might Have Stopped a Major Hack” by Peter Elkind and Jack Gillum — ProPublica. A free program developed with funding provided by the National Science Foundation (NSF) would have likely made it harder for the SVR to penetrate SolarWinds’ systems and use their updates as Trojan Horses to penetrate thousands of entities, including United States departments and agencies. No one has a good explanation of why this program was not made mandatory in federal systems and for federal contractors.
  • Suspected Chinese hackers used SolarWinds bug to spy on U.S. payroll agency – sources” By Christopher Bing, Jack Stubbs, Raphael Satter, and Joseph Menn — Reuters. Speaking of SolarWinds, it appears hackers associated with the People’s Republic of China (PRC) may have also penetrated and then used the company’s software to get into United States (U.S.) government systems. In this case, it appears a bureau inside the Department of Agriculture that handles payroll information for federal employees was compromised. And, as unlikely as it seems, this entity, the National Finance Center, handles the payroll for a number of agencies with security responsibilities including the Federal Bureau of Investigation and the Departments of Homeland Security, State and Treasury. This mirrors the PRC’s monumental hack of the Office of Personnel Management in the Obama Administration that continues to have implications today, especially in making it harder for American intelligence operatives overseas. And more concerning is that the PRC hackers used a different vulnerability than the Russians did.
  • Important stories hidden in Google’s ‘experiment’ blocking Australian news sites” By Nick Evershed — The Guardian. The search engine and online advertising giant has already begun experiments on blocking or deprioritizing search results ahead of the enactment of the “Treasury Laws Amendment (News Media and Digital Platforms Mandatory Bargaining Code) Bill 2020” that would require Google and Facebook to pay for the use of Australian media content. Major news sites are sometimes not findable nor are articles on those sites even if people are searching for them. Google claims this is just an experiment to gather data.
  • In cyber espionage, U.S. is both hunted and hunter” By Zach Dorfman — Axios. This piece makes the argument that whatever the Russian Federation and the People’s Republic of China have pilfered via SolarWinds vulnerabilities, United States (U.S.) hackers have and are engaging in the same activities.
  • Most Tools Failed to Detect the SolarWinds Malware. Those That Did Failed Too” By Rob Knake — Council on Foreign Relations. This piece covers some of the misalignment of incentives that may have caused some companies that successfully fended off the SolarWinds hack from sharing information so other companies could defend themselves. The author even suggests the time may have arrived for mandatory information sharing through a government hub such as the Cybersecurity and Infrastructure Security Agency (CISA).

Other Developments

  • Alejandro Mayorkas was confirmed by a 56-43 vote to be the next Secretary of Homeland Security, a position that has not been filled with a Senate-confirmed nominee since former Secretary Kirstjen Nielsen resigned in April 2019. Mayorkas’ nomination had been held by Senator Josh Hawley (R-MO) over potential Biden Administration immigration policy. However, to date, the White House has not named its nominee to head the Cybersecurity and Infrastructure Security Agency (CISA) nor the newly established National Cyber Director.
  • The new top Republican on the House Energy and Commerce Committee issued her “Big Tech Accountability Platform,” in which she cast “Big Tech” as “a destructive force to our society because of its attack on freedom of speech and the truth….principles…central to the foundations of our democracy and the Promise of America.” Ranking Member Cathy McMorris Rodgers (R-WA) laid out her priorities as the leader of the minority party on the primary committee of jurisdiction over technology in the House of Representatives. However, she conspicuously omitted any mention of privacy legislation and a number of other legislative areas. A year ago, McMorris Rodgers, then the ranking member on the Consumer Protection and Commerce Subcommittee, issued a privacy discussion draft with Chair Jan Schakowsky (D-IL) (see here for more analysis.) It is not clear from McMorris Rodgers’ policy statement the degree to which she is interested in working with the majority on the committee, in the House, and in the Senate on privacy legislation. The omission of privacy from her document may be a way of preserving maximum flexibility on federal privacy legislation and signaling to Democrats she wants to work with them. Nevertheless, McMorris Rodgers repeats the by now Republican orthodoxy that “Big Tech” is biased against them and is trampled their free speech rights in violation of the First Amendment despite no serious evidence of this being true.
    • Nevertheless, McMorris Rodgers suggested to the Republican Members of the committee that they seek to work in bipartisan fashion with Democrats on legislation and proposed a sunset provision on 47 USC 230 (Section 230), which would bring this legal shield’s protection to an end on a date in the future.
    • McMorris Rodgers stated “[o]ur Big Tech Accountability Platform will be guided by four principles: 1) increasing meaningful transparency; 2) enhancing oversight and accountability; 3) pushing for consistency and objectivity; and 4) exploring competition issues so innovation is unleashed, not quashed.”
    • McMorris Rodgers identified the “BIG TECH ISSUES TO BE ADDRESSED:”
      • Big Tech Responsibility:
        • Section 230 Reform: Consider several proposals requiring Big Tech to manage their platforms more responsibly, including repealing their liability protection when they neglect their “Good Samaritan” obligations;
        • Content Policies and Enforcement: Require disclosures regarding how Big Tech develops its content policies and require regular disclosures about content policy enforcement, including the types of content taken down and why, and clearly understood appeals processes;
        • Law Enforcement: Establish concrete means for Big Tech to communicate, consult, and coordinate with law enforcement to address illicit content on their platform, such as illegal sale of opioids, terrorist and violent extremists’ content, and other issues. We must ensure online threats are acted upon and evidence preserved;
        • Our Children: Explore and expose how Big Tech hurts children, including how Big Tech contributes to suicides and anxiety, especially in young girls; how Big Tech uses algorithms to drive addiction; and the role Big Tech plays in child grooming and trafficking;
        • Election Issues: Explore the role Big Tech plays in elections, particularly when it comes to their bias and censorship of news articles, such as the New York Post article they suppressed leading to the 2020 election; and
        • Deplatforming: Explore ways in which Big Tech makes decisions to deplatform users and whether some remedy to challenge those decisions should be available.
      • Big Tech Power:
        • App Stores: Explore Apple and Google’s app store policies, including how their decisions to remove or host certain apps limits or increases consumer choice;
        • Coordination: Explore how Big Tech wields its power and the groupthink that develops to silence the truth;
        • Media: Explore how Big Tech influences traditional media, including local media, how their power restricts consumer choice, and how they wield that power to build a narrative and control the stories we see online;
        • Data: Explore Big Tech’s mass accumulation of data and how it impacts new entrants’ ability to compete and create consumer choice; and
        • E-Commerce Marketplace Power: Explore how Big Tech wields its e-commerce power over consumer choice.
  • House Foreign Affairs Committee Ranking Member Michael McCaul (R-TX), House Armed Services Committee Ranking Member Mike Rogers (R-AL), Representative Elise Stefanik (R-NY), and 22 other House Republicans have written President Joe Biden “to engage with our allies on emerging technology issues” because “China is undoubtedly the greatest military, economic, and geopolitical threat to the United States and our allies in this century, as exemplified by the Chinese Communist Party’s (CCP) effort to lead the world in critical emerging technologies like 5G communications and artificial intelligence.”

Coming Events

  • On 3 February, the Senate Commerce, Science, and Transportation Committee will consider the nomination of Rhode Island Governor Gina Raimondo to be the Secretary of Commerce.
  • On 17 February, the Federal Communications Commission (FCC) will hold an open meeting, its first under acting Chair Jessica Rosenworcel, with this tentative agenda:
    • Presentation on the Emergency Broadband Benefit Program. The Commission will hear a presentation on the creation of an Emergency Broadband Benefit Program. Congress charged the FCC with developing a new $3.2 billion program to help Americans who are struggling to pay for internet service during the pandemic.
    • Presentation on COVID-19 Telehealth Program. The Commission will hear a presentation about the next steps for the agency’s COVID-19 Telehealth program. Congress recently provided an additional $249.95 million to support the FCC’s efforts to expand connected care throughout the country and help more patients receive health care safely.
    • Presentation on Improving Broadband Mapping Data. The Commission will hear a presentation on the work the agency is doing to improve its broadband maps. Congress directly appropriated $65 million to help the agency develop better data for improved maps.
    • Addressing 911 Fee Diversion. The Commission will consider a Notice of Proposed Rulemaking that would implement section 902 of the Don’t Break Up the T-Band Act of 2020, which requires the Commission to take action to help address the diversion of 911 fees by states and other jurisdictions for purposes unrelated to 911. (PS Docket Nos. 20-291, 09-14)
    • Implementing the Secure and Trusted Communications Networks Act. The Commission will consider a Third Further Notice of Proposed Rulemaking that proposes to modify FCC rules consistent with changes that were made to the Secure and Trusted Communications Networks Act in the Consolidated Appropriations Act, 2021. (WC Docket No. 18-89)
  • On 27 July 2021, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Peter H from Pixabay

Further Reading, Other Developments, and Coming Events (26, 27, and 28 January 2021)

Further Reading

  • President Biden’s Tech To-Do List” By Shira Ovide — The New York Times. Another survey of the pressing tech issues President Joe Biden and his Administration will grapple with.
  • Trying to improve remote learning? A refugee camp offers some surprising lessons” By Javeria Salman — The Hechinger Report. An organization that is helping refugee children advises that digital literacy is the necessary first step in helping all children have positive online learning experiences (assuming of course they have devices and internet access). This means more than being adept with Instagram, TikTok, and Snapchat. They also suggest that children work on projects as opposed to busy work.
  • Silicon Valley Takes the Battlespace” By Jonathan Guyer — The American Prospect. A company funded, in part, by former Google CEO Eric Schmidt, Rebellion Defense, landed two members on then President-elect Joe Biden’s official transition team, causing some to wonder about the group. This starts up writes artificial intelligence (AI) with defense industry applications, among other products. Schmidt chairs the National Security Commission on Artificial Intelligence and is widely seen as a bridge between Washington and Silicon Valley. Some see the rise of this company as the classic inside the Beltway tale of blurring interests and capitalizing on connections and know how.
  • The fight to make Netflix and Hulu pay cable fees” By Adi Robertson — The Verge. Municipalities are suing platforms like Netflix, Hulu, Dish Network, DirecTV and others, claiming they are not paying the franchise fees and quarterly fees traditional cable companies have been subject to for the use of the localities’ rights of way and broadband service. The companies are, of course, arguing they are not subject to these laws because they are not cable companies. There have been a host of such suits filed throughout the United States (U.S.) and bear watching.
  • Twitter’s misinformation problem is much bigger than Trump. The crowd may help solve it.” By Elizabeth Dwoskin — The Washington Post. Sounds like Twitter is going the route of Wikipedia with a pilot in which volunteers would fact check and provide context to problematic content. Perhaps this helps address the problems posed by social media platforms.
  • Biden’s clean up of Silicon Valley poses a problem for Scott Morrison” By Harley Dennett — The Canberra Times. The concern down under is that the Biden Administration will press the Morrison government into weakening the “Treasury Laws Amendment (News Media and Digital Platforms Mandatory Bargaining Code) Bill 2020” that “establishes a mandatory code of conduct to help support the sustainability of the Australian news media sector by addressing bargaining power imbalances between digital platforms and Australian news businesses” according to the Explanatory Memorandum. Doing so would please Google, Facebook, and others, supposedly making them more amenable to the coming policy changes Democrats want to unleash on tech companies. It remains to be seen what the Biden Administration would get in return.
  • China turbocharges bid to discredit Western vaccines, spread virus conspiracy theories” By Gerry Shih — The Washington Post. In light of more effective vaccines developed by United States (U.S.) companies and a World Health Organization (WHO) team in Wuhan investigating, the People’s Republic of China (PRC) has kicked its propaganda campaign into high gear. All sorts of unsubstantiated claims are being made about the safety and effectiveness of the U.S. vaccines and the source of COVID-19 (allegedly from the U.S.)
  • A Chinese hacking group is stealing airline passenger details” By Catalin Cimpanu — ZDNet.  Hackers associated with the People’s Republic of China (PRC) apparently hacked into one of the companies that generates Passenger Name Records (PNR) that details who flies where and when. There are many uses for these data, including identifying likely foreign intelligence operatives such as Central Intelligence Agency (CIA) agents stationed abroad.
  • Biden Has a Peloton Bike. That Raises Issues at the White House.” By Sheryl Gay Stolberg — The New York Times. This is the level of coverage of the new President. His predecessor used an insecure iPhone that other nations’ intelligence agencies were likely tapping and was famously careless with classified information. And yet, President Joe Biden’s Peloton worries cybersecurity experts. Buried inside the story are the revelations that during the Digital Age, Presidents present cybersecurity challenges and tailored solutions are found.
  • Ministry of Electronics asks Whatsapp to withdraw changes to privacy policy, disclose data sharing practice” By Bismah Malik — The New Indian Express. India’s Ministry of Electronics and Information Technology (MeitY) is asking WhatsApp to scrap plans to roll out an already delayed change to privacy policies. India is the company’s largest market and has already flexed its muscle against other foreign apps it claimed posed dangers to its people like TikTok. WhatsApp would likely be blocked under a proposed Indian law from moving ahead with its plan to make data people share with WhatsApp business accounts available to Facebook and for advertising. The Data Protection Bill is expected to pass the Parliament his year.
  • WhatsApp Fueled A Global Misinformation Crisis. Now, It’s Stuck In One.” By Pranav Dixit — BuzzFeed News. A nice overview of how WhatsApp and Facebook’s missteps and limited credibility with people resulted in a widely believed misrepresentation about the changes to WhatsApp’s Terms of Service announced earlier this year.
  • Amazon, Facebook, other tech giants spent roughly $65 million to lobby Washington last year” By Tony Romm — The Washington Post. While Amazon and Facebook increased their federal lobbying, Google cut back. It bears note these totals are only for the lobbying these entities are doing directly to the federal government and does not include what they spend on firms and lobbyists in Washington (which is plenty) or their contributions to organizations like the Information Technology Industry Council or the Center for Democracy and Technology (which, again, is a lot.) Let’s also not forget political contributions or fundraising by the leadership and senior employees of these companies and political action committees (PAC). Finally, these totals exclude funds spent in state capitals, and I expect tech companies dropped a ton of cash in places like Sacramento and Olympia last year as major privacy legislation was under consideration. Moreover, this article does not take in whatever the companies are spending in Brussels and other capitals around the world.
  • Google won’t donate to members of Congress who voted against election results” By Ashley Gold — Axios. Speaking of using money to influence the political process, Google has joined other tech companies in pausing donations to Members who voted against certifying President Joe Biden’s victory in the Electoral College (i.e., Senators Ted Cruz (R-TX) and Josh Hawley (R-MO), to name two). We’ll see how long this lasts.
  • FCC’S acting chair says agency reviewing reports of U.S. East Coast internet outages” By Staff — Reuters; “Big Internet outages hit the East Coast, causing issues for Verizon, Zoom, Slack, Gmail” By Rachel Lerman — The Washington Post. On 26 January, there were widespread internet outages on the east coast of the United States (U.S.) that the Federal Communications Commission (FCC) is vowing to investigate. Acting FCC Chair Jessica Rosenworcel tweeted:
    • We have seen reports of internet-related outages on the East Coast, making it difficult for people to work remotely and go to school online. The @FCC Public Safety and Homeland Security Bureau is working to get to the bottom of what is going on.
    • It is not clear where and why the roughly hour long outage occurred, but early fingers are being pointed at Verizon FIOS.
  • Police Say They Can Use Facial Recognition, Despite Bans” By Alfred Ng — The Markup. No one should be surprised that many police departments are reading bans on using facial recognition technology as narrowly as possible. Nevertheless, legislators and advocates are fighting over the interpretations of these recently passed statutes, almost all of which have been put in place by municipalities. Jurisdictions in the United States may also soon choose to address the use of facial recognition technology by businesses.
  • Why Are Moscow and Beijing Happy to Host the U.S. Far-Right Online?” By Fergus Ryan — Foreign Policy. The enemy of my enemy is my friend, supposedly. Hence, extremist right-wingers, white supremacists, and others are making common cause with the companies of the People’s Republic of China and the Russian Federation by moving their websites and materials to those jurisdictions after getting banned by western companies. Given how closely Beijing and Moscow monitor their nations’ internet, this is surely done with the tacit permission of those governments and quite possibly to the same end as their disinformation campaigns: to disrupt the United States and neutralize it as a rival.
  • After Huawei, Europe’s telcos want ‘open’ 5G networks “ By Laurens Cerulus — Politico EU. Europe’s major telecommunications companies, Deutsche Telekom, Telefónica, Vodafone and Orange, have banded together to support and buy Open RAN technology to roll out 5G instead of buying from Ericsson or Nokia who are promising to do it all. The Open RAN would allow for smaller companies to build pieces of 5G networks that would be interchangeable since everyone is working from the same standards. Huawei, of course, has been shut out of many European nations and see the development as more evidence that western nations are ganging up on it.

