Further Reading, Other Developments, and Coming Events (15 October)

Further Reading

  •  “Amazon to escape UK digital services tax that will hit smaller traders” By Mark Sweney — The Guardian. According to media reports, the United Kingdom’s (UK) new digital services tax will not be levied on goods Amazon sells directly to consumers. Rather, the new tax HM Revenue and Customs will be on the revenue from services Amazon and other platforms charge to third-party sellers using Amazon. And, Amazon has made clear it will merely pass along the 2% tax to these entities. This is a strange outcome to a policy ostensibly designed to address the fact that the tach giant paid only £14.4 million in corporation taxes to the UK last year on £13.7 billion in revenue.
  • Norway blames Russia for cyber-attack on parliament” — BBC News. In a statement, the Norwegian government claimed that its Parliament has been breached, and Norway’s Foreign Minister is saying the Russian Federation is the culprit. Last month the government in Oslo said that the email accounts of some government officials had been compromised, but this announcement seems to indicate the breach was far wider than thought last month, or that the government knew and was holding back the information. If true, this is the second such penetration and exfiltration by Russian security services of a European government in the recent past as the German government made the same claims, which lead to the European Union’s first cyber sanctions.
  • Twitter suspends accounts for posing as Black Trump supporters” By Kari Paul — The Guardian and “Fake Twitter accounts posing as Black Trump supporters appear, reach thousands, then vanish” By Craig Timberg and Isaac Stanley-Becker — The Washington Post. As a rule of thumb, I find the Cui Bono helpful. And, so it is with fake Twitter accounts of alleged African Americans who will vote for President Donald Trump. Are these courtesy of the Republican Party and the Trump Campaign? Maybe. They would certainly gain from peeling off African American support for Vice President Joe Biden considering its his strongest constituency as measured by percentage support relative to total population. The Russians? Sure. They also stand to benefit from stirring the cauldron of unease and division in the United States regardless of who wins, and possibly even more so if Biden wins for the U.S. will likely return to its pre-Trump adversarial policy towards the Russian Federation. And, finally how does Twitter benefit from taking down the sort of fake accounts that violate its terms of service when this has not often been its modus operandi? Perhaps to curry favor with a Biden Administration likely to push for changes as to how social media platforms are to be regulated.
  • Backers of Australia’s mandatory news code welcome French ruling on Google” By Amanda Meade — The Guardian. Not surprisingly, the Australian Competition and Consumer Commission (ACCC) was delighted when a French appeals court ruled in favor of France’s competition authority against Google in its challenge of a French law to require social media platforms to pay traditional media for use of their content. The ACCC has been fighting its own battle on this front with its draft code that would require Google and Facebook to do the same down under.
  • Can Tinder be sued for breach of care?” By James Purtrill — ABC News. Given the recent allegations that Tinder knew of sexual assaulters using their app and doing nothing, this piece looks at the liability Tinder may face under Australian law. It is quite likely if sexual assaults related to Tinder indifference or negligence is occurring in other common law countries, then the company may be facing lawsuits there, too.

Other Developments

  • The Government Accountability Office (GAO) found that the Federal Aviation Administration (FAA) has not all it can on aviation cybersecurity despite the absence of any successful cyber attacks on a plane’s avionics system. The GAO asserted:
    • FAA has not (1) assessed its oversight program to determine the priority of avionics cybersecurity risks, (2) developed an avionics cybersecurity training program, (3) issued guidance for independent cybersecurity testing, or (4) included periodic testing as part of its monitoring process. Until FAA strengthens its oversight program, based on assessed risks, it may not be able to ensure it is providing sufficient oversight to guard against evolving cybersecurity risks facing avionics systems in commercial airplanes.
    • The GAO allowed:
      • Increasing use of technology and connectivity in avionics has brought new opportunities for persons with malicious intentions to target commercial transport airplanes. The connections among avionics and other systems onboard airplanes and throughout the aviation ecosystem are growing more complex as airplanes become more connected to systems that are essential for flight safety and operations. Airframe manufacturers are deploying software and hardware protections to reduce the risk of the cyber threats currently facing avionics systems.
    • The GAO contended:
      • Further, while FAA has mechanisms for coordinating among its internal components and with other federal agencies and private sector stakeholders to address cybersecurity risks, it has not established avionics cybersecurity risks as a priority. As a result, avionics cybersecurity issues that have been raised within FAA have not been consistently tracked to resolution. Until FAA conducts an overall assessment of the cybersecurity risks to avionics systems and prioritizes coordination efforts based on that assessment, it may not be allocating resources and coordinating on risks as effectively as it could.
    • The GAO made this recommendations:
      • The FAA Administrator should direct the Associate Administrator for Aviation Safety to conduct a risk assessment of avionics systems cybersecurity to identify the relative priority of avionics cybersecurity risks for its oversight program compared to other safety concerns and develop a plan to address those risks. (Recommendation 1)
      • The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to identify staffing and training needs for agency inspectors specific to avionics cybersecurity, and develop and implement appropriate training to address identified needs. (Recommendation 2)
      • The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to develop and implement guidance for avionics cybersecurity testing of new airplane designs that includes independent testing. (Recommendation 3)
      • The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to review and consider revising its policies and procedures for monitoring the effectiveness of avionics cybersecurity controls in the deployed fleet to include developing procedures for safely conducting independent testing. (Recommendation 4)
      • The FAA Administrator should direct the Associate Administrator for Aviation Safety to develop a mechanism to ensure that avionics cybersecurity issues are appropriately tracked and resolved when coordinating among internal stakeholders. (Recommendation 5)
      • The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to review and consider the extent to which oversight resources should be committed to avionics cybersecurity. (Recommendation 6)
  • The chairs and ranking members of the House Energy and Commerce Committee and one of its subcommittee wrote the Government Accountability Office (GAO) to “evaluate Department of Health and Human Services’ (HHS) [cyber] incident response capabilities…[and] should include assessing the agency’s forensic threat intelligence data infrastructure used in responding to major or significant incidents involving persistent threats and data breaches.” Chair Frank Pallone, Jr. (D-NJ), Ranking Member Greg Walden (R-OR), and Oversight and Investigations Subcommittee Chair Diana DeGette (D-CO), and Ranking Member Brett Guthrie (R-KY) stated:
    • The Chief Information Security Officer at HHS recently acknowledged that the ongoing COVID-19 public health crisis has placed a new target on HHS, and malicious actors have boosted their efforts to infiltrate the agency and access sensitive data. In addition, it was reported in March 2020 that HHS suffered a cyber-attack on its computer system. According to people familiar with the incident, it was part of a campaign of disruption and disinformation that was aimed at undermining the response to the coronavirus pandemic and may have been the work of a foreign actor. Further, emerging cyber threats, such as the advanced persistent threat groups that exploited COVID-19 in early 2020, underscore the importance of effectively protecting information systems supporting the agency.
    • Given the types of information created, stored, and shared on the information systems owned and operated by HHS, it is important that the agency implement effective incident response handling processes and procedures to address persistent cyber-based threats.
  • A federal court denied Epic Games’ request for a preliminary injunction requiring Apple to put Fortnite back into the App Store. The judge assigned the case had signaled this request would likely fail as its request for a temporary restraining order was also rejected. The United States District Court for the Northern District of California summarized Epic’s motion:
    • In this motion for preliminary injunction, Epic Games asks the Court to force Apple to reinstate Fortnite to the Apple App Store, despite its acknowledged breach of its licensing agreements and operating guidelines, and to stop Apple from terminating its affiliates’ access to developer tools for other applications, including Unreal Engine, while Epic Games litigates its claims.
    • The court stated:
      • Epic Games bears the burden in asking for such extraordinary relief. Given the novelty and the magnitude of the issues, as well as the debate in both the academic community and society at large, the Court is unwilling to tilt the playing field in favor of one party or the other with an early ruling of likelihood of success on the merits. Epic Games has strong arguments regarding Apple’s exclusive distribution through the iOS App Store, and the in-app purchase (“IAP”) system through which Apple takes 30% of certain IAP payments. However, given the limited record, Epic Games has not sufficiently addressed Apple’s counter arguments. The equities, addressed in the temporary restraining order, remain the same.
    • The court held:
      • Apple and all persons in active concert or participation with Apple, are preliminarily enjoined from taking adverse action against the Epic Affiliates with respect to restricting, suspending or terminating the Epic Affiliates from the Apple’s Developer Program, on the basis that Epic Games enabled IAP direct processing in Fortnite through means other than the Apple IAP system, or on the basis of the steps Epic Games took to do so. This preliminary injunction shall remain in effect during the pendency of this litigation unless the Epic Affiliates breach: (1) any of their governing agreements with Apple, or (2) the operative App Store guidelines. This preliminary injunction supersedes the prior temporary restraining order.
    • In its complaint, Epic Games is arguing that Apple’s practices violate federal and California antitrust and anti-competition laws. Epic Games argued:
      • This case concerns Apple’s use of a series of anti-competitive restraints and monopolistic practices in markets for (i) the distribution of software applications (“apps”) to users of mobile computing devices like smartphones and tablets, and (ii) the processing of consumers’ payments for digital content used within iOS mobile apps(“in-app content”). Apple imposes unreasonable and unlawful restraints to completely monopolize both markets and prevent software developers from reaching the over one billion users of its mobile devices (e.g., iPhone and iPad) unless they go through a single store controlled by Apple, the App Store, where Apple exacts an oppressive 30% tax on the sale of every app. Apple also requires software developers who wish to sell digital in-app content to those consumers to use a single payment processing option offered by Apple, In-App Purchase, which likewise carries a 30% tax.
      • In contrast, software developers can make their products available to users of an Apple personal computer (e.g., Mac or MacBook) in an open market, through a variety of stores or even through direct downloads from a developer’s website, with a variety of payment options and competitive processing fees that average 3%, a full ten times lower than the exorbitant 30% fees Apple applies to its mobile device in-app purchases.
    • In its late August denial of Epic Games’ request for a temporary restraining order, the court decided the plaintiff does not necessarily have an antitrust case strong enough to succeed on the merits, has not demonstrated irreparable harm because the “current predicament appears to be of its own making,” would unjustifiably be enriched if Fortnite is reinstated to the App Store without having to pay 30% of in app purchases to Apple, and is not operating in a public interest strong enough to overcome the expectation private parties will honor their contracts or resolve disputes through normal means.
  • As part of its Digital Modernization initiative, the Department of Defense (DOD) released its Data Strategy which is supposed to change how the DOD and its components collect, process, and use data, which is now being framed as an essential element of 21st Century conflicts. The DOD stated:
    • DOD must accelerate its progress towards becoming a data-centric organization. DOD has lacked the enterprise data management to ensure that trusted, critical data is widely available to or accessible by mission commanders, warfighters, decision-makers, and mission partners in a real- time, useable, secure, and linked manner. This limits data-driven decisions and insights, which hinders the execution of swift and appropriate action.
    • Additionally, DOD software and hardware systems must be designed, procured, tested, upgraded, operated, and sustained with data interoperability as a key requirement. All too often these gaps are bridged with unnecessary human-machine interfaces that introduce complexity, delay, and increased risk of error. This constrains the Department’s ability to operate against threats at machine speed across all domains.
    • DOD also must improve skills in data fields necessary for effective data management. The Department must broaden efforts to assess our current talent, recruit new data experts, and retain our developing force while establishing policies to ensure that data talent is cultivated. We must also spend the time to increase the data acumen resident across the workforce and find optimal ways to promote a culture of data awareness.
    • The DOD explained how it will implement the new strategy:
      • Strengthened data governance will include increased oversight at multiple levels. The Office of the DOD Chief Data Officer (CDO) will govern the Department’s data management efforts and ensure sustained focus by DOD leaders. The DOD Chief Information Officer (DOD CIO) will ensure that data priorities are fully integrated into the DOD Digital Modernization program, ensuring synchronization with DOD’s cloud; AI; Command, Control, and Communications (C3); and cybersecurity efforts. The DOD CIO will also promote compliance with CDO guidance via CIO authorities for managing IT investments, issuing DOD policy, and certifying Service/component budgets.
      • The CDO Council, chaired by the DOD CDO, will serve as the primary venue for collaboration among data officers from across the Department. This body will identify and prioritize data challenges, develop solutions, and oversee policy and data standards of the Department. While working closely with the appropriate governance bodies, members of the CDO Council must also advocate that data considerations be made an integral part of all the Department’s requirements, research, procurement, budgeting, and manpower decisions.
    • The DOD concluded:
      • Data underpins digital modernization and is increasingly the fuel of every DOD process, algorithm, and weapon system. The DOD Data Strategy describes an ambitious approach for transforming the Department into a data-driven organization. This requires strong and effective data management coupled with close partnerships with users, particularly warfighters. Every leader must treat data as a weapon system, stewarding data throughout its lifecycle and ensuring it is made available to others. The Department must provide its personnel with the modern data skills and tools to preserve U.S. military advantage in day-to-day competition and ensure that they can prevail in conflict.
    • In its draft Digital Modernization Strategy, the DOD stated:
      • The DOD Digital Modernization Strategy, which also serves as the Department’s Information Resource Management (IRM) Strategic Plan, presents Information Technology (IT)-related modernization goals and objectives that provide essential support for the three lines of effort in the National Defense Strategy (NDS), and the supporting National Defense Business Operations Plan (NDBOP). It presents the DOD CIO’s vision for achieving the Department’s goals and creating “a more secure, coordinated, seamless, transparent, and cost-effective IT architecture that transforms data into actionable information and ensures dependable mission execution in the face of a persistent cyber threat.”

