Preview of Senate Democratic Chairs

It’s not clear who will end up where, but new Senate chairs will change the focus and agenda of committees and debate over the next two years.

With the victories of Senators-elect Raphael Warnock (D-GA) and Jon Ossoff (D-GA), control of the United States Senate will tip to the Democrats once Vice President-elect Kamala Harris (D) is sworn in and can break the 50-50 tie in the chamber in favor of the Democrats. With the shift in control, new chairs will take over committees key to setting the agenda over the next two years in the Senate. However, given the filibuster, and the fact that Senate Republicans will exert maximum leverage through its continued use, Democrats will be hamstrung and forced to work with Republicans on matters such as federal privacy legislation, artificial intelligence (AI), the Internet of Things (IoT), cybersecurity, data flows, surveillance, etc. just as Republicans have had to work with Democrats over the six years they controlled the chamber. Having said that, Democrats will be in a stronger position than they had been and will have the power to set the agenda in committee hearings, being empowered to call the lion’s share of witnesses and to control the floor agenda. What’s more, Democrats will be poised to confirm President-elect Joe Biden’s nominees at agencies like the Federal Communications Commission (FCC), Federal Trade Commission (FTC), the Department of Justice (DOJ), and others, giving the Biden Administration a free hand in many areas of technology policy.

All of that being said, this is not meant to be an exhaustive look at all the committees of jurisdiction and possible chairs. Rather, it seeks to survey likely chairs on selected committees and some of their priorities for the next two years. Subcommittee chairs will also be important, but until the cards get shuffled among the chairs, it will not be possible to see where they land at the subcommittee level.

When considering the possible Democratic chairs of committees, one must keep in mind it is often a matter of musical chairs with the most senior members getting first choice. And so, with Senator Patrick Leahy (D-VT) as the senior-most Democratic Senator, he may well choose to leave the Appropriations Committee and move back to assume the gavel of the Judiciary Committee. Leahy has long been a stakeholder on antitrust, data security, privacy, and surveillance legislation and would be in a position to influence what bills on those and other matters before the Senate look like. If Leahy does not move to the chair on Judiciary, he may still be entitled to chair a subcommittee and exert influence.

If Leahy stays put, then current Senate Minority Whip Dick Durbin (D-IL) would be poised to leapfrog Senator Dianne Feinstein (D-CA) to chair Judiciary after Feinstein was persuaded to step aside on account of her lackluster performance in a number of high-profile hearings in 2020. Durbin has also been active on privacy, data security, and surveillance issues. The Judiciary Committee will be central to a number of technology policies, including Foreign Intelligence Surveillance Act reauthorization, privacy legislation, Section 230 reform, antitrust, and others. On the Republican side of the dais, Senator Lindsey Graham (R-SC) is leaving the top post because of term limit restrictions imposed by Republicans, and Senator Charles Grassley (R-IA) is set to replace him. How this changes the 47 USC 230 (Section 230) debate is not immediately clear. And yet, Grassley and three colleagues recently urged the Trump Administration in a letter to omit language in a trade agreement with the United Kingdom (UK) that mirrors the liability protection of Section 230. Senators Rob Portman (R-OH), Mark R. Warner (D-VA), Richard Blumenthal (D-CT), and Grassley argued to U.S. Trade Representative Ambassador Robert Lighthizer that a “safe harbor” like the one provided to technology companies for hosting or moderating third party content is outdated, not needed in a free trade agreement, contrary to the will of both the Congress and UK Parliament, and likely to be changed legislatively in the near future. It is likely, however, Grassley will fall in with other Republicans propagating the narrative that social media is unfairly biased against conservatives, particularly in light of the recent purge of President Donald Trump for his many, repeated violations of policy.

The Senate Judiciary Committee will be central in any policy discussions of antitrust and anticompetition in the technology realm. But it bears note the filibuster (and the very low chances Senate Democrats would “go nuclear” and remove all vestiges of the functional supermajority requirement to pass legislation) will give Republicans leverage to block some of the more ambitious reforms Democrats might like to enact (e.g. the House Judiciary Committee’s October 2020 final report that calls for nothing less than a complete remaking of United States (U.S.) antitrust policy and law; see here for more analysis.)

It seems Senator Sherrod Brown (D-OH) will be the next chair of the Senate Banking, Housing, and Urban Development Committee which has jurisdiction over cybersecurity, data security, privacy, and other issues in the financial services sector, making it a player on any legislation designed to encompass the whole of the United States economy. Having said that, it may again be the case that sponsors of, say, privacy legislation decide to cut the Gordian knot of jurisdictional turf battles by cutting out certain committees. For example, many of the privacy bills had provisions making clear they would deem financial services entities in compliance with the Financial Services Modernization Act of 1999 (P.L. 106-102) (aka Gramm-Leach-Bliley) to be in compliance with the new privacy regime. I suppose these provisions may have been included on the basis of the very high privacy and data security standards Gramm-Leach-Bliley has brought about (e.g. the Experian hack), or sponsors of federal privacy legislation made the strategic calculation to circumvent the Senate Banking Committee as much as they can. Nonetheless, this committee has sought to insert itself into the policymaking process on privacy last year as Brown and outgoing Chair Mike Crapo (R-ID) requested “feedback” in February 2019 “from interested stakeholders on the collection, use and protection of sensitive information by financial regulators and private companies.” Additionally, Brown released what may be the most expansive privacy bill from the perspective of privacy and civil liberties advocates, the “Data Accountability and Transparency Act of 2020” in June 2020 (see here for my analysis.) Therefore, Brown may continue to push for a role in federal privacy legislation with a gavel in his hands.

In a similar vein, Senator Patty Murray (D-WA) will likely take over the Senate Health, Education, Labor, and Pensions (HELP) Committee which has jurisdiction over health information privacy and data security through the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). Again, as with the Senate Banking Committee and Gramm-Leach-Bliley, most of the privacy bills exempt HIPAA-compliant entities. And yet, even if her committee is cut out of a direct role in privacy legislation, Murray will still likely exert influence through oversight of and possible legislation changing HIPAA regulations and the Department of Health and Human Services (HHS) enforcement and rewriting of these standards for most of the healthcare industry. For example, HHS is rushing a rewrite of the HIPAA regulations at the tail end of the Trump Administration, and Murray could be in a position to inform how the Biden Administration and Secretary of Health and Human Services-designate Xavier Becerra handles this rulemaking. Additionally, Murray may push the Office of Civil Rights (OCR), the arm of HHS that writes and enforces these regulations, to prioritize matters differently.

Senator Maria Cantwell (D-WA) appears to be the next chair of the Senate Commerce, Science, and Transportation Committee and will hold arguably the largest technology portfolio in the Senate. It is the primary committee of jurisdiction for the FCC, FTC, National Telecommunications and Information Administration (NTIA), the National Institute of Standards and Technology (NIST), and the Department of Commerce. Cantwell may exert influence on which people are nominated to head and staff those agencies and others. Her committee is also the primary committee of jurisdiction for domestic and international privacy and data protection matters. And so, federal privacy legislation will likely be drafted by this committee, and legislative changes so the U.S. can enter into a new personal data sharing agreement with the European Union (EU) would also likely involve her and her committee.

Cantwell and likely next Ranking Member Roger Wicker (R-MS) agree on many elements of federal privacy law but were at odds last year on federal preemption and whether people could sue companies for privacy violations. Between them, they circulated three privacy bills. In September 2020, Wicker and three Republican colleagues introduced the “Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act” (S.4626) (see here for more analysis). Wicker had put out for comment a discussion draft, the “Consumer Data Privacy Act of 2019” (CDPA) (See here for analysis) in November 2019 shortly after the Ranking Member on the committee, Senator Maria Cantwell (D-WA) and other Democrats had introduced their privacy bill, the “Consumer Online Privacy Rights Act” (COPRA) (S.2968) (See here for more analysis).

Cantwell could also take a leading role on Section 230, but her focus, of late, seems to be on how technology companies are wreaking havoc on traditional media. She released a report that she mentioned during her opening statement at the 23 September hearing aimed at trying to revive data privacy legislation. She and her staff investigated the decline and financial troubles of local media outlets, which are facing a cumulative loss in advertising revenue of up to 70% since 2000. And since advertising revenue has long been the life blood of print journalism, this has devastated local media with many outlets shutting their doors or radically cutting their staff. This trend has been exacerbated by consolidation in the industry, often in concert with private equity or hedge funds looking to wring the last dollars of value from bargain basement priced newspapers. Cantwell also claimed that the overwhelming online advertising dominance of Google and Facebook has further diminished advertising revenue and other possible sources of funding through a variety of means. She intimates that much of this content may be illegal under U.S. law, and the FTC may well be able to use its Section 5 powers against unfair and deceptive acts and its anti-trust authority to take action. (see here for more analysis and context.) In this vein, Cantwell will want her committee to play in any antitrust policy changes, likely knowing massive changes in U.S. law are not possible in a split Senate with entrenched party positions and discipline.

Senator Jack Reed (D-RI) will take over the Senate Armed Services Committee and its portfolio over national security technology policy that includes the cybersecurity, data protection and supply chain of national security agencies and their contractors, AI, offensive and defensive U.S. cyber operations, and other realms. Many of the changes Reed and his committee will seek to make will be through the annual National Defense Authorization Act (NDAA) (see here and here for the many technology provisions in the FY 2021 NDAA.) Reed may also prod the Department of Defense (DOD) to implement or enforce the Cybersecurity Maturity Model Certification (CMMC) Framework differently than envisioned and designed by the Trump Administration. In December 2020, a new rule took effect designed to drive better cybersecurity among U.S. defense contractors. This rule brings together two different lines of effort to require the Defense Industrial Base (DIB) to employ better cybersecurity given the risks they face by holding and using classified information, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The Executive Branch has long wrestled with how to best push contractors to secure their systems, and Congress and the White House have opted for using federal contract requirements in that contractors must certify compliance. However, the most recent initiative, the CMMC Framework, will require contractors to be certified by third party assessors. And yet, it is not clear the DOD has wrestled with the often-misaligned incentives present in third party certification schemes.

Reed’s committee will undoubtedly delve deep into the recent SolarWinds hack and implement policy changes to avoid a reoccurrence. Doing so may lead the Senate Armed Services Committee back to reconsidering the Cyberspace Solarium Commission’s (CSC) March 2020 final report and follow up white papers, especially their views embodied in “Building a Trusted ICT Supply Chain.”

Senator Mark Warner (D-VA) will likely take over the Senate Intelligence Committee. Warner has long been a stakeholder on a number of technology issues and would be able to exert influence on the national security components of such issues. He and his committee will almost certainly play a role in the Congressional oversight of and response to the SolarWinds hack. Likewise, his committee shares jurisdiction over FISA with the Senate Judiciary Committee and over national security technology policy with the Armed Services Committee.

Senator Amy Klobuchar (D-MN) would be the Senate Democratic point person on election security from her perch at the Senate Rules and Administration Committee, which may enable her to more forcefully push for the legislative changes she has long advocated for. In May 2019, Klobuchar and other Senate Democrats introduced the “Election Security Act” (S. 1540), the Senate version of the stand-alone measure introduced in the House that was taken from the larger package, the “For the People Act” (H.R. 1) passed by the House.

In August 2018, the Senate Rules and Administration Committee postponed indefinitely a markup on a compromise bill to provide states additional assistance in securing elections from interference, the “Secure Elections Act” (S.2593). Reportedly, there was concern among state officials that a provision requiring audits of election results would be in effect an unfunded mandate even though this provision was softened at the insistence of Senate Republican leadership. However, a Trump White House spokesperson indicated in a statement that the Administration opposed the bill, which may have posed an additional obstacle to Committee action. However, even if the Senate had passed its bill, it was unlikely that the Republican-controlled House would have considered companion legislation (H.R. 6663).

Senator Gary Peters (D-MI) may be the next chair of the Senate Homeland Security and Governmental Affairs Committee, and if so, he will continue to face the rock on which many a bark of cybersecurity legislation has been dashed: Senator Ron Johnson (R-WI). So significant has Johnson’s opposition been to bipartisan cybersecurity legislation from the House, some House Republican stakeholders have said so in media accounts, not bothering to hide in anonymity. And so whatever Peters’ ambitions may be to shore up the cybersecurity of the federal government as his committee will play a role in investigating and responding to the Russian hack of SolarWinds and many federal agencies, he will be limited by whatever Johnson and other Republicans will allow to move through the committee and through the Senate. Of course, Peters’ purview would include the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA) and its remit to police the cybersecurity practices of the federal government. Peters would also have in his portfolio the information technology (IT) practices of the federal government, some $90 billion annually across all agencies.

Finally, whether it be Leahy or Durbin at the Senate Appropriations Committee, this post allows for immense influence in funding and programmatic changes in all federal programs through the power of the purse Congress holds.