Other Developments

  • White House Press Secretary Jen Psaki confirmed that President Joe Biden has directed the United Intelligence Community (IC) to investigate and report to him on the SolarWinds breach perpetrated by the Russian Federation’s foreign intelligence service, Sluzhba vneshney razvedki Rossiyskoy Federatsii (SVR). Thus far, it appears that many United States (U.S.) agencies and private sector entities were quietly breached in early 2020 and then surveilled for months until FireEye, a private sector cybersecurity company, divulged it had been breached. Given former President Donald Trump’s aversion to acknowledging the malicious acts of Russia, it seemed likely the Biden Administration would start the U.S. response. Interestingly, the Biden Administration is extending two nuclear weapons control treaties at the same time it seeks to undertake this assessment of Russian hacking. And, whatever the results of the assessment, experts are in agreement that the Biden Administration would seem to have few good options to retaliate and deter future action.
    • At a 21 January press briefing, Psaki stated
      • I can confirm that the United States intends to seek a five-year extension of New START, as the treaty permits.  The President has long been clear that the New START Treaty is in the national security interests of the United States.  And this extension makes even more sense when the relationship with Russia is adversarial, as it is at this time.
      • New START is the only remaining treaty constraining Russian nuclear forces and is an anchor of strategic stability between our two countries.
      • And to the other part of your question: Even as we work with Russia to advance U.S. interests, so too we work to hold Russia to account for its reckless and adversarial actions.  And to this end, the President is also issuing a tasking to the intelligence community for its full assessment of the SolarWinds cyber breach, Russian interference in the 2020 election, its use of chemical weapons against opposition leader Alexei Navalny, and the alleged bounties on U.S. soldiers in Afghanistan.
  • A group of 40 organizations urged President Joe Biden “to avoid appointing to key antitrust enforcement positions individuals who have served as lawyers, lobbyists, or consultants for Amazon, Apple, Facebook, and Google” in a letter sent before his inauguration. Instead, they encouraged him “to appoint experienced litigators or public servants who have recognized the dangers of, rather than helped to exacerbate, these corporations’ market power.” They closed the letter with this paragraph:
    • With your historic election, and the groundbreaking mandate Americans have entrusted you with, you face the challenge of not only rebuilding the country, but also rebuilding trust in government. We believe that appointing antitrust enforcers with no ties to dominant corporations in the industries they will be tasked with overseeing –particularly in regard to the technology sector –willhelp re-establish public trust in government at a critically important moment in our country’s history. We look forward to working with your administration to ensure powerful technology corporations are held accountable for wrongdoing in the months of years ahead.
    • The signatories include:
      • Public Citizen
      • American Economic Liberties Project
      • Open Markets Institute
      • Revolving Door Project
  • The National Security Agency (NSA) issued an advisory “Adopting Encrypted DNS in Enterprise Environments,” “explaining the benefits and risks of adopting the encrypted domain name system (DNS) protocol, DNS over HTTPs (DoH), in enterprise environments.” This advisory is entirely voluntary and does not bind any class of entities. Moreover, it is the latest in a series of public advisories that has seen the heretofore secretive NSA seek to rival the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) in advising the owners and operators of cyber infrastructure. The NSA explained:
    • Use of the Internet relies on translating domain names (like “nsa.gov”) to Internet Protocol addresses. This is the job of the Domain Name System (DNS). In the past, DNS lookups were generally unencrypted, since they have to be handled by the network to direct traffic to the right locations. DNS over Hypertext Transfer Protocol over Transport Layer Security (HTTPS), often referred to as DNS over HTTPS (DoH), encrypts DNS requests by using HTTPS to provide privacy, integrity, and “last mile” source authentication with a client’s DNS resolver. Itis useful to prevent eavesdropping and manipulation of DNS traffic.While DoH can help protect the privacy of DNS requests and the integrity of responses, enterprises that use DoH will lose some of the control needed to govern DNS usage within their networks unless they allow only their chosen DoH resolver to be used. Enterprise DNS controls can prevent numerous threat techniques used by cyber threat actors for initial access, command and control, and exfiltration.
    • Using DoH with external resolvers can be good for home or mobile users and networks that do not use DNS security controls. For enterprise networks, however, NSA recommends using only designated enterprise DNS resolvers in order to properly leverage essential enterprise cybersecurity defenses, facilitate access to local network resources, and protect internal network information. The enterprise DNS resolver may be either an enterprise-operated DNS server or an externally hosted service. Either way, the enterprise resolver should support encrypted DNS requests, such as DoH, for local privacy and integrity protections, but all other encrypted DNS resolvers should be disabled and blocked. However, if the enterprise DNS resolver does not support DoH, the enterprise DNS resolver should still be used and all encrypted DNS should be disabled and blocked until encrypted DNS capabilities can be fully integrated into the enterprise DNS infrastructure.
  • The United States (U.S.) Government Accountability Office (GAO) has sent a report to the chair of the House Oversight Committee on its own initiative that “examines: (1) the Department of Defense’s (DOD) efforts to revise the process for identifying and protecting its critical technologies, and (2) opportunities for DOD’s revised process to inform U.S. government protection programs.” The GAO stated:
    • DOD’s critical technologies—including those associated with an acquisition program throughout its lifecycle or those still early in development—are DOD funded efforts that provide new or improved capabilities necessary to maintain the U.S. technological advantage. For the purposes of this report, we refer to these as critical acquisition programs and technologies. Also for the purposes of this report, U.S. government protection programs are those GAO previously identified across the federal government that are designed to protect critical technologies such as the Arms Export Control System, National Industrial Security Program, and the Committee on Foreign Investment in the U.S
    • Critical technologies are pivotal to maintaining the U.S. military advantage and, as such, are a frequent target for unauthorized access by adversaries such as through theft, espionage, illegal export, and reverse engineering. DOD has long recognized the need to effectively identify and ensure the consistent protection of these technologies from adversaries, but past efforts have not been fully successful. Recent efforts to revise its process for identifying and protecting its critical acquisition programs and technologies—led by DOD’s Protecting Critical Technology Task Force— offer some improvements.
    • However, DOD can further strengthen its revised process by determining the approach for completing key steps. These steps include ensuring its critical acquisition programs and technologies list is formally communicated to all relevant internal entities and other federal agencies, such as the Department of the Treasury as chair of the Committee on Foreign Investment in the United States, to promote a consistent understanding of what DOD deems critical to protect. They also include developing appropriate metrics that DOD program offices as well as organizations—such as the military departments and Under Secretary of Defense level offices—can use to assess the implementation and sufficiency of the assigned protection measures. Finally, DOD has not yet designated an organization to oversee critical technology protection efforts beyond 2020. As DOD works to develop a policy for its revised process, addressing these issues will not only help improve and ensure continuity in DOD’s protection efforts, but also help ensure government- wide protection efforts are better coordinated as called for in the 2020 National Strategy for Critical and Emerging Technologies.
    • The GAO made three recommendations to the DOD:
      • The Secretary of Defense should direct the Deputy Secretary of Defense in conjunction with the Protecting Critical Technology Task Force to determine a process for formally communicating future critical acquisition programs and technologies lists to all relevant DOD organizations and federal agencies. (Recommendation 1)
      • The Secretary of Defense should direct the Deputy Secretary of Defense in conjunction with the Protecting Critical Technology Task Force to identify, develop, and periodically review appropriate metrics to assess the implementation and sufficiency of the assigned protection measures. (Recommendation 2)
      • The Secretary of Defense should direct the Deputy Secretary of Defense in conjunction with the Protecting Critical Technology Task Force to finalize the decision as to which DOD organization will oversee protection efforts beyond 2020. (Recommendation 3)
  • The National Telecommunications and Information Administration (NTIA) “under sponsorship of and in collaboration with the Department of Defense (DOD) 5G Initiative” “issued a Notice of Inquiry (NOI)…to explore a “5G Challenge” aiming to accelerate the development of an open source 5G ecosystem that can support DOD missions.” The NTIA explained:
    • A key innovation in 5G that is becoming more pervasive in the larger 5G ecosystem is the trend toward “open 5G” architectures that emphasize open interfaces in the network stack. NTIA, under sponsorship of and in collaboration with the DOD 5G Initiative, is seeking comments and recommendations from all interested stakeholders to explore the creation of a 5G Challenge that would accelerate the development of the open 5G stack ecosystem in support of DOD missions.
    • For the purposes of this Notice, NTIA has organized these questions into three broad categories: (1) Challenge structure and goals; (2) incentives and scope; and (3) timeframe and infrastructure support. NTIA seeks public input on any and/or all of these three categories.
  • The Court of Justice for the European Union’s (CJEU) Advocate General has released his opinion in a case on whether a different data protection authority (DPA) from the lead agency in a case may also bring actions in its court system. The General Data Protection Regulation (GDPR) has a mechanism that organizes the regulation of data protection in that one agency, often the first to act, becomes the lead supervisory authority (LSA) and other DPAs must follow its lead. Most famously, Ireland’s Data Protection Commission (DPC) has been the LSA for the action Maximillian Schrems brought against Facebook that led to the demise of two adequacy agreements between the United States (U.S.) and the European Union (EU). In each case, the DPC was the LSA. The CJEU is not obligated to follow the Advocate General’s opinions, but they frequently prove persuasive. In any event, the Advocate General found DPAs may, under some circumstances, bring cases for cross border infringement even if another DPA is LSA. Advocate General Michal Bobek summarized the facts of the case:
    • In September 2015, the Belgian data protection authority commenced proceedings before the Belgian courts against several companies belonging to the Facebook group (Facebook), namely Facebook INC, Facebook Ireland Ltd, which is the group’s main establishment in the EU, and Facebook Belgium BVBA (Facebook Belgium). In those proceedings, the data protection authority requested that Facebook be ordered to cease, with respect to any internet user established in Belgium, to place, without their consent, certain cookies on the device those individuals use when they browse a web page in the Facebook.com domain or when they end up on a third party’s website, as well as to collect data by means of social plugins and pixels on third party websites in an excessive manner. In addition, it requested the destruction of all personal data obtained by means of cookies and social plugins, about each internet user established in Belgium.
    • The proceedings at issue are at present in progress before the Hof van beroep te Brussel (Court of Appeal, Brussels, Belgium) with however their scope being limited to Facebook Belgium, as that court previously established that it had no jurisdiction with regard to the actions against Facebook INC and Facebook Ireland Ltd. In this context, Facebook Belgium asserts that, as of thed ate on which the General Data Protection Regulation (GDPR)1has become applicable,the Belgian data protection authority has lost competence to continue the judicial proceedings at issue against Facebook. It contends that, under the GDPR, only the data protection authority of the State of Facebook’s main establishment in the EU (the so-called ‘lead’ data protection authority in the EU for Facebook), namely the Irish Data Protection Commission, is empowered to engage in judicial proceedings against Facebook for infringements of the GDPR in relation to cross-border data processing.
    • Bobek summed up the legal questions presented to the CJEU:
      • Does the GDPR permit a supervisory authority of a Member State to bring proceedings before a court of that State for an alleged infringement of that regulation with respect to cross-border data processing, where that authority is not the lead supervisory authority with regard to that processing?
      • Or does the new ‘one-stop-shop’ mechanism, heralded as one of the major innovations brought about by the GDPR, prevent such a situation from happening? If a controller were called upon to defend itself against a legal challenge concerning cross-border data processing brought by a supervisory authority in a court outside the place of the controller’s main establishment, would that be ‘one-stop-too-many’ and therefore incompatible with the new GDPR mechanism?
    • Bobek made the following findings:
      • [F]irst, that it transpires from the wording of the GDPR that the lead data protection authority has a general competence over cross-border data processing, including the commencement of judicial proceedings for the breach of the GDPR, and, by implication, the other data protection authorities concerned enjoy a more limited power to act in that regard.
      • Second, the Advocate General recalls that the very reason for the introduction of the one-stop-shop mechanism enshrined in the GDPR, whereby a significant role has been given to the lead data protection authority and cooperation mechanisms have been set up to involve other data protection authorities, was to address certain shortcomings resulting from the former legislation. Indeed, economic operators used to be required to comply with the various sets of national rules implementing that legislation, and to liaise, at the same time, with all the national data protection authorities, which proved to be costly, burdensome and time-consuming for those operators, and an inevitable source of uncertainty and conflicts for them and their customers.
      • Third, the Advocate General stresses that the lead data protection authority cannot be deemed as the sole enforcer of the GDPR in cross-border situations and must, in compliance with the relevant rules and time limits provided for by the GDPR, closely cooperate with the other data protection authorities concerned, the input of which is crucial in this area.
  • The United States (U.S.) Department of Defense added more companies from the People’s Republic of China (PRC) to the list of those associated with or controlled by the Chinese Communist Party or the People’s Liberation Army (PLA) “in accordance with the statutory requirement of Section 1237 of the National Defense Authorization Act for Fiscal Year 1999.” The previous lists were released last year (here, here and here.) This designation will almost certainly make doing business in the United States (U.S.) and elsewhere more difficult.
    • The first part of Section 1237 grants the President authority to “exercise International Emergency Economic Powers Act (IEEPA) authorities (other than authorities relating to importation) without regard to section 202 of the IEEPA (50 U.S.C. 1701) in the case of any commercial activity in the United States by a person that is on the list.” IEEPA grants the President sweeping powers to prohibit transactions and block property and property interests for nations and other groups subject to an IEEPA national emergency declaration. Consequently, those companies identified by the DOD on a list per Section 1237 could be blocked and prohibited from doing business with U.S. entities and others and those that do business with such Chinese companies could be subject to enforcement actions by the U.S. government.
    • The statute defines a “Communist Chinese military company” as “any person identified in the Defense Intelligence Agency publication numbered VP-1920-271-90, dated September 1990, or PC-1921-57-95, dated October 1995, and any update of those publications for the purposes of this section; and any other person that is owned or controlled by the People’s Liberation Army; and is engaged in providing commercial services, manufacturing, producing, or exporting.” Considering that the terms “owned” and “controlled” are not spelled out in this section, the executive branch may have very wide latitude in deeming a non-Chinese company as owned or controlled and therefore subject to the President’s use of IEEPA powers. Moreover, since the President already has the authority to declare an emergency and then use IEEPA powers, this language would seem to allow the President to bypass any such declaration and immediately use such powers, except those regarding importation, against any Chinese entities identified on this list by the Pentagon.
  • A group of 13 House Democrats wrote Attorney General designate Merrick Garland asking that the Biden Administration “to withdraw from the United States (U.S.) federal government’s lawsuit against the State of California over its net neutrality law as one of the first actions after inauguration.” The Trump Administration had sued California after a measure became law in 2018, mandating net neutrality there in the wake of the Federal Communications Commission’s (FCC) rollback of federal net neutrality. The Members argued:
    • In September 2018, then-Governor Jerry Brown signed into law SB 822, the strongest net neutrality law in the country. The Trump Department of Justice (DOJ) sued to overturn California’s law hours later, and associations of telecommunications providers sued within days. Parties to the case agreed to put the case on hold until Mozilla v. FCC was resolved. In that case, the Court of Appeals for the D.C. Circuit vacated the part of the Federal Communications Commission (FCC)’s 2018 Restoring Internet Order (RIF) that preempted state net neutrality laws.
    • The arguments of the Trump DOJ and telecommunications associations in U.S. v. California extend further than even the FCC’s RIF and have implications on the ability of California and other states to regulate many communications and technology policy issues.
    • The Eastern District of California has scheduled a hearing in U.S. v. California for a request for an injunction on January 26, 2021. It is for these reasons, we ask that the federal DOJ withdraw from U.S. v. California shortly after President-elect Biden is inaugurated.
  • On its first day in power, the Biden Administration issued its “National Strategy for the COVID-19 Response and Pandemic Preparedness.” In the cover letter, President Joe Biden stated:
    • For the past year, we could not turn to the federal government for a national plan to answer prayers with action — until today. In the following pages, you will find my Administration’s national strategy to beat the COVID-19 pandemic. It is a comprehensive plan that starts with restoring public trust and mounting an aggressive, safe, and effective vaccination campaign. It continues with the steps we know that stop the spread liked expanded masking, testing, and social distancing. It’s a plan where the federal government works with states, cities, Tribal communities, and private industry to increase supply and administer testing and the vaccines that will help reopen schools and businesses safely. Equity will also be central to our strategy so that the communities and people being disproportionately infected and killed by the pandemic receive the care they need and deserve.
    • Given the numerous cyber-attacks and intrusions throughout the pandemic and growing risks to the entire vaccine supply chain, the President asked the Director of National Intelligence Avril Haines to “lead an assessment of ongoing cyber threats and foreign interference campaigns targeting COVID-19 vaccines and related public health efforts” in order to “counter any threat to the vaccination program.” The Administration stated “[t]he U.S. Government will take steps to address cyber threats to the fight against COVID-19, including cyber attacks on COVID-19 research, vaccination efforts, the health care systems and the public health infrastructure.”
    • Specifically, the strategy requires the following:
      • To assist in the Federal Government’s efforts to provide warning of pandemics, protect our biotechnology infrastructure from cyber attacks and intellectual property theft, identify and monitor biological threats from states and non-state actors, provide validation of foreign data and response efforts, and assess strategic challenges and opportunities from emerging biotechnologies, the Director of National Intelligence shall:
        • (i) Review the collection and reporting capabilities in the United States Intelligence Community (IC) related to pandemics and the full range of high-consequence biological threats and develop a plan for how the IC may strengthen and prioritize such capabilities, including through organizational changes or the creation of National Intelligence Manager and National Intelligence Officer positions focused on biological threats, global public health, and biotechnology;
        • (ii) Develop and submit to the President, through the Assistant to the President for National Security Affairs (APNSA) and the COVID-19 Response Coordinator, a National Intelligence Estimate on
          • (A) the impact of COVID-19 on national and economic security; and
          • (B) current, emerging, reemerging, potential, and future biological risks to national and economic security; and
        • (iii)  In coordination with the Secretary of State, the Secretary of Defense, the Secretary of Health and Human Services (HHS), the Director of the Centers for Disease Control and Prevention (CDC), the Administrator of United States Agency for International Development (USAID), the Director of the Office of Science and Technology Policy, and the heads of other relevant agencies, promptly develop and submit to the APNSA an analysis of the security implications of biological threats that can be incorporated into modeling, simulation, course of action analysis, and other analyses.
  • Before the end of the Trump Administration, the Departments of State and Treasury imposed sanctions on a group of Russians for taking part in “a Russia-linked foreign influence network associated with Andrii Derkach, who was designated on September 10, 2020, pursuant to Executive Order (E.O.) 13848 for his attempt to influence the 2020 U.S. Presidential election” according to the Trump Administration Department of State press release. These sanctions emanate from a narrative pushed by Derkach, a likely Russian agent, that the Biden family were engaged in corrupt dealings in Ukraine. Allies of the Trump Campaign pushed this narrative, too, until it failed to gain traction in the public sphere. It is little wonder the last administration waited until the tail end of the Trump presidency to levy such sanctions. State went on to explain:
    • Former Ukraine Government officials Konstantin Kulyk, Oleksandr Onyshchenko, Andriy Telizhenko, and current member of the Ukrainian parliament Oleksandr Dubinsky, have publicly appeared with or affiliated themselves with Derkach through the coordinated dissemination and promotion of fraudulent or unsubstantiated allegations involving a U.S. political candidate.  They have made repeated public statements advancing malicious narratives that U.S. Government officials have engaged in corrupt dealings in Ukraine.  These efforts and narratives are consistent with or in support of Derkach’s objectives to influence the 2020 U.S. presidential election.  As such, these individuals have been designated pursuant to E.O. 13848 for having directly or indirectly engaged in, sponsored, concealed, or otherwise been complicit in foreign influence in an attempt to undermine the 2020 U.S. elections.
    • NabuLeaks, Era-Media, Only News, and Skeptik TOV are media front companies in Ukraine that disseminate false narratives at the behest of Derkach’s and his associates.  They are being designated pursuant to E.O. 13848 for being owned or controlled by Derkach or his media team.  Today’s action also includes the designation of Petro Zhuravel, Dmytro Kovalchuk, and Anton Simonenko for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, Derkach.
    • Additionally, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) “took additional action against seven individuals and four entities that are part of a Russia-linked foreign influence network associated with Andrii Derkach” according to the agency’s press release. OFAC stated “[a]s a result of today’s designations, all property and interests in property of these targets that are subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them. Additionally, any entities 50 percent or more owned by one or more designated persons are also blocked.”
  • The United States (U.S.) Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) published “a draft of the Trusted Internet Connections (TIC) 3.0 Remote User Use Case and the draft National Cybersecurity Protection System (NCPS) Cloud Interface Reference Architecture (NCIRA): Volume 2.” The agency remarked in its press release:
    • The TIC initiative was launched under former President George W. Bush to limit the access points to the wider internet federal agencies used based on the logic of physical defense. And so, fewer entry and exit points made for a safer compound. However, over time, this proved problematic, especially as new technology came into use. Consequently, in the aforementioned OMB memorandum, the Trump Administration began a revamp from which these documents flow:
      • To continue to promote a consistent baseline of security capabilities, the Department of Homeland Security (DHS) will define TIC initiative requirements in documentation called TIC Use Cases (refer to Appendix A). TIC Use Case documentation will outline which alternative security controls, such as endpoint and user-based protections, must be in place for specific scenarios in which traffic may not be required to flow through a physical TIC access point. To promote flexibility while maintaining a focus on security outcomes, the capabilities used to meet TIC Use Case requirements may be separate from an agency’s existing network boundary solutions provided by a Trusted Internet Connection Access Provider (TICAP) or Managed Trusted Internet Protocol Services (MTIPS). Given the diversity of platforms and implementations across the Federal Government, TIC Use Cases will highlight proven, secure scenarios, where agencies have met requirements for government-wide intrusion detection and prevention efforts, such as the National Cybersecurity Protection System (including the EINSTEIN suite), without being required to route traffic through a TICAP/MTIPS solution.
    • In the Remote User Use Case, it is explained that
      • The TIC 3.0 Remote User Use Case (Remote User Use Case) defines how network and multi-boundary security should be applied when an agency permits remote users on their network. A remote user is an agency user that performs sanctioned business functions outside of a physical agency premises. The remote user scenario has two distinguishing characteristics:
        • 1. Remote user devices are not directly connected to network infrastructure that is managed and maintained by the agency.
        • 2. Remote user devices are intended for individual use (i.e., not a server).
      • In contrast, when remote user devices are directly connected to local area networks and other devices that are managed and maintained by the agency, it would be considered either an agency campus or a branch office scenario. TIC architectures for agency campus and branch office scenarios are enumerated in the TIC 3.0 Traditional TIC Use Case and the TIC 3.0 Branch Office Use Case respectively.
    • In NCIRA, it is stated:
      • The NCPS Cloud Interface Reference Architecture is being released as two individual volumes. The first volume provides an overview of changes to NCPS to accommodate the collection of relevant data from agencies’ cloud environments and provides general reporting patterns for sending cloud telemetry to CISA. This second volume builds upon the concepts presented in NCPS Cloud Interface Reference Architecture: Volume One and provides an index of common cloud telemetry reporting patterns and characteristics for how agencies can send cloud-specific data to the NCPS cloud-based architecture. Individual cloud service providers (CSPs) can refer to the reporting patterns in this volume to offer guidance on their solutions that allow agencies to send cloud telemetry to CISA in fulfillment of NCPS requirements.
  • The Congressional-Executive Commission on China (CECC) published its “2020 Annual Report” “on human rights and the rule of law in China.” The CECC found that:
    • the Chinese government and Communist Party have taken unprecedented steps to extend their repressive policies through censorship, intimidation, and the detention of people in China for exercising their fundamental human rights. Nowhere is this more evident than in the Xinjiang Uyghur Autonomous Region (XUAR) where new evidence emerged that crimes against humanity—and possibly genocide—are occurring, and in Hong Kong, where the ‘‘one country, two systems’’ frame-work has been effectively dismantled.
    • These policies are in direct violation of China’s Constitution, which guarantees ‘‘freedom of speech, of the press, of assembly, of association, of procession and of demonstration,’’ as well as ‘‘freedom of religious belief.’’ The actions of the Chinese government also contravene both the letter and the spirit of the Universal Declaration of Human Rights; violate its obligations under the Inter-national Covenant on Civil and Political Rights, which the Chinese government has signed but not ratified; and violate the Inter-national Covenant on Economic, Social, and Cultural Rights, ratified in 2001. Further, the Chinese government has abandoned any pretense of adhering to the legally binding commitments it made to the international community when it signed the 1984 Sino-British Joint Declaration on the future of Hong Kong.
    • President and Party General Secretary Xi Jinping has tightened his grip over China’s one-party authoritarian system, and the Party has further absorbed key government functions while also enhancing its control over universities and businesses. Authorities promoted the official ideology of ‘‘Xi Jinping Thought’’ on social media and required Party members, government officials, journalists, and students to study it, making the ideology both pervasive, and for much of the country, mandatory.
    • Regarding freedom of expression, the CECC recommended:
      • Give greater public expression, including at the highest levels of the U.S. Government, to the issue of press freedom in China, condemning: the harassment and detention of both domestic and foreign journalists; the denial, threat of denial, or delay of visas for foreign journalists; and the censorship of foreign media websites. Consistently link press freedom to U.S. interests, noting that censorship and restrictions on journalists and media websites prevent the free flow of information on issues of public concern, including public health and environ-mental crises, food safety problems, and corruption, and act as trade barriers for foreign companies attempting to access the Chinese market. Assess the extent to which China’s treatment of foreign journalists contravenes its World Trade Organization commitments and other obligations.
      • Sustain, and where appropriate, expand, programs that develop and widely distribute technologies that will assist Chinese human rights advocates and civil society organizations in circumventing internet restrictions, in order to access and share content protected under international human rights standards. Continue to maintain internet freedom programs for China at the U.S. Department of State and the United States Agency for Global Media to provide digital security training and capacity-building efforts for bloggers, journalists, civil society organizations, and human rights and internet freedom advocates in China.
      • Raise with Chinese officials, during all appropriate bilateral discussions, the cost to U.S.-China relations and to the Chinese public’s confidence in government institutions that is incurred when the Chinese government restricts political debate, advocacy for democracy or human rights, and other forms of peaceful  political  expression.  Emphasize  that  such  restrictions  violate  international  standards  for  free  expression,  particularly  those  contained  in  Article  19  of  the  International  Covenant  on  Civil  and  Political  Rights  and  Article  19  of  the  Universal  Declaration of Human Rights.
  • The Center for Democracy and Technology (CDT) issued its “Recommendations to the Biden Administration and 117th Congress to Advance Civil Rights & Civil Liberties in the Digital Age” that called for reform to content moderation, election law, privacy, big data, and other policy areas.
  • A United States (U.S.) federal court denied Parler’s request for a preliminary injunction against Amazon Web Services (AWS) after the latter shut down the former’s website for repeated violations of their contract, including the use of the conservative tilting platform during the 6 January 2021 insurrection at the United States Capitol. Parler was essentially asking the court to force AWS to once again host its website while its litigation was pending. The court reviewed Parler’s claims and clarified the scope of the case:
    • In its Complaint, Parler asserts three claims: (1) for conspiracy in restraint of trade, in violation of the Sherman Act, 15 U.S.C. § 1; (2) for breach of contract; and (3) for tortious interference with business expectancy. AWS disputes all three claims, asserting that it is Parler, not AWS, that has violated the terms of the parties’ Agreement, and in particular AWS’s Acceptable Use Policy, which prohibits the “illegal, harmful, or offensive” use of AWS services.
    • It is important to note what this case is not about. Parler is not asserting a violation of any First Amendment rights, which exist only against a governmental entity, and not against a private company like AWS. And indeed, Parler has not disputed that at least some of the abusive and violent posts that gave rise to the issues in this case violate AWS’s Acceptable Use Policy. This motion also does not ask the Court to make a final ruling on the merits of Parler’s claims. As a motion for a preliminary injunction, before any discovery has been conducted, Parler seeks only to have the Court determine the likelihood that Parler will ultimately prevail on its claims, and to order AWS to restore service to Parler pending a full and fair litigation of the issues raised in the Complaint.
    • However, the court ruled against Parler:
      • Parler has failed to meet the standard set by Ninth Circuit and U.S. Supreme Court precedent for issuance of a preliminary injunction. To be clear, the Court is not dismissing Parler’s substantive underlying claims at this time. Parler has fallen far short, however, of demonstrating, as it must, that it has raised serious questions going to the merits of its claims, or that the balance of hardships tips sharply in its favor. It has also failed to demonstrate that it is likely to prevail on the merits of any of its three claims; that the balance of equities tips in its favor, let alone strongly so; or that the public interests lie in granting the injunction.
  • The United States (U.S.) Department of Commerce’s National Telecommunications and Information Administration (NTIA) issued a statutorily required “National Strategy to Secure 5G Implementation Plan” and Appendices. The NTIA explained:
    • In accordance with the Secure 5G and Beyond Act of 2020, the Executive Branch has developed a comprehensive implementation plan. This implementation will be managed under the leadership of the National Security Council and the National Economic Council, supported by the National Telecommunications and Information Administration (NTIA), and with contributions from and coordination among a wide range of departments and agencies. The implementation plan took into account the 69 substantive comments in response to NTIA’s Request for Comments received from companies, industry associations, and think tanks representing a range of interests and aspects of the telecommunications ecosystem. Consistent with the National Strategy to Secure 5G, the implementation plan encompasses four lines of effort:
      • Line of Effort One: Facilitate Domestic 5G Rollout: The first line of effort establishes a new research and development initiative to develop advanced communications and networking capabilities to achieve security, resilience, safety, privacy, and coverage of 5G and beyond at an affordable cost. Advancement of United States leadership in Secure 5G and beyond systems and applications will be accomplished by enhancing centers of research and development and manufacturing. These efforts will leverage public-private partnerships spanning government, industry, academia, national laboratories, and international allies. This line of effort also intends to identify incentives and options to leverage trusted international suppliers, both to facilitate secure and competitive 5G buildouts, and to ensure the global competitiveness of United States manufacturers and suppliers.
      • Line of Effort Two: Assess Risks to & Identify Core Security Principles of 5G Infrastructure: The second line of effort is oriented toward identifying and assessing risks and vulnerabilities to 5G infrastructure, building on existing capabilities in assessing and managing supply chain risk. This work will also involve the development of criteria for trusted suppliers and the application of a vendor supply chain risk management template to enable security-conscious acquisition decision-making. Several agencies have responsibilities for assessing threats as the United States’ manages risks associated with the global and regional adoption of 5G network technology as well as developing mitigation strategies to combat any identified threats. These threat assessments take into account, as appropriate, requirements from entities such as the Committee on Foreign Investment in the United States (CFIUS), the Executive Order (E.O.) on Establishing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (Team Telecom), and the Federal Acquisition Security Council (FASC). In addition, this line of effort will identify security gaps in United States and international supply chains and an assessment of the global competitiveness and economic vulnerabilities of United States manufacturers and suppliers. Finally, this set of activities will include working closely with the private sector and other stakeholders to identify, develop, and apply core security principles for 5G infrastructure. These efforts will include leveraging the Enduring Security Framework (ESF), a working group under the Critical Infrastructure Partnership Advisory Council (CIPAC). These emerging security principles will be synchronized with or complementary to other 5G security principles, such as the “Prague Proposals” from the Prague 5G Security Conference held in May 2019.
      • Line of Effort Three: Address Risks to United States Economic and National Security during Development and Deployment of 5G Infrastructure Worldwide: The third line of effort involves addressing the risks to United States economic and national security during the development and deployment of 5G infrastructure worldwide. As a part of this effort, the United States will identify the incentives and policies necessary to close identified security gaps in close coordination with the private sector and through the continuous evaluation of commercial, security, and technological developments in 5G networks. A related activity is the identification of policies that can ensure the economic viability of the United States domestic industrial base, in coordination with the private sector through listening sessions and reviews of best practices. An equally important activity relates to the identification and assessment of “high risk” vendors in United States5G infrastructure, through efforts such as the Implementation of E.O. 13873, on “Securing the Information and Communications Technology and Services Supply Chain.” These efforts will build on the work of the CFIUS, the FASC, and Team Telecom reviews of certain Federal Communications Commission (FCC) licenses involving foreign ownership. This element of the implementation plan will also involve more intense engagement with the owners and operators of private sector communications infrastructure, systems equipment developers, and other critical infrastructure owners and operators. The engagements will involve sharing information on 5G and future generation wireless communications systems and infrastructure equipment. Such work will be conducted through the Network Security Information Exchange, the IT and Communications Sector and Government Coordinating Councils, the National Security Telecommunications Advisory Committee, and NTIA’s Communications Supply Chain Risk Information Partnership (C-SCRIP).
      • Line of Effort Four: Promote Responsible Global Development and Deployment of 5G: The fourth line of effort addresses the responsible global development and deployment of 5G technology. A key component of this line of effort is diplomatic outreach and engagement to advocate for the adoption and implementation of 5G security measures that prohibit the use of untrusted vendors in all parts of 5G networks. A related component involves the provision of technical assistance to mutual defense treaty allies and strategic partners of the United States to maximize the security oftheir5G and future generations of wireless communications systems and infrastructure. The goal of providing financing support and technical assistance is to help enable countries and private companies to develop secure and trusted next generation networks that are free of untrusted vendors and that increase global connectivity. A key part of 5G deployment involves international standards development, thus the implementation plan outlines several steps in support of the goal of strengthening and expanding United States leadership in international standards bodies and voluntary consensus-based standards organizations, including strengthening coordination with and among the private sector. This line of effort will also include collaboration with allies and partners with regard to testing programs to ensure secure 5G and future wireless communications systems and infrastructure equipment, including spectrum-related testing. To successfully execute this work, continued close coordination between the United States Government, private sector, academic, and international government partners is required to ensure adoption of policies, standards, guidelines, and procurement strategies that reinforce 5G vendor diversity and foster market competition. The overarching goals of this line of effort are to promote United States-led or linked technology solutions in the global market; remove and reduce regulatory and trade barriers that harm United States competitiveness; provide support for trusted vendors; and advocate for policies and laws that promote open, competitive markets for United States technology companies. This will also be supported through close collaboration with partners on options to advance the development and deployment of open interfaced, standards-based, and interoperable 5G networks.
  • The Federal Communications Commission (FCC) issued its annual “Broadband Deployment Report,” one of the last reports on FCC policy under the stewardship of former Chair Ajit Pai. In the agency’s press release, Pai claimed “[i]n just three years, the number of American consumers living in areas without access to fixed broadband at 25/3 Mbps has been nearly cut in half.” He added:
    • These successes resulted from forward-thinking policies that removed barriers to infrastructure investment and promoted competition and innovation.  I look forward to seeing the Commission continue its efforts to ensure that all Americans have broadband access.  Especially with the success of last year’s Rural Digital Opportunity Fund Phase I auction, I have no doubt that these figures will continue to improve as auction winners deploy networks in the areas for which they got FCC funding.
    • In relevant part, the FCC claimed:
      • Moreover, more than three-quarters of those in newly served areas, nearly 3.7 million, are located in rural areas, bringing the number of rural Americans in areas served by at least 25/3 Mbps to nearly 83%. Since 2016, the number of Americans living in rural areas lacking access to 25/3 Mbps service has fallen more than 46%.  As a result, the rural–urban divide is rapidly closing; the gap between the percentage of urban Americans and the percentage of rural Americans with access to 25/3 Mbps fixed broadband has been nearly halved, falling from 30 points at the end of 2016 to just 16 points at the end of 2019.
      • With regard to mobile broadband, since 2018, the number of Americans lacking access to 4G LTE mobile broadband with a median speed of 10/3 Mbps was reduced by more than 57%, including a nearly 54% decrease among rural Americans.  As of the end of 2019, the vast majority of Americans, 94% had access to both 25/3 Mbps fixed broadband service and mobile broadband service with a median speed of 10/3 Mbps. Also as of the end of 2019, mobile providers now provide access to 5G capability to approximately 60% of Americans. These strides in mobile broadband deployment were fueled by more than $29 billion of capital expenditures in 2019 (roughly 18% of global mobile capital spending), the largest mobile broadband investment since 2015.
      • .  With this Report, the Commission fulfills the Congressional directive to report each year on the progress made in deploying broadband to all Americans. Despite this finding, our work to close the digital divide is not complete.  The Commission will continue its efforts to ensure that all Americans have the ability to access broadband.
  • The chair of the House Oversight and Reform Committee wrote a letter asking Federal Bureau of Investigation (FBI) Director Christopher Wray to conduct “a comprehensive investigation into the role that the social media site Parler played in the assault on the Capitol on January 6.” Chair Carolyn Maloney (D-NY) indicated her committee is also investigating the events of 6 January, suggesting there could be hearings soon on the matter. In the letter, Maloney asserted:
    • It is clear that Parler houses additional evidence critical to investigations of the attack on the Capitol. One commentator has already used geolocation data associated with Parler to track 1,200 videos that were uploaded in Washington, D.C. on January 6.
    • Questions have also been raised about Parler’s financing and its ties to Russia, which the Intelligence Community has warned is continuing to use social media and other measures to sow discord in the United States and interfere with our democracy. For example, posters on Parler have reportedly been traced back to Russian disinformation campaigns. The company was founded by John Matze shortly after he traveled in Russia with his wife, who is Russian and whose family reportedly has ties to the Russian government. Concerns about the company’s connections to Russia have grown since the company re-emerged on a Russian hosting service, DDos-Guard, after being denied services by Amazon Web Services. DDos-Guard has ties to the Russian government and hosts the websites of other far-right extremist groups, as well as the terrorist group Hamas.According to another recent report, “DDoS-Guard’s other clients include the Russian ministry of defence, as well as media organisations in Moscow.”
    • Given these concerns, we ask that the FBI undertake a robust review of the role played by Parler in the January 6 attacks, including (1) as a potential facilitator of planning and incitement related to the attacks, (2) as a repository of key evidence posted by users on its site, and (3) as potential conduit for foreign governments who may be financing civil unrest in the United States.
  • Microsoft released further detailed, technical findings from its investigation into the wide-ranging SolarWinds hack. Last month, Microsoft revealed that its source code had been accessed as part of the Russian hack and stressed that source code for its products had not been changed or tampered with. In its update on its SolarWinds investigation, Microsoft explained:
    • As we continue to gain deeper understanding of the Solorigate attack, we get a clearer picture of the skill level of the attackers and the extent of planning they put into pulling off one of the most sophisticated attacks in recent history. The combination of a complex attack chain and a protracted operation means that defensive solutions need to have comprehensive cross-domain visibility into attacker activity and provide months of historical data with powerful hunting tools to investigate as far back as necessary.
    • More than a month into the discovery of Solorigate, investigations continue to unearth new details that prove it is one of the most sophisticated and protracted intrusion attacks of the decade. Our continued analysis of threat data shows that the attackers behind Solorigate are skilled campaign operators who carefully planned and executed the attack, remaining elusive while maintaining persistence. These attackers appear to be knowledgeable about operations security and performing malicious activity with minimal footprint. In this blog, we’ll share new information to help better understand how the attack transpired. Our goal is to continue empowering the defender community by helping to increase their ability to hunt for the earliest artifacts of compromise and protect their networks from this threat.
    • As mentioned, in a 31 December 2020 blog posting, Microsoft revealed:
      • Our investigation has, however, revealed attempted activities beyond just the presence of malicious SolarWinds code in our environment. This activity has not put at risk the security of our services or any customer data, but we want to be transparent and share what we’re learning as we combat what we believe is a very sophisticated nation-state actor.
      • We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.
  • The Trump Administration’s United States Trade Representative (USTR) weighed in on Australia’s proposed law to make Google, Facebook, and other technology companies pay for using Australian media content. The USTR reiterated the United States (U.S.) position that forcing U.S. firms to pay for content, as proposed, in unacceptable. It is likely the view of a Biden Administration is not likely to change. The Australian Senate committee considering the “Treasury Laws Amendment (News Media and Digital Platforms Mandatory Bargaining Code) Bill 2020” had asked for input. In relevant part, the USTR argued:
    • the U.S. Government is concerned that an attempt, through legislation, to regulate the competitive positions of specific players in a fast-evolving digital market, to the clear detriment of two U.S. firms, may result in harmful outcomes. There may also be long-lasting negative consequences for U.S. and Australian firms, as well as Australian consumers. While the revised draft has partially addressed some U.S. concerns—including an effort to move towards a more balanced evaluation of the value news businesses and platforms offer each other in the context of mandatory arbitration—significant issues remain.
  • Plaintiffs have filed suit in California state court against WeChat and Tencent by Plaintiff Citizen Power Initiatives for China (CPIFC) and six unnamed California residents who use WeChat. They argue that the government of the People’s Republic of China (PRC) controls WeChat and forces it and its parent, Tencent, to turn over user data to the PRC in violation of California law. They make other allegations of unlawful conduct, including denying users in California the right to access funds though the app in the PRC. They are seeking class action status in order to bring a larger action against the PRC company. The plaintiffs claimed:
    • This case arises from Tencent’s practices of profiting from politically motivated, pro-Chinese Communist Party (“CCP”) censorship and surveillance of California WeChat users (“challenged practices”), which includes the practice of turning over private user data and communications to the government of the People’s Republic of China (“PRC government,” and, together with the CCP, the “Party-state”), and which inflicts an array of harms. Specifically, the challenged practices include Tencent’s practices of: (i) turning over private California WeChat user data and communications to the Party-state; (ii) profiting by using California WeChat user data and communications to improve Tencent’s censorship and surveillance algorithms; (iii) censoring and surveilling California WeChat user communications for content perceived as critical of the Party-state; (iv) suspending, blocking, or deleting California WeChat user accounts and/or data over such content; and (v) prohibiting California WeChat users from withdrawing funds stored in their WeChat accounts when those users do not possess an account with a PRC financial institution subject to monitoring by the Party-state.
    • This action also challenges provisions in Tencent’s terms of service and privacy policy  which,  taken  together,  are  oppressive,  obfuscatory,  and  incoherent  (“challenged provisions”). The challenged provisions include privacy-related terms that are deliberately vague and ambiguous with respect to whether the challenged practices are permitted or prohibited (“vague and ambiguous privacy provisions”), which in turn benefits Tencent by reserving to it the right to adopt self-interested interpretations. However, California WeChat users are entitled to clear, unambiguous, and testable language with respect to the nature and scope of their privacy on WeChat—in other words, to honesty and transparency.
    • Yet, even if the challenged practices were unambiguously prohibited under the challenged provisions, the challenged provisions include terms that make it practically impossible for California WeChat users to seek meaningful redress for the harms caused by those practices (“remedy-limiting provisions”). 
    • Finally, the challenged provisions include terms that impermissibly discriminate against California WeChat users who happen to be citizens of the PRC (“long-arm provisions”).
  • Representatives Anna Eshoo (D-CA) and Tom Malinowski (D-NJ) wrote the CEOs of Facebook, Twitter, and YouTube “urging the companies to address the fundamental design features of their social networks that facilitate the spread of extreme, radicalizing content to their users” per their press release. Last fall, Eshoo and Malinowski introduced the “Protecting Americans from Dangerous Algorithms Act” (H.R.8636) that would subject platforms like Facebook, Twitter, and YouTube to civil suits on the basis of the algorithms used to amplify content that violates the civil rights of others or results in international terrorism. They asserted:
    • The lawmakers note that the rioters who attacked the Capitol earlier this month were radicalized in part in digital echo chambers that these platforms designed, built, and maintained, and that the platforms are partially responsible for undermining our shared sense of objective reality, for intensifying fringe political beliefs, for facilitating connections between extremists, leading some of them to commit real-world, physical violence.
  • The United States (U.S.) Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced “[u]sing enterprise risk management best practices will be a focus for CISA in 2021, and today the National Risk Management Center (NRMC) is launching a Systemic Cyber Risk Reduction Venture to organize our work to reduce shared risk to the Nation’s security and economic security.” CISA explained that “[w]e anticipate three overarching lines of effort:
    • Build the Underlying Architecture for Cyber Risk Analysis to Critical Infrastructure. The critical infrastructure community is underpinned by a dependent web of hardware, software, services, and other connected componentry.
    • Cyber Risk Metric Development. Supporting efforts to better understand the impact of cyber risk across the critical infrastructure community will require developing usable metrics to quantify cyber risk in terms of functional loss. There’s no need to get bogged down with Greek equations with decimal place-level specificity. Metrics that provide even directional or comparative indicators are enormously helpful.
    • Promoting Tools to Address Concentrated Sources of Cyber Risk. Central to our venture to reduce systemic cyber risk is finding concentrated sources of risk that, if mitigated, provide heightened risk management bang for the buck if addressed.
  • The President’s Council of Advisors on Science and Technology (PCAST) issued its first assessment of a government program to fund research and development of advanced information technology for the first time since 2015. PCAST explained:
    • As required by statute, PCAST is tasked with periodically reviewing the Networking and Information Technology Research and Development (NITRD) Program, the Nation’s primary source of federally funded research and development in advanced information technologies such as computing, networking, and software. This report examines the NITRD Program’s progress since the last review was conducted in 2015, explores emerging areas of interest relevant to the NITRD Program, and presents PCAST’s findings and recommendations.
    • PCAST made the following recommendations:
      • Recommendation 1: The current NITRD Program model and its approach to coordinating foundational research in NIT fields across participating agencies should continue as constituted, with the following modifications:
        • NITRD groups should continue to review the PCAs regularly using a fast track action committee (FTAC) and adjust as needed (with a frequency of perhaps every 3 years rather than every 5–6 years, as had been recommended in the 2015 NITRD Review). It should also continue to review IWGs periodically, as recommended in the 2015 NITRD Review.
        • The NITRD Program should continue to pursue incremental modifications of existing structures (e.g., IWGs, PCAs) rather than engage in wholesale reorganizations at this time.
        • When launching wholly new IWGs and PCAs (e.g., such as the AI IWG and AI PCA), the NITRD Program should consider showing clearly in the annual NITRD Supplement to the President’s Budget which lines of effort derive from previous structures and which are wholly new programmatic areas and funding lines. This will be especially important should NITRD groups increase the frequency with which they review and modify PCAs.
      • Recommendation 2: The NITRD Program should examine current structures and operations to identify opportunities for greater multi-sector engagement in its activities. Opportunities include the following:
        • Amplify multi-sector outreach and engagement efforts. While the NITRD Program notifies the public about its convening activities, it could augment its outreach.
        • Expand the NITRD Program’s efforts to track non-U.S. coordinated NIT efforts and collaborate with international efforts where appropriate. This should be done in coordination with the NSTC International S&T Coordination Subcommittee to avoid duplicating efforts.
      • Recommendation 3: The NITRD Program should examine current structures and operations to identify opportunities for improving coordination in IotF areas related to the program. Opportunities could include:
        • AI—continue coordination efforts within the NITRD Program and between NITRD IWGs and the NSTC Select Committee on AI and the Machine Learning and Artificial Intelligence (MLAI) Subcommittee.
        • Advanced communications networks—continue coordination efforts within the NITRD Program through the Subcommittee and the LSN and WSRD IWGs.
        • QIS—increase coordination with the NQCO and the NSTC QIS Subcommittee, particularly on topics such as post-quantum cryptography R&D and other implications of the development of quantum technologies on the NIT landscape with advances in QIS.
        • Biotechnology—coordinate with NSTC bodies working in biosciences-related areas such as the Biodefense R&D (BDRD) Subcommittee and the Biological Sciences Subcommittee (BSSC).
        • Advanced manufacturing—coordinate with the NSTC Subcommittee on Advanced
        • Manufacturing and large-scale manufacturing R&D efforts such as the Manufacturing USA Institutes.
      • Recommendation 4: The NITRD Program should incorporate microelectronics R&D explicitly into its programmatic activities.
        • Could take the form of a separate IWG or incorporating hardware/components R&D into existing IWGs.
        • Should be stronger NNI-NITRD coordination to ensure alignment of R&D strategies and programmatic activities.
      • Recommendation 5: The NITRD Program should further examine ways it can coordinate its participating agencies—such as through an IWG or other multiagency bodies—to ensure they support and emphasize the following:
        • STEM education, including PhD fellowships, in NIT.
        • Programs at the intersection and convergence of computational science and other fields (CS + X) at 2-year and 4-year educational institutions.
        • Retraining and upskilling the non-technical workforce to participate in the cyber-ready workforce.
        • A diverse and inclusive NIT workforce across all levels of technical staff, engineers, and scientists.
        • Strengthen efforts to attract and retain international students, scientists, and engineers who wish to contribute to NIT R&D in the United States. These efforts should be informed by conducting studies of the role that international talent plays in the U.S. NIT workforce and any factors affecting recent changes in recruitment and retention.