Coming Events

  • The European Union Agency for Cybersecurity (ENISA), Europol’s European Cybercrime Centre (EC3) and the Computer Emergency Response Team for the EU Institutions, Bodies and Agencies (CERT-EU) will hold the 4th annual IoT Security Conference series “to raise awareness on the security challenges facing the Internet of Things (IoT) ecosystem across the European Union:”
    • Supply Chain for IoT – 21 October at 15:00 to 16:30 CET
  • The Federal Communications Commission (FCC) will hold an open commission meeting on 27 October, and the agency has released a tentative agenda:
    • Restoring Internet Freedom Order Remand – The Commission will consider an Order on Remand that would respond to the remand from the U.S. Court of Appeals for the D.C. Circuit and conclude that the Restoring Internet Freedom Order promotes public safety, facilitates broadband infrastructure deployment, and allows the Commission to continue to provide Lifeline support for broadband Internet access service. (WC Docket Nos. 17-108, 17-287, 11- 42)
    • Establishing a 5G Fund for Rural America – The Commission will consider a Report and Order that would establish the 5G Fund for Rural America to ensure that all Americans have access to the next generation of wireless connectivity. (GN Docket No. 20-32)
    • Increasing Unlicensed Wireless Opportunities in TV White Spaces – The Commission will consider a Report and Order that would increase opportunities for unlicensed white space devices to operate on broadcast television channels 2-35 and expand wireless broadband connectivity in rural and underserved areas. (ET Docket No. 20-36)
    • Streamlining State and Local Approval of Certain Wireless Structure Modifications – The Commission will consider a Report and Order that would further accelerate the deployment of 5G by providing that modifications to existing towers involving limited ground excavation or deployment would be subject to streamlined state and local review pursuant to section 6409(a) of the Spectrum Act of 2012. (WT Docket No. 19-250; RM-11849)
    • Revitalizing AM Radio Service with All-Digital Broadcast Option – The Commission will consider a Report and Order that would authorize AM stations to transition to an all-digital signal on a voluntary basis and would also adopt technical specifications for such stations. (MB Docket Nos. 13-249, 19-311)
    • Expanding Audio Description of Video Content to More TV Markets – The Commission will consider a Report and Order that would expand audio description requirements to 40 additional television markets over the next four years in order to increase the amount of video programming that is accessible to blind and visually impaired Americans. (MB Docket No. 11-43)
    • Modernizing Unbundling and Resale Requirements – The Commission will consider a Report and Order to modernize the Commission’s unbundling and resale regulations, eliminating requirements where they stifle broadband deployment and the transition to next- generation networks, but preserving them where they are still necessary to promote robust intermodal competition. (WC Docket No. 19-308)
    • Enforcement Bureau Action – The Commission will consider an enforcement action.
  • On October 29, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”
  • The Senate Commerce, Science, and Transportation Committee will reportedly hold a hearing on 29 October regarding 47 U.S.C. 230 with testimony from:
    • Jack Dorsey, Chief Executive Officer of Twitter;
    • Sundar Pichai, Chief Executive Officer of Alphabet Inc. and its subsidiary, Google; and 
    • Mark Zuckerberg, Chief Executive Officer of Facebook.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by amrothman from Pixabay

Further Reading, Other Developments, and Coming Events (2 October)