Further Reading, Other Developments, and Coming Events (19 August)

Coming Events

  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.” By 21 August, the FTC “is seeking comment on a range of issues including:
    • How are companies currently implementing data portability? What are the different contexts in which data portability has been implemented?
    • What have been the benefits and costs of data portability? What are the benefits and costs of achieving data portability through regulation?
    • To what extent has data portability increased or decreased competition?
    • Are there research studies, surveys, or other information on the impact of data portability on consumer autonomy and trust?
    • Does data portability work better in some contexts than others (e.g., banking, health, social media)? Does it work better for particular types of information over others (e.g., information the consumer provides to the business vs. all information the business has about the consumer, information about the consumer alone vs. information that implicates others such as photos of multiple people, comment threads)?
    • Who should be responsible for the security of personal data in transit between businesses? Should there be data security standards for transmitting personal data between businesses? Who should develop these standards?
    • How do companies verify the identity of the requesting consumer before transmitting their information to another company?
    • How can interoperability among services best be achieved? What are the costs of interoperability? Who should be responsible for achieving interoperability?
    • What lessons and best practices can be learned from the implementation of the data portability requirements in the GDPR and CCPA? Has the implementation of these requirements affected competition and, if so, in what ways?”
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • The United States (U.S.) Department of Commerce tightened its chokehold on Huawei’s access to United States’ semiconductors and chipsets vital to its equipment and services. This rule follows a May rule that significantly closed off Huawei’s access to the point that many analysts are projecting the People’s Republic of China company will run out of these crucial technologies sometime next year without a suitable substitute, meaning the company may not be able to sell its smartphone and other leading products. In its press release, the department asserted the new rule “further restricts Huawei from obtaining foreign made chips developed or produced from U.S. software or technology to the same degree as comparable U.S. chips.”
    • Secretary of Commerce Wilbur Ross argued “Huawei and its foreign affiliates have extended their efforts to obtain advanced semiconductors developed or produced from U.S. software and technology in order to fulfill the policy objectives of the Chinese Communist Party.” He contended “[a]s we have restricted its access to U.S. technology, Huawei and its affiliates have worked through third parties to harness U.S. technology in a manner that undermines U.S. national security and foreign policy interests…[and] [t]his multi-pronged action demonstrates our continuing commitment to impede Huawei’s ability to do so.”
    • The Department of Commerce’s Bureau of Industry and Security (BIS) stated in the final rule that it is “making three sets of changes to controls for Huawei and its listed non-U.S. affiliates under the Export Administration Regulations (EAR):
      • First, BIS is adding additional non-U.S. affiliates of Huawei to the Entity List because they also pose a significant risk of involvement in activities contrary to the national security or foreign policy interests of the United States.
      • Second, this rule removes a temporary general license for Huawei and its non-U.S. affiliates and replaces those provisions with a more limited authorization that will better protect U.S. national security and foreign policy interests.
      • Third, in response to public comments, this final rule amends General Prohibition Three, also known as the foreign-produced direct product rule, to revise the control over certain foreign-produced items recently implemented by BIS.”
    • BIS claimed “[t]hese revisions promote U.S. national security by limiting access to, and use of, U.S. technology to design and produce items outside the United States by entities that pose a significant risk of involvement in activities contrary to the national security or foreign policy interests of the United States.”
    • One technology analyst claimed “[t]he U.S. moves represent a significant tightening of restrictions over Huawei’s ability to procure semiconductors…[and] [t]hat puts into significant jeopardy its ability to continue manufacturing smartphones and base stations, which are its core products.”
  • The Office of Management and Budget (OMB) and the Office of Science and Technology Policy (OSTP) have released their annual guidance to United States departments and agencies to direct their budget requests for FY 2022 with respect to research and development (R&D). OMB explained:
    • For FY2022, the five R&D budgetary priorities in this memorandum ensure that America remains at the global forefront of science and technology (S&T) discovery and innovation. The Industries of the Future (IotF) - artificial intelligence (AI), quantum information sciences (QIS), advanced communication networks/5G, advanced manufacturing, and biotechnology - remain the Administration’s top R&D priority. This includes fulfilling President Trump’s commitment to double non-defense AI and QIS funding by FY2022:
      • American Public Health Security and Innovation
      • American Leadership in the Industries of the Future and Related Technologies
      • American Security
      • American Energy and Environmental Leadership
      • American Space Leadership
    • In light of the significant health and economic disruption caused by the COVID-19 pandemic, the FY2022 memorandum includes a new R&D priority aimed at American Public Health Security and Innovation. This priority brings under a single, comprehensive umbrella biomedical and biotechnology R&D aimed at responding to the pandemic and ensuring the U.S. S&T enterprise is maximally prepared for any health-related threats.
    • Lastly, this memorandum also describes four high-priority crosscutting actions. These actions include research and related strategies that underpin the five R&D priorities and ensure departments and agencies deliver maximum return on investment to the American people:
      • Build the S&T Workforce of the Future
      • Optimize Research Environments and Results
      • Facilitate Multisector Partnerships and Technology Transfer
      • Leverage the Power of Data
  • Despite the Trump Administration touting its R&D priorities and achievements, the non-partisan Congressional Research Service noted:
    • President Trump’s budget request for FY2021 includes approximately $142.2 billion for research and development (R&D) for FY 2021, $13.8 billion (8.8%) below the FY2020 enacted level of $156.0 billion. In constant FY 2020 dollars, the President’s FY 2021 R&D request would result in a decrease of $16.6 billion (10.6%) from the FY 2020 level.
  • Two key chairs of subcommittees of the Senate Commerce, Science, and Transportation Committee are pressing the Federal Trade Commission (FTC) to investigate TikTok’s data collection and processing practices. This Committee has primary jurisdiction over the FTC in the Senate and is a key stakeholder on data and privacy issues.
    • In their letter, Consumer Protection Subcommittee Chair Jerry Moran (R-KS) and Communications, Technology, Innovation Chair John Thune (R-SD) explained they “are seeking specific answers from the FTC related to allegations from a Wall Street Journal article that described TikTok’s undisclosed collection and transmission of unique persistent identifiers from millions of U.S. consumers until November 2019…[that] also described questionable activity by the company as it relates to the transparency of these data collection activities, and the letter seeks clarity on these practices.”
    • Moran and Thune asserted “there are allegations that TikTok discretely collected media access control (MAC) addresses, commonly used for advertisement targeting purposes, through Google Android’s operating system under an “unusual layer of encryption” through November 2019.” They said “[g]iven these reports and their potential relevancy to the “Executive Order on Addressing the Threat Posed by TikTok,” we urge the Federal Trade Commission (FTC) to investigate the company’s consumer data collection and processing practices as they relate to these accusations and other possible harmful activities posed to consumers.”
    • If the FTC were to investigate, find wrongdoing, and seek civil fines against TikTok, the next owner may be left to pay as the White House’s order to ByteDance to sell the company within three months will almost certainly be consummated before any FTC action is completed.
  • Massachusetts Attorney General Maura Healey (D) has established a “Data Privacy and Security Division within her office to protect consumers from the surge of threats to the privacy and security of their data in an ever-changing digital economy.” Healey has been one of the United States’ more active attorneys general on data privacy and technology issues, including her suit and settlement with Equifax for its massive data breach.
    • Her office explained:
      • The Data Privacy and Security Division investigates online threats and the unfair or deceptive collection, use, and disclosure of consumers’ personal data through digital technologies. The Division aims to empower consumers in the digital economy, ensure that companies are protecting consumers’ personal data from breach, protect equal and open access to the internet, and protect consumers from data-driven technologies that unlawfully deny them fair access to socioeconomic opportunities. The Division embodies AG Healey’s commitment to continue and grow on this critical work and ensure that data-driven technologies operate lawfully for the benefit of all consumers.
  • A California appeals court ruled that Amazon can be held liable for defective products third parties sell on its website. The appellate court reversed the trial court, which held Amazon could not be liable.
    • The appeals court recited the facts of the case:
      • Plaintiff Angela Bolger bought a replacement laptop computer battery on Amazon, the popular online shopping website operated by defendant Amazon.com, LLC. The Amazon listing for the battery identified the seller as “E-Life,” a fictitious name used on Amazon by Lenoge Technology (HK) Ltd. (Lenoge). Amazon charged Bolger for the purchase, retrieved the laptop battery from its location in an Amazon warehouse, prepared the battery for shipment in Amazon-branded packaging, and sent it to Bolger. Bolger alleges the battery exploded several months later, and she suffered severe burns as a result.
      • Bolger sued Amazon and several other defendants, including Lenoge. She alleged causes of action for strict products liability, negligent products liability, breach of implied warranty, breach of express warranty, and “negligence/negligent undertaking.”
    • The appeals court continued:
      • Amazon moved for summary judgment. It primarily argued that the doctrine of strict products liability, as well as any similar tort theory, did not apply to it because it did not distribute, manufacture, or sell the product in question. It claimed its website was an “online marketplace” and E-Life (Lenoge) was the product seller, not Amazon. The trial court agreed, granted Amazon’s motion, and entered judgment accordingly.
      • Bolger appeals. She argues that Amazon is strictly liable for defective products offered on its website by third-party sellers like Lenoge. In the circumstances of this case, we agree.
  • The National Institute of Standards and Technology (NIST) issued Special Publication 800-207, “Zero Trust Architecture,” that posits a different conceptual model for an organization’s cybersecurity than perimeter security. NIST claimed:
    • Zero trust security models assume that an attacker is present in the environment and that an enterprise-owned environment is no different—or no more trustworthy—than any nonenterprise-owned environment. In this new paradigm, an enterprise must assume no implicit trust and continually analyze and evaluate the risks to its assets and business functions and then enact protections to mitigate these risks. In zero trust, these protections usually involve minimizing access to resources (such as data and compute resources and applications/services) to only those subjects and assets identified as needing access as well as continually authenticating and authorizing the identity and security posture of each access request.
    • A zero trust architecture (ZTA) is an enterprise cybersecurity architecture that is based on zero trust principles and designed to prevent data breaches and limit internal lateral movement. This publication discusses ZTA, its logical components, possible deployment scenarios, and threats. It also presents a general road map for organizations wishing to migrate to a zero trust design approach and discusses relevant federal policies that may impact or influence a zero trust architecture.
    • ZT is not a single architecture but a set of guiding principles for workflow, system design and operations that can be used to improve the security posture of any classification or sensitivity level [FIPS199]. Transitioning to ZTA is a journey concerning how an organization evaluates risk in its mission and cannot simply be accomplished with a wholesale replacement of technology. That said, many organizations already have elements of a ZTA in their enterprise infrastructure today. Organizations should seek to incrementally implement zero trust principles, process changes, and technology solutions that protect their data assets and business functions by use case. Most enterprise infrastructures will operate in a hybrid zero trust/perimeter-based mode while continuing to invest in IT modernization initiatives and improve organization business processes.
  • The United Kingdom’s Government Communications Headquarters’ (GCHQ) National Cyber Security Centre (NCSC) released “Cyber insurance guidance” “for organisations of all sizes who are considering purchasing cyber insurance…not intended to be a comprehensive cyber insurance buyers guide, but instead focuses on the cyber security aspects of cyber insurance.” The NCSC stated “[i]f you are considering cyber insurance, these questions can be used to frame your discussions…[and] [t]his guidance focuses on standalone cyber insurance policies, but many of these questions may be relevant to cyber insurance where it is included in other policies.”

Further Reading

  • “I downloaded Covidwise, America’s first Bluetooth exposure-notification app. You should, too.” By Geoffrey Fowler – The Washington Post. The paper’s technology columnist blesses the Apple/Google Bluetooth exposure app and claims it protects privacy. One person on Twitter pointed out the Android version will not work unless location services are turned on, which is contrary to the claims made by Google and Apple, an issue the New York Times investigated last month. A number of European nations have pressed Google to remove this feature, and a Google spokesperson claimed the Android Bluetooth tracing capability did not use location services, begging the question why the prompt appears. Moreover, one of the apps Fowler names has had its own privacy issues as detailed by The Washington Post in May. As it turns out, Care19, a contact tracing app developed when the governor of North Dakota asked a friend who had designed an app for football fans to meet up, is violating its own privacy policy according to Jumbo, the maker of privacy software. Apparently, Care19 shares location and personal data with FourSquare when used on iPhones. Both Apple and state officials are at a loss to explain how this went unnoticed when the app was scrubbed for technical and privacy problems before being rolled out.
  • “Truss leads China hawks trying to derail TikTok’s London HQ plan” By Dan Sabbagh – The Guardian. ByteDance’s plan to establish a headquarters in London is now under attack by members of the ruling Conservative party for the company’s alleged role in persecuting the Uighur minority in Xinjiang. ByteDance has been eager to move to London and also eager to avoid the treatment that another tech company from the People’s Republic of China has gotten in the United Kingdom (UK): Huawei. Nonetheless, this decision may turn political as the government’s reversal on Huawei and 5G did. Incidentally, if Microsoft does buy part of TikTok, it would be buying operations in four of the five Five Eyes nations but not the UK.
  • “Human Rights Commission warns government over ‘dangerous’ use of AI” By Fergus Hunter – The Sydney Morning Herald. A cautionary tale regarding the use of artificial intelligence and algorithms in government decision-making. While this article nominally pertains to Australia’s Human Rights Commission advice to the country’s government, it is based, in large part, on a scandal in which an automated process illegally collected $721 million AUD from welfare beneficiaries. In the view of the Human Rights Commission, decision-making by humans is still preferable and more accurate than automated means.
  • “The Attack That Broke Twitter Is Hitting Dozens of Companies” By Andy Greenberg – WIRED. In the never-ending permutations of hacking, the past has become the present because the Twitter hackers use phone calls to talk their way into gaining access to a number of high-profile accounts (aka phone spear phishing). Other companies are suffering the same onslaught, proving the axiom that people may be the weakest link in cybersecurity. However, the phone calls are based on exacting research and preparation as hackers scour the internet for information on their targets and the companies themselves. A similar hack was reportedly executed by the Democratic People’s Republic of Korea (DPRK) against Israeli defense firms.
  • “Miami Police Used Facial Recognition Technology in Protester’s Arrest” By Connie Fossi and Phil Prazan – NBC Miami. The Miami Police Department used Clearview AI to identify a protestor that allegedly injured an officer but did not divulge this fact to the accused or her attorney. The department’s policy on facial recognition technology bars officers from making arrests solely on the basis of identification through such a system. Given the error rates many facial recognition systems have experienced with identifying minorities and the use of masks during the pandemic, which further decreases accuracy, it is quite likely people will be wrongfully accused and convicted using this technology.
  • “Big Tech’s Domination of Business Reaches New Heights” By Peter Eavis and Steve Lohr – The New York Times. Big tech has gotten larger, more powerful, and more indispensable in the United States (U.S.) during the pandemic, and one needs to go back to the railroads in the late 19th Century to find comparable companies. It is an open question whether their size and influence will change much no matter who is president of the U.S. next year.
  • “License plate tracking for police set to go nationwide” By Alfred Ng – c/net. A de facto national license plate reader may soon be activated in the United States (U.S.). Flock Safety unveiled the “Total Analytics Law Officers Network,” (TALON) that will link its systems of cameras in more than 700 cities, allowing police departments to track cars across multiple jurisdictions. As the U.S. has no national laws regulating the use of this and other similar technologies, private companies may set policy for the country in the short term.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (13 August)

Here are Further Reading, Other Developments, and Coming Events:

Coming Events

  • On 18 August, the National Institute of Standards and Technology (NIST) will host the “Bias in AI Workshop, a virtual event to develop a shared understanding of bias in AI, what it is, and how to measure it.”
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.