Coming Events

  • The Commerce, Science, and Transportation Committee will hold a hearing on the nomination of Gina Raimondo to be the Secretary of Commerce on 26 January.
  • On 17 February, the Federal Communications Commission (FCC) will hold an open meeting, its first under acting Chair Jessica Rosenworcel, with this tentative agenda:
    • Presentation on the Emergency Broadband Benefit Program. The Commission will hear a presentation on the creation of an Emergency Broadband Benefit Program. Congress charged the FCC with developing a new $3.2 billion program to help Americans who are struggling to pay for internet service during the pandemic.
    • Presentation on COVID-19 Telehealth Program. The Commission will hear a presentation about the next steps for the agency’s COVID-19 Telehealth program. Congress recently provided an additional $249.95 million to support the FCC’s efforts to expand connected care throughout the country and help more patients receive health care safely.
    • Presentation on Improving Broadband Mapping Data. The Commission will hear a presentation on the work the agency is doing to improve its broadband maps. Congress directly appropriated $65 million to help the agency develop better data for improved maps.
    • Addressing 911 Fee Diversion. The Commission will consider a Notice of Proposed Rulemaking that would implement section 902 of the Don’t Break Up the T-Band Act of 2020, which requires the Commission to take action to help address the diversion of 911 fees by states and other jurisdictions for purposes unrelated to 911. (PS Docket Nos. 20-291, 09-14)
    • Implementing the Secure and Trusted Communications Networks Act. The Commission will consider a Third Further Notice of Proposed Rulemaking that proposes to modify FCC rules consistent with changes that were made to the Secure and Trusted Communications Networks Act in the Consolidated Appropriations Act, 2021. (WC Docket No. 18-89)
  • On 27 July 2021, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Photoholgic on Unsplash

Further Action On TikTok Divestment and Ban But No Changes

TikTok sues to block the CFIUS order that it divest and the Trump Administration files an appeal of an injunction.