Coming Events

  • On 6 October, the House Administration Committee’s Elections Subcommittee will hold a virtual hearing titled “Voting Rights and Election Administration: Combatting Misinformation in the 2020 Election.”
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On October 29, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”

Other Developments

  • The Government Accountability Office (GAO) released a report on the confused nature of the United States’ (U.S.) government efforts to address longstanding, endemic cybersecurity issues that will likely renew calls for a National Cyber Director position to be created in the White House. Moreover, Congress could revisit and clarify current lines of authority and responsibility for a more streamlined, transparent, and accountable structure to oversee federal and private sector cybersecurity.  The report was requested by the chair and ranking member of the Senate Homeland Security & Governmental Affairs Committee, the chair of the House Oversight Committee, and three of the four members of the Cyberspace Solarium Commission serving in Congress.
    • The GAO found:
      • The White House’s September 2018 National Cyber Strategy and the NSC’s accompanying June 2019 Implementation Plan detail the executive branch’s approach to managing the nation’s cybersecurity. When evaluated together, these documents addressed several of the desirable characteristics of national strategies, but lacked certain key elements for addressing others.
      • While the National Cyber Strategy and Implementation Plan address some of the characteristics of an effective national strategy, additional efforts are needed to fully incorporate risk assessment; performance measures; and resources, investments, and risk management into the executive branch’s cybersecurity strategy. Further, our previous reviews, as well as other studies, have highlighted the need for responsibility and accountability for leading and overseeing national cybersecurity policy to be elevated to the White House. Although NSC staff is tasked with the coordination of efforts to carry out the National Cyber Strategy and its accompanying Implementation Plan, there is a lack of clarity around how it plans on accomplishing this. Without effective and transparent leadership that includes a clearly defined leader, a defined management process, and a formal monitoring mechanism, the executive branch cannot ensure that entities are effectively executing their assigned activities intended to support the nation’s cybersecurity strategy and ultimately overcome this urgent challenge
    • The GAO recommended that Congress consider “legislation to designate a leadership position in the White House with the commensurate authority—for example, over budgets and resources—to implement and encourage action in support of the nation’s cyber critical infrastructure, including the implementation of the National Cyber Strategy.”
    • The GAO recommended to the National Security Council:
      • The Chairman of the National Security Council, or his designee, should work with relevant federal entities to update strategy documents related to the nation’s cybersecurity to better reflect desirable characteristics of a national strategy, to include:
        • an assessment of cyber-related risk, based on an analysis of the threats to, and vulnerabilities of, critical assets and operations;
        • measures of performance and formal mechanism to track progress of the execution of activities; and
        • an analysis of the cost and resources needed to implement the National Cyber Strategy. (Recommendation 1)
  • The United States (U.S.) and the United Kingdom (UK) issued a declaration “on Cooperation in Artificial Intelligence Research and Development: A Shared Vision for Driving Technological Breakthroughs in Artificial Intelligence.” The U.S. and UK committed to cooperate on research and development on artificial intelligence (AI), a key emphasis of the Trump Administration which sees this realm as being crucial for maintaining U.S. military and technological superiority over adversaries like the People’s Republic of China (PRC) and the Russian Federation. The U.S. and UK stated:
    • Building on the US-UK Science and Technology Agreement signed in September 2017, we intend to advance our shared vision and work towards an AI R&D ecosystem that embodies this approach by:
      • Taking stock of and utilizing existing bilateral science and technology cooperation (e.g., the Memorandum of Understanding between the U.S. National Science Foundation and UK Research and Innovation on Research Cooperation) and multilateral cooperation frameworks;
      • Recommending priorities for future cooperation, particularly in R&D areas where each partner shares strong common interest (e.g., interdisciplinary research and intelligent systems) and brings complementary challenges, regulatory or cultural considerations, or expertise to the partnerships;
      • Coordinating as appropriate the planning and programming of relevant activities in these areas, including promoting researcher and student collaboration that could potentially involve national partners, the private sector, academia, and the scientific community to further our efforts by harnessing the value of public-private partnerships; and
      • Promoting research and development in AI, focusing on challenging technical issues, and protecting against efforts to adopt and apply these technologies in the service of authoritarianism and repression.
      • We intend to establish a bilateral government-to-government dialogue on the areas identified in this vision and explore an AI R&D ecosystem that promotes the mutual wellbeing, prosperity, and security of present and future generations.
  • A bipartisan task force comprised of Members of the House Armed Services Committee published its recommendations that call for a dramatic remaking of funding and the structure of the United States’ (U.S.) military over the next few decades to meet the waning threat posed by the Russian Federation and the waxing threat posed by the People’s Republic of China (PRC). The Future of Defense Task Force asserted:
    • The stakes could scarcely be higher. The national security challenges the United States faces today are existential, and they cannot be met by simply doubling down on old models of policy and investment. Our adversaries are surging around the globe in a long-game effort to supplant western-style democracy with a form of authoritarianism that cloaks itself in capitalism as it undermines personal liberties and freedoms. The United States must recognize that without a new commitment to achieving technological superiority, the successes of the 20thcentury–the American Century–will no longer be assured.
    • The task force made these findings:
      • I. China represents the most significant economic and national security threat to the United States over the next 20 to 30 years. Because of its nuclear arsenal and ongoing efforts to undermine Western democratic governments, Russia presents the most immediate threat to the United States; however, Russia’s long-term economic forecast makes its global power likely to recede over the next 20 to 30 years.
      • II.As a result of historic levels of government-sponsored science and technology research, and the inherent advantages of a free market economy, the United States emerged from the Cold War with a substantial economic and military lead over any potential rival. However, these gaps have dramatically narrowed. China will soon overtake the United States as the world’s largest economy, and despite historic defense budgets, the United States has failed to keep pace with China’s and Russia’s military modernization.
      • III. Assuring the United States’ continued leadership will require dramatic changes to the structure and implementation of the defense budget, the effective implementation of a whole-of-government approach to security, and the strengthening of underlying institutions such as our education system and national security innovation base to out-pace our adversaries.
      • IV. Advancements in artificial intelligence, biotechnology, quantum computing, and space, cyber, and electronic warfare, among others, are making traditional battlefields and boundaries increasingly irrelevant. To remain competitive, the United States must prioritize the development of emerging technologies over fielding and maintaining legacy systems. This will require significant changes to the Pentagon’s force structure, posture, operational plans, and acquisition system and must be complemented by a tough and fulsome review of legacy systems, platforms, and missions.
      • V. The Pentagon’s emerging operational concepts have the potential to provide the U.S. military a decisive advantage, but they are not yet fully viable. To address current and future threats and deter conflict, the Department of Defense must more aggressively test new operational concepts against emerging technologies.
      • VI. To endure as the leading global power with preeminent economic might, political influence, and a resilient national security apparatus, the United States must strengthen and modernize geopolitical alliances with longstanding allies while establishing new alliances to meet emerging threats.
      • VII. Technological advancements in artificial intelligence and biotechnology will have an outsized impact on national security; the potential of losing this race to China carries significant economic, political, and ethical risks for the United States and our free democratic allies for decades to come. Winning this race requires a whole-of-nation approach where the distinct advantages of both America’s private and public sector are harnessed and synthesized.
      • VIII. Increased government investment in basic scientific research must be complemented by increased cooperation with the private sector to quickly adopt resulting technologies. The Department of Defense and elements of the greater U.S. government must adapt their culture and business practices to better support, and more quickly integrate, innovation from the private sector.
      • IX. Whereas emerging technologies offer tremendous opportunities for commercial and social transformation, many are also fraught with the potential for nefarious use. It is essential that the United States and our free democratic allies set and enforce the terms and norms for their employment.
      • X. Authoritarianism is on the rise globally, whereas democracy is waning. A whole-of-government approach to national security should be led by diplomacy and economic cooperation, supported by development and humanitarian assistance, and strengthened by military-to-military relationships.
      • XI.The United States is most likely to succeed by playing to our strengths: a free, fair, and open economy, strong education system, and a culture for innovation that rests on the open market and free democratic principles.
  • The top Democrats and Democratic Leadership in the Senate introduced the “America Labor, Economic competitiveness, Alliances, Democracy and Security (America LEADS) Act” which is characterized as the “Senate Democrats’ proposal for a new United States (U.S.)-China policy” according to a press release. The sponsors of the bill argued:
    • The most comprehensive China legislation to date, the America LEADS Act seeks to recognize that only when we have a vibrant economy here at home can we truly compete with China abroad.  The legislation provides significant new investments to rebuild the U.S. economy and provide our workers, entrepreneurs, researchers, and manufacturers with the skills and support needed to out-compete China and succeed in the twenty-first century. The proposal includes over $350 billion in new funding to synchronize and mobilize all aspects of U.S. national power. This approach is grounded in getting the broader Indo-Pacific strategy “right,” centered on our alliances and partnerships, animated by America’s longstanding values, and driven by the need for a course correction, after almost four years of destruction under President Trump.
    • They summarized the provisions of the bill:
      • Invests in American workers and restores United States’ competitiveness in science and technology, manufacturing, global infrastructure, digital technologies, and global clean energy development, by increasing federal funding for research and development, including investment to lead in the development and production of new and emerging technologies like 5G, quantum, and artificial intelligence that will define the twenty-first century, taking action to strengthen domestic supply chains, and providing support for domestic manufacturing industries like seminconductors. 
      • Confronts China’s education and influence campaigns by requiring new reporting requirements and invests in registered apprenticeships, training, and STEM education programs with a focus on building a diverse and inclusive innovation and manufacturing workforce for the 21st Century.
      • Renews and reorients the United States’ diplomatic strategy towards China centered on America’s commitment to its allies around the world and in the Indo-Pacific region, including Japan, South Korea, the Philippines, Australia, Thailand, and Taiwan, and calls for the United States to reassert its leadership within regional and international organizations, like the World Health Organization and the G7.
      • Reaffirms America’s strong security commitment in the Indo-Pacific and a forward-deployed posture in the region to ensure that all nations can exercise their rights in the region’s international waters and airspace, and directs the United States to provide additional assistance and training to countries under the Indo-Pacific Maritime Security Initiative. The bill also provides regional strategies to confront malign PRC influence in the Western Hemisphere, South and Central Asia, Africa, the Arctic region, and the Middle East and North Africa.
      • Invests in our values, authorizing a broad range of efforts to support human rights and civil society measures, especially as they relate to Tibet, the Xinjiang Uyghur Autonomous Region (XUAR), and Hong Kong, including allowing certain Hong Kong citizens and residents of Xinjiang to apply for admission to the United States.  The bill also directs the President to report foreign persons identified for engaging in and facilitating forced labor in China and to apply sanctions to Chinese officials complicit in human rights violations. 
      • Focuses on countering and confronting China’s predatory international economic behavior, and includes measures to strengthen trade enforcement across a wide range of areas, including intellectual property, supply chains, currency manipulation, and counterfeit goods.
  • Senators Rick Scott (R-FL) and Catherine Cortez Masto (D-NV) unveiled the “American Privacy Protection (APP) Act” (S.4669) that would “require the Federal Trade Commission (FTC) to ensure all entities that operate application platforms disclose the location in which the application was developed and where data collected by the application is stored” according to their press release. This bill flows from “recent security concerns about apps made by U.S. adversaries, including Communist China and Russia,” such as TikTok and WeChat.
  • The United States (U.S.) Federal Energy Regulatory Commission (FERC) issued a notice of inquiry and asked for comments on:
    • the potential risks to the bulk electric system posed by using equipment and services produced or provided by entities identified as risks to national security.
    • whether the current Critical Infrastructure Protection (CIP) Reliability Standards adequately mitigate the identified risks.
    • possible actions the Commission could consider taking to address the identified risks.
    • The Department of Defense (DOD), Federal Communications Commission (FCC), and other U.S. agencies are undertaking similar efforts to root out what they consider suspicious, malicious, or compromised parts, equipment, or systems that would allow nations like the People’s Republic of China (PRC) to access, impair, or cripple critical infrastructure. Even though nations other than the PRC are listed in this RFI, as a practical matter, the PRC is the focus since so much of the world’s electronics supply chain originates in that country.
    • FERC explained:
      • On October 18, 2018, the Commission approved the first set of supply chain risk management Reliability Standards in Order No. 850. The Commission described the supply chain risk management Reliability Standards as “forward-looking and objective-based and require each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations.”In approving the supply chain risk management Reliability Standards, the Commission recognized that “the global supply chain creates opportunities for adversaries to directly or indirectly affect the management or operations of companies with potential risks to end users.”
      • Since the issuance of Order No. 850, there have been significant developments in the form of Executive Orders, legislation, as well as federal agency actions that raise concerns over the potential risks posed by the use of equipment and services provided by certain entities identified as risks to national security. In particular, Huawei Technologies Company (Huawei) and ZTE Corporation (ZTE) have been identified as examples of such certain entities because they provide communication systems and other equipment and services that are critical to bulk electric system reliability.
      • Therefore, as discussed in this Notice of Inquiry, the Commission seeks comments on: (1) The extent of the use of equipment and services provided by certain entities identified as risks to national security related to bulk electric system operations; (2) the risks to bulk electric system reliability and security posed by the use of equipment and services provided by certain entities; (3) whether the CIP Reliability Standards adequately mitigate the identified risks; (4) what mandatory actions the Commission could consider taking to mitigate the risk of equipment and services provided by certain entities related to bulk electric system operations; (5) strategies that entities have implemented or plan to implement—in addition to compliance with the mandatory CIP Reliability Standards—to mitigate the risks associated with use of equipment and services provided by certain entities; and (6) other methods the Commission may employ to address this matter including working collaboratively with industry to raise awareness about the identified risks and assisting with mitigating actions (i.e., such as facilitating information sharing). The responses to these questions will provide the Commission with a better understanding of the risks to bulk electric system reliability posed by equipment and services provided by entities identified as risks to national security, as well as how the Commission may best address any identified risks.
    • This inquiry follows related actions. In July, acting per an early May executive order, the Department of Energy (DOE) has released a request for information (RFI) “to understand the energy industry’s current practices to identify and mitigate vulnerabilities in the supply chain for components of the bulk-power system (BPS).” In late June, the FERC sought “comment on certain potential enhancements to the currently-effective Critical Infrastructure Protection (CIP) Reliability Standards,” and in mid-June, the FERC released a staff “Cybersecurity Incentives Policy White Paper” that made the case that the agency should create an incentive structure beyond the existing mandatory and binding cybersecurity regulations to prompt utilities to invest more in defending their systems.
  • The United Kingdom’s Department for Digital, Culture, Media & Sport released six principles to “strengthen digital identity delivery and policy in the UK” and floated the possibility of “legislation for consumer protection relating to digital identity, specific rights for individuals, an ability to seek redress if something goes wrong, and set out where the responsibility for oversight should lie. It will also consult on the appropriate privacy and technical standards for administering and processing secure digital identities.” The six principles were developed by “[a] new government Digital Identity Strategy Board:
    • 1) Privacy – When personal data is accessed people will have confidence that there are measures in place to ensure their confidentiality and privacy; for instance, a supermarket checking a shopper’s age, a lawyer overseeing the sale of a house or someone applying to take out a loan.
    • 2) Transparency – When an individual’s identity data is accessed when using digital identity products they must be able to understand by who, why and when; for example, being able to see how your bank uses your data through digital identity solutions.
    • 3) Inclusivity – People who want or need a digital identity should be able to obtain one; for example, not having documentation such as a passport or driving licence should not be a barrier to not having a digital identity.
    • 4) Interoperability – Setting technical and operating standards for use across the UK’s economy to enable international and domestic interoperability.
    • 5) Proportionality – User needs and other considerations such as privacy and security will be balanced so digital identity can be used with confidence across the economy.
    • 6) Good governance – Digital identity standards will be linked to government policy and law. Any future regulation will be clear, coherent and align with the government’s wider strategic approach to digital regulation. For example, firms verifying your identity will need to comply with laws around how they access and store data.
  • Basecamp, Blix, Blockchain.com, Deezer, Epic Games, the European Publishers Council, Match Group, News Media Europe, Prepear, Protonmail, SkyDemon, Spotify, and Tile have formed the Coalition for App Fairness (CAF) to “advocate for enforcement and reforms, including legal and regulatory changes, to preserve consumer choice and a level playing field for app and game developers that rely on app stores and the most popular gatekeeper platforms.” This Coalition follows on the heels of Epic Games suing Apple and Google about their app store practices, namely taking 30% of all in-app purchases. This organization “developed and published a set of 10 “App Store Principles” laying out how they think app stores should be designed and run.