Other Developments

  • Senate Intelligence Committee Acting Chair Marco Rubio (R-FL) and Vice Chairman Mark Warner (D-VA) released a statement indicating the committee had voted to adopt the fifth and final volume of its investigation of the Russian Federation’s interference in the 2016 election. The committee had submitted the report to the Intelligence Community for vetting and has received the report with edits and redactions. The report could be released sometime over the next few weeks. Rubio and Warner stated “the Senate Intelligence Committee voted to adopt the classified version of the final volume of the Committee’s bipartisan Russia investigation. In the coming days, the Committee will work to incorporate any additional views, as well as work with the Intelligence Community to formalize a properly redacted, declassified, publicly releasable version of the Volume 5 report.” The Senate Intelligence Committee has released four previous reports:
  • The National Institute of Standards and Technology (NIST) is accepting comments until 11 September on draft Special Publication 800-53B, “Control Baselines for Information Systems and Organizations,” a guidance document that will serve a key role in the United States government’s efforts to secure and protect the networks and systems it operates and those run by federal contractors. NIST explained:
    • This publication establishes security and privacy control baselines for federal information systems and organizations and provides tailoring guidance for those baselines. The use of the security control baselines is mandatory, in accordance with OMB Circular A-130 [OMB A-130] and the provisions of the Federal Information Security Modernization Act [FISMA], which requires the implementation of a set of minimum controls to protect federal information and information systems. Whereas use of the privacy control baseline is not mandated by law or [OMB A-130], SP 800-53B, along with other supporting NIST publications, is designed to help organizations identify the security and privacy controls needed to manage risk and satisfy the security and privacy requirements in FISMA, the Privacy Act of 1974 [PRIVACT], selected OMB policies (e.g., [OMB A-130]), and designated Federal Information Processing Standards (FIPS), among others.
  • The United States Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released an “Election Vulnerability Reporting Guide” to provide “election administrators with a step-by-step guide, list of resources, and a template for establishing a successful vulnerability disclosure program to address possible vulnerabilities in their state and local election systems…[and] [t]he six steps include:
    • Step 1: Identify Systems Where You Would Accept Security Testing, and those Off-Limits
    • Step 2: Draft an Easy-to-Read Vulnerability Disclosure Policy (See Appendix III)
    • Step 3: Establish a Way to Receive Reports/Conduct Follow-On Communication
    • Step 4: Assign Someone to Thank and Communicate with Researchers
    • Step 5: Assign Someone to Vet and Fix the Vulnerabilities
    • Step 6: Consider Sharing Information with Other Affected Parties
  • The United Kingdom’s Information Commissioner’s Office (ICO) has issued “Guidance on AI and data protection” that “clarifies how you can assess the risks to rights and freedoms that AI can pose from a data protection perspective; and the appropriate measures you can implement to mitigate them.” The ICO explained “[w]hile data protection and ‘AI ethics’ overlap, this guidance does not provide generic ethical or design principles for your use of AI.” The ICO stated “[i]t corresponds to data protection principles, and is structured as follows:
    • part one addresses accountability and governance in AI, including data protection impact assessments (DPIAs);
    • part two covers fair, lawful and transparent processing, including lawful bases, assessing and improving AI system performance, and mitigating potential discrimination;
    • part three addresses data minimisation and security; and
    • part four covers compliance with individual rights, including rights related to automated decision-making.
  • 20 state attorneys general wrote Facebook Chief Executive Officer Mark Zuckerberg and Chief Operating Officer Sheryl Sandberg “to request that you take additional steps to prevent Facebook from being used to spread disinformation and hate and to facilitate discrimination.” They also asked “that you take more steps to provide redress for users who fall victim to intimidation and harassment, including violence and digital abuse.” The attorneys general said that “[b]ased on our collective experience, we believe that Facebook should take additional actions including the following steps—many of which are highlighted in Facebook’s recent Civil Rights Audit—to strengthen its commitment to civil rights and fighting disinformation and discrimination:
    • Aggressively enforce Facebook policies against hate speech and organized hate organizations: Although Facebook has developed policies against hate speech and organizations that peddle it, we remain concerned that Facebook’s policies on Dangerous Individuals and Organizations, including but not limited to its policies on white nationalist and white supremacist content, are not enforced quickly and comprehensively enough. Content that violates Facebook’s own policies too often escapes removal just because it comes as coded language, rather than specific magic words. And even where Facebook takes steps to address a particular violation, it often fails to proactively address the follow-on actions by replacement or splinter groups that quickly emerge.
    • Allow public, third-party audits of hate content and enforcement: To gauge the ongoing progress of Facebook’s enforcement efforts, independent experts should be permitted access to the data necessary to conduct regular, transparent third-party audits of hate and hate-related misinformation on the platform, including any information made available to the Global Oversight Board. As part of this effort, Facebook should capture data on the prevalence of different forms of hate content on the platform, whether or not covered by Facebook’s own community standards, thus allowing the public to determine whether enforcement of anti-hate policies differs based on the type of hate content at issue.
    • Commit to an ongoing, independent analysis of Facebook’s content population scheme and the prompt development of best practices guidance: By funneling users toward particular types of content, Facebook’s content population scheme, including its algorithms, can push users into extremist online communities that feature divisive and inflammatory messages, often directed at particular groups. Although Facebook has conducted research and considered programs to reduce this risk, there is still no mandatory guidance for coders and other teams involved in content population. Facebook should commit to an ongoing, independent analysis of its content population scheme, including its algorithms, and also continuously implement mandatory protocols as best practices are identified to curb bias and prevent recommendations of hate content and groups.
    • Expand policies limiting inflammatory advertisements that vilify minority groups: Although Facebook currently prohibits ads that claim that certain people, because of their membership in a protected group, pose a threat to the physical safety of communities or the nation, its policies still allow attacks that characterize such groups as threats to national culture or values. The current prohibition should be expanded to include such ads.
  • New Zealand’s Ministry of Statistics “launched the Algorithm Charter for Aotearoa New Zealand” that “signals that [the nation’s agencies] are committed to being consistent, transparent and accountable in their use of algorithms.”
    • The Ministry explained “[t]he Algorithm Charter is part of a wider ecosystem and works together with existing tools, networks and research, including:
      • Principles for the Safe and Effective Use of Data and Analytics (Privacy Commissioner and Government Chief Data Steward, 2018)
      • Government Use of Artificial Intelligence in New Zealand (New Zealand Law Foundation and Otago University, 2019)
      • Trustworthy AI in Aotearoa – AI Principles (AI Forum New Zealand, 2020)
      • Open Government Partnership, an international agreement to increase transparency.
      • Data Protection and Use Policy (Social Wellbeing Agency, 2020)
      • Privacy, Human Rights and Ethics Framework (Ministry of Social Development).
  • The European Union (EU) imposed its first cyber sanctions under its Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities (aka the cyber diplomacy toolbox) against six hackers and three entities from the Russian Federation, the People’s Republic of China (PRC) and the Democratic People’s Republic of Korea for attacks against the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands, the malware attacks known as Petya and WannaCry, and Operation Cloud Hopper. The EU’s cyber sanctions follow sanctions the United States has placed on a number of people and entities from the same nations and also indictments the U.S. Department of Justice has announced over the years. The sanctions are part of the effort to levy costs on nations and actors that conduct cyber attacks. The EU explained:
    • The attempted cyber-attack was aimed at hacking into the Wi-Fi network of the OPCW, which, if successful, would have compromised the security of the network and the OPCW’s ongoing investigatory work. The Netherlands Defence Intelligence and Security Service (DISS) (Militaire Inlichtingen- en Veiligheidsdienst – MIVD) disrupted the attempted cyber-attack, thereby preventing serious damage to the OPCW.
    • “WannaCry” disrupted information systems around the world by targeting information systems with ransomware and blocking access to data. It affected information systems of companies in the Union, including information systems relating to services necessary for the maintenance of essential services and economic activities within Member States.
    • “NotPetya” or “EternalPetya” rendered data inaccessible in a number of companies in the Union, wider Europe and worldwide, by targeting computers with ransomware and blocking access to data, resulting amongst others in significant economic loss. The cyber-attack on a Ukrainian power grid resulted in parts of it being switched off during winter.
    • “Operation Cloud Hopper” has targeted information systems of multinational companies in six continents, including companies located in the Union, and gained unauthorised access to commercially sensitive data, resulting in significant economic loss.
  • The United States’ Federal Communications Commission (FCC) is asking for comments on a petition from the Department of Commerce’s National Telecommunications and Information Administration (NTIA) asking the agency to start a rulemaking to clarify alleged ambiguities in 47 USC 230 regarding the limits of the liability shield for the content others post online versus the liability protection for “good faith” moderation by the platform itself. The NTIA was acting per direction in an executive order allegedly aiming to correct online censorship. Executive Order 13925, “Preventing Online Censorship,” was issued in late May after Twitter fact-checked two of President Donald Trump’s Tweets regarding false claims made about mail voting in California in response to the COVID-19 pandemic. Comments are due by 2 September.
  • The Australian Competition & Consumer Commission (ACCC) released for public consultation a draft of “a mandatory code of conduct to address bargaining power imbalances between Australian news media businesses and digital platforms, specifically Google and Facebook.” The government in Canberra had asked the ACCC to draft this code earlier this year after talks broke down between the Australian Treasury
    • The ACCC explained
      • The code would commence following the introduction and passage of relevant legislation in the Australian Parliament. The ACCC released an exposure draft of this legislation on 31 July 2020, with consultation on the draft due to conclude on 28 August 2020. Final legislation is expected to be introduced to Parliament shortly after conclusion of this consultation process.
    • This is not the ACCC’s first interaction with the companies. Late last year, the ACCC announced a legal action against Google “alleging they engaged in misleading conduct and made false or misleading representations to consumers about the personal location data Google collects, keeps and uses” according to the agency’s press release. In its initial filing, the ACCC is claiming that Google misled and deceived the public in contravention of the Australian Competition Law and that Android users were harmed because those who switched off Location Services were unaware that their location information was still being collected and used by Google, for it was not readily apparent that Web & App Activity also needed to be switched off.
    • A year ago, the ACCC released its final report in its “Digital Platforms Inquiry” that “proposes specific recommendations aimed at addressing some of the actual and potential negative impacts of digital platforms in the media and advertising markets, and also more broadly on consumers.”
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) “released core guidance documentation for the Trusted Internet Connections (TIC) program, developed to assist agencies in protecting modern information technology architectures and services.” CISA explained “In accordance with the Office of Management and Budget (OMB) Memorandum (M) 19-26: Update to the TIC Initiative, TIC 3.0 expands on the original initiative to drive security standards and leverage advances in technology to secure a wide spectrum of agency network architectures.” Specifically, CISA released three core guidance documents:
    • Program Guidebook (Volume 1) – Outlines the modernized TIC program and includes its historical context
    • Reference Architecture (Volume 2) – Defines the concepts of the program to guide and constrain the diverse implementations of the security capabilities
  • Senators Ron Wyden (D-OR), Bill Cassidy (R-LA) and ten other Members wrote the Federal Trade Commission (FTC) urging the agency “to investigate widespread privacy violations by companies in the advertising technology (adtech) industry that are selling private data about millions of Americans, collected without their knowledge or consent from their phones, computers, and smart TVs.” They asked the FTC “to use its authority to conduct broad industry probes under Section 6(b) of the FTC Act to determine whether adtech companies and their data broker partners have violated federal laws prohibiting unfair and deceptive business practices.” They argued “[t]he FTC should not proceed with its review of the Children’s Online Privacy Protection Act (COPPA) Rule before it has completed this investigation.”
  • “100 U.S. women lawmakers and current and former legislators from around the world,” including Speaker of the House Nancy Pelosi (D-CA), sent a letter to Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg urging the company “to take decisive action to protect women from rampant and increasing online attacks on their platform that have caused many women to avoid or abandon careers in politics and public service.” They noted “[j]ust a few days ago, a manipulated and widely shared video that depicted Speaker Pelosi slurring her speech was once again circulating on major social media platforms, gaining countless views before TikTok, Twitter, and YouTube all removed the footage…[and] [t]he video remains on Facebook and is labeled “partly false,” continuing to gain millions of views.” The current and former legislators “called on Facebook to enforce existing rules, including:
    • Quick removal of posts that threaten candidates with physical violence, sexual violence or death, and that glorify, incite or praise violence against women; disable the relevant accounts, and refer offenders to law enforcement.
    • Eliminate malicious hate speech targeting women, including violent, objectifying or dehumanizing speech, statements of inferiority, and derogatory sexual terms;
    • Remove accounts that repeatedly violate terms of service by threatening, harassing or doxing or that use false identities to attack women leaders and candidates; and
    • Remove manipulated images or videos misrepresenting women public figures.
  • The United States’ Departments of Commerce and Homeland Security released an update “highlighting more than 50 activities led by industry and government that demonstrate progress in the drive to counter botnet threats.” In May 2018, the agencies submitted “A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats” that identified a number of steps and prompted a follow-on “A Road Map Toward Resilience Against Botnets” released in November 2018.
  • United States (U.S.) Secretary of Commerce Wilbur Ross and European Commissioner for Justice Didier Reynders released a joint statement explaining that “[t]he U.S. Department of Commerce and the European Commission have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the July 16 judgment of the Court of Justice of the European Union in the Schrems II case.”
    • Maximilian Schrems filed a complaint against Facebook with Ireland’s Data Protection Commission (DPC) in 2013, alleging that the company’s transfer of his personal data violated his rights under European Union law because of the mass U.S. surveillance revealed by former National Security Agency (NSA) contractor Edward Snowden. Ultimately, this case resulted in a 2015 Court of Justice of the European Union (CJEU) ruling that invalidated the Safe Harbor agreement under which the personal data of EU residents was transferred to the US by commercial concerns. The EU and US executed a follow-on agreement, the EU-U.S. Privacy Shield, that was designed to address some of the problems the CJEU turned up, and the U.S. passed a law, the “Judicial Redress Act of 2015” (P.L. 114-126), to provide EU citizens a way to exercise their EU rights in US courts via the “Privacy Act of 1974.”
    • However, Schrems continued and soon sought to challenge the legality of the European Commission’s signing off on the Privacy Shield agreement, the adequacy decision issued in 2016, and also the use of standard contractual clauses (SCC) by companies for the transfer of personal data to the US. The CJEU struck down the adequacy decision, throwing into doubt many entities’ transfers out of the EU into the U.S. but upheld SCCs in a way that suggested EU data protection authorities (DPA) may need to review all such agreements to ensure they comply with EU law.
  • The European Commission (EC) announced “an in-depth investigation to assess the proposed acquisition of Fitbit by Google under the EU Merger Regulation.” The EC voiced its concern “that the proposed transaction would further entrench Google’s market position in the online advertising markets by increasing the already vast amount of data that Google could use for personalisation of the ads it serves and displays.” The EC detailed its “preliminary competition concerns:
    • Following its first phase investigation, the Commission has concerns about the impact of the transaction on the supply of online search and display advertising services (the sale of advertising space on, respectively, the result page of an internet search engine or other internet pages), as well as on the supply of “ad tech” services (analytics and digital tools used to facilitate the programmatic sale and purchase of digital advertising). By acquiring Fitbit, Google would acquire (i) the database maintained by Fitbit about its users’ health and fitness; and (ii) the technology to develop a database similar to Fitbit’s one.
    • The data collected via wrist-worn wearable devices appears, at this stage of the Commission’s review of the transaction, to be an important advantage in the online advertising markets. By increasing the data advantage of Google in the personalisation of the ads it serves via its search engine and displays on other internet pages, it would be more difficult for rivals to match Google’s online advertising services. Thus, the transaction would raise barriers to entry and expansion for Google’s competitors for these services, to the ultimate detriment of advertisers and publishers that would face higher prices and have less choice.
    • At this stage of the investigation, the Commission considers that Google:
      • is dominant in the supply of online search advertising services in the EEA countries (with the exception of Portugal for which market shares are not available);
      • holds a strong market position in the supply of online display advertising services at least in Austria, Belgium, Bulgaria, Croatia, Denmark, France, Germany, Greece, Hungary, Ireland, Italy, Netherlands, Norway, Poland, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom, in particular in relation to off-social networks display ads;
      • holds a strong market position in the supply of ad tech services in the EEA.
    • The Commission will now carry out an in-depth investigation into the effects of the transaction to determine whether its initial competition concerns regarding the online advertising markets are confirmed.
    • In addition, the Commission will also further examine:
      • the effects of the combination of Fitbit’s and Google’s databases and capabilities in the digital healthcare sector, which is still at a nascent stage in Europe; and
      • whether Google would have the ability and incentive to degrade the interoperability of rivals’ wearables with Google’s Android operating system for smartphones once it owns Fitbit.
    • In February, after the deal had been announced, the European Data Protection Board (EDPB) made clear its position that Google and Fitbit will need to scrupulously observe the General Data Protection Regulation’s privacy and data security requirements if the body is to sign off on the proposed $2.2 billion acquisition. Moreover, at present Google has not informed European Union (EU) regulators of the proposed deal. The deal comes at a time when both EU and U.S. regulators are already investigating Google for alleged antitrust and anticompetitive practices, and the EDPB’s opinion could carry weight in this process.
  • The United States’ (U.S.) Department of Homeland Security released a Privacy Impact Assessment for the U.S. Border Patrol (USBP) Digital Forensics Programs that details how it may conduct searches of electronic devices at the U.S. border and ports of entry. DHS explained:
    • As part of USBP’s law enforcement duties, USBP may search and extract information from electronic devices, including: laptop computers; thumb drives; compact disks; digital versatile disks (DVDs); mobile phones; subscriber identity module (SIM) cards; digital cameras; vehicles; and other devices capable of storing electronic information.
    • Last year, a U.S. District Court held that U.S. Customs and Border Protection (CBP) and U.S. Immigration and Customs Enforcement’s (ICE) current practices for searches of smartphones and computers at the U.S. border are unconstitutional and the agency must have reasonable suspicion before conducting such a search. However, the Court declined the plaintiffs’ request that the information taken off of their devices be expunged by the agencies. This ruling follows a Department of Homeland Security Office of the Inspector General (OIG) report that found CBP “did not always conduct searches of electronic devices at U.S. ports of entry according to its Standard Operating Procedures” and asserted that “[t]hese deficiencies in supervision, guidance, and equipment management, combined with a lack of performance measures, limit [CBP’s] ability to detect and deter illegal activities related to terrorism; national security; human, drug, and bulk cash smuggling; and child pornography.”
    • In terms of a legal backdrop, the United States Supreme Court has found that searches and seizures of electronic devices at borders and airports are subject to lesser legal standards than those conducted elsewhere in the U.S. under most circumstances. Generally, the government’s interest in securing the border against the flow of contraband and people not allowed to enter allow considerable leeway to the warrant requirements for many other types of searches. However, in recent years two federal appeals courts (the Fourth and Ninth Circuits) have held that searches of electronic devices require suspicion on the part of government agents while another appeals court (the Eleventh Circuit) held differently. Consequently, there is not a uniform legal standard for these searches.
  • The Inter-American Development Bank (IDB) and the Organization of Americans States (OAS) released their second assessment of cybersecurity across Latin America and the Caribbean that used the Cybersecurity Capacity Maturity Model for Nations (CMM) developed at University of Oxford’s Global Cyber Security Capacity Centre (GSCC). The IDB and OAS explained:
    • When the first edition of the report “Cybersecurity: Are We Ready in Latin America and the Caribbean?” was released in March 2016, the IDB and the OAS aimed to provide the countries of Latin America and the Caribbean (LAC) not only with a picture of the state of cybersecurity but also guidance about the next steps that should be pursued to strengthen national cybersecurity capacities. This was the first study of its kind, presenting the state of cybersecurity with a comprehensive vision and covering all LAC countries.
    • The great challenges of cybersecurity, like those of the internet itself, are of a global nature. Therefore, it is undeniable that the countries of LAC must continue to foster greater cooperation among themselves, while involving all relevant actors, as well as establishing a mechanism for monitoring, analysis, and impact assessment related to cybersecurity both nationally and regionally. More data in relation to cybersecurity would allow for the introduction of a culture of cyberrisk management that needs to be extended both in the public and private sectors. Countries must be prepared to adapt quickly to the dynamic environment around us and make decisions based on a constantly changing threat landscape. Our member states may manage these risks by understanding the impact on and the likelihood of cyberthreats to their citizens, organizations, and national critical infrastructure. Moving to the next level of maturity will require a comprehensive and sustainable cybersecurity policy, supported by the country’s political agenda, with allocation of financial resources and qualified human capital to carry it out.
    • The COVID-19 pandemic will pass, but events that will require intensive use of digital technologies so that the world can carry on will continue happening. The challenge of protecting our digital space will, therefore, continue to grow. It is the hope of the IDB and the OAS that this edition of the report will help LAC countries to have a better understanding of their current state of cybersecurity capacity and be useful in the design of the policy initiatives that will lead them to increase their level of cyberresilience.
  • The European Data Protection Supervisor (EDPS) issued an opinion on “the European Commission’s action plan for a comprehensive Union policy on preventing money laundering and terrorism financing (C(2020)2800 final), published on 7 May 2020.” The EDPS asserted:
    • While the EDPS acknowledges the importance of the fight against money laundering and terrorism financing as an objective of general interest, we call for the legislation to strike a balance between the interference with the fundamental rights of privacy and personal data protection and the measures that are necessary to effectively achieve the general interest goals on anti-money laundering and countering the financing of terrorism (AML/CFT) (the principle of proportionality).
    • The EDPS recommends that the Commission monitors the effective implementation of the existing AML/CFT framework while ensuring that the GDPR and the data protection framework are respected and complied with. This is particularly relevant for the works on the interconnection of central bank account mechanisms and beneficial ownership registers that should be largely inspired by the principles of data minimisation, accuracy and privacy-by-design and by default.