Even though the Trump Administration’s efforts to implement its ban of TikTok have gone nowhere as numerous courts have enjoined the enforcement of the orders, TikTok filed suit against the related order that the company divest Musical.ly primarily on the grounds that the technology that supposedly threatens United States (U.S.) national security is unrelated to the acquisition. Moreover, the day after this suit was filed, a key U.S. agency announced a delay of the divestment order. In a related action, the Trump Administration filed to appeal one of the injunctions blocking it from moving forward on banning the People’s Republic of China (PRC) app. Depending on how long it takes for the federal court to resolve this suit, a Biden Administration Department of Justice (DOJ) may take a different tack than the Trump DOJ.

The day before the divestment order was set to take effect, TikTok asked the United States Court of Appeals for the District of Columbia to review “the Presidential Order Regarding the Acquisition of Musical.ly by ByteDance Ltd., 85 Fed. Reg. 51,297 (Aug. 14, 2020) (the “Divestment Order”), and the related action of the Committee on Foreign Investment in the United States (CFIUS), including its determination to reject mitigation, truncate its review and investigation, and refer the matter to the President.” TikTok asserted:

The Divestment Order and the CFIUS Action seek to compel the wholesale divestment of TikTok, a multi-billion-dollar business built on technology developed by Petitioner ByteDance Ltd. (“ByteDance”), based on the government’s purported national security review of a three-year- old transaction that involved a different business. This attempted taking exceeds the authority granted to Respondents under Section 721, which authorizes CFIUS to review and the President to, at most, prohibit a specified “covered transaction” to address risks to national security created by that transaction. Here, that covered transaction was ByteDance’s acquisition of the U.S. business of another Chinese- headquartered company, Musical.ly—a transaction that did not include the core technology or other aspects of the TikTok business that have made it successful and yet which the Divestment Order now seeks to compel ByteDance to divest.

TikTok also made claims that CFIUS violated the Due Process Clause of the Fifth Amendment, violated the Administrative Procedures Act, and is proposing a “taking” illegal under the Fifth Amendment.

And yet, the Department of the Treasury, the lead agency in the CFIUS process, issued a statement, explaining that the deadline for divestiture had been pushed back by 15 days:

The President’s August 14 Order requires ByteDance and TikTok Inc. to undertake specific divestments and other measures to address the national security risk arising from ByteDance’s acquisition of Musical.ly.  Consistent with the Order, the Committee on Foreign Investment in the United States (CFIUS) has granted ByteDance a 15-day extension of the original November 12, 2020 deadline.  This extension will provide the parties and the Committee additional time to resolve this case in a manner that complies with the Order.   

The Trump Administration may successfully argue that a delay of the order means the court cannot rule on TikTok’s suit. Consequently, this suit may well get pushed into a Biden Administration.

TikTok issued this statement along with the filing of its suit:

For a year, TikTok has actively engaged with CFIUS in good faith to address its national security concerns, even as we disagree with its assessment. In the nearly two months since the president gave his preliminary approval to our proposal to satisfy those concerns, we have offered detailed solutions to finalize that agreement—but have received no substantive feedback on our extensive data privacy and security framework.

Of course, because of the CFIUS divestment order, ByteDance seems to have reached an agreement with Oracle and Walmart, but what they exactly agreed to remains an open question.

In mid-September, the Trump Administration paused its notice for implementing the Executive Order (EO) against TikTok because of agreement in principles of a deal that would permit Oracle and Walmart to control a certain percentage of TikTok in the U.S. However, the details of which entity would control what remain murky with ByteDance arguing that U.S. entities will not control TikTok, but assertions to the opposite being made by the company’s U.S. partners. In the weekend before the EO has set to take effect, it appeared Oracle and Walmart would be able to take a collective 20% stake in a new entity TikTok Global that would operate in the U.S. Walmart has been partnering with Microsoft, but when the tech giant failed in its bid, Walmart began talks with Oracle. ByteDance would have a stake in the company but not majority control according to some sources. However, ByteDance began pushing back on that narrative as President Donald Trump declared after word of a deal leaked “if we find that [Oracle and Walmart] don’t have total control, then we’re not going to approve the deal.” Moreover, $5 billion would be used for some sort of educational fund. However, it is hard to tell what exactly would occur and whether this is supposed to be the “finder’s fee” of sorts Trump had said the U.S. would deserve from the deal.

On 19 September, the U.S. Department of Commerce issued a statement pushing back the effective date of the order against TikTik from 20 September to 27 September because of “recent positive developments.” The same day, the U.S. Department of the Treasury released a statement, explaining:

The President has reviewed a deal among Oracle, Walmart, and TikTok Global to address the national security threat posed by TikTok’s operations. Oracle will be responsible for key technology and security responsibilities to protect all U.S. user data. Approval of the transaction is subject to a closing with Oracle and Walmart and necessary documentation and conditions to be approved by Committee on Foreign Investment in the United States (CFIUS). 

TikTok also released a statement, asserting

We’re pleased that today we’ve confirmed a proposal that resolves the Administration’s security concerns and settles questions around TikTok’s future in the US. Our plan is extensive and consistent with previous CFIUS resolutions, including working with Oracle, who will be our trusted cloud and technology provider responsible for fully securing our users’ data. We are committed to protecting our users globally and providing the highest levels of security. Both Oracle and Walmart will take part in a TikTok Global pre-IPO financing round in which they can take up to a 20% cumulative stake in the company. We will also maintain and expand the US as TikTok Global’s headquarters while bringing 25,000 jobs across the country.

Walmart issued its own statement on 19 September:

While there is still work to do on final agreements, we have tentatively agreed to purchase 7.5% of TikTok Global as well as enter into commercial agreements to provide our ecommerce, fulfillment, payments and other omnichannel services to TikTok Global. Our CEO, Doug McMillon, would also serve as one of five board members of the newly created company. In addition, we would work toward an initial public offering of the company in the United States within the next year to bring even more ownership to American citizens. The final transaction will need to be approved by the relevant U.S. government agencies.

The same day, Oracle and Walmart released a joint statement:

  • The President has announced that ByteDance has received tentative approval for an agreement with the U.S. Government to resolve the outstanding issues, which will now include Oracle and Walmart together investing to acquire 20% of the newly formed TikTok Global business.
  • As a part of the deal, TikTok is creating a new company called TikTok Global that will be responsible for providing all TikTok services to users in United States and most of the users in the rest of the world. Today, the administration has conditionally approved a landmark deal where Oracle becomes TikTok’s secure cloud provider.
  • TikTok Global will be majority owned by American investors, including Oracle and Walmart. TikTok Global will be an independent American company, headquartered in the U.S., with four Americans out of the five member Board of Directors.
  • All the TikTok technology will be in possession of TikTok Global, and comply with U.S. laws and privacy regulations. Data privacy for 100 million American TikTok users will be quickly established by moving all American data to Oracle’s Generation 2 Cloud data centers, the most secure cloud data centers in the world.
  • In addition to its equity position, Walmart will bring its omnichannel retail capabilities including its Walmart.com assortment, eCommerce marketplace, fulfillment, payment and measurement-as-a-service advertising service.
  • TikTok Global will create more than 25,000 new jobs in the Unites States and TikTok Global will pay more than $5 billion in new tax dollars to the U.S. Treasury.
  • TikTok Global, together with Oracle, SIG, General Atlantic, Sequoia, Walmart and Coatue will create an educational initiative to develop and deliver an AI-driven online video curriculum to teach children from inner cities to the suburbs, a variety of courses from basic reading and math to science, history and computer engineering.
  • TikTok Global will have an Initial Public Offering (IPO) in less than 12 months and be listed on a U.S. Exchange. After the IPO, U.S. ownership of TikTok Global will increase and continue to grow over time.

A day later, Oracle went further in a statement to the media claiming, “ByteDance will have no ownership in TikTok Global,” which is a different message than the one the company was sending. For example, in a blog post, ByteDance stated “[t]he current plan does not involve the transfer of any algorithms or technology…[but] Oracle has the authority to check the source code of TikTok USA.”

On a related note, the DOJ filed a notice of appeal of an injunction barring the implementation of the TikTok issued in late October. Three TikTok influencers had filed suit and lost their motion for a preliminary injunction. However, after District Court of the District of Columbia granted TikTok’s request to stop the Department of Commerce from enforcing the first part of the order implementing the ban, the three influencers revised their motion and refiled.

Judge Wendy Beetlestone found that the Trump Administration exceeded its powers under the International Emergency Economic Powers Act (IEEPA) in issuing part of its TikTok order effectuating the ban set to take effect on 12 November:

  • Any provision of internet hosting services, occurring on or after 11:59 p.m. eastern standard time on November 12, 2020, enabling the functioning or optimization of the TikTok mobile application[;]
  • Any provision of content delivery network services, occurring on or after 11:59 p.m. eastern standard time on November 12, 2020, enabling the functioning or optimization of the TikTok mobile application[;]
  • Any provision of directly contracted or arranged internet transit or peering services, occurring on or after 11:59 p.m. eastern standard time on November 12, 2020, enabling the functioning or optimization of the TikTok mobile application[;and]
  • Any utilization, occurring on or after 11:59 p.m. eastern standard time on November 12, 2020, of the TikTok mobile application’s constituent code, functions, or services in the functioning of software or services developed and/or accessible within the land and maritime borders of the United States and its territories.

Beetlestone found that the limit on the use of IEEPA powers to regulate information is clearly implicated by Commerce’s order, which proposes to do just that. Consequently, this is not a legal use of IEEPA powers. The judge also found the plaintiffs would be irreparably harmed through a loss of their audiences and brand sponsorships:

Plaintiffs challenge the Commerce Identification on both statutory and constitutional grounds. First, they contend that the Commerce Identification violates both the First and Fifth Amendments to the U.S. Constitution. They then contend that the Commerce Identification violates the Administrative Procedure Act,5 U.S.C. §701 et seq.,as it is both arbitrary and capricious, see id.§706(2)(A), and ultra vires, see id. § 706(2)(C). Plaintiffs’ ultra vires claim consists of three separate arguments: (1) the Commerce Identification contravenes IEEPA’s “informational materials” exception, 50 U.S.C. § 1702(b)(3); (2) the Commerce Identification contravenes IEEPA’s prohibition on the regulation of “personal communication[s] . . . not involv[ing] a transfer of anything of value,” id. § 1702(b)(1), and (3) the Commerce Identification is not responsive to the national emergency declared in the ICTS Executive Order, and therefore requires the declaration of a new national emergency to take effect, see id. §1701(b).

In the first injunction granted against the TikTok ban, the court found that TikTok’s claims on the misuse of IEEPA, 50 U.S.C. §§ 1701–08, the primary authority President Donald Trump relied on in his executive order banning the app, were unpersuasive. The court conceded “IEEPA contains a broad grant of authority to declare national emergencies and to prohibit certain transactions with foreign countries or foreign nationals that pose risks to the national security of the United States.” But, the court noted “IEEPA also contains two express limitations relevant here: the “authority granted to the President . . . does not include the authority to regulate or prohibit, directly or indirectly” either (a) the importation or exportation of “information or informational materials”; or (b) “personal communication[s], which do[] not involve a transfer of anything of value.” The court concluded:

In sum, the TikTok Order and the Secretary’s prohibitions will have the intended effect of stopping U.S. users from communicating (and thus sharing data) on TikTok. To be sure, the ultimate purpose of those prohibitions is to protect the national security by preventing China from accessing that data and skewing content on TikTok. And the government’s actions may not constitute direct regulations or prohibitions of activities carved out by 50 U.S.C. 1702(b). But Plaintiffs have demonstrated that they are likely to succeed on their claim that the prohibitions constitute indirect regulations of “personal communication[s]” or the exchange of “information or informational materials.”

After considering the risks of irreparable harm to TikTok and the equities and public interest, the court decided:

Weighing these interests together with Plaintiffs’ likelihood of succeeding on their IEEPA claim and the irreparable harm that Plaintiffs (and their U.S. users) will suffer absent an injunction, the Court concludes that a preliminary injunction is appropriate.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Olivier Bergeron from Pexels

Russian Hacking Uncovered

The U.S. and UK announced Russian hacking, including attempts to derail the last few Olympic Games. The EU also announced unrelated cyber sanctions.

The United Kingdom’s Government Communications Headquarters’ (GCHQ) National Cyber Security Centre (NCSC) unveiled the Russian Federation’s military hacking of past Olympics and the scheduled but delayed Summer Olympics in Tokyo. Even though the NCSC did not speculate on Russian motivation, it is likely this was designed as payback for having been exposed for widespread doping and cheating at the 2014 Winter Olympics in Sochi, Russia.

The NCSC stated it “assesses with high confidence that these attacks were carried out by the GRU’s Main Centre for Specialist Technologies (GTsST), also known as Sandworm and VoodooBear.” The NCSC explained it “exposed malicious cyber activity from Russia’s GRU military intelligence service against organisations involved in the 2020 Olympic and Paralympic Games before they were postponed.”

The NCSC stated:

  • The activity involved cyber reconnaissance by the GRU targeting officials and organisations involved in the Games, which had been due to take place in Tokyo during the summer.
  • The incidents were the latest in a campaign of Russian malicious activity against the Olympic and Paralympic Games, with the UK also today revealing details of GRU targeting of the 2018 Winter Olympic and Paralympic Games in Pyeongchang, Republic of Korea.
  • In the attacks on the 2018 Games, the GRU’s cyber unit attempted to disguise itself as North Korean and Chinese hackers when it targeted the opening ceremony. It went on to target broadcasters, a ski resort, Olympic officials and sponsors of the games.
  • The GRU deployed data-deletion malware against the Winter Games IT systems and targeted devices across the Republic of Korea using VPNFilter.
  • The NCSC assesses that the incident was intended to sabotage the running of the Winter Olympic and Paralympic Games, as the malware was designed to wipe data from and disable computers and networks. Administrators worked to isolate the malware and replace the affected computers, preventing potential disruption.

In concert with the NCSC’s announcement, the United States’ Department of Justice (DOJ) released grand jury indictments of six GRU hackers for the foiled Olympic hack and other attacks dating from nearly five years ago to the present around the world. In one of the attacks, three United States (U.S.) companies allegedly suffered $1 billion in losses. The DOJ noted that cybersecurity researchers bestowed various names on the hackers including: “Sandworm Team,” “Telebots,” “Voodoo Bear,” and “Iron Viking,” and in the indictment, the DOJ claimed the object of the conspiracy “was to deploy malware and take other disruptive actions for the strategic benefit of Russia, through unauthorized access (“hacking”) of victim computers.”

In its press release, the DOJ stated that “[o]n Oct. 15, 2020, a federal grand jury in Pittsburgh returned an indictment charging six computer hackers, all of whom were residents and nationals of the Russian Federation (Russia) and officers in Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces.”

The DOJ asserted:

These GRU hackers and their co-conspirators engaged in computer intrusions and attacks intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize: (1) Ukraine; (2) Georgia; (3) elections in France; (4) efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil; and (5) the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from participating under their nation’s flag, as a consequence of Russian government-sponsored doping effort. 

The DOJ stated

  • Their computer attacks used some of the world’s most destructive malware to date, including: KillDisk and Industroyer, which each caused blackouts in Ukraine; NotPetya, which caused nearly $1 billion in losses to the three victims identified in the indictment alone; and Olympic Destroyer, which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics.  The indictment charges the defendants with conspiracy, computer hacking, wire fraud, aggravated identity theft, and false registration of a domain name.
  • According to the indictment, beginning in or around November 2015 and continuing until at least in or around October 2019, the defendants and their co-conspirators deployed destructive malware and took other disruptive actions, for the strategic benefit of Russia, through unauthorized access  to victim computers (hacking). 

The DOJ stated “[a]s alleged, the conspiracy was responsible for the following destructive, disruptive, or otherwise destabilizing computer intrusions and attacks:

  • Ukrainian Government & Critical Infrastructure: December 2015 through December 2016 destructive malware attacks against Ukraine’s electric power grid, Ministry of Finance, and State Treasury Service, using malware known as BlackEnergy, Industroyer, and KillDisk;
  • French Elections: April and May 2017 spearphishing campaigns and related hack-and-leak efforts targeting French President Macron’s “La République En Marche!” (En Marche!) political party, French politicians, and local French governments prior to the 2017 French elections;
  • Worldwide Businesses and Critical Infrastructure (NotPetya): June 27, 2017 destructive malware attacks that infected computers worldwide using malware known as NotPetya, including hospitals and other medical facilities in the Heritage Valley Health System (Heritage Valley) in the Western District of Pennsylvania; a FedEx Corporation subsidiary, TNT Express B.V.; and a large U.S. pharmaceutical manufacturer, which together suffered nearly $1 billion in losses from the attacks;
  • PyeongChang Winter Olympics Hosts, Participants, Partners, and Attendees: December 2017 through February 2018 spearphishing campaigns and malicious mobile applications targeting South Korean citizens and officials, Olympic athletes, partners, and visitors, and International Olympic Committee (IOC) officials;
  • PyeongChang Winter Olympics IT Systems (Olympic Destroyer): December 2017 through February 2018 intrusions into computers supporting the 2018 PyeongChang Winter Olympic Games, which culminated in the Feb. 9, 2018, destructive malware attack against the opening ceremony, using malware known as Olympic Destroyer;
  • Novichok Poisoning Investigations: April 2018 spearphishing campaigns targeting investigations by the Organisation for the Prohibition of Chemical Weapons (OPCW) and the United Kingdom’s Defence Science and Technology Laboratory (DSTL) into the nerve agent poisoning of Sergei Skripal, his daughter, and several U.K. citizens; and
  • Georgian Companies and Government Entities: a 2018 spearphishing campaign targeting a major media company, 2019 efforts to compromise the network of Parliament, and a wide-ranging website defacement campaign in 2019.

The NCSC and the DOJ are, of course, continuing the standard play of naming and shaming, further portraying Russia as a multi-faceted threat to the democracies in Europe, the United States, and those in the Eastern Pacific region. The coordinated announcement also indicate further the degree to which these nations are working together to fend off Russian information operations and hacking, and such announcements also serve to rally even greater cooperation. In terms of why these indictments were handed down now given how long it has been clear Russia conducted many of these attacks, there are several possible motivations. Firstly, this may be not so subtle pushing back by the DOJ’s National Security Division and NCSC against top Trump Administration officials claiming the People’s Republic of China and Iran are the equals of Russia. For example, Director of National Intelligence (DNI) John Ratcliffe characterized Iran as the more serious threat to the 2020 Election even though unnamed officials said the exact opposite to media outlets. Second, it could be coincidental that the DOJ decided to seek these indictments and the purpose is, indeed, to put Russia on notice by detailing its widespread unparalleled hacking campaigns in an attempt to give governments around the world a full view of Russia’s intentions and activities. Moreover, as extensive as these allegations are, they omit the attempted Russian hacking about which the Federal Bureau of Investigation (FBI) warned U.S. critical cyber infrastructure owners and operators this past summer.

In a seemingly unrelated announcement, Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), “a Russian government-controlled research institution that is responsible for building customized tools that enabled the attack” for the Triton malware in the Middle East and against U.S. electric companies. OFAC did not identify the attackers although it seems probable that it is GRU given the laundry list of attacks in the DOJ indictment.

OFAC asserted:

  • The Triton malware — known also as TRISIS and HatMan in open source reporting — was designed specifically to target and manipulate industrial safety systems. Such systems provide for the safe emergency shutdown of industrial processes at critical infrastructure facilities in order to protect human life. The cyber actors behind the Triton malware have been referred to by the private cybersecurity industry as “the most dangerous threat activity publicly known.”
  • In recent years, the Triton malware has been deployed against U.S. partners in the Middle East, and the hackers behind the malware have been reportedly scanning and probing U.S. facilities. The development and deployment of the Triton malware against our partners is particularly troubling given the Russian government’s involvement in malicious and dangerous cyber-enabled activities. Previous examples of Russia’s reckless activities in cyberspace include, but are not limited to: the NotPetya cyber-attack, the most destructive and costly cyber-attack in history; cyber intrusions against the U.S. energy grid to potentially enable future offensive operations; the targeting of international organizations such as the Organization for the Prohibition of Chemical Weapons and the World Anti-Doping Agency; and the 2019 disruptive cyber-attack against the country of Georgia.