Further Reading

  • Intel chief releases Russian disinfo on Hillary Clinton that was rejected by bipartisan Senate panel” By Andrew Desiderio and Daniel Lippman — Politico. New Director of National Intelligence (DNI) John Ratcliffe released an unclassified version of allegations that former Secretary of State Hillary Clinton was working with the Russian Federation against Donald Trump in 2016. Ratcliffe released this information even though the Senate Intelligence Committee dismissed it as Russian disinformation, and the timing is curious, coming so close to the election.
  • At White House’s urging, Republicans launch anti-tech blitz ahead of election” By Cristiano Lima and John Hendel — Politico. This article shows how the White House’s pressure on Senate and House Republicans has borne fruit as they have focused on technology companies’ supposed bias against conservatives. Not only is this a narrative they can push, but the threat of regulatory and statutory changes to their liability shield also serve the same purpose that professional sports coaches seek when complaining about referees in advance of matches.
  • Coordinated push of groundless conspiracy theories targets Biden hours before debate” By Ben Collins — NBC News. This article shows how lies and information can get traded up the chain until legitimate news outlets cover baseless claims.
  • Russian operation masqueraded as right-wing news site to target U.S. voters – sources” By Jack Stubbs — Reuters. The Federal Bureau of Investigation (FBI) has turned up another Internet Research Agency run disinformation operation offering fake information and content from the right wing. Like the recently uncovered Peace Data site, the Newsroom for American and European Based Citizens (NAEBC) was reposting content from conservative sites and paying unwitting Americans to write for the site. Like Peace Data, the IRA then spread and amplified this slanted content on social media as a means of once again disseminating disinformation and chaos in the United States.
  • Google to Pay Publishers Over $1 Billion for News Content” By Natalia Drozdiak — Bloomberg. As announced by Google and Alphabet CEO Sundar Pichai, Google will pay some media outlets up to $1 billion over the next three years  “to create and curate high-quality content for a different kind of online news experience” for its new product, Google News Showcase. Pichai claimed:
    • This approach is distinct from our other news products because it leans on the editorial choices individual publishers make about which stories to show readers and how to present them. It will start rolling out today to readers in Brazil and Germany, and will expand to other countries in the coming months where local frameworks support these partnerships.
    • Google’s announcement comes as the company and the Australian Competition and Consumer Commission (ACCC) are fighting over the latter’s proposal to ensure that media companies are compensated for articles and content the former uses. In late July the ACCC released for public consultation a draft of “a mandatory code of conduct to address bargaining power imbalances between Australian news media businesses and digital platforms, specifically Google and Facebook.”
    • The European Publishers Council (EPC) noted
      • The French Competition Authority decision from April considered that Google’s practices were likely to constitute an abuse of a dominant position and brought serious and immediate damage to the press sector. It calls on Google, within three months, to conduct negotiations in good faith with publishers and press agencies on the remuneration for their protected content. Google’s appeal in July seeks to get some legal clarity on parts of the decision.
    • Moreover, the European Union (EU) Directive on Copyright in the Digital Single Market is being implemented in EU member states and would allow them to require compensation from platforms like Facebook and Google. The EPC claimed:
      • Many are quite cynical about Google’s perceived strategy. By launching their own product, they can dictate terms and conditions, undermine legislation designed to create conditions for a fair negotiation, while claiming they are helping to fund news production.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (10 September)