Further Reading

  • “China already has your data. Trump’s TikTok and WeChat bans can’t stop that.” By Aynne Kokas – The Washington Post. This article persuasively makes the case that even if a ban on TikTok and WeChat were to work, and there are substantive questions as to how a ban would work given how widely the former has been downloaded, the People’s Republic of China (PRC) is almost certainly acquiring massive reams of data on Americans through a variety of apps, platforms, and games. For example, Tencent, owner of WeChat, has a 40% stake in Epic Games that has Fortnite, a massively popular multiplayer game (if you have never heard of it, ask one of the children in your family). Moreover, a recent change to PRC law mandates that companies operating in the PRC must share their databases for cybersecurity reviews, which may be an opportunity, aside from hacking and exfiltrating United States entities, to access data. In summation, if the Trump Administration is serious about stopping the flow of data from the U.S. to the PRC, these executive orders will do very little.
  • “Big Tech Makes Inroads With the Biden Campaign” by David McCabe and Kenneth P. Vogel – The New York Times. Most likely long before former Vice President Joe Biden clinched the Democratic nomination, advisers volunteered to help plot out his policy positions, a process that intensified this year. Of course, this includes technology policy, and many of those volunteering for the campaign’s Innovation Policy Committee have worked or are working for large technology companies directly or as consultants or lobbyists. This piece details some of these people and their relationships and how the Biden campaign is managing possible conflicts of interest. Naturally, those on the left wing of the Democratic Party calling for tighter antitrust, competition, and privacy regulation are concerned that Biden might be pulled away from these positions despite his public statements arguing that the United States government needs to get tougher with some practices.
  • “A Bible Burning, a Russian News Agency and a Story Too Good to Check Out” By Matthew Rosenberg and Julian E. Barnes – The New York Times. The Russian Federation seems to be using a new tactic with some success for sowing discord in the United States that is the information equivalent of throwing fuel onto a fire. In this case, a fake story manufactured by a Russian outlet was seized on by some prominent Republicans, in part, because it fits their preferred world view of protestors. In this instance, a Russian outlet created a fake story amplifying an actual event that went viral. We will likely see more of this, and it is not confined to fake stories intended to appeal to the right. The same is happening with content meant for the left wing in the United States.
  • “Facebook cracks down on political content disguised as local news” by Sara Fischer – Axios. As part of its continuing effort to crack down on violations of its policies, Facebook will no longer allow groups with a political viewpoint to masquerade as news. The company and outside experts have identified a range of instances where groups propagating a viewpoint, as opposed to reporting, have used a Facebook exemption by pretending to be local news outlets.
  • “QAnon groups have millions of members on Facebook, documents show” By Ari Sen and Brandy Zadrozny – NBC News. It appears as if some Facebook employees are leaking the results of an internal investigation that identified more than 1 million users who are part of QAnon groups. Most likely these employees want the company to take a stronger stance on the conspiracy group QAnon like the company has with COVID-19 lies and misinformation.
  • And, since Senator Kamala Harris (D-CA) was named former Vice President Joe Biden’s (D-DE) vice presidential pick, this article has become even more relevant than when I highlighted it in late July: “New Emails Reveal Warm Relationship Between Kamala Harris And Big Tech” – HuffPost. Obtained via a Freedom of Information request, new emails from Senator Kamala Harris’ (D-CA) tenure as her state’s attorney general suggest she was willing to overlook the role Facebook, Google, and others played and still play in one of her signature issues: revenge porn. This article makes the case Harris came down hard on a scammer running a revenge porn site but did not press the tech giants with any vigor to take down such material from their platforms. Consequently, the case is made that if Harris is former Vice President Joe Biden’s vice presidential candidate, this would signal a go-easy approach on large companies even though many Democrats have been calling to break up these companies and vigorously enforce antitrust laws. Harris has largely not engaged on tech issues during her tenure in the Senate. To be fair, many of these companies are headquartered in California and pump billions of dollars into the state’s economy annually, putting Harris in a tricky position politically. Of course, such pieces should be taken with a grain of salt since they may have been suggested or planted by one of Harris’ rivals for the vice president nomination or someone looking to settle a score.
  • “Unwanted Truths: Inside Trump’s Battles With U.S. Intelligence Agencies” by Robert Draper – The New York Times. A deeply sourced article on the outright antipathy between President Donald Trump and Intelligence Community officials, particularly over the issue of how deeply Russia interfered in the election in 2016. A number of former officials have been fired or forced out because they refused to knuckle under to the White House’s desire to soften or massage conclusions of Russia’s past and current actions to undermine the 2020 election in order to favor Trump.
  • “Huawei says it’s running out of chips for its smartphones because of US sanctions” By Kim Lyons – The Verge and “Huawei: Smartphone chips running out under US sanctions” by Joe McDonald – The Associated Press. United States (U.S.) sanctions have started biting the Chinese technology company Huawei, which announced it will likely run out of processor chips for its smartphones. U.S. sanctions bar any company from selling high technology items like processors to Huawei, and this capability is not independently available in the People’s Republic of China (PRC) at present.
  • “Targeting WeChat, Trump Takes Aim at China’s Bridge to the World” By Paul Mozur and Raymond Zhong – The New York Times. This piece explains WeChat, the app the Trump Administration is trying to ban in the United States (U.S.) without any warning. It is like a combination of Facebook, WhatsApp, news app, and payment platform and is used by more than 1.2 billion people.
  • “This Tool Could Protect Your Photos From Facial Recognition” By Kashmir Hill – The New York Times. Researchers at the University of Chicago have found a method of subtly altering photos of people that appears to foil most facial recognition technologies. However, a number of experts interviewed said it is too late to stop companies like Clearview AI.
  • “I Tried to Live Without the Tech Giants. It Was Impossible.” By Kashmir Hill – The New York Times. This New York Times reporter tried living without the products of large technology companies, which involved some fairly obvious challenges and some that were not so obvious. Of course, it was hard for her to skip Facebook, Instagram, and the like, but cutting out Google and Amazon proved hardest and basically impossible because of the latter’s cloud presence and the former’s web presence. The fact that some of the companies cannot be avoided if one wants to be online likely lends weight to those making the case these companies are anti-competitive.
  • “To Head Off Regulators, Google Makes Certain Words Taboo” by Adrianne Jeffries – The Markup. Apparently, in what is a standard practice at large companies, employees at Google were coached to avoid using certain terms or phrases that antitrust regulators would take notice of such as: “market,” “barriers to entry,” and “network effects.” The Markup obtained a 16 August 2019 document titled “Five Rules of Thumb For Written Communications” that starts by asserting “[w]ords matter…[e]specially in antitrust laws” and goes on to advise Google’s employees:
    • We’re out to help users, not hurt competitors.
    • Our users should always be free to switch, and we don’t lock anyone in.
    • We’ve got lots of competitors, so don’t assume we control or dominate any market.
    • Don’t try and define a market or estimate our market share.
    • Assume every document you generate, including email, will be seen by regulators.
  • “Facebook Fired An Employee Who Collected Evidence Of Right-Wing Pages Getting Preferential Treatment” By Craig Silverman and Ryan Mac – BuzzFeed News. A Facebook engineer was fired after adducing proof in an internal communications system that the social media platform is more willing to change false and negative ratings to claims made by conservative outlets and personalities than any other viewpoint. If this is true, it would be opposite to the narrative spun by the Trump Administration and many Republicans in Congress. Moreover, Facebook’s incentives would seem to align with giving conservatives more preferential treatment because many of these websites advertise on Facebook, the company probably does not want to get crosswise with the Administration, sensational posts and content drive engagement which increases user numbers that allows for higher ad rates, and it wants to appear fair and impartial.
  • “How Pro-Trump Forces Work the Refs in Silicon Valley” By Ben Smith – The New York Times. This piece traces the nearly four-decade-old effort of Republicans to sway mainstream media and now Silicon Valley to their viewpoint.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo credit: Gerd Altmann on Pixabay

U.S. Announces Plan To Release Prized Mid-Band Spectrum For 5G

The U.S. government has rolled out a plan to make available desirable mid-band spectrum in an arrangement under which the military would share with commercial providers. However, these new frequencies would be used in mid-2022 at the earliest.   