The Council of the European Union (Council) also announced sanctions against a portion of the GRU and two of its hackers responsible for penetrating and exfiltrating information from Germany’s Bundestag and the attempted hack of  the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands. This is the second time the European Union has utilized its cyber sanction powers put in place in 2019 in “Council Decision (CFSP) 2019/797 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States.”

The Council explained:

  • Today’s sanctions consist of a travel ban and an asset freeze imposed on the individuals, and an asset freeze imposed on the body. In addition, EU persons and entities are forbidden from making funds available to those listed.
  • The Council’s decision means that a total of 8 persons and 4 entities and bodies have been targeted by restrictive measures in relation to cyber-attacks targeting the EU or its member states.
  • Sanctions are one of the options available in the Union’s framework for a joint diplomatic response to malicious cyber activities (the so-called cyber diplomacy toolbox), and are intended to prevent, discourage, deter and respond to continuing and increasing malicious behaviour in cyberspace.

The Council sanctioned the “85th Main Centre for Special Services (GTsSS) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU)” and two hackers. The Council contended:

  • In particular, military intelligence officers of the GTsSS took part in the cyber-attack against the German federal parliament (Deutscher Bundestag) which took place in April and May 2015 and the attempted cyber-attack aimed at hacking into the Wi-Fi network of the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands in April 2018.
  • The cyber-attack against the German federal parliament targeted the parliament’s information system and affected its operation for several days. A significant amount of data was stolen and email accounts of several MPs as well as of Chancellor Angela Merkel were affected.

In late July, the EU imposed its first cyber sanctions under its Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities (aka the cyber diplomacy toolbox) against six hackers and three entities from the Russian Federation, the People’s Republic of China (PRC) and the Democratic People’s Republic of Korea for attacks against the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands, the malware attacks known as Petya and WannaCry, and Operation Cloud Hopper. The sanctions are part of the effort to levy costs on nations and actors that conduct cyber attacks. The EU explained:

  • The attempted cyber-attack was aimed at hacking into the Wi-Fi network of the OPCW, which, if successful, would have compromised the security of the network and the OPCW’s ongoing investigatory work. The Netherlands Defence Intelligence and Security Service (DISS) (Militaire Inlichtingen- en Veiligheidsdienst – MIVD) disrupted the attempted cyber-attack, thereby preventing serious damage to the OPCW.
  • “WannaCry” disrupted information systems around the world by targeting information systems with ransomware and blocking access to data. It affected information systems of companies in the Union, including information systems relating to services necessary for the maintenance of essential services and economic activities within Member States.
  • “NotPetya” or “EternalPetya” rendered data inaccessible in a number of companies in the Union, wider Europe and worldwide, by targeting computers with ransomware and blocking access to data, resulting amongst others in significant economic loss. The cyber-attack on a Ukrainian power grid resulted in parts of it being switched off during winter.
  • “Operation Cloud Hopper” has targeted information systems of multinational companies in six continents, including companies located in the Union, and gained unauthorised access to commercially sensitive data, resulting in significant economic loss.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Victor Malyushev on Unsplash

Further Reading, Other Developments, and Coming Events (7 October)

Coming Events

  • The European Union Agency for Cybersecurity (ENISA), Europol’s European Cybercrime Centre (EC3) and the Computer Emergency Response Team for the EU Institutions, Bodies and Agencies (CERT-EU) will hold the 4th annual IoT Security Conference series “to raise awareness on the security challenges facing the Internet of Things (IoT) ecosystem across the European Union:”
    • Artificial Intelligence – 14 October at 15:00 to 16:30 CET
    • Supply Chain for IoT – 21 October at 15:00 to 16:30 CET
  • The Federal Communications Commission (FCC) will hold an open commission meeting on 27 October, and the agency has released a tentative agenda:
    • Restoring Internet Freedom Order Remand – The Commission will consider an Order on Remand that would respond to the remand from the U.S. Court of Appeals for the D.C. Circuit and conclude that the Restoring Internet Freedom Order promotes public safety, facilitates broadband infrastructure deployment, and allows the Commission to continue to provide Lifeline support for broadband Internet access service. (WC Docket Nos. 17-108, 17-287, 11- 42)
    • Establishing a 5G Fund for Rural America – The Commission will consider a Report and Order that would establish the 5G Fund for Rural America to ensure that all Americans have access to the next generation of wireless connectivity. (GN Docket No. 20-32)
    • Increasing Unlicensed Wireless Opportunities in TV White Spaces – The Commission will consider a Report and Order that would increase opportunities for unlicensed white space devices to operate on broadcast television channels 2-35 and expand wireless broadband connectivity in rural and underserved areas. (ET Docket No. 20-36)
    • Streamlining State and Local Approval of Certain Wireless Structure Modifications –
    • The Commission will consider a Report and Order that would further accelerate the deployment of 5G by providing that modifications to existing towers involving limited ground excavation or deployment would be subject to streamlined state and local review pursuant to section 6409(a) of the Spectrum Act of 2012. (WT Docket No. 19-250; RM-11849)
    • Revitalizing AM Radio Service with All-Digital Broadcast Option – The Commission will consider a Report and Order that would authorize AM stations to transition to an all-digital signal on a voluntary basis and would also adopt technical specifications for such stations. (MB Docket Nos. 13-249, 19-311)
    • Expanding Audio Description of Video Content to More TV Markets – The Commission will consider a Report and Order that would expand audio description requirements to 40 additional television markets over the next four years in order to increase the amount of video programming that is accessible to blind and visually impaired Americans. (MB Docket No. 11-43)
    • Modernizing Unbundling and Resale Requirements – The Commission will consider a Report and Order to modernize the Commission’s unbundling and resale regulations, eliminating requirements where they stifle broadband deployment and the transition to next- generation networks, but preserving them where they are still necessary to promote robust intermodal competition. (WC Docket No. 19-308)
    • Enforcement Bureau Action – The Commission will consider an enforcement action.
  • On October 29, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”

Other Developments

  • Consumer Reports released a study it did on the “California Consumer Privacy Act” (CCPA) (AB 375), specifically on the Do-Not-Sell right California residents were given under the newly effective privacy statute. For those people (like me) who expected a significant number of businesses to make it hard for people to exercise their rights, this study confirms this suspicion. Consumer Reports noted more than 40% of data brokers had hard to find links or extra, complicated steps for people to tell them not to sell their personal information.
    • In “CCPA: Are Consumers Digital Rights Protected?,” Consumer Reports used this methodology:
    • Consumer Reports’ Digital Lab conducted a mixed methods study to examine whether the new CCPA is working for consumers. This study focused on the Do-Not-Sell (DNS) provision in the CCPA, which gives consumers the right to opt out of the sale of their personal information to third parties through a “clear and conspicuous link” on the company’s homepage.1 As part of the study, 543 California residents made DNS requests to 214 data brokers listed in the California Attorney General’s data broker registry. Participants reported their experiences via survey.
    • Consumer Reports found:
      • Consumers struggled to locate the required links to opt out of the sale of their information. For 42.5% of sites tested, at least one of three testers was unable to find a DNS link. All three testers failed to find a “Do Not Sell” link on 12.6% of sites, and in several other cases one or two of three testers were unable to locate a link.
        • Follow-up research focused on the sites in which all three testers did not find the link revealed that at least 24 companies on the data broker registry do not have the required DNS link on their homepage.
        • All three testers were unable to find the DNS links for five additional companies, though follow-up research revealed that the companies did have DNS links on their homepages. This also raises concerns about compliance, since companies are required to post the link in a “clear and conspicuous” manner.
      • Many data brokers’ opt-out processes are so onerous that they have substantially impaired consumers’ ability to opt out, highlighting serious flaws in the CCPA’s opt-out model.
        • Some DNS processes involved multiple, complicated steps to opt out, including downloading third-party software.
        • Some data brokers asked consumers to submit information or documents that they were reluctant to provide, such as a government ID number, a photo of their government ID, or a selfie.
        • Some data brokers confused consumers by requiring them to accept cookies just to access the site.
        • Consumers were often forced to wade through confusing and intimidating disclosures to opt out.
        • Some consumers spent an hour or more on a request.
        • At least 14% of the time, burdensome or broken DNS processes prevented consumers from exercising their rights under the CCPA.
      • At least one data broker used information provided for a DNS request to add the user to a marketing list, in violation of the CCPA.
      • At least one data broker required the user to set up an account to opt out, in violation of the CCPA.
      • Consumers often didn’t know if their opt-out request was successful. Neither the CCPA nor the CCPA regulations require companies to notify consumers when their request has been honored. About 46% of the time, consumers were left waiting or unsure about the status of their DNS request.
      • About 52% of the time, the tester was “somewhat dissatisfied” or “very dissatisfied” with the opt-out processes.
      • On the other hand, some consumers reported that it was quick and easy to opt out, showing that companies can make it easier for consumers to exercise their rights under the CCPA. About 47% of the time, the tester was “somewhat satisfied” or “very satisfied” with the opt-out process.
    • Consumer Reports recommended:
      • The Attorney General should vigorously enforce the CCPA to address noncompliance.
      • To make it easier to exercise privacy preferences, consumers should have access to browser privacy signals that allow them to opt out of all data sales in one step.
      • The AG should more clearly prohibit dark patterns, which are user interfaces that subvert consumer intent, and design a uniform opt-out button. This will make it easier for consumers to locate the DNS link on individual sites.
      • The AG should require companies to notify consumers when their opt-out requests have been completed, so that consumers can know that their information is no longer being sold.
      • The legislature or AG should clarify the CCPA’s definitions of “sale” and “service provider” to more clearly cover data broker information sharing.
      • Privacy should be protected by default. Rather than place the burden on consumers to exercise privacy rights, the law should require reasonable data minimization, which limits the collection, sharing, retention, and use to what is reasonably necessary to operate the service.
  • Two agencies of the Department of the Treasury have issued guidance regarding the advisability and legality of paying ransomware to individuals or entities under United States (U.S.) sanction at a time when ransomware attacks are on the rise. It bears note that a person or entity in the U.S. may face criminal and civil liability for paying a sanctioned ransomware entity even if they did not know it was sanctioned. One of the agencies reasoned that paying ransoms to such parties is contrary to U.S. national security policy and only encourages more ransomware attacks.
    • The Office of Foreign Assets Control (OFAC) issued an “advisory to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.” OFAC added:
      • Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business. Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations. This advisory describes these sanctions risks and provides information for contacting relevant U.S. government agencies, including OFAC, if there is a reason to believe the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.
    • Financial Crimes Enforcement Network (FinCEN) published its “advisory to alert financial institutions to predominant trends, typologies, and potential indicators of ransomware and associated money laundering activities. This advisory provides information on:
      • (1) the role of financial intermediaries in the processing of ransomware payments;
      • (2) trends and typologies of ransomware and associated payments;
      • (4) reporting and sharing information related to ransomware attacks.
  • The Government Accountability Office (GAO) found uneven implementation at seven federal agencies in meeting the Office of Management and Budget’s (OMB) requirements in using the category management initiative for buying information technology (IT). This report follows in a long line of assessments of how the federal government is not spending its billions of dollars invested in IT to maximum effect. The category management initiative was launched two Administrations ago as a means of driving greater efficiency and savings for the nearly $350 billion the U.S. government spends annually in services and goods, much of which could be bought in large quantities instead of piecemeal by agency as is now the case.
    • The chair and ranking member of the House Oversight Committee and other Members had asked the GAO “to conduct a review of federal efforts to reduce IT contract duplication and/or waste” specifically “to determine the extent to which (1) selected agencies’ efforts to prevent, identify, and reduce duplicative or wasteful IT contracts were consistent with OMB’s category management initiative; and (2) these efforts were informed by spend analyses.” The GAO ended up looking at the Departments of Agriculture (USDA), Defense (DOD), Health and Human Services (HHS), Homeland Security (DHS), Justice (DOJ), State (State), and Veterans Affairs (VA).
    • The GAO found:
      • The seven agencies in our review varied in their implementation of OMB’s category management activities that contribute to identifying, preventing, and reducing duplicative IT contracts. Specifically, most of the agencies fully implemented the two activities to identify a Senior Accountable Official and develop processes and policies for implementing category management efforts, and to engage their workforces in category management training. However, only about half the agencies fully implemented the activities to reduce unaligned IT spending, including increasing the use of Best in Class contract solutions, and share prices paid, terms, and conditions for purchased IT goods and services. Agencies cited several reasons for their varied implementation, including that they were still working to define how to best integrate category management into the agency.
      • Most of the agencies used spend analyses to inform their efforts to identify and reduce duplication, and had developed and implemented strategies to address the identified duplication, which, agency officials reported resulted in millions in actual and anticipated future savings. However, two of these agencies did not make regular use of the spend analyses.
      • Until agencies fully implement the activities in OMB’s category management initiative, and make greater use of spend analyses to inform their efforts to identify and reduce duplicative contracts, they will be at increased risk of wasteful spending. Further, agencies will miss opportunities to identify and realize savings of potentially hundreds of millions of dollars.
  • The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) provided “specific Chinese government and affiliated cyber threat actor tactics, techniques, and procedures (TTPs) and recommended mitigations to the cybersecurity community to assist in the protection of our Nation’s critical infrastructure.” CISA took this action “[i]n light of heightened tensions between the United States and China.”
    • CISA asserted
      • According to open-source reporting, offensive cyber operations attributed to the Chinese government targeted, and continue to target, a variety of industries and organizations in the United States, including healthcare, financial services, defense industrial base, energy, government facilities, chemical, critical manufacturing (including automotive and aerospace), communications, IT, international trade, education, videogaming, faith-based organizations, and law firms.
    • CISA recommends organizations take the following actions:
      • Adopt a state of heightened awareness. Minimize gaps in personnel availability, consistently consume relevant threat intelligence, and update emergency call trees.
      • Increase organizational vigilance. Ensure security personnel monitor key internal security capabilities and can identify anomalous behavior. Flag any known Chinese indicators of compromise (IOCs) and TTPs for immediate response.
      • Confirm reporting processes. Ensure personnel know how and when to report an incident. The well-being of an organization’s workforce and cyber infrastructure depends on awareness of threat activity. Consider reporting incidents to CISA to help serve as part of CISA’s early warning system (see the Contact Information section below).
      • Exercise organizational incident response plans. Ensure personnel are familiar with the key steps they need to take during an incident. Do they have the accesses they need? Do they know the processes? Are various data sources logging as expected? Ensure personnel are positioned to act in a calm and unified manner.
  • The Supreme Court of the United States (SCOTUS) declined to hear a case on an Illinois revenge porn law that the Illinois State Supreme Court upheld, finding it did not impinge on a woman’s First Amendment rights. Bethany Austin was charged with a felony under an Illinois law barring the nonconsensual dissemination of private sexual pictures when she printed and distributed pictures of her ex-fiancé’s lover. Because SCOTUS decided not to hear this case, the Illinois case and others like it remain Constitutional.
    • The Illinois State Supreme Court explained the facts of the case:
      • Defendant (aka Bethany Austin) was engaged to be married to Matthew, after the two had dated for more than seven years. Defendant and Matthew lived together along with her three children. Defendant shared an iCloud account with Matthew, and all data sent to or from Matthew’s iPhone went to their shared iCloud account, which was connected to defendant’s iPad. As a result, all text messages sent by or to Matthew’s iPhone automatically were received on defendant’s iPad. Matthew was aware of this data sharing arrangement but took no action to disable it.
      • While Matthew and defendant were engaged and living together, text messages between Matthew and the victim, who was a neighbor, appeared on defendant’s iPad. Some of the text messages included nude photographs of the victim. Both Matthew and the victim were aware that defendant had received the pictures and text messages on her iPad. Three days later, Matthew and the victim again exchanged several text messages. The victim inquired, “Is this where you don’t want to message [because] of her?” Matthew responded, “no, I’m fine. [S]omeone wants to sit and just keep watching want [sic] I’m doing I really do not care. I don’t know why someone would wanna put themselves through that.” The victim replied by texting, “I don’t either. Soooooo baby ….”
      • Defendant and Matthew cancelled their wedding plans and subsequently broke up. Thereafter, Matthew began telling family and friends that their relationship had ended because defendant was crazy and no longer cooked or did household chores.
      • In response, defendant wrote a letter detailing her version of events. As support, she attached to the letter four of the naked pictures of the victim and copies of the text messages between the victim and Matthew. When Matthew’s cousin received the letter along with the text messages and pictures, he informed Matthew.
      • Upon learning of the letter and its enclosures, Matthew contacted the police. The victim was interviewed during the ensuing investigation and stated that the pictures were private and only intended for Matthew to see. The victim acknowledged that she was aware that Matthew had shared an iCloud account with defendant, but she thought it had been deactivated when she sent him the nude photographs.
    • In her petition for SCOTUS to hear her case, Austin asserted:
      • Petitioner Bethany Austin is being prosecuted under Illinois’ revenge porn law even though she is far from the type of person such laws were intended to punish. These laws proliferated rapidly in recent years because of certain reprehensible practices, such as ex-lovers widely posting images of their former mates to inflict pain for a bad breakup, malicious stalkers seeking to damage an innocent person’s reputation, or extortionists using intimate photos to collect ransom. Austin did none of those things, yet is facing felony charges because she tried to protect her reputation from her former fiancé’s lies about the reason their relationship ended.
      • The Illinois Supreme Court rejected Petitioner’s constitutional challenge to the state revenge porn law only because it ignored well-established First Amendment rules: It subjected the law only to intermediate, rather than strict scrutiny, because it incorrectly classified a statute that applies only to sexual images as content neutral; it applied diminished scrutiny because the speech at issue was deemed not to be a matter of public concern; and it held the law need not require a showing of malicious intent to justify criminal penalties, reasoning that such intent can be inferred from the mere fact that the specified images were shared. Each of these conclusions contradicts First Amendment principles recently articulated by this Court, and also is inconsistent with decisions of various state courts, including the Vermont Supreme Court.
    • Illinois argued in its brief to SCOTUS:
      • The nonconsensual dissemination of private sexual images exposes victims to a wide variety of serious harms that affect nearly every aspect of their lives. The physical, emotional, and economic harms associated with such conduct are well-documented: many victims are exposed to physical violence, stalking, and harassment; suffer from emotional and psychological harm; and face limited professional prospects and lowered income, among other repercussions. To address this growing problem and protect its residents from these harms, Illinois enacted section 11-23.5,720 ILCS 5/11-23.5. Petitioner—who was charged with violating section 11-23.5 after she disseminated nude photos of her fiancé’s paramour without consent—asks this Court to review the Illinois Supreme Court’s decision rejecting her First Amendment challenge.
  • Six U.S. Agency for Global Media (USAGM) whistleblowers have filed a complaint concerning “retaliatory actions” with the Office of the Inspector General (OIG) at the Department of State and the Office of Special Counsel, arguing the newly installed head of USAGM punished them for making complaints through proper channels about his actions. This is the latest development at the agency. the United States Court of Appeals for the District of Columbia enjoined USAGM from “taking any action to remove or replace any officers or directors of the OTF,” pending the outcome of the suit which is being expedited.
  • Additionally, USAGM CEO and Chair of the Board Michael Pack is being accused in two different letters of seeking to compromise the integrity and independence of two organizations he oversees. There have been media accounts of the Trump Administration’s remaking of USAGM in ways critics contend are threatening the mission and effectiveness of the Open Technology Fund (OTF), a U.S. government non-profit designed to help dissidents and endangered populations throughout the world. The head of the OTF has been removed, evoking the ire of Members of Congress, and other changes have been implemented that are counter to the organization’s mission. Likewise, there are allegations that politically-motivated policy changes seek to remake the Voice of America (VOA) into a less independent entity.
  • The whistleblowers claimed in their complaint:
    • Each of the Complainants made protected disclosures –whether in the form of OIG complaints, communications with USAGM leadership, and/or communications with appropriate Congressional committees–regarding their concerns about official actions primarily taken by Michael Pack, who has been serving as the Chief Executive Officer for USAGM since June 4, 2020. The Complainants’ concerns involve allegations that Mr. Pack has engaged in conduct that violates federal law and/or USAGM regulations, and that constitutes an abuse of authority and gross mismanagement. Moreover, each of the Complainants was targeted for retaliatory action by Mr. Pack because of his belief that they held political views opposed to his, which is a violation of the Hatch Act.
    • Each of the Complainants was informed by letter, dated August 12, 2020, that their respective accesses to classified information had been suspended pending further investigation. Moreover, they were all concurrently placed on administrative leave. In each of the letters to the Complainants, USAGM claimed that the Complainants had been improperly granted security clearances, and that the Complainants failed to take remedial actions to address personnel and security concerns prior to permitting other USAGM employees to receive security clearances. In addition, many or all of the Complainants were earlier subject to retaliatory adverse personnel actions in the form of substantial limitations on their ability to carry out their work responsibilities(i.e. a significant change in duties and responsibilities), which limitations were imposed without following appropriate personnel procedures.