Coming Events

  • The Federal Communications Commission (FCC) will hold a forum on 5G Open Radio Access Networks on 14 September. The FCC asserted
    • Chairman [Ajit] Pai will host experts at the forefront of the development and deployment of open, interoperable, standards-based, virtualized radio access networks to discuss this innovative new approach to 5G network architecture. Open Radio Access Networks offer an alternative to traditional cellular network architecture and could enable a diversity in suppliers, better network security, and lower costs.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.”
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled ““Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delhrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • Top Senate Democrats asked the Secretary of the Treasury to impose sanctions on officials and others in the Russian Federation for interfering in the 2020 United States election. In their letter, they urged Secretary Steven Mnuchin “to draw upon the conclusions of the Intelligence Community to identify and target for sanctions all those determined to be responsible for ongoing election interference, including any actors within the government of the Russian Federation, any Russian actors determined to be directly responsible, and those acting on their behalf or providing material or financial support for their efforts.” Given that Mnuchin is unlikely to displease President Donald Trump through agreeing that Russians are again interfering in a presidential election, it is probable that Senate Democrats are seeking to further their line of attack on Republicans that they are unwilling to defend the U.S. and its elections from Russia. They called on Mnuchin to use the authorities granted by Congress in the “Countering America’s Adversaries Through Sanctions Act” (P.L. 115-44) and Executive Order 13848 “Imposing Certain Sanctions in the Event of Foreign Interference in a United States Election.”
  • Epic Games has returned to court in an attempt to force Apple to put its popular multiplayer game, Fortnite back into the App Store. At present, those on iOS devices cannot download and play the newest version of the game released a few weeks ago. Even though Epic Games lost its request for a temporary restraining order that would order Apple to put the game back, it has filed for a preliminary injunction:
    • (1) restraining Defendant Apple Inc. (“Apple”) from removing, de-listing, refusing to list or otherwise making unavailable the app Fortnite or any other app on Epic’s Team ID ’84 account in Apple’s Developer Program, including any update of such an app, from the App Store on the basis that Fortnite offers in-app payment processing through means other than Apple’s In-App Purchase (“IAP”) or on any pretextual basis;
    • (2) restraining Apple from taking any adverse action against Epic, including but not limited to restricting, suspending, or terminating any other Apple Developer Program account of Epic or its affiliates, on the basis that Epic enabled in-app payment processing in Fortnite through means other than IAP or on the basis of the steps Epic took to do so;
    • (3) restraining Apple from removing, disabling, or modifying Fortnite or any code, script, feature, setting, certification, version or update thereof on any iOS user’s device; and
    • (4) requiring Apple to restore Epic’s Team ID ’84 account in Apple’s Developer Program.
    •  Epic Games asserts:
      • This motion is made on the grounds that: (1) Epic is likely to succeed on the merits of its claims that Apple’s conduct violates the Sherman Act; (2) absent a preliminary injunction, Epic is likely to suffer irreparable harm; (3) the balance of harms tips sharply in Epic’s favor; and (4) the public interest supports an injunction.
    • Considering that the judge ruled against Epic Games’ claim of irreparable harm in the motion for a temporary restraining order on the grounds that self-inflicted harm (i.e. Epic Game escalated by putting its own pay option on Fortnite to foil Apple’s 30% take on in-game sales and no public interest being present, one wonders if the company will prevail on this motion.
  • Apple filed a countersuit against Epic Games, arguing the latter breached its contract with the former and now must pay damages. In contrast, Epic Games is not suing for any monetary damages, surely a tactical decision to help its case in court and among interested observers.
    • Apple sought to portray Epic Games’ lawsuit this way:
      • Epic’s lawsuit is nothing more than a basic disagreement over money. Although Epic portrays itself as a modern corporate Robin Hood, in reality it is a multi-billion dollar enterprise that simply wants to pay nothing for the tremendous value it derives from the App Store. Epic’s demands for special treatment and cries of “retaliation” cannot be reconciled with its flagrant breach of contract and its own business practices, as it rakes in billions by taking commissions on game developers’ sales and charging consumers up to $99.99 for bundles of “V-Bucks.”
      • Epic decided that it would like to reap the benefits of the App Store without paying anything for them. Armed with the apparent view that Epic is too successful to play by the same rules as everyone else—and notwithstanding a public proclamation that Epic “w[ould] not accept special revenue sharing or payment terms just for ourselves”1—Epic CEO Tim Sweeney emailed Apple executives on June 30, 2020, requesting a “side letter” that would exempt Epic from its existing contractual obligations, including the App Store Review Guidelines (the “Guidelines”) that apply equally to all Apple developers. Among other things, Mr. Sweeney demanded a complete end-run around “Apple’s fees”—specifically, Epic wished to continue taking full advantage of the App Store while allowing consumers to pay Epic instead, leaving Apple to receive no payment whatsoever for the many services it provides developers and consumers.
    • Apple contended “[t]his Court should hold Epic to its contractual promises, award Apple compensatory and punitive damages, and enjoin Epic from engaging in further unfair business practices.”
  • The General Services Administration (GSA) released a draft Data Ethics Framework as part of implementing the Trump Administration’s Federal Data Strategy.
    • GSA noted
      • The Federal Data Strategy, delivered in December 2019, recognized the importance of ethics in its founding Principles. When the Federal Data Strategy team created the 2020 Action Plan, they specifically tasked the General Services Administration (GSA) with developing a Data Ethics Framework (Framework)in Action 14to help agency employees, managers, and leaders make ethical decisions as they acquire, manage, and use data.
      • The resulting Framework is intended to be a “living” resource and to be regularly updated by the CDO Council and ICSP. The Framework incorporates the input and terminology from stakeholders representing many domains, and who use different types of data in different ways. The developers of the Framework recognize that some terms may be used differently, depending on the context, type of data being used, and stage in the data lifecycle.
      • The Framework applies to all data types and data uses. The Framework consists of four parts:
        • About the Data Ethics Framework outlines the intended purpose and audience of this document
        • Data Ethics Defined explores the meaning of the term “data ethics,” as background to the Tenets provided in the following section
        • Data Ethics Tenets provides seven Tenets, or high-level principles, for using data ethically within the Federal Government
        • Data Ethics Tenets in Action describes the benefits of data ethics and contains use cases demonstrating how the Tenets can guide data activities within federal agencies and federally sponsored programs
      • The Administration claimed the 2020 Action Plan “establishes a solid foundation that will support implementation of the strategy over the next decade…[and] identifies initial actions for agencies that are essential for establishing processes, building capacity, and aligning existing efforts to better leverage data as a strategic asset.” The use of federal data holds a key place in the President’s Management Agenda (PMA) and, according to the Administration, will be a key driver in transforming how the federal government operates, particularly in relation to technology. The 2020 Action Plan lays out the steps agencies will be expected to take to realize the Administration’s 10-year Federal Data Strategy. As always, results will be informed by follow through and prioritization by the Office of Management and Budget (OMB) and buy-in from agency leadership.
      • Notably, the Administration tied the 2020 Action Plan to a number of other ongoing initiatives that rely heavily on data. The Administration said the plan “incorporates requirements of the Foundations for Evidence-Based Policymaking Act of 2018, the Geospatial Data Act of 2018, and Executive Order 13859 on Maintaining American Leadership in Artificial Intelligence.”
  • The Office of the Australian Information Commissioner (OAIC) published “its Corporate Plan for 2020-21, which sets out its strategic priorities and key activities for the next four years” according to its press release. The OAIC stated “[t]he plan identifies four strategic priorities that will help the OAIC achieve its vision to increase public trust and confidence in the protection of personal information and access to government-held information:
    • Advance online privacy protections for Australians
    • Influence and uphold privacy and information access rights frameworks
    • Encourage and support proactive release of government-held information, and
    • Contemporary approach to regulation.
    • The agency stated:
      • Over the coming year, the OAIC will continue to promote strong privacy protections for the use of personal information to prevent and manage the spread of COVID-19, including oversight of data handling within the COVIDSafe app system. 
      • Strengthening privacy protections in the online environment remains a key focus for the organisation, while privacy law reform will be a priority in 2020-21, with the Australian Government’s review of the Privacy Act an opportunity to ensure the regulatory framework can respond to new challenges in the digital environment.
      • Commissioner [Angelene] Falk said the OAIC will also enforce privacy safeguards under the Consumer Data Right and will continue its work to improve transparency and prevent harm to consumers through its oversight of the Notifiable Data Breaches scheme.
  • Ontario’s Ministry of Government and Consumer Services “launched consultations to improve the province’s privacy protection laws” and stakeholders “will have the opportunity to contribute to strengthening transparency and accountability concerning the collection, use and safeguarding of personal information online.” Ontario “is seeking advice on ways to:
    • Increase transparency for individuals, providing Ontarians with more detail about how their information is being used by businesses and organizations.
    • Enhance consent provisions allowing individuals to revoke consent at any time, and adopting an “opt-in” model for secondary uses of their information.
    • Introduce a right for individuals to request information related to them be deleted, subject to limitations (this is otherwise known as “right to erasure” or “the right to be forgotten”).
    • Introduce a right for individuals to obtain their data in a standard and portable digital format, giving them greater freedom to change service providers without losing their data (this is known as “data portability”).
    • Increase enforcement powers for the Information and Privacy Commissioner to ensure businesses comply with the law, including giving the commissioner the ability to impose penalties.
    • Introduce requirements for data that has been de-identified and derived from personal information to provide clarity of applicability of privacy protections.
    • Expand the scope and application of the law to include non-commercial organizations, including not-for-profits, charities, trade unions and political parties.
    • Create a legislative framework to enable the establishment of data trusts for privacy protective data sharing.
  • The United States (U.S.) Department of Homeland Security (DHS) Office of the Inspector General (OIG) issued “Progress and Challenges in Modernizing DHS’ Information Technology (IT) Systems and Infrastructure” and found fault with these three systems:
    • DHS-wide Human Resources IT (HRIT)
    • DHS Legacy Major IT Financial System that “[s]erves as Coast Guard and Transportation Security Agency’s (TSA) financial system of record.
    • Federal Emergency Management Agency (FEMA) Grants Management Mission Domain and Operational Environment
    • The OIG stated
      • The DHS 2019–2023 IT strategic plan included two distinct department-wide IT modernization initiatives: to adopt cloud-based computing and to consolidate data centers. However, not all components have complied with or fully embraced these efforts due to a lack of standard guidance and funding. Without consistent implementation of these efforts, DHS components remain hindered in their ability to provide personnel with more enhanced, up-to-date technology.
      • In the meantime, DHS continues to rely on deficient and outdated IT systems to perform mission-critical operations. We identified three legacy IT systems with significant operational challenges that negatively affected critical DHS functions, such as human resources and financial management, as well as disaster recovery mission operations. DHS has not made sufficient progress in replacing or augmenting these IT systems due to ineffective planning and inexperience in executing complex IT modernization efforts. Additionally, the DHS CIO has not performed mandated oversight of legacy IT to mitigate and reduce risks associated with outdated systems. Until DHS addresses these issues, it will continue to face significant challenges to accomplish mission operations efficiently and effectively
    • The OIG recommended:
      • We recommend the DHS OCIO develop department-wide guidance for implementing cloud technology and migrating legacy IT systems to the cloud. Recommendation
      • We recommend the DHS OCIO coordinate with components to develop and finalize a data center migration approach to accomplish strategic goals for reducing the footprint of DHS IT infrastructure. Recommendation
      • We recommend the DHS OCIO establish a process to assign risk ratings for major legacy IT investments, as required by the Federal Information Technology Acquisition Reform Act.
  • The University of Toronto’s Citizen Lab and the International Human Rights Program at the University of Toronto’s Faculty of Law published a report “To Surveil and Predict: A Human Rights Analysis of Algorithmic Policing in Canada” that “focuses on the human rights and constitutional law implications of the use of algorithmic policing technologies by law enforcement authorities.” The authors found:
    • The research conducted for this report found that multiple law enforcement agencies across Canada have started to use, procure, develop, or test a variety of algorithmic policing methods. These programs include using and both developing predictive policing technologies and using algorithmic surveillance tools. Additionally, some law enforcement agencies have acquired tools with the capability of algorithmic policing technology, but they are not currently using that capability because, to date, they have not decided to do so. 
    • The authors “analyze the potential impacts of algorithmic policing technologies on the following rights: the right to privacy; the right to freedoms of expression, peaceful assembly, and association; the right to equality and freedom from discrimination; the right to liberty and to be free from arbitrary detention; the right to due process; and the right to a remedy.”
  • The United States (U.S.) Department of Homeland Security (DHS) issued “the Electromagnetic Pulse (EMP) Program Status Report as part of an update on efforts underway in support of Executive Order (E.O.) 13865 on Coordinating National Resilience to Electromagnetic Pulses…[that] establishes resilience and security standards for U.S. critical infrastructure as a national priority.”
    • DHS stated
      • E.O.13865 states, “An electromagnetic pulse (EMP) has the potential to disrupt, degrade, and damage technology and critical infrastructure systems. Human-made or naturally occurring EMPs can affect large geographic areas, disrupting elements critical to the Nation’s security and economic prosperity, and could adversely affect global commerce and stability. The federal government must foster sustainable, efficient, and cost-effective approaches to improving the Nation’s resilience to the effects of EMPs.”
      • In accordance with E.O.13865, the Department has identified initial critical infrastructure and associated functions that are at greatest risk from an EMP and is focusing efforts on the development and implementation of evidence-based and independently-tested EMP protection and mitigation technologies and resilience best practices. Initial efforts within the Department, working across the federal interagency, have focused on risk management to both the Energy and Communications Sectors.
  • Two United States Magistrate Judges denied three requests for a geofence warrant to serve on Google to obtain cell phone data from an area of Chicago for three forty-five minutes periods on three different days. The courts took the unusual step of unsealing the opinions for the proceedings which are not adversarial because the person or people suspected of being involved with the alleged crime are presumably unaware and therefore cannot contest the warrant application. If Google took an adversarial position, there is no indication in the decisions the company did so. However, Google did state in a filing that “[b]etween 2017 and 2018, Google saw a 1,500% increase in geofence requests…[and] [b]etween 2018 and 2019, that figure shot up another 500%.”
    • Moreover, one wonders if prosecutors did not also seek similar warrant requests from other companies such as telecommunications providers. Nonetheless, the judges ruled the geofence warrant requests violated the Fourth Amendment to the U.S. Constitution in a number of ways and suggested that narrower, more particular requests might have been legal.
    • In the first denial, the magistrate judge explained:
      • As to the first geofence request, the government has probable cause to believe that the suspect received the stolen pharmaceuticals from a commercial enterprise located within the designated geofence area during the designated forty-five minute interval in the early afternoon hours on the day of the first geofence request. The geofence, which has a 100-meter radius, is in a densely populated city, and the area contains restaurants, various commercial establishments, and at least one large residential complex, complete with a swimming pool, workout facilities, and other amenities associated with upscale urban living.
      • The second and third geofence requests focus on the same commercial enterprise where the government has probable cause to believe that the suspect shipped some of the stolen pharmaceuticals to a buyer, who purchased the pharmaceuticals from the suspect at the government’s direction. Again, the government’s requested geofence is a I00-meter radius area extending from the commercial establishment where the suspect shipped the pharmaceuticals and covers two separate dates for forty-five minute intervals in the early afternoon hours. This geofence includes medical offices and other single and multi-floor commercial establishments that are likely to have multiple patrons during the early afternoon hours.
      • The warrant application contemplates that the information will be obtained in three stages: (l) Google will be required to disclose to the government an anonymized list of devices that specifies information including the corresponding unique device ID, timestamp, coordinates, and data source, if available, of the devices that reported their location within the geofence during the forty-five minute periods; (2) the government will then review the list to prioritize the devices about which it wishes to obtain associated information; and (3) Google will then be required to disclose to the government the information identifying the Google account(s) for those devices about which the government further inquiries. The warrant application includes no criteria or limitations as to which cellular telephones government agents can seek additional information.