The White House and the United States (U.S.) Department of Defense (DOD) will share a prime slice of mid-band electromagnetic frequency with commercial entities that would be ideal for 5G, according to their announcements. The development of the next iteration of wireless communications has been hampered in the U.S. because the DOD controls a range of the usable frequency spectrum other nations have been using to test and deploy 5G. This announcement would allow commercial entities to ultimately bid on 100 contiguous MHz of spectrum that has been used exclusively by the DOD for guidance and navigation. It is an open question whether the relinquishment of this spectrum will speed 5G development and adoption in the U.S., and the timeline provided by the Administration suggests licenses to use these mid-band frequencies will not be in the hands of commercial entities until mid-2022 at the earliest, assuming President Donald Trump is reelected, for a Biden Administration may propose a different course of action. Nonetheless, one Administration official asserted releasing this 100 MHz will be “the fastest transfer of Federal spectrum to commercial use in history.”

The Trump Administration has pursued a number of efforts to foster the development, deployment, and use of 5G in the U.S. A key part of the motivation for doing so is the role companies from the People’s Republic of China (PRC), such as Huawei, have played in pushing forward this technology. This PRC company is playing a significant, perhaps even dominant, role in helping pioneer the technology that would allow nations around the globe to move from 4G to the significantly faster download and upload speeds of 5G because of much higher bandwidth. Experts believe this transition will be a paradigm shift in wireless communications the same way transitioning from 3G to 4G earlier in this decade changed how people used smartphones, to cite just one technology. For example, 4G speeds range between 10-100 Mbps whereas 5G will allow for 1000-1400 Mbps and will allow for the development of faster phones and computers, more functional Internet of Things devices and networks, new potential military uses, and other applications not yet conceived of. However, there is the belief that whichever nation is on the forefront of developing this technology and the standards used to govern the various protocols will gain the first mover advantage and may reap a lion’s share of the benefits. Hence, if this view is correct, being first and preeminent in 5G is a national security issue, and, whether true or not, policymakers in Beijing, Washington, and other capitals believe this to be the case. At present, in the assessment of a DOD advisory board, the U.S. is among the first tier of competitors along with the PRC, South Korea, and Japan.

The announcement by the White House and DOD matters because while other nations have been allowing their commercial entities a portion of the spectrum considered ideal for 5G between 1 and 6 GHz (aka sub-6GHz), much of this spectrum has been used by the Pentagon for national security systems. Consequently, there has been a push from policymakers to use higher frequencies on the electromagnetic spectrum between 24 and 300 GHz. However, if the U.S. were to do so, the fear is that this decision would put U.S. technology companies using and operating in the 5G realm at a disadvantage as virtually the rest of the world would use sub-6GHz spectrum. The Obama Administration began grappling with this issue, and the Trump Administration has continued through a variety of means, including a working group that led to the present announcement that 100 MHz of sub-6GHz will be available to companies and entities looking to deploy and use 5G.

In a press release, the Trump Administration said:

  • Today, at President Donald J. Trump’s direction, the White House and the DOD announced that 100 megahertz of contiguous, coast-to-coast mid-band spectrum will be made available for commercial 5G deployment.
  • President Trump is committed to strengthening United States leadership in 5G communications for the security and prosperity of the American people. With 5G networks already available to more than 250 million Americans, we have made significant strides. The availability of more mid-band spectrum is a key factor to driving widespread 5G access across rural America.
  • Throughout this process, the Trump Administration has worked carefully to ensure that commercial use of this critically needed mid-band spectrum will never compromise military preparedness or national security.

In a statement, DOD Chief Information Officer Dana Deasy explained:

  • In mid-April, the White House and DOD met to discuss what could be done quickly to make more mid-band spectrum available for 5G in the 3 gigahertz band range, commonly known as mid-band, which is paramount to maintaining American leadership in 5G.
  • As a result, the America’s Mid-Band Initiative Team (AMBIT) was established and worked on an unprecedented 15-week schedule to make 100 megahertz (MHz) of contiguous mid-band spectrum available in the 3450-3550 MHz band for 5G by the end of the summer.
  • The 3450-3550 MHz band supports critical DOD radar operations including high-powered defense radar systems on fixed, mobile, shipborne, and airborne platforms. Capabilities for these systems include air defense, missile and gunfire control, counter-mortar, bomb scoring, battlefield weapon locations, air traffic control, and range safety.
  • With this additional 100 MHz, the U.S. now has a contiguous 530 megahertz of mid-band spectrum from 3450-3980 MHz to enable higher capacity 5G networks.
  • The Federal Communications Commission will auction the spectrum after service rules are adopted. Through the hard work of the AMBIT, we expect these rules to be similar to AWS-3, where for the most part the spectrum will be available for commercial use without limits, while simultaneously minimizing impact to DOD operations.

U.S. Chief Technology Officer (CTO) and acting Under Secretary of Defense for Research and Engineering Michael Kratsios claimed on a call with reporters that the Federal Communications Commission (FCC) will hold an auction for the 100 MHz in late December 2021 and by mid-2022 the winning bidders would be able to start using their slice of spectrum. FCC Chair Ajit Pai asserted in a statement that “[t]ogether with the spectrum being made available for 5G in the C-band as well as the 3.5 GHz band, we are now on track to have a 530-megahertz swath of mid-band spectrum available for 5G from 3.45 to 3.98 GHz…[and] [t]he FCC looks forward to moving quickly to adopt service rules for the 3.45 GHz band and then hold an auction to bring this prime mid-band spectrum to market.”

Preceding the AMBIT initiative, in January, the National Telecommunications and Information Administration (NTIA) prepared a technical report on the 3450-3550 MHz band “[a]s part of its ongoing effort to identify candidate bands for repurposing to accommodate commercial wireless services.” NTIA worked with DOD, “which operates the federal systems in the band, to determine the conditions needed to enable commercial services to operate without causing impact to incumbent operations.” NTIA asserted “[t]he report indicates that commercial operations would impact incumbent federal systems; however, spectrum sharing that provides both sufficient protection to incumbent operations and an attractive commercial business case may be possible with further information and analysis, including studying the efficacy of deploying appropriate time-based sharing mechanisms.”

The NTIA found:

  • The primary allocations in the band include federal radiolocation and aeronautical radionavigation. The incumbent federal operations currently consist of shipborne radars, several types of airborne systems, and ground-based radars. The shipborne radars operate at over twenty ports and along the entire Atlantic, Pacific, and Gulf coasts. Some of the airborne systems operate nationwide, while other systems are limited to four locations. The ground-based radars operate at over one hundred locations, including many near high-population areas. In addition, DOD continues to deploy systems at additional locations and to develop new systems for operation in the band.
  • While some federal systems operate intermittently and in only one part of the 3450-3550 MHz band at a time, the time when they operate and the specific frequencies they use can be dynamic and unpredictable depending on mission requirements. In the aggregate and in some cases individually, the federal systems use the entire band throughout the United States and its possessions, including near and over the most populated areas. Current and future DOD system usage and operational mission requirements are important considerations for establishing sharing conditions. Sufficient information, however, was not available to fully account for these considerations, and therefore further study is needed. In addition, some aspects of the systems are classified, which reduced the ability for the report to be as transparent regarding the analysis as otherwise possible, but did not affect the quality of the results.

The NTIA proposed a “dynamic, time-based sharing mechanism” in the 3450-3550 MHz band as a means of allowing commercial entities to access what is considered a prime frequency for 5G while reserving, as needed, the ability of the DOD to operate crucial defense systems. The NTIA stated:

  • Frequency-based and geographic-based sharing approaches would result in significant restrictions on commercial services, in terms of emitter power limits and exclusion zones, making sufficient access for viable commercial applications unlikely. However, a dynamic, time-based sharing mechanism could present a potentially attractive approach to both protecting federal systems and providing viable commercial operations. Commercial operations would be contingent on spectrum availability, which will depend on the frequency, time, and location of federal system operations.
  • The assessment identifies further work needed to reach a more definitive conclusion regarding the extent to which a sharing mechanism would enable assured access for uninterrupted (i.e., without harmful interference) federal missions while also enabling commercial shared access. The study assumed that all federal systems could implement a spectrum sharing mechanism, except for the nationwide airborne systems, which present unique challenges due to their large area of operations. The table below summarizes the power levels that would be possible for commercial operations.

In late 2019, the Department of Commerce, acting through the National Telecommunications and Information Administration (NTIA), released its initial annual report “on the status of existing efforts and planned near- to mid-term spectrum repurposing initiatives” as required by an October 2018 Presidential Memorandum “on Developing a Sustainable Spectrum Strategy for America’s Future.” In the report, NTIA explained:

This report is part of a broader effort to maintain the U.S. position as a global leader in pioneering and sustaining technological and economic leadership in developing and deploying spectrum-dependent products and services, from 5G wireless systems to innovative satellite and space applications. A significant component of this effort is the construction and execution of the National Spectrum Strategy called for by the Presidential Memorandum. The U.S. Government will continue to support this leadership in ground-breaking wireless technologies, including those that greatly improve the spectrum efficiency and effectiveness of federal operations. This is being accomplished through ongoing efforts to assess the Nation’s spectrum needs and to identify additional bands with federal and non-federal allocations to serve those needs. This will entail examining and implementing effective protective measures for incumbent services and managing the transitions as spectrum uses shift and new spectrum-sharing tools and techniques are developed and implemented. These ongoing efforts constitute a process that resembles a “pipeline” for continuous identification and assessment of bands, followed by repurposing or implementing other spectrum access mechanisms wherever needed and feasible.

In July 2019, the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released an assessment that “Fifth Generation Mobile Network (5G) will present opportunities and challenges, and its implementation will introduce vulnerabilities related to supply chains, deployment, network security, and the loss of competition and trusted options.”

  • Use of 5G components manufactured by untrusted companies could expose U.S. entities to risks introduced by malicious software and hardware, counterfeit components, and component flaws caused by poor manufacturing processes and maintenance procedures. 5G hardware, software, and services provided by untrusted entities could increase the risk of compromise to the confidentiality, integrity, and availability of network assets. Even if U.S. networks are secure, U.S. data that travels overseas through untrusted telecommunication networks is potentially at risk of interception, manipulation, disruption, and destruction.
  • 5G will use more components than previous generations of wireless networks, and the proliferation of 5G infrastructure may provide malicious actors more attack vectors. The effectiveness of 5G’s security enhancements will in part depend on proper implementation and configuration.
  • Despite security enhancement over previous generations, it is unknown what new vulnerabilities may be discovered in 5G networks. Further, 5G builds upon previous generations of wireless networks and will initially be integrated into 4G Long-Term Evolution (LTE) networks that contain some legacy vulnerabilities.
  • Untrusted companies may be less likely to participate in interoperability efforts. Custom 5G technologies that do not meet interoperability standards may be difficult to update, repair, and replace. This potentially increases the lifecycle cost of the product and delays 5G deployment if the equipment requires replacement. The lack of interoperability may also have negative impacts on the competitive market as companies could be driven out if the available competitive market decreases.

CISA further explained that “[t]he United States Government can manage these vulnerabilities and increase the security of communications networks as 5G is adopted by:”

  • Encouraging continued development of trusted 5G technologies, services, and products.
  • Encouraging continued trusted development of future generations of communications technologies.
  • Promoting international standards and processes that are open, transparent, consensus–driven, and that do not place trusted companies at a disadvantage.
  • Limiting the adoption of 5G equipment with known or suspected vulnerabilities.
  • Continued engagement with the private sector on risk identification and mitigation efforts.
  • Ensuring robust security capabilities for 5G applications and services.

In 2019, an advisory body to the Pentagon drafted a report on the options facing the Department of Defense (DOD) as the U.S. and other nations are on the cusp of transitioning to the next generation of wireless networks that promise even faster speeds that will likely drive the development of new applications and devices. The Defense Innovation Board (Board) released “THE 5G ECOSYSTEM: RISKS & OPPORTUNITIES FOR DOD” to provide “insight into the commercial landscape as well as the DOD landscape to give a comprehensive view of the stakeholders and future of 5G.” The Board explained that “[t]he shift from 4G to 5G will drastically impact the future of global communication networks and fundamentally change the environment in which DOD operates.” The Board conceded that “[w]hile DOD will feel the impact of 5G, the rollout itself will be driven by the U.S. commercial sector.”

The Board explained:

The term “5G” refers to the oncoming fifth generation of wireless networks and technology that will produce a step-change improvement in data speed, volume, and latency (delay in data transfer) over fourth generation (4G and 4G LTE) networks. 5G will enable a host of new technologies that will change the standard of public and private sector operations, from autonomous vehicles to smart cities, virtual reality, and battle networks. Historical shifts between wireless generations suggest that the first-mover country stands to gain billions in revenue accompanied by substantial job creation and leadership in technology innovation. First movers also set standards and practices that were then adopted by subsequent entrants. Conversely, countries that fell behind in previous wireless generation shifts were obligated to adopt the standards, technologies, and architectures of the leading country and missed out on a generation of wireless capabilities and market potential.

The development of 5G will require the bonding together of 100 MHz channels to deliver faster speeds in new spectrums. The Board explained that the U.S., Japan, and South Korea are looking at using the electromagnetic spectrum frequencies between 24 and 300 GHz (aka mmWave) for 5G while other nations, like China, are looking at using the 3 and 4 GHz range (aka sub-6) for 5G networks. Moreover, in the U.S., the DOD uses the latter spectrum, meaning that any transition could be tricky for 5G using that band of spectrum. The Board noted that “U.S. carriers are primarily focused on mmWave deployment for 5G because most of the 3 and 4 GHz spectrum being used by the rest of the world for 5G are exclusive Federal bands in the United States, extensively used by DOD in particular.”

The Board added that

Spectrum bands in the 3 and 4 GHz range dominate global 5G activity because of improved propagation (range) over mmWave spectrum, resulting in far fewer base stations needed to be deployed to deliver the same coverage and performance. Because large swaths of the sub-6 bands in the United States are not available for civil/commercial use, U.S. carriers and the FCC (which controls civil spectrum in the US) are betting on mmWave spectrum as the core domestic 5G approach.

The Board stated that “[b]oth DOD and the FCC are currently prioritizing mmWave over sub-6 mid-band spectrum with a particular focus on the 28 and 37 GHz bands, but this is a fundamentally flawed focus due to the impracticality of mmWave deployment.” The Board stated that “DOD must prepare to operate in a sub-6 5G ecosystem, which will require a shift in strategy and a consideration of where DOD is willing to share bandwidth in the sub-6 realm.”