Further Reading

  • Big Tech Was Their Enemy, Until Partisanship Fractured the Battle Plans” By Cecilia Kang and David McCabe — The New York Times. There’s a bit of court intrigue in this piece about how Republicans declined to join Democrats in the report on the antirust report released this week, sapping the recommendations on how to address Big Tech of power.
  • Facebook Keeps Data Secret, Letting Conservative Bias Claims Persist” By Bobby Allyn — NPR. Still no evidence of an anti-conservative bias at Facebook, according to experts, and the incomplete data available seem to indicate conservative content may be more favored by users than liberal content. Facebook does not release data that settle the question, however, and there are all sorts of definitional questions that need answers before this issue could be definitely settled. And yet, some food for thought is a significant percentage of sharing a link may be driven by bots and not humans.
  • News Corp. changes its tune on Big Tech” By Sara Fischer — Axios.  After beating the drum for years about the effect of Big Tech on journalism, the parent company of the Wall Street Journal and other media outlets is much more conciliatory these days. It may have something to do with all the cash the Googles and Facebooks of the world are proposing to throw at some media outlets for their content. It remains to be seen how this change in tune will affect the Australian Competition and Consumer Commission’s (ACCC) proposal to ensure that media companies are compensated for articles and content online platforms use. In late July the ACCC released for public consultation a draft of “a mandatory code of conduct to address bargaining power imbalances between Australian news media businesses and digital platforms, specifically Google and Facebook.”
  • Silicon Valley Opens Its Wallet for Joe Biden” By Daniel Oberhaus — WIRED. In what will undoubtedly be adduced as evidence that Silicon Valley is a liberal haven, this article claims according to federal elections data for this election cycle, Alphabet, Amazon, Apple, Facebook, Microsoft, and Oracle employees have contributed $4,787,752 to former Vice President Joe Biden and $239,527 to President Donald Trump. This is only for contributions of $200 and higher, so it is likely these data are not complete.
  • Facebook bans QAnon across its platforms” By Ben Collins and Brandy Zadrozny — NBC News. The social media giant has escalated and will remove all content related to the conspiracy group and theory known as QAnon. However, believers have been adaptable and agile in dropping certain terms and using methods to evade detection. Some experts say Facebook’s actions are too little, too late as these beliefs are widespread and are fueling a significant amount of violence and unrest in the real world.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Katie White from Pixabay

Further Reading, Other Developments, and Coming Events (29 September)

Coming Events

  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • September 30 the House Veterans’ Affairs Committee’s Technology Modernization Subcommittee will meet for an oversight hearing titled “Examining VA’s Ongoing Efforts in the Electronic Health Record Modernization Program.”
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September and has made available its agenda with these items:
    • Facilitating Shared Use in the 3.1-3.55 GHz Band. The Commission will consider a Report and Order that would remove the existing non-federal allocations from the 3.3-3.55 GHz band as an important step toward making 100 megahertz of spectrum in the 3.45-3.55 GHz band available for commercial use, including 5G, throughout the contiguous United States. The Commission will also consider a Further Notice of Proposed Rulemaking that would propose to add a co-primary, non-federal fixed and mobile (except aeronautical mobile) allocation to the 3.45-3.55 GHz band as well as service, technical, and competitive bidding rules for flexible-use licenses in the band. (WT Docket No. 19-348)
    • Expanding Access to and Investment in the 4.9 GHz Band. The Commission will consider a Sixth Report and Order that would expand access to and investment in the 4.9 GHz (4940-4990 MHz) band by providing states the opportunity to lease this spectrum to commercial entities, electric utilities, and others for both public safety and non-public safety purposes. The Commission also will consider a Seventh Further Notice of Proposed Rulemaking that would propose a new set of licensing rules and seek comment on ways to further facilitate access to and investment in the band. (WP Docket No. 07-100)
    • Improving Transparency and Timeliness of Foreign Ownership Review Process. The Commission will consider a Report and Order that would improve the timeliness and transparency of the process by which it seeks the views of Executive Branch agencies on any national security, law enforcement, foreign policy, and trade policy concerns related to certain applications filed with the Commission. (IB Docket No. 16-155)
    • Promoting Caller ID Authentication to Combat Spoofed Robocalls. The Commission will consider a Report and Order that would continue its work to implement the TRACED Act and promote the deployment of caller ID authentication technology to combat spoofed robocalls. (WC Docket No. 17-97)
    • Combating 911 Fee Diversion. The Commission will consider a Notice of Inquiry that would seek comment on ways to dissuade states and territories from diverting fees collected for 911 to other purposes. (PS Docket Nos. 20-291, 09-14)
    • Modernizing Cable Service Change Notifications. The Commission will consider a Report and Order that would modernize requirements for notices cable operators must provide subscribers and local franchising authorities. (MB Docket Nos. 19-347, 17-105)
    • Eliminating Records Requirements for Cable Operator Interests in Video Programming. The Commission will consider a Report and Order that would eliminate the requirement that cable operators maintain records in their online public inspection files regarding the nature and extent of their attributable interests in video programming services. (MB Docket No. 20-35, 17-105)
    • Reforming IP Captioned Telephone Service Rates and Service Standards. The Commission will consider a Report and Order, Order on Reconsideration, and Further Notice of Proposed Rulemaking that would set compensation rates for Internet Protocol Captioned Telephone Service (IP CTS), deny reconsideration of previously set IP CTS compensation rates, and propose service quality and performance measurement standards for captioned telephone services. (CG Docket Nos. 13-24, 03-123)
    • Enforcement Item. The Commission will consider an enforcement action.
  • On October 1, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold a hearing as part of its series on online competition at which it may unveil its proposal on how to reform antitrust enforcement for the digital age. The hearing is titled “Proposals to Strengthen the Antitrust Laws and Restore Competition Online.”
  • On 1 October, the Senate Commerce, Science, and Transportation Committee may hold a markup to authorize subpoenas to compel the attendance of the technology CEOs for a hearing on 47 U.S.C. 230 (aka Section 230). Ranking Member Maria Cantwell (D-WA) has said:
    • Taking the extraordinary step of issuing subpoenas is an attempt to chill the efforts of these companies to remove lies, harassment, and intimidation from their platforms. I will not participate in an attempt to use the committee’s serious subpoena power for a partisan effort 40 days before an election,” indicating a vote, should one occur, may well be along party lines.
    • Nonetheless, the Committee may subpoena the following CEOs:
      • Mr. Jack Dorsey, Chief Executive Officer, Twitter
      • Mr. Sundar Pichai, Chief Executive Officer, Alphabet Inc., Google
      • Mr. Mark Zuckerberg, Chief Executive Officer, Facebook
  • The Senate Judiciary Committee will markup the “Online Content Policy Modernization Act” (S.4632), a bill to reform 47 U.S.C. 230 (aka Section 230) that provides many technology companies with protection from lawsuits for third party content posted on their platforms and for moderating and removing such content.
  • On October 1, the Senate Armed Services Committee’s Readiness and Management Support Subcommittee will hold a hearing on supply chain integrity with Under Secretary of Defense for Acquisition and Sustainment Ellen Lord testifying. Undoubtedly, implementation of the ban on Huawei, ZTE, and other People’s Republic of China (PRC) equipment and services as required by Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) will be discussed. Also, the Cybersecurity Maturity Model Certification (CMMC) program will also likely be discussed.
  • On October 29, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”

Other Developments

  • The Senate passed an extension of the “Undertaking Spam, Spyware, And Fraud Enforcement With Enforcers beyond Borders Act of 2006” (U.S.  SAFE  WEB  Act) (H.R.4779), sending the bill to the White House. The Senate did not alter the bill the House sent to it in December. The House Energy and Commerce Committee explained in its committee report:
    • Enacted into law on December 22, 2006, the U.S. SAFE WEB Act amended the Federal Trade Commission Act (FTC Act) to improve the FTC’s ability to combat unfair or deceptive acts or practices that are international in scope. Specifically, U.S. SAFE WEB Act: (1) affirms the FTC’s cross-border enforcement authority; (2) authorizes collaboration with foreign law enforcement in the form of investigative assistance3and information sharing, provided certain statutory factors are met; (3) bolsters the FTC’s ability to receive information from foreign counterparts by allowing confidential treatment of information received; and (4) promotes relation-ship building through staff exchanges with foreign counterparts.
    • H.R. 4779 would ensure that the FTC continues to have the cross-border enforcement authority and international cooperation tools it needs to protect American consumers from unfair or deceptive acts or practices that originate abroad. This program provides a sound foundation for related issues of protecting and preserving cross-border data flows that are essential for Privacy Shield and other such agreements. Such legislation helps promote our leader ship  on  artificial  intelligence,  autonomous  vehicles,  quantum  computing, and other emerging technologies.
  • The Department of Veterans Affairs (VA) revealed it had been breached and “the personal information of approximately 46,000 Veterans” has been compromised. This announcement came the same day as an advisory issued by the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) that Chinese Ministry of State Security (MSS)-affiliated cyber threat actors have been targeting and possibly penetrating United States (U.S.) agency networks. The two events may not be linked, however. And yet, what is linked to the breach is an August VA request for information (RFI) for an entity “provide cyber security audit services support,” as confirmed by an agency spokesperson. The VA has experienced long running problems with information technology (IT) and cybersecurity as evidenced by this Government Accountability Office (GAO) testimony released a few weeks ago. In the notice of the breach, the VA explained:
    • The Financial Services Center (FSC) determined one of its online applications was accessed by unauthorized users to divert payments to community health care providers for the­ medical treatment of Veterans. The FSC took the application offline and reported the breach to VA’s Privacy Office. A preliminary review indicates these unauthorized users gained access to the application to change financial information and divert payments from VA by using social engineering techniques and exploiting authentication protocols. To prevent any future improper access to and modification of information, system access will not be reenabled until a comprehensive security review is completed by the VA Office of Information Technology. 
  • The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued Emergency Directive 20-04, “Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday” that directs United States’ (U.S.) agencies to act with respect to “non-national security systems,” meaning civilian agencies, to “immediately apply the Windows Server August 2020 security update to all domain controllers.” This most recent Emergency Directive follows two earlier ones this year (found here and here.)
  • The United States Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) announced a trio of enforcement actions for violations of HHS regulations on healthcare information these entities failed to properly protect. Specifically, these entities failed to meet their obligations under the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. OCR released these summaries of the actions:
    • Premera Blue Cross (PBC) has agreed to pay $6.85 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over 10.4 million people. This resolution represents the second-largest payment to resolve a HIPAA investigation in OCR history. PBC operates in Washington and Alaska, and is the largest health plan in the Pacific Northwest, serving more than two million people.
      • On March 17, 2015, PBC filed a breach report on behalf of itself and its network of affiliates stating that cyber-attackers had gained unauthorized access to its information technology (IT) system.  The hackers used a phishing email to install malware that gave them access to PBC’s IT system in May 2014, which went undetected for nearly nine months until January 2015.  This undetected cyberattack, otherwise known as an advanced persistent threat, resulted in the disclosure of more than 10.4 million individuals’ protected health information including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information. 
      • OCR’s investigation found systemic noncompliance with the HIPAA Rules including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, and audit controls.
    •  CHSPSC LLC, (“CHSPSC”) has agreed to pay $2,300,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over six million people.  CHSPSC provides a variety of business associate services, including IT and health information management, to hospitals and physician clinics indirectly owned by Community Health Systems, Inc., in Franklin, Tennessee.
      • In April 2014, the Federal Bureau of Investigation (FBI) notified CHSPSC that it had traced a cyberhacking group’s advanced persistent threat to CHSPSC’s information system. Despite this notice, the hackers continued to access and exfiltrate the protected health information (PHI) of 6,121,158 individuals until August 2014. The hackers used compromised administrative credentials to remotely access CHSPSC’s information system through its virtual private network. 
      • OCR ‘s investigation found longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls.
    • Athens Orthopedic Clinic PA (“Athens Orthopedic”) has agreed to pay $1,500,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. Athens Orthopedic is located in Georgia and provides orthopedic services to approximately 138,000 patients annually.
      • On June 26, 2016, a journalist notified Athens Orthopedic that a database of their patient records may have been posted online for sale. On June 28, 2016, a hacker contacted Athens Orthopedic and demanded money in return for a complete copy of the database it stole. Athens Orthopedic subsequently determined that the hacker used a vendor’s credentials on June 14, 2016, to access their electronic medical record system and exfiltrate patient health data. The hacker continued to access protected health information (PHI) for over a month until July 16, 2016.
      • On July 29, 2016, Athens Orthopedic filed a breach report informing OCR that 208,557 individuals were affected by this breach, and that the PHI disclosed included patients’ names, dates of birth, social security numbers, medical procedures, test results, and health insurance information.
      • OCR’s investigation discovered longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules by Athens Orthopedic including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members.
  • The Department of the Treasury published a final rule that changes the Committee on Foreign Investment in the United States (CFIUS) regulations with respect to mandatory filings for future deals in which foreign companies are investing in United States (U.S.) firms producing “critical technologies.” Previously, the trigger was if there was a nexus between the U.S. entity and certain industries. But now, the filing requirement will be triggered if “certain U.S. government authorizations would be required to export, reexport, transfer (in-country), or retransfer the critical technology or technologies produced, designed, tested, manufactured, fabricated, or developed by the U.S. business to certain transaction parties and foreign persons in the ownership chain.” The Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) (P.L. 115-232) required the agency to make this, among many other changes, in the CFIUS regime. What constitutes “critical technologies” is defined in FIRRMA and includes all sorts of military, commercial items with military applications, and “emerging and foundational technologies.” The final rule also “makes amendments to the definition of the term “substantial interest” and a related provision, and makes one technical revision.”
  • The Government Accountability Office (GAO) has assessed how well the Department of the Treasury is doing in its role as the overseer of cybersecurity for the United States (U.S.) financial services industry. The GAO found Treasury’s efforts lacking, especially with respect in implementing the recommendations the GAO has previously made. The GAO concluded:
    • Increased access to financial services sector systems, combined with the potential for monetary gains and economic disruptions, poses significant information security risks to the sector’s systems and to the critical operations and infrastructures they support. The financial services sector faces several different types of cyber-related risks, including ensuring adequate security for service providers traditionally considered external to the sector, an increased interconnectivity between sector entities that could result in simpler attack vectors, and the potential introduction of malware such as ransomware through social engineering techniques, such as spear phishing, or insider access. The sector has also faced an increase in attacks from well-organized attackers with significant resources.
    • The financial services industry, including firms and sectorwide groups set up to assist firms in ensuring the cybersecurity and resilience of the sector, have undertaken a series of risk mitigation efforts, in areas such as coordination and information sharing between organizations, development of guidance and training for members, and sectorwide incident response exercises. However, industry firms also pointed to challenge areas for assistance from regulators and policymakers. The most common of these areas were improved information sharing of actionable data after a cyber incident; improved harmonization among regulators, such as minimizing differences in use of state versus national requirements; establishing clearer guidance regarding regulation of the sector’s third-party service providers; and increasing cybersecurity training to firm employees.
    •  Federal agencies are conducting risk mitigation efforts intended to support private industry in improving cybersecurity of the financial services sector. These efforts, including regular outreach by the designated financial sector-specific agency, Treasury, generally meet responsibilities laid out in policy. However, Treasury does not prioritize or track the progress of sectorwide risk mitigation efforts, and does not explicitly link sector efforts to the goals in the sector specific plan, which is the primary sector planning document. Furthermore, the plan is out of date and does not include information on how the sector plans to implement recently required efforts. The plan also does not identify ways to measure sector progress, such as explicit metrics for determining the progress of risk mitigation efforts to enhance the cybersecurity and resilience of the sector. Unless Treasury undertakes tracking and prioritization of efforts based on metrics that reflect sector planning documents, the sector will remain unable to determine the effectiveness of its efforts, which could leave the sector insufficiently prepared to deal with primary sector risks.
    • The GAO made two recommendations to Treasury:
      • Regarding financial sector cyber risk mitigation efforts, we recommend that the Secretary of the Treasury, in coordination with the Department of Homeland Security and other federal and nonfederal sector partners, track the content and progress of sectorwide cyber risk mitigation efforts, and prioritize their completion according to sector goals and priorities in the sector-specific plan. (Recommendation 1)
      • Regarding the financial sector-specific plan, we recommend that the Secretary of the Treasury, in coordination with the Department of Homeland Security and other federal and nonfederal sector partners, update the financial services sector-specific plan to include specific metrics for measuring the progress of risk mitigation efforts and information on how the sector’s ongoing and planned risk mitigation efforts will meet sector goals and requirements, such as requirements for the financial services sector in the National Cyber Strategy Implementation Plan. (Recommendation 2)
  • The Department of Homeland Security’s (DHS) Office of the Inspector General (OIG) published its review of a May 2019 breach of a U.S. Customs and Border Protection (CBP) subcontractor that resulted in “CBP data, including traveler images from CBP’s facial recognition pilot, appear[ing] on the dark web.” The OIG explained that “CBP selected Unisys Corporation to design, develop, and install a biometric entry-exit solution that would verify and confirm the arrival and departures of passengers. In turn, Unisys Corporation hired Perceptics, LLC, as a subcontractor to install its proprietary facial image capture solution.” Perceptics then proceeded to violate DHS security and privacy protocols by transferring these data to its systems, but the agency did not store the personally identifiable information (PII) in an encrypted form. Consequently, when Perceptics was hit with a ransomware attack, “more than 184,000 traveler facial image files, as well as 105,000 license plate images from prior pilot work, were stored on the subcontractor’s network at the time of the ransomware attack.” The hackers also “stole an array of contractual documents, program management documents, emails, system configurations, schematics, and implementation documentation related to CBP license plate reader programs.” Worse still, CBP was notified of the breach through a media article instead of by either the prime or subcontractor even thought Perceptics informed Unisys, which opted against informing CBP in violation of its contractual duties.
  • The OIG summarized the facts of the case:
    • CBP did not adequately safeguard sensitive data on an unencrypted device used during its facial recognition technology pilot (known as the Vehicle Face System). A subcontractor working on this effort, Perceptics, LLC, transferred copies of CBP’s biometric data, such as traveler images, to its own company network. The subcontractor obtained access to this data between August 2018 and January 2019 without CBP’s authorization or knowledge. Later in 2019, the Department of Homeland Security experienced a major privacy incident, as the subcontractor’s network was subjected to a malicious cyber attack.
    • DHS requires subcontractors to protect personally identifiable information (PII) from identity theft or misuse. However, in this case, Perceptics staff directly violated DHS security and privacy protocols when they downloaded CBP’s sensitive PII from an unencrypted device and stored it on their own network. Given Perceptics’ ability to take possession of CBP-owned sensitive data, CBP’s information security practices during the pilot were inadequate to prevent the subcontractor’s actions.
    • This data breach compromised approximately 184,000 traveler images from CBP’s facial recognition pilot; at least 19 of the images were posted to the dark web. This incident may damage the public’s trust in the Government’s ability to safeguard biometric data and may result in travelers’ reluctance to permit DHS to capture and use their biometrics at U.S. ports of entry.
  • The OIG made 3 recommendations to CBP:
    • Recommendation 1: We recommend CBP’s Assistant Commissioner for the Office of Information and Technology implement all mitigation and policy recommendations to resolve the 2019 data breach identified in CBP’s Security Threat Assessments, including implementing USB device restrictions and applying enhanced encryption methods.
    • Recommendation 2: We recommend the Deputy Executive Assistant Commissioner, Office of Field Operations coordinate with the CBP Office of Information and Technology to ensure that all additional security controls are implemented on relevant devices at all existing Biometric Entry-Exit program pilot locations.
    • Recommendation 3: We recommend the Deputy Executive Assistant Commissioner, Office of Field Operations establish a plan for the Biometric Entry-Exit Program to routinely assess third-party equipment supporting biometric data collection to ensure partners’ compliance with Department security and privacy standards.