Further Reading

  • A Saudi Prince’s Attempt to Silence Critics on Twitter” By Bradley Hope and Justin Scheck – WIRED. Considering the United States Department of Justice indictments against three Saudi nationals in November 2019 and resulting news stories (“Why Do We Tolerate Saudi Money in Tech?” – The New York Times and “Former Twitter employees charged with spying for Saudi Arabia by digging into the accounts of kingdom critics” – The Washington Post), one would think what news is there in this excerpt on a book. But we learn that Twitter’s anti-establishment stance led the company’s lawyers to suspend the Saudi Twitter employee who the target of a U.S. investigation which allowed him to flee the U.S. Government lawyers were livid. The bigger issue is foreign operatives infiltrated social media platforms and then reaping information about selected people, especially dissidents.
  • When Algorithms Give Real Students Imaginary Grades” By Meredith Broussard – The New York Times. The International Baccalaureate (IB) program used an algorithm to hand out grades this past spring when in-person exams were cancelled. It did not go well as you might imagine. The same was true in the United Kingdom for its A-level exams, causing a furor there. The case id made for never using algorithms in education or related fields.
  • Wheely ride-hailing app writes to UK privacy watchdog over Moscow data demands” By Simon Goodley – The Guardian. A British ride-sharing company wrote the United Kingdom’s data protection authority about data requests made by the Moscow Department of Transportation (MDOT) on individual riders. Wheely made the case to the Information Commissioner’s Office (ICO) that it could not hand over the data under the General Data Protection Regulation (GDPR) unlike some of the app’s rivals who apparently complied with the demand. It is not clear whether the company’s GDPR obligations would apply in another jurisdiction. It may possible Wheely is trying to smear the other companies in the U.K.
  • Deepfake porn is now mainstream. And major sites are cashing in” By Matt BurgessWired. Through the use of artificial intelligence technology, people are making fake pornography in which actresses’ faces are affixed to women’s bodies that are engaged in sexual acts. These deepfake porn videos are soaring in popularity, and there are often not good options for taking them down or taking legal action. This is another area in which technology has outpaced policy and law.
  • Most cyber-security reports only focus on the cool threats” By Catalin Cimpanu – ZDNet. Turns out that commercial threat reports are issued with an eye towards generating business and considering that governments and huge contractors have the deepest pockets, the issues of concern are covered while other less lucrative areas like threats to civil society are largely ignored. These reports also influence policymakers and give them a distorted picture of cyber threats.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Court Splits Between Apple and Epic Games

The Fortnite makers loses its effort to force Apple to put it back into the App Store, but it does succeed in getting the court to restore Unreal Engine to the App Store.     

In response to Epic Games’ suit against Apple, the United States (U.S.) court denied the request for an injunction that would force Apple to put back the popular game Fortnite in its App Store. However, the court did rule for Epic Games regarding Apple’s shuttering of its Unreal Engine, a game engine other companies like Microsoft use in developing their games. If this first court decision is any indication, it appears Epic Games has an uphill battle in convincing the court that Apple in engaged in conduct that violates United States and California antitrust law.

In denying Epic Games’ request for a temporary restraining order against Apple in order to get Fortnite back into the App Store, the court decided the plaintiff does not necessarily have an antitrust case strong enough to succeed on the merits, has not demonstrated irreparable harm because the “current predicament appears to be of its own making,” would unjustifiably be enriched if Fortnite is reinstated to the App Store without having to pay 30% of in app purchases to Apple, and is not operating in a public interest strong enough to overcome he expectation private parties will honor their contracts or resolve disputes through normal means. While Epic Games suit is not over, the judge’s preliminary ruling suggests she may not rule in its favor.

However, the court did rule in Favor of Epic Games because it did make “a preliminary showing of irreparable harm as to Apple’s actions related to the revocation of the developer tools (SDKs)” aka Unreal Engine.

Both Epic Games and Apple asked that this dispute be linked to a suit filed last year against Apple on some of the same grounds. The developer who filed suit explained

  • Plaintiffs Donald R. Cameron and Pure Sweat Basketball, Inc., are application developers for the iPhone, a device powered by Apple’s iOS operating system. iOS developers create the applications and in-app products that bring Apple iPhones, iPads, and iPod touch music players to life. Their apps allow users to play games while on line at the grocery store, to edit documents, to make exercise more fun, to help meditate, and so much more.
  • Plaintiffs and their fellow iOS developers sell their iOS apps via Apple’s App Store. They have no choice in the matter, but not because Apple built an app store that beat all comers fair and square. Instead, from the outset, Apple attained monopoly power in the U.S. market for iOS app and in-app-product1 distribution services by slamming the door shut on any and all potential competitors. And it has barred the door ever since. On the thinnest of pretenses—that somehow it is uniquely qualified to ensure the safety and device-compatibility of apps—Apple has never permitted anyone else to distribute apps and related digital products4 to the many millions of U.S. owners of its mobile devices.
  • Further, Apple’s market power has allowed it to charge developers a supra- competitive 30% commission on the sale of paid apps and in-app products for almost 11 years now, despite the inevitable accrual of experience and economies of scale. Additionally, it collects a $99 annual fee from all developers who wish (and must) sell their products through the App Store. Apple also dictates minimum and greater price points, which prevent developers from offering paid products at less than $.99 or at price points ending in anything other than $.99. And so, while Apple is fond of pointing to impressive-sounding sales numbers and dollars earned by developers, nonetheless, its exorbitant fee for distribution (or retail sales) services, coupled with its $99 annual fee and pricing mandates, have cut unlawfully into what would have been developers’ earnings in a competitive landscape.
  • Also, Apple’s overly expensive 30% commission, its $99 annual developer fee, and its pricing mandate have depressed output of paid app and in-app-product transactions. The consumer apps marketplace, which gives rise to the sale of Apple’s distribution or retail-sales services to iOS developers, resoundingly favors low-priced or free apps.5 Developers and would-be developers, who can only earn 70% on the dollar on each paid app or product, in addition to paying $99 annually to gain entry to the App Store, undoubtedly think very hard about whether to spend the effort, time, and energy that is required to design and program an app or related product, bring it to market in the single store available, and hope to recoup costs and make a reasonable profit. For many, the calculus makes no economic sense. This process, which is ongoing, leads to less output in sales, and ergo, distribution transactions.