The Board explained:

However, 5G also presents a serious potential risk for DOD going forward. When operating overseas in the future, the vast majority of these networks and systems may depend on 5G infrastructure. If China leads the field in 5G infrastructure and systems, then the future 5G ecosystem will likely have Chinese components embedded throughout. This would pose a serious threat to the security of DOD operations and networks going forward. Additionally, the growth in the number of connected devices increases the potential “attack surface” for adversaries to target across DOD networks, which will require increased vigilance and security across systems. The larger volume of data being transferred will complicate this task, as it will make it more difficult to detect malicious traffic on a network.

The Board asserted that “5G has the ability to enhance DOD decision-making and strategic capabilities from the enterprise network to the tactical edge of the battlefield…[and] will increase DOD’s ability to link multiple systems into a broader network while sharing information in real time, improving communication across Services, geographies, and domains while developing a common picture of the battlefield to improve situational awareness.” The Board claimed that “[t]his improved connectivity may in turn enable a host of new technologies and missions, from hypersonics and hypersonic defense to resilient satellite constellations and mesh networks.”

The Board made the following recommendations:

  • DOD needs to make a plan for sharing sub-6 GHz spectrum to shape the future 5G ecosystem, including an assessment of how much and which bandwidths need to be shared, within what timeframe, and how that sharing will impact DOD systems.
  • DOD must prepare to operate in a “post-Western” wireless ecosystem. This plan should include R&D investments towards system security and resiliency on an engineering and strategic level.
  • DOD should advocate for adjusted trade policies to discourage vulnerabilities in its supply chain on the grounds that they put national security assets and missions at risk.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


Further Reading, Other Developments, and Coming Events (22 July)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 22 July, the Senate Homeland Security & Governmental Affairs Committee will markup a number of bills and nominations, including:
    • The nomination of Derek Kan to the Office of Management and Budget’s Deputy Director
    • The “Federal Emergency Pandemic Response Act” (S.4204)
    • The “Securing Healthcare and Response Equipment Act of 2020” (S.4210)
    • The “National Response Framework Improvement Act of 2020” (S.4153)
    • The “National Infrastructure Simulation and Analysis Center Pandemic Modeling Act of 2020” (S.4157)
    • The “PPE Supply Chain Transparency Act of 2020” (S.4158)
    • The “REAL ID Act Modernization Act” (S.4133)
    • The “Safeguarding American Innovation Act” (S.3997)
    • The “Information Technology Modernization Centers of Excellence Program Act” (S.4200)
    • The “Telework for U.S. Innovation Act” (S.4318)
    • The “GAO Database Modernization Act” (S.____)
    • The “CFO Vision Act of 2020” (S.3287)
    • The “No Tik Tok on Government Devices Act” (S. 3455)
    • The “Cybersecurity Advisory Committee Authorization Act of 2020” (S. 4024)
  • On 23 July, the Senate Commerce, Science, and Transportation Committee’s Communications, Technology, Innovation, and the Internet Subcommittee will hold a hearing on “The State of U.S. Spectrum Policy” with the following witnesses:
    • Mr. Tom Power, Senior Vice President and General Counsel, CTIA
    • Mr. Mark Gibson, Director of Business Development, CommScope
    • Dr. Roslyn Layton, Visiting Researcher, Aalborg University
    • Mr. Michael Calabrese, Director, Wireless Future Project, Open Technology Institute at New America
  • On 27 July, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold its sixth hearing on “Online Platforms and Market Power” titled “Examining the Dominance of Amazon, Apple, Facebook, and Google” that will reportedly have the heads of the four companies as witnesses.
  • On 6 August, the Federal Communications Commission (FCC) will hold an open meeting to likely consider the following items:
    • C-band Auction Procedures – The Commission will consider a Public Notice that would adopt procedures for the auction of new flexible-use overlay licenses in the 3.7–3.98 GHz band (Auction 107) for 5G, the Internet of Things, and other advanced wireless services. (AU Docket No. 20-25)
    • Radio Duplication Rules – The Commission will consider a Report and Order that would eliminate the radio duplication rule with regard to AM stations and retain the rule for FM stations. (MB Docket Nos. 19-310, 17-105)
    • Common Antenna Siting Rules – The Commission will consider a Report and Order that would eliminate the common antenna siting rules for FM and TV broadcaster applicants and licensees. (MB Docket Nos. 19-282, 17-105)
    • Telecommunications Relay Service – The Commission will consider a Report and Order to repeal certain TRS rules that are no longer needed in light of changes in technology and voice communications services. (CG Docket No. 03-123)
    • Inmate Calling Services – The Commission will consider a Report and Order on Remand and a Fourth Further Notice of Proposed Rulemaking that would respond to remands by the U.S. Court of Appeals for the District of Columbia Circuit and propose to comprehensively reform rates and charges for the inmate calling services within the Commission’s jurisdiction. (WC Docket No. 12-375)

Other Developments

  • Acting Office of Management and Budget (OMB) Director Russell Vought was confirmed by the Senate by a 51-45 vote. OMB has been without a Senate-confirmed Director since Mick Mulvaney resigned at the end of March, but he was named acting White House Chief of Staff in January 2019, resulting in Vought serving as the acting OMB head since that time.
  • Former Vice President and Democratic candidate for President Joe Biden issued a statement on Russian interference with the 2020 election that laid out his plan to respond and retaliate against these ongoing activities. His very high-level plan is a list of currently used methods of combatting cyber-attacks, much of which he would be able to undertake without Congressional assent. Biden contended “[d]espite the exposure of Russia’s malign activities by the U.S. Intelligence Community, law enforcement agencies, and bipartisan Congressional committees, the Kremlin has not halted its efforts to interfere in our democracy.” Biden said “[i]n spite of President [Donald] Trump’s failure to act, America’s adversaries must not misjudge the resolve of the American people to counter every effort by a foreign power to interfere in our democracy, whether by hacking voting systems and databases, laundering money into our political system, systematically spreading disinformation, or trying to sow doubt about the integrity of our elections.” He vowed:
    • If elected president, I will treat foreign interference in our election as an adversarial act that significantly affects the relationship between the United States and the interfering nation’s government.
    • I will direct the U.S. Intelligence Community to report publicly and in a timely manner on any efforts by foreign governments that have interfered, or attempted to interfere, with U.S. elections.
    • I will direct my administration to leverage all appropriate instruments of national power and make full use of my executive authority to impose substantial and lasting costs on state perpetrators.
    • These costs could include financial-sector sanctions, asset freezes, cyber responses, and the exposure of corruption.
    • A range of other actions could also be taken, depending on the nature of the attack.
    • I will direct our response at a time and in a manner of our choosing.
    • In addition, I will take action where needed to stop attempts to interfere with U.S. elections before they can impact our democratic processes.
    • In particular, I will direct and resource the Department of Defense, Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Department of State, and the Federal Bureau of Investigation’s Foreign Interference Task Force to develop plans for disrupting foreign threats to our elections process.
    • This will be done, wherever possible, in coordination with our allies and partners, so that we are isolating the regimes that seek to undermine democracies and civil liberties.
  • Top Democrats in Congress have written the Director of the Federal Bureau of Investigation (FBI) requesting “a defensive counterintelligence briefing to all Members of the House of Representatives and the Senate regarding foreign efforts to interfere in the 2020 U.S. presidential election.” Speaker of the House Nancy Pelosi (D-CA), Senate Minority Leader Chuck Schumer (D-NY), House Intelligence Committee Chair Adam Schiff (D-CA), and Senate Intelligence Committee Ranking Member Mark Warner (D-VA) sent a letter to FBI Director Christopher Wray in which they claimed “that Congress appears to be the target of a concerted foreign interference campaign, which seeks to launder and amplify disinformation in order to influence congressional activity, public debate, and the presidential election in November.”
  • District of Columbia Attorney General Karl Racine (D) has inserted himself into the struggle raging over the Trump Administration’s remaking of the United States (US) Agency for Global Media (USAGM), in part, by installing Michael Pack as the head of USAGM. He filed suit “to resolve a dispute between two dueling Boards of Directors that has paralyzed the Open Technology Fund (OTF), a District nonprofit…which supports encryption and anti-censorship tools for people living in repressive societies…an independent nonprofit corporation organized and created under District law that receives grant funding from the USAGM” per his press release. Racine claimed:
    • The USAGM CEO does not have authority over OTF’s Board or officers: OTF is an independent D.C. nonprofit corporation, which governs itself under local law and under its own bylaws. While USAGM provides grant funding for OTF’s work, it does not have authority over OTF’s governance. OAG asserts that OTF’s bylaws are clear and that only the organization’s Board of Directors—not USAGM, its leadership, or any other body—has the authority to appoint or remove OTF directors.
    • Dueling Boards have paralyzed OTF: Two Boards are currently claiming authority over OTF, and without clarity as to which Board is properly in place, the organization is effectively leaderless. It is also unable to authorize decisions necessary for carrying out its functions, including decisions to authorize funding partner organizations have already been promised, and decisions related to potential new partnership. The leadership crisis has also left employees of the organization at risk of losing their jobs.
    • The original Board of Directors is the valid Board: OAG asserts that because Pack did not have authority under either District law or OTF’s bylaws to dismiss OTF’s Board of Directors, the Court should recognize OTF’s original Board as valid.
    • Any actions taken on behalf of OTF by Michael Pack or his replacement Board should be voided: Michael Pack did not have authority as USAGM CEO to dismiss or appoint Directors on behalf of OTF. As a result, any actions Pack or the replacement Board have taken on behalf of OTF should be invalidated.
  • The Department of Commerce’s (DOC) Bureau of Industry and Security (BIS) has announced further action against entities from the People’s Republic of China (PRC) by adding “to the Entity List 11 Chinese companies implicated in human rights violations and abuses in the implementation of the PRC’s campaign of repression, mass arbitrary detention, forced labor, involuntary collection of biometric data, and genetic analyses targeted at Muslim minority groups from the Xinjiang Uyghur Autonomous Region (XUAR)” according to the agency’s press release. DOC claimed “[t]oday’s action will result in these companies facing new restrictions on access to U.S.-origin items, including commodities and technology…[and] will supplement BIS’s two tranches of Entity List designations in October 2019 and June 2020, actions that together added 37 parties engaged in or enabling PRC’s repression in Xinjiang.”

Further Reading

  • “Google Promises Privacy With Virus App but Can Still Collect Location Data” – The New York Times. Google’s version of the contact tracing app developed with Apple has a feature the other company does not: it prompts users to turn on the Android device’s location setting. This feature would seem to be contrary to the claims made by Google and Apple that their Bluetooth tracing system does not collect sensitive location data. In fact, the companies refused the request of the governments of the United Kingdom and France, among others, to change settings on their smartphones to allow for centralized information collection on possible COVID-19 transmission. A number of European nations have pressed Google to remove this feature, and a Google spokesperson claimed the Android Bluetooth tracing capability did not use location services, begging the question why the prompt appears.
  • “Inside the Federal Trade Commission’s Facebook probe” – Axios. The anonymous sources inside the Federal Trade Commission (FTC) cautioning that the agency will not likely pursue an anti-trust action against Facebook before next year may be part of an inner-agency quarrel slowing down the inquiry. Allegedly, the FTC’s Bureau of Competition and its Office of Policy Planning are at odds over the drafting of guidance that will govern the Facebook and other anti-trust investigations. The latter wants to keep the current standards of harm to consumers in terms of price changes, which the former thinks are inapplicable in the provision of free services. How this struggle plays out may well inform the agency’s approach to Facebook and other tech companies.
  • “Beware the ‘But China’ Excuses” – The New York Times. This article cautions people against putting too much stock in the claims by the Trump Administration and technology companies that the People’s Republic of China (PRC) is the seeming threat they say it is. If the PRC is such a threat, the United States might consider investing more in basic research and development (R&D) and in some critical tech sectors to develop and build their products in the US. Also the notion advanced by some tech sector CEOs that breaking up the tech giants will ultimately benefit PRC competitors is scrutinized.
  • “DHS Authorizes Domestic Surveillance to Protect Statues and Monuments” – Lawfare. One of my law school professors and a colleague examine a Department of Homeland Security’s (DHS) Office of Intelligence & Analysis (I&A) that authorizes intelligence and information collection on those who present threats to monuments, memorials, and statues that seems like a Trojan Horse by which DHS could surveil and mobilize protestors in the streets of American cities. The surveillance cannot be electronic surveillance, but then DHS could ask a sister agency to conduct such activity if needed.
  • “Two more cyber-attacks hit Israel’s water system” – ZDNet. It appears Iran has responded to Israel’s cyber attacks that led to a number of problems at facilities in Tehran. This is the latest in an ongoing battle between the two Middle Eastern enemies that may escalate further.


The UK Will Now Eliminate Huawei From Its 5G Networks

The Conservative government in London has changed course and will now ban Huawei from its 5G networks by 2027, but this might not be enough to head off a challenge from those in the party who want a stronger line. The British government claimed a US regulatory change has made using Huawei impracticable.


Prime Minister Boris Johnson has reversed the United Kingdom’s (UK) course on Huawei equipment in its 5G networks and instead of limiting the percentage of the UK’s next generation telecommunications network that would consist of Huawei to 35%, now Downing Street is proposing to eliminate the Chinese company entirely. While Johnson’s government is essentially blaming a United States Department of Commerce rule aiming to cut off the flow of semiconductors to Huawei, it is likely the position of a number of Conservative Members of Parliament (MPs) who were planning to oppose Johnson’s original plan informed the revised path. And much to the chagrin of this bloc of 60 or so Tory MPs, Johnson’s government is not calling for the removal of Huawei equipment from existing 2G, 3G, and 4G networks, a proposal British telecommunications companies have opposed. Consequently, Conservative MPs may try to change the coming telecommunication bill to institute the new Huawei ban to apply it to existing equipment, and they may have the votes to do so, forcing the Prime Minister to risk a defeat on the floor of the House of Commons or change his package further ahead of consideration.

Johnson had floated the notion that a so-called G10 group of nations could pool resources and develop alternative means of achieving 5G other than buying from Huawei, one of the People’s Republic of China (PRC) companies the United States has been pressuring allies and others not to buy from. It is not clear whether Johnson will try to pursue this other strategy with the new change in course.

Digital, Culture, Media and Sport Secretary Oliver Dowden made a “statement on telecoms” earlier today in the House of Commons, explaining the government’s change in plans regarding Huawei in particular. Dowden stated:

  • In January, we set out to this House our conclusions on how we would define and restrict high risk vendors, keeping them outside the network’s core and away from critical infrastructure and sites.
  • We have been clear-eyed from the start that the Chinese-owned vendors Huawei and ZTE were deemed to be high risk.
  • And we made clear that the National Cyber Security Centre (NCSC) would review and update its advice as necessary.

He declared that “[s]ince January the situation has changed.” He added that “[o]n the 15th of May the US Department of Commerce announced that new sanctions had been imposed against Huawei through changes to the foreign direct product rules…a significant, material change – and one that we have to take into consideration.”