Further Reading

  • Revealed: Trump campaign strategy to deter millions of Black Americans from voting in 2016” — Channel 4 News. The same British news organization that broke the Cambridge Analytica story is back with another article on the mining and use of personal data in microtargeting voters in the 2016 presidential election. Despite repeated denials, it appears the Trump Campaign in concert with Cambridge Analytica and the Republican National Committee targeted African Americans with messages on Facebook to keep them home on election day, possibly swinging a few keys states Trump could not have won the Electoral College without.
  • Why the right wing has a massive advantage on Facebook” By Alex Thompson — Politico. This piece lays the responsibility for the advantage in popularity conservative political posts and content on human nature, arguing that right-wing populism will always be more viscerally appealing to people than left-wing populism. The company also seems to be laying what many are calling its malign effects on human nature, too.  
  • Foreign Hackers Cripple Texas County’s Email System, Raising Election Security Concerns” By Jack Gillum, Jessica Huseman, Jeff Kao and Derek Willis — ProPublica. In an article based on information provided on a small Texas County’s breach, light is shined on how unprepared many localities and jurisdictions against common cyber threats. In this case, a common ransomware malware was placed successfully on the county’s system rending it unusable. It appears this, and other counties, have disregarded the cybersecurity advice furnished by the Department of Homeland Security in the hopes that the United States’ (U.S.) systems will be secure against election day hacks. With minimal effort, a sophisticated entity can wreak havoc in contested states this election.
  • TikTok was just the beginning: Trump administration is stepping up scrutiny of past Chinese tech investments” By Jeanne Whalen — The Washington Post. To no great surprise, the Trump Administration is looking to use the Committee on Foreign Investment in the United States (CFIUS) process. The Department of the Treasury’s Office of Investment Security Monitoring & Enforcement has been sending letters to technology companies since the early spring inquiring about foreign investment. The companies being targeted tend to collect, process, and store a lot of personal data or are pioneering or producing cutting edge technology considered vital for national security like electric batteries. This new office is reportedly looking back at transactions completed more than ten years ago. Already the scrutiny is having its intended effect as entities from the People’s Republic of China (PRC) have invested less this year in Silicon Valley than they have in six years.
  • China chip giant SMIC shares sink on US export controls” By Jerome Taylor — AFP; “U.S. sanctions on chipmaker SMIC hit at the very heart of China’s tech ambitions” By Arjun Kharpal — CNBC. The United States (U.S.) Department of Commerce has reportedly informed U.S. chipmakers and others that they must stop selling equipment to the People’s Republic of China’s (PRC) Semiconductor Manufacturing International Corp (SMIC) unless they get an export license. This latest move tightens further the chokehold the U.S. has placed on Huawei and other PRC firms that require U.S. technology to make their products. While SMIC has made strides in developing chips, it is still dependent on foreign technology. SMIC told western media outlets we “no relationship with the Chinese military and does not manufacture for any military end-users or end-uses.”
  • Activists slam Palantir for its work with ICE ahead of market debut” By Tonya Riley and Cat Zakrzewski — The Washington Post. Ahead of tomorrow’s initial public offering, human rights advocates are pressing investors to forego Palantir or to buy the stock and demand changes. These activists are arguing that the Peter Thiel launched company has worked with the United States government and others in violation of human rights.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Daniel Falcao on Unsplash

Further Reading, Other Developments, and Coming Events (22 September)

Coming Events

  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The Senate Judiciary Committee’s Intellectual Property Subcommittee will hold a hearing on 23 September titled “Examining Threats to American Intellectual Property: Cyber-attacks and Counterfeits During the COVID-19 Pandemic” with these witnesses:
    • Adam Hickey, Deputy Assistant Attorney General National Security Division, Department of Justice
    • Clyde Wallace, Deputy Assistant Director Cyber Division, Federal Bureau of Investigation
    • Steve Francis, Assistant Director, HSI Global Trade Investigations Division Director, National Intellectual Property Rights Center, U.S. Immigration and Customs Enforcement, Department of Homeland Security
    • Bryan S. Ware, Assistant Director for Cybersecurity Cyber Security and Infrastructure Security Agency, Department of Homeland Security
  • On 23 September, the Commerce, Science, and Transportation Committee will hold a hearing titled “Revisiting the Need for Federal Data Privacy Legislation,” with these witnesses:
    • The Honorable Julie Brill, Former Commissioner, Federal Trade Commission
    • The Honorable William Kovacic, Former Chairman and Commissioner, Federal Trade Commission
    • The Honorable Jon Leibowitz, Former Chairman and Commissioner, Federal Trade Commission
    • The Honorable Maureen Ohlhausen, Former Commissioner and Acting Chairman, Federal Trade Commission
    • Mr. Xavier Becerra, Attorney General, State of California
  • The House Energy and Commerce Committee’s Consumer Protection and Commerce Subcommittee will hold a virtual hearing “Mainstreaming Extremism: Social Media’s Role in Radicalizing America” on 23 September with these witnesses:
    • Marc Ginsburg, President, Coalition for a Safer Web
    • Tim Kendall, Chief Executive Officer, Moment
    • Taylor Dumpson, Hate Crime Survivor and Cyber-Harassment Target
    • John Donahue, Fellow, Rutgers University Miler Center for Community Protection and Resiliency, Former Chief of Strategic Initiatives, New York City Police Department
  • On 23 September, the Senate Homeland Security and Governmental Affairs will hold a hearing to consider the nomination of Chad Wolf to be the Secretary of Homeland Security.
  • The Senate Armed Services Committee will hold a closed briefing on 24 September “on Department of Defense Cyber Operations in Support of Efforts to Protect the Integrity of U.S. National Elections from Malign Actors” with:
    • Kenneth P. Rapuano, Assistant Secretary of Defense for Homeland Defense and Global Security
    • General Paul M. Nakasone, Commander, U.S. Cyber Command and Director, National Security Agency/Chief, Central Security Service
  • On 24 September, the Homeland Security and Governmental Affairs will hold a hearing on “Threats to the Homeland” with:
    • Christopher A. Wray, Director, Federal Bureau of Investigation
    • Christopher Miller, Director, National Counterterrorism Center
    • Kenneth Cuccinelli, Senior Official Performing the Duties of the Deputy Secretary of Homeland Security
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled “Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delhrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September and has made available its agenda with these items:
    • Facilitating Shared Use in the 3.1-3.55 GHz Band. The Commission will consider a Report and Order that would remove the existing non-federal allocations from the 3.3-3.55 GHz band as an important step toward making 100 megahertz of spectrum in the 3.45-3.55 GHz band available for commercial use, including 5G, throughout the contiguous United States. The Commission will also consider a Further Notice of Proposed Rulemaking that would propose to add a co-primary, non-federal fixed and mobile (except aeronautical mobile) allocation to the 3.45-3.55 GHz band as well as service, technical, and competitive bidding rules for flexible-use licenses in the band. (WT Docket No. 19-348)
    • Expanding Access to and Investment in the 4.9 GHz Band. The Commission will consider a Sixth Report and Order that would expand access to and investment in the 4.9 GHz (4940-4990 MHz) band by providing states the opportunity to lease this spectrum to commercial entities, electric utilities, and others for both public safety and non-public safety purposes. The Commission also will consider a Seventh Further Notice of Proposed Rulemaking that would propose a new set of licensing rules and seek comment on ways to further facilitate access to and investment in the band. (WP Docket No. 07-100)
    • Improving Transparency and Timeliness of Foreign Ownership Review Process. The Commission will consider a Report and Order that would improve the timeliness and transparency of the process by which it seeks the views of Executive Branch agencies on any national security, law enforcement, foreign policy, and trade policy concerns related to certain applications filed with the Commission. (IB Docket No. 16-155)
    • Promoting Caller ID Authentication to Combat Spoofed Robocalls. The Commission will consider a Report and Order that would continue its work to implement the TRACED Act and promote the deployment of caller ID authentication technology to combat spoofed robocalls. (WC Docket No. 17-97)
    • Combating 911 Fee Diversion. The Commission will consider a Notice of Inquiry that would seek comment on ways to dissuade states and territories from diverting fees collected for 911 to other purposes. (PS Docket Nos. 20-291, 09-14)
    • Modernizing Cable Service Change Notifications. The Commission will consider a Report and Order that would modernize requirements for notices cable operators must provide subscribers and local franchising authorities. (MB Docket Nos. 19-347, 17-105)
    • Eliminating Records Requirements for Cable Operator Interests in Video Programming. The Commission will consider a Report and Order that would eliminate the requirement that cable operators maintain records in their online public inspection files regarding the nature and extent of their attributable interests in video programming services. (MB Docket No. 20-35, 17-105)
    • Reforming IP Captioned Telephone Service Rates and Service Standards. The Commission will consider a Report and Order, Order on Reconsideration, and Further Notice of Proposed Rulemaking that would set compensation rates for Internet Protocol Captioned Telephone Service (IP CTS), deny reconsideration of previously set IP CTS compensation rates, and propose service quality and performance measurement standards for captioned telephone services. (CG Docket Nos. 13-24, 03-123)
    • Enforcement Item. The Commission will consider an enforcement action.

Other Developments

  • The United States (U.S.) Department of Justice (DOJ) has indicted two Iranian nationals for allegedly hacking into systems in the U.S., Europe, and the Middle East dating back to 2013 to engage in espionage and sometimes theft.
    • The DOJ claimed in its press release:
      • According to a 10-count indictment returned on Sept. 15, 2020, Hooman Heidarian, a/k/a “neo,” 30, and Mehdi Farhadi, a/k/a “Mehdi Mahdavi” and “Mohammad Mehdi Farhadi Ramin,” 34, both of Hamedan, Iran, stole hundreds of terabytes of data, which typically included confidential communications pertaining to national security, foreign policy intelligence, non-military nuclear information, aerospace data, human rights activist information, victim financial information and personally identifiable information, and intellectual property, including unpublished scientific research.  In some instances, the defendants’ hacks were politically motivated or at the behest of Iran, including instances where they obtained information regarding dissidents, human rights activists, and opposition leaders.  In other instances, the defendants sold the hacked data and information on the black market for private financial gain.
      • The victims included several American and foreign universities, a Washington, D.C.-based think tank, a defense contractor, an aerospace company, a foreign policy organization, non-governmental organizations (NGOs), non-profits, and foreign government and other entities the defendants identified as rivals or adversaries to Iran.  In addition to the theft of highly protected and sensitive data, the defendants also vandalized websites, often under the pseudonym “Sejeal” and posted messages that appeared to signal the demise of Iran’s internal opposition, foreign adversaries, and countries identified as rivals to Iran, including Israel and Saudi Arabia.
  • Two United States (U.S.) agencies took coordinated action against an alleged cyber threat group and a front company for a “a years-long malware campaign that targeted Iranian dissidents, journalists, and international companies in the travel sector.” The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) “imposed sanctions on Iranian cyber threat group Advanced Persistent Threat 39 (APT39), 45 associated individuals, and one front company…Rana Intelligence Computing Company (Rana)” per the agency’s press release. Treasury further claimed:
    • Rana advances Iranian national security objectives and the strategic goals of Iran’s Ministry of Intelligence and Security (MOIS) by conducting computer intrusions and malware campaigns against perceived adversaries, including foreign governments and other individuals the MOIS considers a threat. APT39 is being designated pursuant to E.O. 13553 for being owned or controlled by the MOIS, which was previously designated on February 16, 2012 pursuant to Executive Orders 13224, 13553, and 13572, which target terrorists and those responsible for human rights abuses in Iran and Syria, respectively.
    • The Federal Bureau of Investigation (FBI) provided “information on numerous malware variants and indicators of compromise (IOCs) associated with Rana to assist organizations and individuals in determining whether they may have been targeted.”
  • The United States (U.S.) Department of Justice (DOJ) also released grand jury indictments against five nationals of the People’s Republic of China and two Malaysians for extensive hacking and exfiltration of commercial and business information with an eye towards profiting from these crimes. The DOJ asserted in its press release:
    • In August 2019 and August 2020, a federal grand jury in Washington, D.C., returned two separate indictments (available here and here) charging five computer hackers, all of whom were residents and nationals of the People’s Republic of China (PRC), with computer intrusions affecting over 100 victim companies in the United States and abroad, including software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, non-profit organizations, universities, think tanks, and foreign governments, as well as pro-democracy politicians and activists in Hong Kong.
    •  The intrusions, which security researchers have tracked using the threat labels “APT41,” “Barium,” “Winnti,” “Wicked Panda,” and “Wicked Spider,” facilitated the theft of source code, software code signing certificates, customer account data, and valuable business information.  These intrusions also facilitated the defendants’ other criminal schemes, including ransomware and “crypto-jacking” schemes, the latter of which refers to the group’s unauthorized use of victim computers to “mine” cryptocurrency. 
    • Also in August 2020, the same federal grand jury returned a third indictment charging two Malaysian businessmen who conspired with two of the Chinese hackers to profit from computer intrusions targeting the video game industry in the United States and abroad.  Shortly thereafter, the U.S. District Court for the District of Columbia issued arrest warrants for the two businessmen.  On Sept. 14, 2020, pursuant to a provisional arrest request from the United States with a view to their extradition, Malaysian authorities arrested them in Sitiawan.
  • On 21 September, the House of Representatives took and passed the following bills, according to summaries provided by the House Majority Whip’s office:
    • The “Effective Assistance in the Digital Era” (H.R. 5546) (Rep. Jeffries – Judiciary) This bill requires the Federal Bureau of Prisons to establish a system to exempt from monitoring any privileged electronic communications between incarcerated individuals and their attorneys or legal representatives.
    • The “Defending the Integrity of Voting Systems Act (S. 1321) This bill broadens the definition of “protected computer” for purposes of computer fraud and abuse offenses under current law to include a computer that is part of a voting system.
    • The “Promoting Secure 5G Act of 2020” (H.R. 5698) This bill will establish as a U.S. policy within the IFIs to only finance 5G projects and other wireless technologies that include adequate security measures in furtherance of national security aims to protect wireless networks from bad actors and foreign governments.
    • The “MEDIA Diversity Act of 2020” (H.R. 5567) This bill Requires the FCC to consider market entry barriers for socially disadvantaged individuals in the communications marketplace.
    • The “Don’t Break Up the T-Band Act of 2020” as amended (H.R. 451) This bill repeals the requirement on the FCC to reallocate and auction the T-Band.  H.R. 451 also requires the FCC to adopt rules limiting the use of 9-1-1 fees by States or other taxing jurisdictions to (1) the support and implementation of 9-1-1 services and (2) operational expenses of public safety answering points.
    • It bears note that S. 1321 has passed the Senate, and so it is off to the White House for the only election security bill that has made it through both house of Congress.

Further Reading

  • Justice Department expected to brief state attorneys general this week on imminent Google antitrust lawsuit” By Tony Romm — The Washington Post; “Justice Dept. Case Against Google Is Said to Focus on Search Dominance” By Cecilia Kang, Katie Benner, Steve Lohr and Daisuke Wakabayashi — The New York Times; “Justice Department, states to meet in possible prelude to Google antitrust suit” By Leah Nylen — Politico. Tomorrow, the United States Department of Justice (DOJ) will outline its proposed antitrust case against Google with state attorneys general, almost all of whom are investigating Google on the same grounds. Reportedly, the DOJ case is focused on the company’s dominance of online searches, notably its arrangement to make Google the default search engine on iPhones and Androids, and not on its advertising practices. If the DOJ goes this road, then it will be similar to the European Union’s (EU) 2018 case against Google for the same, which resulted in EU residents being offered a choice on search engines on Android devices and a €4.34 billion fine. This development comes after articles earlier this month that Attorney General William Barr has been pushing the DOJ attorneys and investigators against the wishes of many to wrap up the investigation in time for a pre-election filing that would allow President Donald Trump to claim he is being tough on big technology companies. However, if this comes to pass, Democratic attorneys general may decline to join the suit and may bring their own action also alleging violations in the online advertising realm that Google dominates. In this vein, Texas Attorney General Ken Paxton has been leading the state effort to investigate Google’s advertising business, which critics argue is anti-competitive. Also, according to DOJ attorneys who oppose what they see as Barr rushing the suit, this could lead to a weaker case Google may be able to defeat in court. Of course, this news comes shortly after word leaked from the Federal Trade Commission (FTC) that its case against Facebook could be filed regarding its purchase of rivals WhatsApp and Instagram.
  • Why Japan wants to join the Five Eyes intelligence network” By Alan Weedon — ABC News. This piece makes the case as to why the United States, United Kingdom, Canada, Australia, and New Zealand may admit a new member to the Five Eyes soon: Japan. The case for the first Asian country is that it is a stable, western democracy, a key ally in the Pacific, and a bulwark against the influence of the People’s Republic of China (PRC). It is really this latter point that could carry the day, for the Five Eyes may need Japan’s expertise with the PRC and its technology to counter the former’s growing ambitions.
  • The next Supreme Court justice could play a major role in cybersecurity and privacy decisions” By Joseph Marks — The Washington Post. There are a range of cybersecurity and technology cases that the Supreme Court will decide in the near future, and so whether President Donald Trump gets to appoint Justice Ruth Bader Ginsburg’s successor will be very consequential for policy in these areas. For example, the court could rule on the Computer Fraud and Abuse Act for the first time regarding whether researchers are violating the law by probing for weak spots in systems. There are also Fourth Amendment and Fifth Amendment cases pending with technology implications as the former pertains to searches of devices by border guards and the latter to self-incrimination visa vis suspects being required to unlock devices.
  • Facebook Says it Will Stop Operating in Europe If Regulators Don’t Back Down” By David Gilbert —VICE. In a filing in its case against Ireland’s Data Protection Commission (DPC), Facebook made veiled threats that if the company is forced to stop transferring personal data to the United States, it may stop operating in the European Union altogether. Recently, the DPC informed Facebook that because Privacy Shield was struck down, it would need to stop transfers even though the company has been using standard contractual clauses, another method permitted in some case under the General Data Protection Regulation. Despite Facebook’s representation, it seems a bit much that the company would leave the EU to any competitors looking to its fill its shoes.
  • As U.S. Increases Pressure, Iran Adheres to Toned-Down Approach” By Julian E. Barnes, David E. Sanger, Ronen Bergman and Lara Jakes — The New York Times. The Islamic Republic of Iran is showing remarkable restraint in its interactions with the United States in the face of continued, punitive actions against Tehran. And this is true also of its cyber operations. The country has made the calculus that any response could be used by President Donald Trump to great effect in closing the gap against front runner former Vice President Joe Biden. The same has been true of its cyber operations against Israel, which has reportedly conducted extensive operations inside Iran with considerable damage.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

TikTok Deal Struck And WeChat Wins Injunction

A TikTok deal may be taking shape even though there are indications the details have not been hammered out entirely. A federal court blocked implementation of the WeChat ban.

Over the weekend with the 20 September effective dates looming on the TikTok and WeChat notices, there were separate developments that delayed implementation of the bans on the two apps from the People’s Republic of China (PRC). It appeared the Trump Administration, ByteDance, and potential United States (U.S.) partners were closing in on a deal even as there continued to be disputes as to the composition and nature of the new entity that would house TikTok in the U.S. The ban against WeChat was blocked by a U.S. court, a decision sure to be appealed.

On 19 September, a magistrate judge in San Francisco granted a preliminary injunction against the Trump Administration’s implementation of the WeChat order. As explained in a footnote, “[t]he plaintiffs are U.S. WeChat Users Alliance, a nonprofit formed to challenge the WeChat Executive Order, and individual and business users.” In short, they contended that the WeChat ban

(1) violates the First Amendment to the U.S. Constitution,

(2) violates the Fifth Amendment,

(3) violates the Religious Freedom Restoration Act, 42 U.S.C. § 2000bb(1)(a),

(4) was not a lawful exercise of the President’s and the Secretary’s authority under the International Economic Emergency Powers Act (“IEEPA”) — which allows the President to prohibit “transactions” in the interest of national security — because the IEEPA, 50 U.S.C. § 1702(b)(1), does not allow them to regulate personal communications, and

(5) violates the Administrative Procedures Act (“APA”) because the Secretary exceeded his authority under the IEEPA and should have promulgated the rule through the notice-and-comment rulemaking procedures in 5 U.S.C. § 553(b).

The judge granted the motion for a preliminary injunction “on the ground that the plaintiffs have shown serious questions going to the merits of the First Amendment claim, the balance of hardships tips in the plaintiffs’ favor, and the plaintiffs establish sufficiently the other elements for preliminary-injunctive relief.” The judge seemed most persuaded by this claim and summarized the plaintiffs’ argument:

  • First, they contend, effectively banning WeChat — which serves as a virtual public square for the Chinese-speaking and Chinese-American community in the United States and is (as a practical matter) their only means of communication — forecloses meaningful access to communication in their community and thereby operates as a prior restraint on their right to free speech that does not survive strict scrutiny.
  • Second, even if the prohibited transactions are content-neutral time-place-or-manner restrictions, they do not survive intermediate scrutiny because the complete ban is not narrowly tailored to address the government’s significant interest in national security.

The Trump Administration will almost certainly appeal this decision, but it remains to be seen how quickly the case moves through the court system.

Also, over the weekend, the Trump Administration paused its notice for implementing the EO against TikTok because of agreement in principles of a deal that would permit Oracle and Walmart to control a certain percentage of TikTok in the U.S. However, the details of which entity would control what remain murky with ByteDance arguing that U.S. entities will not control TikTok, but assertions to the opposite being made by the company’s U.S. partners. Over the weekend, it appeared Oracle and Walmart would be able to take a collective 20% stake in a new entity TikTok Global that would operate in the U.S. Walmart has been partnering with Microsoft, but when the tech giant failed in its bid, Walmart began talks with Oracle. ByteDance would have a stake in the company but not majority control according to some sources. However, ByteDance began pushing back on that narrative as President Donald Trump declared this morning “if we find that [Oracle and Walmart] don’t have total control, then we’re not going to approve the deal.” Moreover, $5 billion would be used for some sort of educational fund. However, it is hard to tell what exactly would occur and whether this is supposed to be the “finder’s fee” of sorts Trump had said the U.S. would deserve from the deal.

On 19 September, the U.S. Department of Commerce issued a statement pushing back the effective date of the order against TikTik from 20 September to 27 September because of “recent positive developments.” The same day, the U.S. Department of the Treasury released a statement, explaining:

The President has reviewed a deal among Oracle, Walmart, and TikTok Global to address the national security threat posed by TikTok’s operations. Oracle will be responsible for key technology and security responsibilities to protect all U.S. user data. Approval of the transaction is subject to a closing with Oracle and Walmart and necessary documentation and conditions to be approved by Committee on Foreign Investment in the United States (CFIUS). 

TikTok also released a statement, asserting

We’re pleased that today we’ve confirmed a proposal that resolves the Administration’s security concerns and settles questions around TikTok’s future in the US. Our plan is extensive and consistent with previous CFIUS resolutions, including working with Oracle, who will be our trusted cloud and technology provider responsible for fully securing our users’ data. We are committed to protecting our users globally and providing the highest levels of security. Both Oracle and Walmart will take part in a TikTok Global pre-IPO financing round in which they can take up to a 20% cumulative stake in the company. We will also maintain and expand the US as TikTok Global’s headquarters while bringing 25,000 jobs across the country.

Walmart issued its own statement on 19 September:

While there is still work to do on final agreements, we have tentatively agreed to purchase 7.5% of TikTok Global as well as enter into commercial agreements to provide our ecommerce, fulfillment, payments and other omnichannel services to TikTok Global. Our CEO, Doug McMillon, would also serve as one of five board members of the newly created company. In addition, we would work toward an initial public offering of the company in the United States within the next year to bring even more ownership to American citizens. The final transaction will need to be approved by the relevant U.S. government agencies.

The same day, Oracle and Walmart released a joint statement:

  • The President has announced that ByteDance has received tentative approval for an agreement with the U.S. Government to resolve the outstanding issues, which will now include Oracle and Walmart together investing to acquire 20% of the newly formed TikTok Global business.
  • As a part of the deal, TikTok is creating a new company called TikTok Global that will be responsible for providing all TikTok services to users in United States and most of the users in the rest of the world. Today, the administration has conditionally approved a landmark deal where Oracle becomes TikTok’s secure cloud provider.
  • TikTok Global will be majority owned by American investors, including Oracle and Walmart. TikTok Global will be an independent American company, headquartered in the U.S., with four Americans out of the five member Board of Directors.
  • All the TikTok technology will be in possession of TikTok Global, and comply with U.S. laws and privacy regulations. Data privacy for 100 million American TikTok users will be quickly established by moving all American data to Oracle’s Generation 2 Cloud data centers, the most secure cloud data centers in the world.
  • In addition to its equity position, Walmart will bring its omnichannel retail capabilities including its Walmart.com assortment, eCommerce marketplace, fulfillment, payment and measurement-as-a-service advertising service.
  • TikTok Global will create more than 25,000 new jobs in the Unites States and TikTok Global will pay more than $5 billion in new tax dollars to the U.S. Treasury.
  • TikTok Global, together with Oracle, SIG, General Atlantic, Sequoia, Walmart and Coatue will create an educational initiative to develop and deliver an AI-driven online video curriculum to teach children from inner cities to the suburbs, a variety of courses from basic reading and math to science, history and computer engineering.
  • TikTok Global will have an Initial Public Offering (IPO) in less than 12 months and be listed on a U.S. Exchange. After the IPO, U.S. ownership of TikTok Global will increase and continue to grow over time.