This litigation has become a class action and is now joined to the Epic Games/Apple dispute and s before the same judge.

Finally, Epic Games has filed a similar suit against Google on substantially the same grounds as it is brining against Apple. Google acted after Apple did to remove Fortnite from its Play Store once Epic Games started offering users a discounted price to buy directly from them as opposed to through Google. Epic asserted:

  • Epic brings claims under Sections 1 and 2 of the Sherman Act and under California law to end Google’s unlawful monopolization and anti-competitive restraints in two separate markets: (1) the market for the distribution of mobile apps to Android users and (2) the market for processing payments for digital content within Android mobile apps. Epic seeks to end Google’s unfair, monopolistic and anti-competitive actions in each of these markets, which harm device makers, app developers, app distributors, payment processors, and consumers.
  • Epic does not seek monetary compensation from this Court for the injuries it has suffered. Epic likewise does not seek a side deal or favorable treatment from Google for itself. Instead, Epic seeks injunctive relief that would deliver Google’s broken promise: an open, competitive Android ecosystem for all users and industry participants. Such injunctive relief is sorely needed.
  • Google has eliminated competition in the distribution of Android apps using myriad contractual and technical barriers. Google’s actions force app developers and consumers into Google’s own monopolized “app store”—the Google Play Store. Google has thus installed itself as an unavoidable middleman for app developers who wish to reach Android users and vice versa. Google uses this monopoly power to impose a tax that siphons monopoly profits for itself every time an app developer transacts with a consumer for the sale of an app or in-app digital content. And Google further siphons off all user data exchanged in such transactions, to benefit its own app designs and advertising business.
  • If not for Google’s anti-competitive behavior, the Android ecosystem could live up to Google’s promise of open competition, providing Android users and developers with competing app stores that offer more innovation, significantly lower prices and a choice of payment processors. Such an open system is not hard to imagine. Two decades ago, through the actions of courts and regulators, Microsoft was forced to open up the Windows for PC ecosystem. As a result, PC users have multiple options for downloading software unto their computers, either directly from developers’ websites or from several competing stores. No single entity controls the ecosystem or imposes a tax on all transactions. And Google, as the developer of software such as the Chrome browser, is a direct beneficiary of this competitive landscape. Android users and developers likewise deserve free and fair competition.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Epic Games/Apple Suit

A major game developer is taking on Apple over its App Store’s take of 30% of in-app purchases. Antitrust regulators will be paying keen attention.  

In a case sure to be watched closely by antitrust regulators in the United States, European Union, and elsewhere, a major video games developer is suing Apple for its App Store practices. The litigation was sparked after Epic Games tried to get its users to make in app purchases aside and apart from the app downloaded from the Apple Store, for Apple is entitled to as much as 30% of such sales under its terms of services. Apple swiftly removed Epic Games’ Fortnite, claiming a violation of its terms of service, and Google quietly followed suit by removing the multiplayer game from the Play Store.

In its complaint filed in federal court in California, Epic Games is arguing that Apple’s practices violate federal and California antitrust and anti-competition laws. Epic Games argued

  • This case concerns Apple’s use of a series of anti-competitive restraints and monopolistic practices in markets for (i) the distribution of software applications (“apps”) to users of mobile computing devices like smartphones and tablets, and (ii) the processing of consumers’ payments for digital content used within iOS mobile apps(“in-app content”). Apple imposes unreasonable and unlawful restraints to completely monopolize both markets and prevent software developers from reaching the over one billion users of its mobile devices (e.g., iPhone and iPad) unless they go through a single store controlled by Apple, the App Store, where Apple exacts an oppressive 30% tax on the sale of every app. Apple also requires software developers who wish to sell digital in-app content to those consumers to use a single payment processing option offered by Apple, In-App Purchase, which likewise carries a 30% tax.
  • In contrast, software developers can make their products available to users of an Apple personal computer (e.g., Mac or MacBook) in an open market, through a variety of stores or even through direct downloads from a developer’s website, with a variety of payment options and competitive processing fees that average 3%, a full ten times lower than the exorbitant 30% fees Apple applies to its mobile device in-app purchases.

Of note, Epic Games is not suing Apple for monetary damages, which may be a shrewd public relations strategy. Instead the company is seeking an injunction against Apple to end what it calls Apple’s monopolistic practices in its App Store:

  • Epic brings this suit to end Apple’s unfair and anti-competitive actions that Apple undertakes to unlawfully maintain its monopoly in two distinct, multibillion dollar markets: (i) the iOS App Distribution Market, and (ii) the iOS In-App Payment Processing Market (each as defined below).
  • Epic is not seeking monetary compensation from this Court for the injuries it has suffered. Nor is Epic seeking favorable treatment for itself, a single company. Instead, Epic is seeking injunctive relief to allow fair competition in these two key markets that directly affect hundreds of millions of consumers and tens of thousands, if not more, of third-party app developers.

Apple is facing an antirust investigation in the European Union for substantially the same conduct Epic Games has sued the company for. In June 2020, the European Commission (EC) announced two antitrust investigations of Apple regarding allegations of unfair and anticompetitive practices with its App Store and Apple Pay. These investigations precede those in the United States by federal and state governments of Apple, Facebook, Google, and Amazon.

In a press release, the EC announced it “has opened a formal antitrust investigation to assess whether Apple’s conduct in connection with Apple Pay violates EU competition rules…[that] concerns Apple’s terms, conditions and other measures for integrating Apple Pay in merchant apps and websites on iPhones and iPads, Apple’s limitation of access to the Near Field Communication (NFC) functionality (“tap and go”) on iPhones for payments in stores, and alleged refusals of access to Apple Pay.” The EC noted that “[f]ollowing a preliminary investigation, the Commission has concerns that Apple’s terms, conditions, and other measures related to the integration of Apple Pay for the purchase of goods and services on merchant apps and websites on iOS/iPadOS devices may distort competition and reduce choice and innovation.” The EC contended “Apple Pay is the only mobile payment solution that may access the NFC “tap and go” technology embedded on iOS mobile devices for payments in stores.” The EC revealed “[t]he investigation will also focus on alleged restrictions of access to Apple Pay for specific products of rivals on iOS and iPadOS smart mobile devices” and “will investigate the possible impact of Apple’s practices on competition in providing mobile payments solutions.”

In a press release issued the same day, the EC explained it had also “opened formal antitrust investigations to assess whether Apple’s rules for app developers on the distribution of apps via the App Store violate EU competition rules.” The EC said “[t]he investigations concern in particular the mandatory use of Apple’s own proprietary in-app purchase system and restrictions on the ability of developers to inform iPhone and iPad users of alternative cheaper purchasing possibilities outside of apps.” The EC added “[t]he investigations concern the application of these rules to all apps, which compete with Apple’s own apps and services in the European Economic Area (EEA)…[and] [t]he investigations follow-up on separate complaints by Spotify and by an e-book/audiobook distributor on the impact of the App Store rules on competition in music streaming and e-books/audiobooks.”

The EC provided further detail on the scope of its inquiry and “will investigate in particular two restrictions imposed by Apple in its agreements with companies that wish to distribute apps to users of Apple devices:

(i)   The mandatory use of Apple’s own proprietary in-app purchase system “IAP” for the distribution of paid digital content. Apple charges app developers a 30% commission on all subscription fees through IAP.

(ii)  Restrictions on the ability of developers to inform users of alternative purchasing possibilities outside of apps. While Apple allows users to consume content such as music, e-books and audiobooks purchased elsewhere (e.g. on the website of the app developer) also in the app, its rules prevent developers from informing users about such purchasing possibilities, which are usually cheaper.

The EC explained the genesis of part of this inquiry being allegations leveled by Swedish music streaming platform, Spotify. The EC stated “[o]n 11 March 2019, music streaming provider and competitor of Apple Music, Spotify, filed a complaint about the two rules in Apple’s license agreements with developers and the associated App Store Review Guidelines, and their impact on competition for music streaming services.” The EC explained the other part as “[o]n 5 March 2020, an e-book and audiobook distributor, also filed a complaint against Apple, which competes with the complainant through its Apple Books app.” The EC asserted “[t]his complaint raises similar concerns to those under investigation in the Spotify case but with regard to the distribution of e-books and audiobooks.”

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Hedda Werner from Pixabay