Dowden claimed

  • This morning, the Prime Minister chaired a meeting of the National Security Council. Attendees at that meeting took full account of the NCSC’s advice, together with the implications for UK industry and wider geostrategic considerations.
  • The government agrees with the NCSC’s advice: the best way to secure our networks is for operators to stop using new affected Huawei equipment to build the UK’s future 5G networks.
  • So to be clear, from the end of this year, telecoms operators must not buy any 5G equipment from Huawei. And once the Telecoms Security Bill is passed it will be illegal for them to do so.

Dowden continued

I know that Honourable Members have sought a commitment from the government to remove Huawei equipment from our 5G network altogether. This is why we have concluded that it is necessary and prudent to commit to a timetable for the removal of Huawei equipment from our 5G network by 2027. Let me be clear. This requirement will be set out in law by the Telecoms Security Bill. By the time of the next election, we will have implemented in law an irreversible path for the complete removal of Huawei equipment from our 5G networks.

Dowden explained that “one of the reasons we are in this situation is because of global market failure…[and] [p]ut simply, countries around the world, not just in the UK, have become dangerously reliant on too few vendors.” He stated that “[w]e have already set out a clear and ambitious diversification strategy…[and] [t]hat strategy will include wide-ranging action in the short, medium and long-term with the aim of driving competition and innovation to grow the market and deliver greater resilience across our networks.” Dowden stated “[t]he strategy will focus on three core elements:”

  • First – securing the supply chains of our incumbent, non high risk suppliers by putting in place measures and mitigations that will protect supply chains and ensure there is no disruption to our networks.
  • Second – bringing new scale vendors into the UK market by removing barriers to entry, providing commercial incentives and creating large scale opportunities for new vendors to enter the UK market.
  • And third – addressing the existing structure of the supply market by investing in research and development and building partnerships between operators and vendors that will mean operators using multiple vendors in a single network will become the standard across the industry.

In a blog post and a summary, the NCSC explained in much more detail its analysis of the risks of using Huawei’s equipment, which derive mostly from the implications of US action and less from inherent risks.

NCSC Technical Director Dr Ian Levy explained “[i]n May, the US changed a subtle and detailed export control rule called the ‘Foreign-Produced Direct Product Rule’ (FDPR).” He added that “[t]he amended rule says that no-one, anywhere in the world, can send Huawei-designed chips to Huawei if US technology was used in the design tools or manufacture processes…[and] [t]his doesn’t just mean that Huawei can’t use design tools that contain US technology…[i]t also means:”

  • no-one else can take a Huawei design and turn it into chip manufacture instructions (usually something called a GDS2) using tools that contain US technology
  • even if you’ve already got the GDS2 for a Huawei chip, you can’t actually turn it into a chip if your foundry process uses US technology (and for modern process nodes, US technology is pretty pervasive) or if the GDS2 was produced using US technology

Levy stated

The FDPR change wasn’t in effect in January. It is now, and that’s a material change to the facts on the ground that has led us to revisit our analysis. The NCSC now believes that there are only three things that can happen to help Huawei in response to this action. In our recent consultations with them, Huawei haven’t disagreed with this analysis. Those options are:

  1. Someone breaks US law and continues to manufacture. This is pretty unlikely. Huawei have always publicly said that they’ll follow applicable law, but the impact on any design house or foundry that went this way would be huge. Also – given there’d be a reasonable expectation that the chips broke US law – any organisation buying the equipment would be taking a significant risk.
  2. Huawei switch chips in equipment designs to ones that aren’t Huawei-designed, but perform the same sort of function. This is a big task. Assuming you can find someone to design a chip that’s near enough to the original, the integration into the wider product is a very complex job. This can’t be a direct replacement for a Huawei-designed chip, because then at least some of the design will be Huawei’s, and so likely caught by the rule. This is a really complex engineering task. And given Huawei’s continued lack of security or engineering quality as described in the Oversight Board reports, this is highly likely to introduce security and reliability problems into the equipment for the next few years at least.
  3. Someone makes new design tools and manufacturing processes for chips that don’t use any US technology and so can provide Huawei what they need. Good luck doing that quickly. You need to invent some new ways of doing really complex things (extreme UV lithography, multi-patterning etc.) while being bound by the laws of physics. The precise mechanisms the foundry uses to make these tiny transistors dictate the design rules your EDA tools have to enforce. As a cartoon example, if the foundry process produces some fuzziness around the edges of transistors, your design tool will need to leave more space between them, or the performance of the chip could be affected. The performance and capability of your EDA tools dictate what the foundry can build reliably. If your EDA tools can’t do lots of Maxwell’s equation solving, you’ll need to route wires differently round the chip and simplify your design. You don’t need to understand how a FinFET works or what a hi-K dielectric is to know that’s a ton of work that’s likely to fail a few times.

Levy explained “[t]oday, we are publishing guidance, supported by government, as to what this all means for the future telecoms network builds and to help operators understand the impacts of this decision…[and] [t]he guidance says that:”

  • existing Huawei equipment in the UK can continue to be used, subject to the HRV policy and our mitigation strategy
  • operators need to procure enough spares to maintain the equipment for the expected lifetime
  • operators should seek to cease procuring and deploying Huawei 5G access equipment, all transport equipment, and other miscellany to manage the long-term risks of the newly designed products (practically, procurements are likely to cease by the end of 2020)
  • operators should seek to cease procuring and deploying Huawei FTTP (Fibre to the Premises) access equipment. It may take a bit longer for rollouts to cease in this case, so the Department for Digital, Culture, Media & Sport (DCMS) are going to work with industry to establish a manageable timeframe

In mid-May, the Department of Commerce’s Bureau of Industry and Security (BIS) “announced plans to protect U.S. national security by restricting Huawei’s ability to use U.S. technology and software to design and manufacture its semiconductors abroad” per the agency’s press release. BIS released an interim final rule that takes effect as of 15 May, but the agency is accepting comments through 14 July, meaning there will be a final rule issued at some point in the future once the comments have been analyzed and addressed. Nevertheless, Commerce claimed the BIS interim final rule “cuts off Huawei’s efforts to undermine U.S. export controls.”

Commerce stated

  • BIS is amending its longstanding foreign-produced direct product rule and the Entity List to narrowly and strategically target Huawei’s acquisition of semiconductors that are the direct product of certain U.S. software and technology.
  • Since 2019 when BIS added Huawei Technologies and 114 of its overseas-related affiliates to the Entity List, companies wishing to export U.S. items were required to obtain a license. However, Huawei has continued to use U.S. software and technology to design semiconductors, undermining the national security and foreign policy purposes of the Entity List by commissioning their production in overseas foundries using U.S. equipment.
  • Specifically, this targeted rule change will make the following foreign-produced items subject to the Export Administration Regulations (EAR):
    • Items, such as semiconductor designs, when produced by Huawei and its affiliates on the Entity List (e.g., HiSilicon), that are the direct product of certain U.S. Commerce Control List (CCL) software and technology; and
    • Items, such as chipsets, when produced from the design specifications of Huawei or an affiliate on the Entity List (e.g., HiSilicon), that are the direct product of certain CCL semiconductor manufacturing equipment located outside the United States. Such foreign-produced items will only require a license when there is knowledge that they are destined for reexport, export from abroad, or transfer (in-country) to Huawei or any of its affiliates on the Entity List.

Commerce added that “[t]o prevent immediate adverse economic impacts on foreign foundries utilizing U.S. semiconductor manufacturing equipment that have initiated any production step for items based on Huawei design specifications as of May 15, 2020, such foreign-produced items are not subject to these new licensing requirements so long as they are reexported, exported from abroad, or transferred (in-country) by 120 days from the effective date.”

The PRC’s Commerce Ministry posted a statement, arguing “[t]he U.S. uses state power, under the so-called excuse of national security, and abuses export control measures to continuously oppress and contain specific enterprises of other countries.” The Ministry vowed the PRC will “take all necessary measures to resolutely safeguard the legitimate rights and interests of Chinese enterprises.”



FTC Settles A Pair of Privacy Shield Cases

The FTC imposes 20-year commitments on two companies that were not meeting their requirements in terms of transferring the personal data of EU residents out of Europe.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

The Federal Trade Commission (FTC) has announced its second Privacy Shield violation settlement in the last few weeks that will impose obligations over the next 20 years so long as the United States (US) companies choose to transfer and process the data of European Union (EU) citizens and residents. The 2016 agreement requires US entities to self-certify compliance subject to enforcement by the FTC for most companies and violations are punished under the Section 5 prohibition against deceptive practices of the FTC Act. The agreement requires a range of practices for those companies that choose to participate, including heeding standards for notice, consent, accountability for onward transfers, data security, data integrity and purpose limitation. A failure to fully comply represents a violation subject to enforcement.

In the settlement announced this week, the FTC alleged that Ortho-Clinical Diagnostics, Inc. claimed it “participated in the Privacy Shield framework and complied with the program’s requirements, even though the company had allowed its certification to lapse in 2018,” according to the agency’s press release. The FTC added:

After Ortho’s certification lapsed, the Department of Commerce warned the company to either remove the claims or take steps to recertify its participation in the Privacy Shield program, which the company failed to do, the complaint alleges. The FTC also alleges Ortho violated the Privacy Shield principles by failing to verify annually that statements about its Privacy Shield practices were accurate. In addition, it also failed to comply with a Privacy Shield requirement that it affirm that the company would continue to apply Privacy Shield protections to personal information collected while participating in the program, according to the complaint.

In a Consent Agreement set to run for 20 years, Ortho-Clinical Diagnostics, Inc. “whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, must affirm to the Department of Commerce, within ten (10) days after the effective date of this Order and on an annual basis thereafter for as long as it retains such information, that it will:

1. continue to apply the EU-U.S. Privacy Shield framework principles to the personal information it received while it participated in the Privacy Shield; or

2. protect the information by another means authorized under EU (for the EU-U.S. Privacy Shield framework) or Swiss (for the Swiss-U.S. Privacy Shield framework) law, including by using a binding corporate rule or a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission.”

If the company decides not to participate in the Privacy Shield, it must delete all data within 10 days.

The FTC meted out a stiffer penalty to NTT Global Data Centers, Inc., formerly known as RagingWire Data Centers, for Privacy Shield compliance violations. The company “must hire a third-party assessor to verify that it is adhering to its Privacy Shield promises if it plans to participate in the framework” per the FTC’s press release. The FTC explained:

In a complaint filed in November 2019, the FTC alleged that, between January 2017 and October 2018, RagingWire claimed in its online privacy policy and marketing materials that the company participated in the Privacy Shield framework and complied with the program’s requirements. In fact, the FTC alleged, the company’s certification lapsed in January 2018 and it failed to comply with certain Privacy Shield requirements while it was a participant in the program. The FTC also alleged that, upon allowing its certification to lapse, RagingWire failed to take the necessary steps to confirm that it would comply with its continuing obligations relating to data received pursuant to the framework.

In the 20-year Consent Order with NTT Global Data Centers, the FTC stipulated:

no later than 120 days after the effective date of this Order and for so long as Respondent is a self-certified participant in Privacy Shield, Respondent and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertisement, marketing, promotion, offering for sale, or sale of any product or service, shall obtain an annual outside compliance review from an independent third-party assessor approved by the Associate Director for the Division of Enforcement of the Bureau of Consumer Protection at the Federal Trade Commission, that demonstrates that the assertions Respondent makes about its Privacy Shield practices are true, and that those Privacy Shield practices have been implemented as represented and in accord with the Privacy Shield Principles. (emphasis added).

NTT Global Data Centers must also:

1. continue to apply the EU-U.S. Privacy Shield framework principles to the personal information it received while it participated in the Privacy Shield; or

2. protect the information by another means authorized under EU (for the EU-U.S. Privacy Shield framework) or Swiss (for the Swiss-U.S. Privacy Shield framework) law, including by using a binding corporate rule or a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission

The FTC split over the Consent Order against NTT Global Data Centers, with Commissioner Rohit Chopra dissenting for these reasons:

  • American businesses that participate in the EU-U.S. Privacy Shield Framework should not have to compete with those that break their privacy promises.
  • The FTC charged a data center company with violating their Privacy Shield commitments, but our proposed settlement does not even attempt to adequately remedy the harm to the market.
  • The evidence in the record raises serious concerns that customers looking to follow the law relied on the company’s representations and may be locked into long-term contracts.
  • A quick settlement with a small firm for an inadvertent mistake may be appropriate, but it is inadequate for a dishonest, large firm violating a core pillar of Privacy Shield.
  • We must consider seeking additional remedies, including rights to renegotiate contracts, disgorgement of ill-gotten revenue and data, and notice and redress for customers.

Chair Joe Simons and Commissioners Noah Joshua Phillips and Christine Wilson argued in their majority statement that

Commissioner Chopra would ask us to reject a settlement that protects consumers and furthers our Privacy Shield goals, to instead continue litigation during an ongoing pandemic. There is no need and doing so would unnecessarily divert resources from other important matters, including investigations of other substantive violations of Privacy Shield. We do not support moving the goalposts in this manner and for this reason vote to accept the settlement, which not just accords with but exceeds the relief the Commission unanimously sought to obtain at the outset of the case.

Despite these and other Privacy Shield enforcement actions, it is likely EU officials will still find US enforcement lacking. The European Data Protection Board (EDPB or Board) released its most recent annual assessment of the Privacy Shield in December 2019 and again found both the agreement itself and implementation wanting. There was some overlap between the concerns of the EDPB and the European Commission (EC) as detailed in its recently released third assessment of the Privacy Shield, but the EDPB discusses areas that were either omitted from or downplayed in the EC’s report. The EDPB’s authority is persuasive with respect to Privacy Shield and carries weight with the EC; its concerns as detailed in previous annual reports have pushed the EC to demand changes, including, but not limited to, pushing the Trump Administration to nominate Board Members to the Privacy and Civil Liberties Oversight Board (PCLOB) and to appoint a new Ombudsperson to handle complaints about how the U.S. Intelligence Community is handling the personal data of EU citizens.

In January 2019, in the “EU-U.S. Privacy Shield – Second Annual Joint Review,” the EDPB noted some progress by the US in implementing the EU-U.S. Privacy Shield. However, the EU’s Data Protection Authorities (DPA) and EDPB took issue with a number of shortcomings in US implementation, many of which have been noted in previous analyses of US efforts to ensure that U.S. companies that agree to the Privacy Shield’s principles adhere to them. Notably, the EDPB found problems with the assurances provided by the US government regarding the collection and use of personal data by national security and law enforcement agencies. The EDPB also found problems with how the Department of Commerce and FTC are enforcing the Privacy Shield in the US against commercial entities.