Today, Oracle went further in a statement to the media claiming, “ByteDance will have no ownership in TikTok Global,” which is a different message than the one the company was sending. For example, in a blog post, ByteDance stated “[t]he current plan does not involve the transfer of any algorithms or technology…[but] Oracle has the authority to check the source code of TikTok USA.”

Late last week, the Trump Administration issued orders barring TikTok and WeChat pursuant to executive orders issued an “Executive Order on Addressing the Threat Posed by TikTok” and an “Executive Order on Addressing the Threat Posed by WeChat” that bar any transactions with the companies that made, distribute, and operate TikTok and WeChat respectively. The U.S. Department of Commerce (Commerce) issued orders effectuating the executive orders, which were set to take effect this past weekend. In a press release, Commerce explained:

As of September 20, 2020, the following transactions are prohibited:

  1. Any provision of service to distribute or maintain the WeChat or TikTok mobile applications, constituent code, or application updates through an online mobile application store in the U.S.;
  2. Any provision of services through the WeChat mobile application for the purpose of transferring funds or processing payments within the U.S.

As of September 20, 2020, for WeChat and as of November 12, 2020, for TikTokthe following transactions are prohibited:

  1. Any provision of internet hosting services enabling the functioning or optimization of the mobile application in the U.S.;
  2. Any provision of content delivery network services enabling the functioning or optimization of the mobile application in the U.S.;
  3. Any provision directly contracted or arranged internet transit or peering services enabling the function or optimization of the mobile application within the U.S.;
  4. Any utilization of the mobile application’s constituent code, functions, or services in the functioning of software or services developed and/or accessible within the U.S.

Commerce added:

Any other prohibitive transaction relating to WeChat or TikTok may be identified at a future date. Should the U.S. Government determine that WeChat’s or TikTok’s illicit behavior is being replicated by another app somehow outside the scope of these executive orders, the President has the authority to consider whether additional orders may be appropriate to address such activities. The President has provided until November 12 for the national security concerns posed by TikTok to be resolved. If they are, the prohibitions in this order may be lifted.

Commerce has submitted notices to be published this week in the Federal Register identifying the transactions that will be illegal regarding TikTok and WeChat:

  • Pursuant to Executive Order 13942, the Secretary of Commerce is publishing the list of prohibited transactions by any person, or with respect to any property, subject to the jurisdiction of the United States, with ByteDance Ltd. (a.k.a. Zìjié Tiàodòng), Beijing, China, or its subsidiaries, including TikTok Inc., in which any such company has any interest, to address the national emergency with respect to the information and communications technology and services supply chain declared in Executive Order 13873, May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain), and particularly to address the threat identified in Executive Order 13942 posed by mobile application TikTok.
  • Pursuant to Executive Order 13943, the Secretary of Commerce is publishing this Identification of Prohibited Transactions related to WeChat by any person, or with respect to any property, subject to the jurisdiction of the United States, with Tencent Holdings Ltd. (a.k.a. Téngxùn Kònggŭ Yŏuxiàn Gōngsī), Shenzhen, China, or any subsidiary of that entity, to address the national emergency with respect to the information and communications technology and services supply chain declared in Executive Order 13873, May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain), and particularly to address the threat identified in Executive Order 13943 posed by mobile application WeChat.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by chuttersnap on Unsplash

Further Reading, Other Developments, and Coming Events (10 September)

Coming Events

  • The Federal Communications Commission (FCC) will hold a forum on 5G Open Radio Access Networks on 14 September. The FCC asserted
    • Chairman [Ajit] Pai will host experts at the forefront of the development and deployment of open, interoperable, standards-based, virtualized radio access networks to discuss this innovative new approach to 5G network architecture. Open Radio Access Networks offer an alternative to traditional cellular network architecture and could enable a diversity in suppliers, better network security, and lower costs.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.”
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled ““Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delhrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • Top Senate Democrats asked the Secretary of the Treasury to impose sanctions on officials and others in the Russian Federation for interfering in the 2020 United States election. In their letter, they urged Secretary Steven Mnuchin “to draw upon the conclusions of the Intelligence Community to identify and target for sanctions all those determined to be responsible for ongoing election interference, including any actors within the government of the Russian Federation, any Russian actors determined to be directly responsible, and those acting on their behalf or providing material or financial support for their efforts.” Given that Mnuchin is unlikely to displease President Donald Trump through agreeing that Russians are again interfering in a presidential election, it is probable that Senate Democrats are seeking to further their line of attack on Republicans that they are unwilling to defend the U.S. and its elections from Russia. They called on Mnuchin to use the authorities granted by Congress in the “Countering America’s Adversaries Through Sanctions Act” (P.L. 115-44) and Executive Order 13848 “Imposing Certain Sanctions in the Event of Foreign Interference in a United States Election.”
  • Epic Games has returned to court in an attempt to force Apple to put its popular multiplayer game, Fortnite back into the App Store. At present, those on iOS devices cannot download and play the newest version of the game released a few weeks ago. Even though Epic Games lost its request for a temporary restraining order that would order Apple to put the game back, it has filed for a preliminary injunction:
    • (1) restraining Defendant Apple Inc. (“Apple”) from removing, de-listing, refusing to list or otherwise making unavailable the app Fortnite or any other app on Epic’s Team ID ’84 account in Apple’s Developer Program, including any update of such an app, from the App Store on the basis that Fortnite offers in-app payment processing through means other than Apple’s In-App Purchase (“IAP”) or on any pretextual basis;
    • (2) restraining Apple from taking any adverse action against Epic, including but not limited to restricting, suspending, or terminating any other Apple Developer Program account of Epic or its affiliates, on the basis that Epic enabled in-app payment processing in Fortnite through means other than IAP or on the basis of the steps Epic took to do so;
    • (3) restraining Apple from removing, disabling, or modifying Fortnite or any code, script, feature, setting, certification, version or update thereof on any iOS user’s device; and
    • (4) requiring Apple to restore Epic’s Team ID ’84 account in Apple’s Developer Program.
    •  Epic Games asserts:
      • This motion is made on the grounds that: (1) Epic is likely to succeed on the merits of its claims that Apple’s conduct violates the Sherman Act; (2) absent a preliminary injunction, Epic is likely to suffer irreparable harm; (3) the balance of harms tips sharply in Epic’s favor; and (4) the public interest supports an injunction.
    • Considering that the judge ruled against Epic Games’ claim of irreparable harm in the motion for a temporary restraining order on the grounds that self-inflicted harm (i.e. Epic Game escalated by putting its own pay option on Fortnite to foil Apple’s 30% take on in-game sales and no public interest being present, one wonders if the company will prevail on this motion.
  • Apple filed a countersuit against Epic Games, arguing the latter breached its contract with the former and now must pay damages. In contrast, Epic Games is not suing for any monetary damages, surely a tactical decision to help its case in court and among interested observers.
    • Apple sought to portray Epic Games’ lawsuit this way:
      • Epic’s lawsuit is nothing more than a basic disagreement over money. Although Epic portrays itself as a modern corporate Robin Hood, in reality it is a multi-billion dollar enterprise that simply wants to pay nothing for the tremendous value it derives from the App Store. Epic’s demands for special treatment and cries of “retaliation” cannot be reconciled with its flagrant breach of contract and its own business practices, as it rakes in billions by taking commissions on game developers’ sales and charging consumers up to $99.99 for bundles of “V-Bucks.”
      • Epic decided that it would like to reap the benefits of the App Store without paying anything for them. Armed with the apparent view that Epic is too successful to play by the same rules as everyone else—and notwithstanding a public proclamation that Epic “w[ould] not accept special revenue sharing or payment terms just for ourselves”1—Epic CEO Tim Sweeney emailed Apple executives on June 30, 2020, requesting a “side letter” that would exempt Epic from its existing contractual obligations, including the App Store Review Guidelines (the “Guidelines”) that apply equally to all Apple developers. Among other things, Mr. Sweeney demanded a complete end-run around “Apple’s fees”—specifically, Epic wished to continue taking full advantage of the App Store while allowing consumers to pay Epic instead, leaving Apple to receive no payment whatsoever for the many services it provides developers and consumers.
    • Apple contended “[t]his Court should hold Epic to its contractual promises, award Apple compensatory and punitive damages, and enjoin Epic from engaging in further unfair business practices.”
  • The General Services Administration (GSA) released a draft Data Ethics Framework as part of implementing the Trump Administration’s Federal Data Strategy.
    • GSA noted
      • The Federal Data Strategy, delivered in December 2019, recognized the importance of ethics in its founding Principles. When the Federal Data Strategy team created the 2020 Action Plan, they specifically tasked the General Services Administration (GSA) with developing a Data Ethics Framework (Framework)in Action 14to help agency employees, managers, and leaders make ethical decisions as they acquire, manage, and use data.
      • The resulting Framework is intended to be a “living” resource and to be regularly updated by the CDO Council and ICSP. The Framework incorporates the input and terminology from stakeholders representing many domains, and who use different types of data in different ways. The developers of the Framework recognize that some terms may be used differently, depending on the context, type of data being used, and stage in the data lifecycle.
      • The Framework applies to all data types and data uses. The Framework consists of four parts:
        • About the Data Ethics Framework outlines the intended purpose and audience of this document
        • Data Ethics Defined explores the meaning of the term “data ethics,” as background to the Tenets provided in the following section
        • Data Ethics Tenets provides seven Tenets, or high-level principles, for using data ethically within the Federal Government
        • Data Ethics Tenets in Action describes the benefits of data ethics and contains use cases demonstrating how the Tenets can guide data activities within federal agencies and federally sponsored programs
      • The Administration claimed the 2020 Action Plan “establishes a solid foundation that will support implementation of the strategy over the next decade…[and] identifies initial actions for agencies that are essential for establishing processes, building capacity, and aligning existing efforts to better leverage data as a strategic asset.” The use of federal data holds a key place in the President’s Management Agenda (PMA) and, according to the Administration, will be a key driver in transforming how the federal government operates, particularly in relation to technology. The 2020 Action Plan lays out the steps agencies will be expected to take to realize the Administration’s 10-year Federal Data Strategy. As always, results will be informed by follow through and prioritization by the Office of Management and Budget (OMB) and buy-in from agency leadership.
      • Notably, the Administration tied the 2020 Action Plan to a number of other ongoing initiatives that rely heavily on data. The Administration said the plan “incorporates requirements of the Foundations for Evidence-Based Policymaking Act of 2018, the Geospatial Data Act of 2018, and Executive Order 13859 on Maintaining American Leadership in Artificial Intelligence.”
  • The Office of the Australian Information Commissioner (OAIC) published “its Corporate Plan for 2020-21, which sets out its strategic priorities and key activities for the next four years” according to its press release. The OAIC stated “[t]he plan identifies four strategic priorities that will help the OAIC achieve its vision to increase public trust and confidence in the protection of personal information and access to government-held information:
    • Advance online privacy protections for Australians
    • Influence and uphold privacy and information access rights frameworks
    • Encourage and support proactive release of government-held information, and
    • Contemporary approach to regulation.
    • The agency stated:
      • Over the coming year, the OAIC will continue to promote strong privacy protections for the use of personal information to prevent and manage the spread of COVID-19, including oversight of data handling within the COVIDSafe app system. 
      • Strengthening privacy protections in the online environment remains a key focus for the organisation, while privacy law reform will be a priority in 2020-21, with the Australian Government’s review of the Privacy Act an opportunity to ensure the regulatory framework can respond to new challenges in the digital environment.
      • Commissioner [Angelene] Falk said the OAIC will also enforce privacy safeguards under the Consumer Data Right and will continue its work to improve transparency and prevent harm to consumers through its oversight of the Notifiable Data Breaches scheme.
  • Ontario’s Ministry of Government and Consumer Services “launched consultations to improve the province’s privacy protection laws” and stakeholders “will have the opportunity to contribute to strengthening transparency and accountability concerning the collection, use and safeguarding of personal information online.” Ontario “is seeking advice on ways to:
    • Increase transparency for individuals, providing Ontarians with more detail about how their information is being used by businesses and organizations.
    • Enhance consent provisions allowing individuals to revoke consent at any time, and adopting an “opt-in” model for secondary uses of their information.
    • Introduce a right for individuals to request information related to them be deleted, subject to limitations (this is otherwise known as “right to erasure” or “the right to be forgotten”).
    • Introduce a right for individuals to obtain their data in a standard and portable digital format, giving them greater freedom to change service providers without losing their data (this is known as “data portability”).
    • Increase enforcement powers for the Information and Privacy Commissioner to ensure businesses comply with the law, including giving the commissioner the ability to impose penalties.
    • Introduce requirements for data that has been de-identified and derived from personal information to provide clarity of applicability of privacy protections.
    • Expand the scope and application of the law to include non-commercial organizations, including not-for-profits, charities, trade unions and political parties.
    • Create a legislative framework to enable the establishment of data trusts for privacy protective data sharing.
  • The United States (U.S.) Department of Homeland Security (DHS) Office of the Inspector General (OIG) issued “Progress and Challenges in Modernizing DHS’ Information Technology (IT) Systems and Infrastructure” and found fault with these three systems:
    • DHS-wide Human Resources IT (HRIT)
    • DHS Legacy Major IT Financial System that “[s]erves as Coast Guard and Transportation Security Agency’s (TSA) financial system of record.
    • Federal Emergency Management Agency (FEMA) Grants Management Mission Domain and Operational Environment
    • The OIG stated
      • The DHS 2019–2023 IT strategic plan included two distinct department-wide IT modernization initiatives: to adopt cloud-based computing and to consolidate data centers. However, not all components have complied with or fully embraced these efforts due to a lack of standard guidance and funding. Without consistent implementation of these efforts, DHS components remain hindered in their ability to provide personnel with more enhanced, up-to-date technology.
      • In the meantime, DHS continues to rely on deficient and outdated IT systems to perform mission-critical operations. We identified three legacy IT systems with significant operational challenges that negatively affected critical DHS functions, such as human resources and financial management, as well as disaster recovery mission operations. DHS has not made sufficient progress in replacing or augmenting these IT systems due to ineffective planning and inexperience in executing complex IT modernization efforts. Additionally, the DHS CIO has not performed mandated oversight of legacy IT to mitigate and reduce risks associated with outdated systems. Until DHS addresses these issues, it will continue to face significant challenges to accomplish mission operations efficiently and effectively
    • The OIG recommended:
      • We recommend the DHS OCIO develop department-wide guidance for implementing cloud technology and migrating legacy IT systems to the cloud. Recommendation
      • We recommend the DHS OCIO coordinate with components to develop and finalize a data center migration approach to accomplish strategic goals for reducing the footprint of DHS IT infrastructure. Recommendation
      • We recommend the DHS OCIO establish a process to assign risk ratings for major legacy IT investments, as required by the Federal Information Technology Acquisition Reform Act.
  • The University of Toronto’s Citizen Lab and the International Human Rights Program at the University of Toronto’s Faculty of Law published a report “To Surveil and Predict: A Human Rights Analysis of Algorithmic Policing in Canada” that “focuses on the human rights and constitutional law implications of the use of algorithmic policing technologies by law enforcement authorities.” The authors found:
    • The research conducted for this report found that multiple law enforcement agencies across Canada have started to use, procure, develop, or test a variety of algorithmic policing methods. These programs include using and both developing predictive policing technologies and using algorithmic surveillance tools. Additionally, some law enforcement agencies have acquired tools with the capability of algorithmic policing technology, but they are not currently using that capability because, to date, they have not decided to do so. 
    • The authors “analyze the potential impacts of algorithmic policing technologies on the following rights: the right to privacy; the right to freedoms of expression, peaceful assembly, and association; the right to equality and freedom from discrimination; the right to liberty and to be free from arbitrary detention; the right to due process; and the right to a remedy.”
  • The United States (U.S.) Department of Homeland Security (DHS) issued “the Electromagnetic Pulse (EMP) Program Status Report as part of an update on efforts underway in support of Executive Order (E.O.) 13865 on Coordinating National Resilience to Electromagnetic Pulses…[that] establishes resilience and security standards for U.S. critical infrastructure as a national priority.”
    • DHS stated
      • E.O.13865 states, “An electromagnetic pulse (EMP) has the potential to disrupt, degrade, and damage technology and critical infrastructure systems. Human-made or naturally occurring EMPs can affect large geographic areas, disrupting elements critical to the Nation’s security and economic prosperity, and could adversely affect global commerce and stability. The federal government must foster sustainable, efficient, and cost-effective approaches to improving the Nation’s resilience to the effects of EMPs.”
      • In accordance with E.O.13865, the Department has identified initial critical infrastructure and associated functions that are at greatest risk from an EMP and is focusing efforts on the development and implementation of evidence-based and independently-tested EMP protection and mitigation technologies and resilience best practices. Initial efforts within the Department, working across the federal interagency, have focused on risk management to both the Energy and Communications Sectors.
  • Two United States Magistrate Judges denied three requests for a geofence warrant to serve on Google to obtain cell phone data from an area of Chicago for three forty-five minutes periods on three different days. The courts took the unusual step of unsealing the opinions for the proceedings which are not adversarial because the person or people suspected of being involved with the alleged crime are presumably unaware and therefore cannot contest the warrant application. If Google took an adversarial position, there is no indication in the decisions the company did so. However, Google did state in a filing that “[b]etween 2017 and 2018, Google saw a 1,500% increase in geofence requests…[and] [b]etween 2018 and 2019, that figure shot up another 500%.”
    • Moreover, one wonders if prosecutors did not also seek similar warrant requests from other companies such as telecommunications providers. Nonetheless, the judges ruled the geofence warrant requests violated the Fourth Amendment to the U.S. Constitution in a number of ways and suggested that narrower, more particular requests might have been legal.
    • In the first denial, the magistrate judge explained:
      • As to the first geofence request, the government has probable cause to believe that the suspect received the stolen pharmaceuticals from a commercial enterprise located within the designated geofence area during the designated forty-five minute interval in the early afternoon hours on the day of the first geofence request. The geofence, which has a 100-meter radius, is in a densely populated city, and the area contains restaurants, various commercial establishments, and at least one large residential complex, complete with a swimming pool, workout facilities, and other amenities associated with upscale urban living.
      • The second and third geofence requests focus on the same commercial enterprise where the government has probable cause to believe that the suspect shipped some of the stolen pharmaceuticals to a buyer, who purchased the pharmaceuticals from the suspect at the government’s direction. Again, the government’s requested geofence is a I00-meter radius area extending from the commercial establishment where the suspect shipped the pharmaceuticals and covers two separate dates for forty-five minute intervals in the early afternoon hours. This geofence includes medical offices and other single and multi-floor commercial establishments that are likely to have multiple patrons during the early afternoon hours.
      • The warrant application contemplates that the information will be obtained in three stages: (l) Google will be required to disclose to the government an anonymized list of devices that specifies information including the corresponding unique device ID, timestamp, coordinates, and data source, if available, of the devices that reported their location within the geofence during the forty-five minute periods; (2) the government will then review the list to prioritize the devices about which it wishes to obtain associated information; and (3) Google will then be required to disclose to the government the information identifying the Google account(s) for those devices about which the government further inquiries. The warrant application includes no criteria or limitations as to which cellular telephones government agents can seek additional information.

Further Reading

  • A Saudi Prince’s Attempt to Silence Critics on Twitter” By Bradley Hope and Justin Scheck – WIRED. Considering the United States Department of Justice indictments against three Saudi nationals in November 2019 and resulting news stories (“Why Do We Tolerate Saudi Money in Tech?” – The New York Times and “Former Twitter employees charged with spying for Saudi Arabia by digging into the accounts of kingdom critics” – The Washington Post), one would think what news is there in this excerpt on a book. But we learn that Twitter’s anti-establishment stance led the company’s lawyers to suspend the Saudi Twitter employee who the target of a U.S. investigation which allowed him to flee the U.S. Government lawyers were livid. The bigger issue is foreign operatives infiltrated social media platforms and then reaping information about selected people, especially dissidents.
  • When Algorithms Give Real Students Imaginary Grades” By Meredith Broussard – The New York Times. The International Baccalaureate (IB) program used an algorithm to hand out grades this past spring when in-person exams were cancelled. It did not go well as you might imagine. The same was true in the United Kingdom for its A-level exams, causing a furor there. The case id made for never using algorithms in education or related fields.
  • Wheely ride-hailing app writes to UK privacy watchdog over Moscow data demands” By Simon Goodley – The Guardian. A British ride-sharing company wrote the United Kingdom’s data protection authority about data requests made by the Moscow Department of Transportation (MDOT) on individual riders. Wheely made the case to the Information Commissioner’s Office (ICO) that it could not hand over the data under the General Data Protection Regulation (GDPR) unlike some of the app’s rivals who apparently complied with the demand. It is not clear whether the company’s GDPR obligations would apply in another jurisdiction. It may possible Wheely is trying to smear the other companies in the U.K.
  • Deepfake porn is now mainstream. And major sites are cashing in” By Matt BurgessWired. Through the use of artificial intelligence technology, people are making fake pornography in which actresses’ faces are affixed to women’s bodies that are engaged in sexual acts. These deepfake porn videos are soaring in popularity, and there are often not good options for taking them down or taking legal action. This is another area in which technology has outpaced policy and law.
  • Most cyber-security reports only focus on the cool threats” By Catalin Cimpanu – ZDNet. Turns out that commercial threat reports are issued with an eye towards generating business and considering that governments and huge contractors have the deepest pockets, the issues of concern are covered while other less lucrative areas like threats to civil society are largely ignored. These reports also influence policymakers and give them a distorted picture of cyber threats.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.