Further Reading and Other Developments (4 July)


Other Developments

  • The Senate invoked cloture on the nomination of acting Office of Management and Budget (OMB) Director Russell Vought to be confirmed in that role and will vote on the nomination on 20 July. OMB has been without a Senate-confirmed Director since Mick Mulvaney resigned at the end of March, but he was named acting White House Chief of Staff in January 2019, resulting in Vought serving as the acting OMB head since that time.
  • The United States Federal Chief Information Officer (CIO) Suzette Kent announced she is stepping down in July, and Deputy Federal CIO Maria Roat is expected to be named acting Federal CIO. Given the Trump Administration’s approach to submitting nominations to the Senate for confirmation and the Senate’s truncated work schedule due to the election, it is likely no nomination will be made this year. Kent technically held the position of Administrator of the Office of Electronic Government within the Office of Management and Budget (OMB), and her portfolio includes a range of technology-related matters including cybersecurity, information technology (IT) policy and procurement, workforce, data security, data management and others.
  • The General Services Administration (GSA) announced the next step in “establish[ing] a program to procure commercial products through commercial e-commerce portals for purposes of enhancing competition, expediting procurement, enabling market research, and ensuring reasonable pricing of commercial products.” GSA “awarded contracts to three e-marketplace platform providers,” Amazon Business, Fisher Scientific, and Overstock.com, Inc., which “allows GSA to test the use of commercial e-commerce portals for purchases below the micro-purchase threshold of $10,000 using a proof-of-concept (for up to three years).” Section 846 of the 2018 National Defense Authorization Act (P.L. 115-91) directed GSA to implement such a program, and the agency claimed in a blog posting:
    • These contracts and platforms will be available to federal agencies as part of a governmentwide effort to modernize the buying experience for agencies and help them gain insights into open-market online spend occurring outside of existing contracts.  It is estimated that open market purchases on government purchase cards represent an addressable market of $6 billion annually.
    • The goal of the proof of concept is to provide a modern buying solution for federal customers and increase transparency on agency spending that’s already taking place with better data through this solution. Further, this solution leverages the government’s buying power and increases supply chain security awareness with a governmentwide approach.
  • In response to the ongoing and growing advertising boycott, Facebook announced in a press release some changes to the platform’s policies regarding voter suppression or hateful content. CEO Mark Zuckerberg stated “Three weeks ago, I committed to reviewing our policies ahead of the 2020 elections…[and] [t]hat work is ongoing, but today I want to share some new policies to connect people with authoritative information about voting, crack down on voter suppression, and fight hate speech:
    • 1. Providing Authoritative Information on Voting During the Pandemic
      • Last week, we announced the largest voting information campaign in American history, with the goal of helping 4 million people register to vote. As part of this, we’re creating a Voting Information Center to share authoritative information on how and when you can vote, including voter registration, voting by mail and early voting. During a pandemic when people may be afraid of going to polls, sharing authoritative information on voting by mail will be especially important. We’ll be showing the Voting Information Center at the top of the Facebook and Instagram apps over the coming months.
    • 2. Additional Steps to Fight Voter Suppression
      • Since the most dangerous voter suppression campaigns can be local and run in the days immediately before an election, we’re going to use our Elections Operations Center to quickly respond and remove false claims about polling conditions in the 72 hours leading into election day. Learning from our experience fighting Covid misinformation, we will partner with and rely on state election authorities to help determine the accuracy of information and what is potentially dangerous. We know this will be challenging in practice as facts on the ground may be uncertain and we don’t want to remove accurate information about challenges people are experiencing, but we’re building our operation to be able to respond quickly.
      • We will also ban posts that make false claims saying ICE agents are checking for immigration papers at polling places, which is a tactic used to discourage voting. We’ll also remove any threats of coordinated interference, like someone saying “My friends and I will be doing our own monitoring of the polls to make sure only the right people vote”, which can be used to intimidate voters. We will continue to review our voter suppression policies on an ongoing basis as part of our work on voter engagement and racial justice.
    • 3. Creating a Higher Standard for Hateful Content in Ads
      • This week’s study from the EU showed that Facebook acts faster and removes a greater percent of hate speech on our services than other major internet platforms, including YouTube and Twitter. We’ve invested heavily in both AI systems and human review teams so that now we identify almost 90% of the hate speech we remove before anyone even reports it to us. We’ve also set the standard in our industry by publishing regular transparency reports so people can hold us accountable for progress. We will continue investing in this work and will commit whatever resources are necessary to improve our enforcement.
      • We believe there is a public interest in allowing a wider range of free expression in people’s posts than in paid ads. We already restrict certain types of content in ads that we allow in regular posts, but we want to do more to prohibit the kind of divisive and inflammatory language that has been used to sow discord. So today we’re prohibiting a wider category of hateful content in ads. Specifically, we’re expanding our ads policy to prohibit claims that people from a specific race, ethnicity, national origin, religious affiliation, caste, sexual orientation, gender identity or immigration status are a threat to the physical safety, health or survival of others. We’re also expanding our policies to better protect immigrants, migrants, refugees and asylum seekers from ads suggesting these groups are inferior or expressing contempt, dismissal or disgust directed at them.
    • 4. Labeling Newsworthy Content
      • A handful of times a year, we leave up content that would otherwise violate our policies if the public interest value outweighs the risk of harm. Often, seeing speech from politicians is in the public interest, and in the same way that news outlets will report what a politician says, we think people should generally be able to see it for themselves on our platforms.
      • We will soon start labeling some of the content we leave up because it is deemed newsworthy, so people can know when this is the case. We’ll allow people to share this content to condemn it, just like we do with other problematic content, because this is an important part of how we discuss what’s acceptable in our society — but we’ll add a prompt to tell people that the content they’re sharing may violate our policies.
      • To clarify one point: there is no newsworthiness exemption to content that incites violence or suppresses voting. Even if a politician or government official says it, if we determine that content may lead to violence or deprive people of their right to vote, we will take that content down. Similarly, there are no exceptions for politicians in any of the policies I’m announcing here today.”
  • On 30 June, Facebook banned the boogaloo movement from its platform. The company “designat[ed] a violent US-based anti-government network under our Dangerous Individuals and Organizations policy and disrupting it on our services…[and] [a]s a result, this violent network is banned from having a presence on our platform and we will remove content praising, supporting or representing it.”
  • The United States Department of Commerce suspended “regulations affording preferential treatment to Hong Kong… including the availability of export license exceptions.” The Trump Administration took this latest action in its trade war with the People’s Republic of China (PRC) because of “the Chinese Communist Party’s imposition of new security measures on Hong Kong” and “the risk that sensitive U.S. technology will be diverted to the People’s Liberation Army or Ministry of State Security has increased, all while undermining the territory’s autonomy.” The United States Department of State added “the United States will today end exports of U.S.-origin defense equipment and will take steps toward imposing the same restrictions on U.S. defense and dual-use technologies to Hong Kong as it does for China.”
  • The Democratic National Committee (DNC) updated its “social media comparative analysis to reflect changes companies have made in recent months to their counter disinformation and election integrity policies.” The DNC is working with Facebook/Instagram, Twitter, Google/YouTube, and now Snapchat “to combat platform manipulation and train our campaigns on how best to secure their accounts and protect their brands against disinformation.”
  • The Office of the Privacy Commissioner of Canada (OPC) and three privacy agencies for provinces of Canada announced an investigation “into a Tim Hortons mobile ordering application after media reports raised concerns about how the app may be collecting and using data about people’s movements as they go about their daily activities.” A journalist made a request to Tim Hortons under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and learned the company’s app had logged his longitude and latitude coordinates over 2,700 times in five months, sometimes when he was not using the app even though the company has claimed it only tracks users when the app is being used. Moreover, Tim Hortons combines data from sister companies also owned by Restaurant Brands International like Burger King and Popeyes.
  • The United Kingdom’s Information Commissioner’s Office (ICO) released an “investigation report into the use of mobile phone extraction (MPE) by police forces when conducting criminal investigations in England and Wales” which “found that police data extraction practices vary across the country, with excessive amounts of personal data often being extracted and stored without an appropriate basis in existing data protection law.” The ICO made a range of recommendations, many of which will require a legislative revamp of the laws that currently govern these practices.
  • Ireland’s Data Protection Commission released its “2018-2020 Regulatory Activity Under GDPR” and listed the following enforcement actions under the General Data Protection Regulation:
    • An Garda Síochána – reprimand and corrective powers applied in accordance with the Data Protection Act, 2018.
    • Tusla; The Child and Family Agency – reprimand and fine applied in accordance with the Data Protection Act, 2018.
    • Tusla; The Child and Family Agency – reprimand and fine applied in accordance with the Data Protection Act, 2018.
    • Twitter – Inquiry completed and draft decision forwarded to EU concerned data protection authorities in accordance with Article 60 of the GDPR.
    • DEASP – Enforcement notice issued regarding the use of the Public Services Card (currently under appeal).
    • 59 Section 10 decisions issued.
    • 15,000 breach notifications assessed and concluded.
    • 9 litigation cases concluded in the Irish Courts.
    • Hearing in CJEU Standard Contractual Clauses case brought by DPC to Irish High Court.
    • 80% of cases received under the GDPR have been concluded.
  • The National Telecommunications and Information Administration (NTIA) issued its “American Broadband Initiative Progress Report,” an update on a Trump Administration inter-agency effort to implement “a cohesive government-wide strategy to reform broadband deployment” started in 2019. NTIA highlighted the following accomplishments:
    • Through the ReConnect program, as of March 2020, the U.S. Department of Agriculture (USDA) awarded over $744 million in funds to support more than 80 broadband projects benefiting more than 430,000 rural residents in 34 states. The Federal Communications Commission (FCC) and USDA also established processes to coordinate awards for rural broadband deployment to ensure that USDA-funded grants do not overlap with the FCC’s $20 Billion Rural Digital Opportunity Fund (RDOF) or the $9 Billion 5G Fund for Rural America.
    • The Department of the Interior (DOI) launched a Joint Overview-Established Locations (JOEL) mapping tool to make site locations visible to service providers looking to locate equipment on Federal property, and added new data layers from the General Services Administration, the U.S. Forest Service, and U.S. Postal Service. Since its release, the map has been viewed 4,294 times, averaging 7 views per day.
    • In June 2019, the General Services Administration (GSA) published the FY 2018 Federal Real Property Profile (FRPP) public data set, updated with a set of filters allowing users to identify Federal property that could be candidates for communications infrastructure installation. This publicly available data now includes the height of buildings and facilities and the elevation above mean sea level, helping the communications industry to determine a structure’s suitability for siting communications facilities. In June 2020, GSA will update the FRPP public data set with more current data from FY 2019.
    • In March 2019, the Department of Commerce’s NTIA updated its website with information about Federal Agencies’ permitting processes and funding information to provide easier, “one-stop” access to the information. NTIA continues to update this information with support from Agencies.
    • In September 2019, NTIA completed the first phase of its National Broadband Availability Map (NBAM), a geographic information system platform which allows for the visualization and analysis of federal, state, and commercially available data sets. As of June 2020, the NBAM program includes 18 States who are partnering on this critical broadband data platform.
    • In February 2020, GSA and USDA’s Forest Service (FS) finalized a revised Standard Form (SF-299), making this Common Application Form suitable for telecommunications purposes.

Further Reading

  • “Google will start paying some publishers for news articles” – The Verge. In part because of pressure from regulators in Australia and France, Google will begin paying some news outlets for articles. This could be the start of a larger trend of online platforms compensating media, which have long argued this should be the case. However, similar systems in Germany and Spain earlier this decade failed to bolster the media in those countries financially, and Google responded to the Spanish statute by ceasing to operate its News platform in that country.
  • “Trump’s strike at Twitter risks collateral damage inside the executive branch” – Politico. One aspect of the Trump Administration executive order on online platforms is that it directs federal agencies to review their online advertising and marketing subject to additional Office of Management and Budget and Department of Justice review. If fully implemented, this process could derail a number of agency initiatives ranging from military recruitment to fighting drug addiction.
  • “Column: With its Sprint merger in the bag, T-Mobile is already backing away from its promises” – The Los Angeles Times. Critics of the T-Mobile-Sprint merger have pounced on a recent filing with the California Public Utilities Commission in which the company has asked for two additional years to build out its 5G network despite making this a signal promise in selling California Attorney General Xavier Becerra on the deal. Likewise, the company is trying to renegotiate its promise to create 1,000 new jobs in the state.
  • “Facebook policy changes fail to quell advertiser revolt as Coca-Cola pulls ads” – The Guardian. Despite Facebook CEO Mark Zuckerberg’s announcement of policy changes (see Other Developments above), advertisers continue to join a widening boycott that some companies are applying across all major social media platforms. Unilever, Coca-Cola, Hershey’s, Honda, and others joined the movement. The majority of Facebook’s income comes from advertising, so a sustained boycott could do more than push down the company’s share value. And the changes announced at the end of last week do not seem to have impressed the boycott’s organizers. It would be interesting if pressure placed on companies advertising on Facebook effects more change than pressure from the right and left in the United States, European Union, and elsewhere.
  • “Trump administration tells Facebook, Twitter to act against calls to topple statues, commit violent acts” – The Washington Post. The Department of Homeland Security sent letters late last week to the largest technology companies, asserting they may have played a role in “burglary, arson, aggravated assault, rioting, looting, and defacing public property” by allowing people to post on or use their platforms. The thrust of the argument seems to be that Twitter, Facebook, Apple, Google, and other companies should have done more to prevent people from posting and sharing material that allegedly resulted in violence. Acting Secretary of Homeland Security Chad Wolf argued “In the wake of George Floyd’s death, America faced an unprecedented threat from violent extremists seeking to co-opt the tragedy of his death for illicit purposes.” These letters did not mention President Donald Trump’s tweets that seem to encourage authorities to use violence against protestors. Moreover, they seem to be of a piece with the recent executive order in that there is a scant legal basis for the action designed to cow the social media platforms.
  • “Twitch, Reddit crack down on Trump-linked content as industry faces reckoning” – Politico. Two platforms acted against President Donald Trump and his supporters for violating the platforms’ terms of service and rules. The irony here is that the recent executive order on social platforms seeks to have them held accountable for not operating according to their terms of service.
  • “Inside Facebook’s fight against European regulation” – Politico. Through until-now unavailable European Commission documents on meetings with and positions of Facebook, this article traces the slow evolution of the company’s no-regulation approach in the European Union (EU) to a public position ostensibly amenable to regulation. It is also perhaps the tale of using lobbying tactics that work in Washington, DC, that have largely failed to gain traction in Brussels.
